STRIDE mapping

This section of the coreLang Language Reference categorizes the attack steps in coreLang according to the STRIDE model.

The following is an excerpt from the Wikipedia page on STRIDE.

STRIDE is a model for identifying computer security threats developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for security threats in six categories.

The threats are:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

In coreLang, each modeling object has a set of related attack steps. These are operations that an attacker is expected to attempt in order to gain access to the object, or to other connected objects, for continued progress within the modeled environment.

Since coreLang is developed with attack operations in mind, some attack steps are not covered by the STRIDE categories and some are related to several STRIDE categories.

Application

| coreLang Attack Step Name | STRIDE Category |
|---|---|
| AccessNetworkAndConnections | n/a (A suitable category would be "establish reachability". The closest STRIDE mapping would be "I", thinking about network enumeration, but this attack step is not about information gathering but rather establishing contact.) |
| AttemptLocalConnectVulnOnHost | n/a (Prerequisite operation to other operations.) |
| AttemptNetworkConnectViaResponse | n/a (Prerequisite operation to other operations.) |
| AttemptReverseReach | n/a (Prerequisite operation to other operations.) |
| AttemptUseVulnerability | n/a (Prerequisite operation to other operations.) |
| Authenticate | Spoofing |
| Deny | Denial of service |
| FullAccess | Elevation of privilege |
| LocalConnect | n/a (See AccessNetworkAndConnections.) |
| Modify | Tampering |
| NetworkConnect | n/a (See AccessNetworkAndConnections.) |
| NetworkConnectViaResponse | n/a (See AccessNetworkAndConnections.) |
| Read | Information disclosure |
| SpecificAccess | Elevation of privilege (gaining access to a low privileged account is also categorized as elevating privileges since the attacker should have no privileges at all). |
| SpecificAccessAuthenticate | Spoofing |
| UnsafeActivityByUser | n/a (See AccessNetworkAndConnections.) |

ConnectionRule

| coreLang Attack Step Name | STRIDE Category |
|---|---|
| AccessNetworks | n/a (A suitable category would be "establish reachability". The closest STRIDE mapping would be "I", thinking about network enumeration, but this attack step is not about information gathering but rather establishing contact.) |
| DenialOfService | Denial of service |

Credentials

| coreLang Attack Step Name | STRIDE Category |
|---|---|
| AttemptAccess | n/a (Prerequisite operation to other operations.) |
| AttemptUse | n/a (Prerequisite operation to other operations.) |
| CredentialTheft | Information disclosure |
| CredentialsReuse | Spoofing (if the credentials are modeled as authentication credentials); Repudiation (if the credentials are modeled as signing credentials) |
| Delete | Denial of service |
| Deny | Denial of service |
| GuessCredentials | Information disclosure |
| Read | Information disclosure |
| Use | Spoofing (if the credentials are modeled as authentication credentials); Repudiation (if the credentials are modeled as signing credentials) |
| UseLeakedCredentials | Spoofing (if the credentials are modeled as authentication credentials); Repudiation (if the credentials are modeled as signing credentials) |
| Write | Tampering |

Data

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| Access | n/a (Prerequisite operation to other operations.) |
| ApplicationRespondConnect | Spoofing |
| AttemptAccess | n/a (Prerequisite operation to other operations.) |
| AttemptAccessFromIdentity | n/a (Prerequisite operation to other operations.) |
| CompromiseAppOrigin | Tampering (and Repudiation if SigningCredentials are present but also compromised) |
| Delete | Denial of service |
| Deny | Denial of service |
| Eavesdrop | Information disclosure |
| Extract | Information disclosure |
| MainInTheMiddle | Tampering |
| Read | Information disclosure |
| ReadContainedInformation | Information disclosure |
| Write | Tampering |

Group

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| CompromiseGroup | Spoofing |

Identity

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| Assume | Spoofing |
| AttemptAssume | n/a (Prerequisite operation to other operations.) |

