Abstract: System threat analysis requires a wide range of knowledge and is time-consuming. In this study, we propose the FSTM system, a method that visualizes threats in a system to support threat modeling using a formal verification tool. Concretely, given a security requirement and a system model, we represent, as an AND-OR tree derived from exhaustive formal verification, which attacks prevent the system from satisfying the security requirement. Generating an exhaustive AND-OR tree is expensive: a verification result must be obtained for every threat pattern, which requires a large number of system models, each modified to enable a different attack pattern, and correspondingly many verification runs. We use a property that we call monotonicity of security to reduce the number of verifications, and we automatically generate the verification model for each threat pattern from a single verification model. We implemented the FSTM system using Tamarin Prover, a formal verification tool, and evaluated it with case studies.
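As an added illustration of the monotonicity argument in the abstract (example code written for this page, not the FSTM system or Tamarin itself): a constructed, monotone oracle stands in for a prover run, threat patterns are enumerated as subsets of a toy capability set, and pruning supersets of known attacks halves the number of verifications while still yielding the same minimal attacks and AND-OR tree. The capability names and the oracle's hardcoded attacks are assumptions.

```python
from itertools import combinations

# Constructed attacker capabilities for a toy protocol model (not from the paper).
CAPABILITIES = ("reveal_ltk", "replay", "tamper_channel", "compromise_server")

# Constructed stand-in for one prover run: True means the security requirement
# still holds when the adversary has exactly the capabilities in `caps`.
# Its minimal attacks are hardcoded, so the oracle is monotone by construction:
# granting more capabilities never restores security.
MINIMAL_ATTACKS = (frozenset({"reveal_ltk"}), frozenset({"replay", "tamper_channel"}))

def oracle(caps):
    return not any(attack <= caps for attack in MINIMAL_ATTACKS)

def patterns_by_size(caps):
    """All threat patterns (capability subsets), smallest first."""
    for k in range(len(caps) + 1):
        for combo in combinations(caps, k):
            yield frozenset(combo)

def naive_search(verify, caps=CAPABILITIES):
    """Verify every pattern. Returns (minimal attacks, number of verifications)."""
    insecure, runs = [], 0
    for p in patterns_by_size(caps):
        runs += 1
        # Smaller patterns were checked first, so p is minimal iff no known attack is a proper subset.
        if not verify(p) and not any(a < p for a in insecure):
            insecure.append(p)
    return insecure, runs

def monotone_search(verify, caps=CAPABILITIES):
    """Same result, but skip any pattern that extends a known attack:
    by monotonicity of security it is insecure without running the prover."""
    insecure, runs = [], 0
    for p in patterns_by_size(caps):
        if any(a <= p for a in insecure):
            continue
        runs += 1
        if not verify(p):
            insecure.append(p)  # every proper subset was already verified secure, so p is minimal
    return insecure, runs

def and_or_tree(minimal_attacks):
    """Render the threat tree: OR over minimal attacks, AND over the capabilities each needs."""
    return "OR(" + ", ".join("AND(" + ", ".join(sorted(a)) + ")" for a in minimal_attacks) + ")"

if __name__ == "__main__":
    for search in (naive_search, monotone_search):
        attacks, runs = search(oracle)
        print(f"{search.__name__}: {runs} verifications -> {and_or_tree(attacks)}")
```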