Purpose

A Service object represents a piece of software that is ready to respond to client requests coming from a network. That readiness is, in turn, represented by the connection to a Dataflow object. A Service corresponds to an open network port. If the Service provides remote login/administration functionality, like SSH/RDP/VNC, the Service shall be connected to a Host using a Shell type of connection.

Connections

| Object | Connection | Description | Function |
|---|---|---|---|
| Access Control | Authorization | Provides the login prompt for the Service. | A missing Access Control means full access on an Application Service and, for a Shell Service, either user access or compromise of the underlying Host. A Shell Service should use the same AccessControl as the Host. Additionally, full access on an Application Service makes it easier for the Attacker as the attack surface gets bigger. |
| Dataflow | Communication | A connection to a Dataflow denotes an information flow between the Service and a Client. | A missing Dataflow means that there is no communication between the Service and the Client, thus preventing server-side attacks. |
| Host | Non-Root Application Execution | A Service run by a regular system user, not providing remote login/shell functionality but instead more limited application-specific tasks. | Mandatory. |
| Host | Root Application Execution | A Service run by the root user, not providing remote login/shell functionality but instead more limited application-specific tasks. | Mandatory. |
| Host | Non-Root Shell Execution | A Service run by a regular system user, providing remote login/shell functionality. | Mandatory. |
| Host | Root Shell Execution | A Service run by the root user, providing remote login/shell functionality. | Mandatory. |
| Web Application | Web Service Execution | The Service is running/hosting a WebApplication "on top" of it, e.g. the Service being the Apache web server and the WebApplication being a business portal system run by it. | A missing web application prevents attacks through XSS, RFI, CI and SQLi exploits. |
| Datastore | Database Execution | Denotes information storage that is reachable by the Service, e.g. a database. | A missing Datastore has no direct impact on the Service, but it prevents Read and Write access to the Datastore from the Service. |
| Keystore | Keystore Execution | A connection to a Keystore object denotes that the Keystore is hosted by the Service. | A missing connection to a Keystore prevents Read access on a Keystore through the Service. |
| Network | Network Exposure | A connection to a Network denotes which Network the Service is exposed on. | If there is no connection to a Network, the Service is not reachable from that network. If the Host of the Service is only connected to one Network, the Service is automatically exposed on that Network. |
| Software Product | Software Properties | A Service always needs to be connected to a Software Product, which denotes what software it is running, e.g. an OpenVPN server. | This association is mandatory. |

Existence

The Service object has an extra attribute: Existence. Existence can be either On, Off or set to a probability between 0 and 1. Existence is used to assign a probability to an object being present or not. Examples of use cases are found in the Attack Vector chapter. The default value for Existence is On.

Attack Steps and Defenses

| Attack Step | Description | Leads to |
|---|---|---|
| ApplicationLogin | The possibility to log in to the Service as any user of the application. | Service: DeployExploit; Service: UserAccess |
| BypassAntiMalware | Bypassing the anti-malware solution (running on the Host) that is protecting the Service. | Service: Compromise |
| BypassIDS | Bypassing the IDS solution (running on the Host) that is protecting the Service. | Service: BypassAntiMalware |
| Compromise | The possibility to control/own it. | Service: Connect; Dataflow: Respond; Dataflow: Access; Datastore: Read; Datastore: Write; Datastore: Delete; Keystore: Read; Keystore: Delete; Host(root): Compromise; Host(non-root): UserAccess |
| Connect | The possibility to reach the Service from a network point of view (but not log in and use it). | AccessControl: Access; Service: DenialOfService; WebApplication: DiscoverNewVulnerability; WebApplication: BypassWAFViaCI; WebApplication: BypassWAFViaRFI; WebApplication: BypassWAFViaSQLInjection; WebApplication: BypassWAFViaXSS; Service: UserAccess; Service: ApplicationLogin; Service: NonRootShellLogin; Service: RootShellLogin |
| DenialOfService | The possibility to block the service this application is supposed to provide. | Dataflow: DenialOfService |
| DeployExploit | The possibility to use a vulnerability of the Service. | Service: BypassIDS |
| FindExploit | The possibility to discover a vulnerability related to this Service. | Service: DeployExploit |
| NonRootShellLogin | The possibility to log in to the Service and gain remote login/shell functionality as a normal, qualified non-root user. | Host: UserAccess |
| RootShellLogin | The possibility to log in to the Service and gain remote login/shell functionality as the root user. | Service(non-root): Host.UserAccess; Service(root): Host.Compromise |
| UserAccess | The possibility to connect to the Service and be prompted for login credentials (but not log in and use it). | Service: FindExploit |

| Defense | Description | Impact | Default |
|---|---|---|---|
| Patched | Denotes whether the Service has all applicable software security patches implemented. | Can prevent an Attacker from obtaining an exploit. | 0.5 |
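The following is an added example, not code from the original page or from the tool it documents. It transcribes the "Leads to" column of the attack step table into a small graph, lets the Patched defense cut an edge, resolves the Host(root)/Host(non-root) rows, and samples the Existence attribute described above so that a probabilistic Existence turns into a probability that a given step is reachable. Two modelling choices are assumptions and not rules stated on the page: Patched is modelled as removing the FindExploit to DeployExploit edge, and the three login steps (ApplicationLogin, NonRootShellLogin, RootShellLogin) are treated as needing a credential from the Access Control. The function names `reachable`, `edges` and `p_reachable` are hypothetical.

```python
import random
from typing import Dict, Iterable, List, Optional, Set

# "Leads to" edges of the Service object, transcribed from the attack step table.
# Each step is written "Object: Step"; the Host(root)/Host(non-root) rows are
# resolved in edges() below.
LEADS_TO: Dict[str, List[str]] = {
    "Service: ApplicationLogin": ["Service: DeployExploit", "Service: UserAccess"],
    "Service: BypassAntiMalware": ["Service: Compromise"],
    "Service: BypassIDS": ["Service: BypassAntiMalware"],
    "Service: Compromise": [
        "Service: Connect", "Dataflow: Respond", "Dataflow: Access",
        "Datastore: Read", "Datastore: Write", "Datastore: Delete",
        "Keystore: Read", "Keystore: Delete",
    ],
    "Service: Connect": [
        "AccessControl: Access", "Service: DenialOfService",
        "WebApplication: DiscoverNewVulnerability", "WebApplication: BypassWAFViaCI",
        "WebApplication: BypassWAFViaRFI", "WebApplication: BypassWAFViaSQLInjection",
        "WebApplication: BypassWAFViaXSS", "Service: UserAccess",
        "Service: ApplicationLogin", "Service: NonRootShellLogin", "Service: RootShellLogin",
    ],
    "Service: DenialOfService": ["Dataflow: DenialOfService"],
    "Service: DeployExploit": ["Service: BypassIDS"],
    "Service: FindExploit": ["Service: DeployExploit"],
    "Service: NonRootShellLogin": ["Host: UserAccess"],
    "Service: RootShellLogin": [],  # Host step appended by edges()
    "Service: UserAccess": ["Service: FindExploit"],
}

# Assumption: Patched "can prevent an Attacker from obtaining an exploit", modelled
# here as cutting the edge FindExploit -> DeployExploit.
DEFENSE_CUTS = {"Patched": ("Service: FindExploit", "Service: DeployExploit")}

# Assumption: the login steps need a credential handed out through the Access
# Control, so they are skipped unless the attacker already holds one.
NEEDS_CREDENTIAL = {"Service: ApplicationLogin", "Service: NonRootShellLogin",
                    "Service: RootShellLogin"}


def edges(runs_as_root: bool) -> Dict[str, List[str]]:
    """Copy of LEADS_TO with the Host(root)/Host(non-root) rows resolved."""
    g = {k: list(v) for k, v in LEADS_TO.items()}
    host_step = "Host: Compromise" if runs_as_root else "Host: UserAccess"
    g["Service: Compromise"].append(host_step)
    g["Service: RootShellLogin"].append(host_step)
    return g


def reachable(start: str, defenses: Iterable[str] = (), runs_as_root: bool = False,
              has_credential: bool = False,
              present: Optional[Dict[str, bool]] = None) -> Set[str]:
    """Steps an attacker who has reached `start` can reach along "Leads to" edges.

    `present` maps an object name to whether it exists in this scenario; steps on
    an absent object are dropped, which is what Existence = Off means."""
    g = edges(runs_as_root)
    cut = {DEFENSE_CUTS[d] for d in defenses if d in DEFENSE_CUTS}
    present = present or {}
    seen: Set[str] = set()
    todo = [start]
    while todo:
        step = todo.pop()
        if step in seen:
            continue
        obj = step.split(":")[0]
        if not present.get(obj, True):          # object switched off / not sampled in
            continue
        if step in NEEDS_CREDENTIAL and not has_credential:
            continue
        seen.add(step)
        for nxt in g.get(step, []):
            if (step, nxt) not in cut:          # edge removed by an enabled defense
                todo.append(nxt)
    return seen


def p_reachable(start: str, target: str, existence: Dict[str, float],
                trials: int = 4000, seed: int = 1, **kwargs) -> float:
    """Estimate P(target reachable) when objects carry a probabilistic Existence
    (0..1), by sampling each object's presence independently per trial."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        present = {obj: rng.random() < p for obj, p in existence.items()}
        if target in reachable(start, present=present, **kwargs):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    base = reachable("Service: Connect")
    patched = reachable("Service: Connect", defenses={"Patched"})
    print("Compromise reachable, unpatched:", "Service: Compromise" in base)
    print("Compromise reachable, patched:  ", "Service: Compromise" in patched)
    # WebApplication with Existence = 0.3 (constructed value for the demo)
    print("P(XSS path exists):", p_reachable("Service: Connect",
          "WebApplication: BypassWAFViaXSS", {"WebApplication": 0.3}))
```

Running the script shows the chain Connect, UserAccess, FindExploit, DeployExploit, BypassIDS, BypassAntiMalware, Compromise for an unpatched Service, and that enabling Patched removes Compromise unless the attacker also holds a credential (the ApplicationLogin route). The Monte Carlo estimate for the WebApplication steps converges on the Existence value given to that object.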