Information

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| AttemptAccess | n/a (Prerequisite operation to other operations.) |
| Delete | Denial of service |
| Deny | Denial of service |
| Read | Information disclosure |
| Write | Tampering |

Network

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| Access | n/a (Prerequisite operation to other operations.) |
| AccessNetworkData | n/a (Prerequisite to Eavesdrop.) |
| BypassAccessControl | n/a (Prerequisite to Access.) |
| BypassEavesdropProtection | n/a (Prerequisite to Eavesdrop.) |
| BypassMitMProtection | n/a (Prerequisite to MainInTheMiddle.) |
| DenialOfService | Denial of service |
| Eavesdrop | Information disclosure |
| MainInTheMiddle | Spoofing, Tampering, Repudiation |
| NetworkForwarding | Tampering |
| PhysicalAccess | n/a (Prerequisite operation to other operations.) |

PhysicalZone

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| GainPhysicalAccess | n/a (Prerequisite to attack steps in the System object.) |

RoutingFirewall

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| AccessNetworkAndConnections | n/a (A suitable category would be "establish reachability". The closest STRIDE mapping would be "I", thinking about network enumeration, but this attack step is not about information gathering but rather establishing contact.) |
| AttemptLocalConnectVulnOnHost | n/a (Prerequisite operation to other operations.) |
| AttemptNetworkConnectViaResponse | n/a (Prerequisite operation to other operations.) |
| AttemptReverseReach | n/a (Prerequisite operation to other operations.) |
| AttemptUseVulnerability | n/a (Prerequisite operation to other operations.) |
| Authenticate | Spoofing |
| DenialOfService | Denial of service |
| Deny | Denial of service |
| FullAccess | Elevation of privilege |
| LocalConnect | n/a (Prerequisite operation to other operations.) |
| Modify | Tampering |
| NetworkConnect | n/a (Prerequisite operation to other operations.) |
| NetworkConnectViaResponse | n/a (Prerequisite operation to other operations.) |
| Read | Information disclosure |
| SpecificAccess | Elevation of privilege (gaining access to a low privileged account is also categorized as elevating privileges since the attacker should have no privileges at all). |
| SpecificAccessAuthenticate | Spoofing |
| UnsafeActivityByUser | n/a (Prerequisite operation to other operations.) |

SoftwareProduct

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| CompromiseApplication | Repudiation, Tampering |
| DenyApplication | Denial of service |
| ModifyApplication | Tampering |
| ReadApplication | Information disclosure |

SoftwareVulnerability

Abusing or succeeding with an attack operation on a vulnerability is not considered important in the STRIDE context. Instead, these operations have an effect on the connected Application. The actual effect of them is therefore considered (and classified) within the connected Application object.

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| Abuse | n/a (Affecting Application.) |
| Deny | n/a (Affecting Application.) |
| Exploit | n/a (Prerequisite to Abuse.) |
| ExploitTrivially | n/a (Alternative prerequisite to Exploit.) |
| ExploitWithEffort | n/a (Alternative prerequisite to Exploit.) |
| Impact | n/a (Affecting Application.) |
| Modify | n/a (Affecting Application.) |
| Read | n/a (Affecting Application.) |

User

| coreLang Attack Step Name | STRIDE Mapping |
|---|---|
| AttemptDeliverMaliciousRemovableMedia | n/a (Prerequisite operation to other operations.) |
| AttemptSocialEngineering | n/a (Prerequisite operation to other operations.) |
| CredentialTheft | Information disclosure (Spoofing happens on the Identity object when using the stolen credentials.) |
| DeliverMaliciousRemovableMedia | n/a (Prerequisite operation to other operations.) |
| PasswordReuseCompromise | Information disclosure (As in the attacker finding more identities also matching the previously stolen credentials.) |
| PhishUser | n/a (Prerequisite operation to other operations.) |
| UnsafeUserActivity | Spoofing and elevation of privilege (Since the attacker succeeds with making the user execute code on behalf of the attacker, i.e. impersonating the user.) |