Assets

A type of wireless network router that provides a cellular access network in a local region of space.

Represents a mobile phone network capable of supporting communication from mobile hosts.

Abstract representation of a cellular network, to which mobile 4G or 5G devices may connect. A private cellular network can be restricted to devices whose users have a specific system role.

Abstract representation of a cellular network, to which mobile 4G or 5G devices may connect. A public cellular network is open to anyone as a subscriber.

A type of radio network used in cellular networks.

Model of access rights, restricted to specific contexts.

An WebClient represents a general HTTP client process, which uses HTTP including REST, associated with a specific web application service. It includes interactive clients (e.g. browsers and apps) and non-interactive services. If your process is a general purpose interactive web client supporting access to arbitrary services using dynamic HTML and scripting (a browser), or an app for accessing one or more predefined services, use the relevant specialised subclass.

An WebBrowser represents an interactive HTTP browser process, used by a human to access online applications and to navigate the Web, and supporting active rendering of a user interface specified by HTML or embedded scripting languages.

An interactive HTTP client process, which uses HTTP including REST, associated with a specific web application service. If your process is a general purpose interactive web client (a browser), use a WebBrowser asset instead.

A base class for data type classification overlay parent classes.

A program that can be launched from a command line and used interactively by a possibly remote user via keyboard and screen only to view and alter stored data displayed in textual form.

Represents data whose original source is outside the model, delivered via unsolicited email.

A type of data whose compromise has a higher impact than other types of data.

Provides a means to interact with processes running on a remote host via a desktop service running on that host.

A process with a user interface specialised to support user interactions with data. If an Interactive Process amends data, the user is assumed to be responsible. If an Interactive Process creates or receives data that the user inputs, it is assumed the user does so via the Interactive Process unless another process is already being used for this.

An application process with a graphical user interface, but not specifically for data viewing and data entry.

Supports remote access to graphical desktop functionality on its host. If the service controls the host, it has root privileges, enabling remote system admin. If the service controls other processes running on the host, it has the privileges assigned to those processes, and users can interact via a remote desktop client with those processes and any data used by them. This is distinct from a simple login service which also provides access to the shell, but users can only interact with command line processes. A desktop service may be configured as a restricted workspace by enabling security controls such that it does not allow the user unrestricted access to the shell, but only to processes that are specified as being available to the desktop service.

A program whose only function is to view and alter stored data. Use a TextEditor asset for such a program that can be used with a simple text-based interface, i.e. without a GUI. If an Editor receives data, it will be assumed that the user views the data (or creates it if the data has no other source). If an Editor amends data, the user is assumed to be making the changes.

A process that allows data to be stored and accessed using a well known query language.

A process that provides remote access to data stored on a local disk (just block or file access, no data queries).

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

Base class for all assets describing data lifecycle states, excluding overlay parent classes.

Represents a class of data items that can be stored on Hosts, or processed and exchanged by Processes. Note that this asset represents the presence of data in the system. Physical copies of the data are represented by inferred assets linked with Processes that serve or use them, hosts where they are stored.

An interactive process that can be launched via a shell command line and used with a text interface, i.e., using a remote terminal client or a text editor.

A program that can be launched from a command line and used interactively by a possibly remote user via keyboard and screen only.

A process with significant complexity unable to run on a specialised device.

Represents an ESMTP Mail Exchange (MX) process, which listens for and responds to requests sent using ESMTP.

A virtual host containing support for sharing a virtual network and storage services with one or more Containers.

A CloudWorker represents a virtual cluster of worker nodes, which is allocated and managed via a framework such as Kubernetes.

A VM that forms part of a virtual cluster managed by a framework such as Kubernetes, but is used to host control plane functions of the management framework.

A subnet implemented by K8S using iptables rules to provide connectivity to Pods and Services using networks connecting their hosts.

A simple virtual host containing software needed to support a packaged process, suitable for deployment via Docker or Kubernetes.

A proxy for running commands on a Container within a K8S or Docker platform or equivalent. Behaves like a login service on a bastion server, providing shell access via a front-end system (the K8s Master Node) to login services on the Containers. It is not itself a login service, as it does not provide shell access on its own host. The default trustworthiness levels are set on the assumption that this asset will be subject to penetration testing by the data centre operator before it is used.

A proxy for accessing services running in a Container under a K8S or equivalent platform. The default trustworthiness levels are set on the assumption that this asset will be subject to penetration testing by the data centre operator before it is used.

Used to detect firing of construction patterns that produce no other assets.

A subclass of DataAccess relating to a process that serves data as an intermediary, without storing it locally (except possibly in a cache). This subclass is used where the process is not a DB process, implying there is no query processing and data is simply fetched and forwarded.

Represents stored data loaded by a process, in which the process acts as an enabler for access by other processes, i.e. a server of stored data.

A subclass of DataAccess relating to a remote access client used to interact with a process on another host. In this situation, the remote access client never holds a complete copy of the data in its memory, but it does participate in the data flow between its user and the remote process.

A subclass of DataUse relating to a process that creates data and also supplies the results for use by other processes.

A subclass of DataUse relating to a process that reads locally stored data and also supplies the data for use by other processes.

An overlay parent class covering all DataAccess assets that represent the production or consumption of data in data flows. This excludes processes that only serve data.

A subclass of DataUse relating to a process that uses data as both an input and an output.

Represents the exchange of data between interacting processes (or their ability to securely exchange data).

A subclass of DataAccess relating to a process that serves data as an intermediary, without storing it locally (except possibly in a cache). As such, the process acts as both a producer and a consumer in flows of this data.

A subclass of DataUse relating to a process that uses data as an input or produces it as output (i.e. data processing as opposed to data serving or data transfer).

A subclass of DataUse relating to a process that creates data as an output.

A subclass of DataUse relating to a process that uses data as an input.

A base class for any assets used only to model state created by data lifecycle inference patterns.

Represents an end to end flow of data between processes via a set of Data Steps connecting between intermediate processes.

Represents a copy of data stored in persistent memory on a device.

A common parent class for any asset that contains data, including assets that represent stored or flowing data, and assets such as IoT Things that incorporate embedded data.

Represents a stored copy of data, which may or may not be persistent. Class name reflects the fact that the copy may be a cached data flow, created by a process if it cannot send data when produced as output, or cannot use data as input when it is received. A persistent stored copy is represented by subclass DataCopy.

A base class for all assets representing Data. Used partly to provide a classifier for the palette.

Represents access to Data by a Process, including (in principle) the choice of which data instance(s) to serve or process.

A subclass of DataUse relating to a process that updates data and also supplies the results for use by other processes.

Overlay parent class representing data loaded by a process, in which the process acts as an enabler for data access by other processes, either as a data source or as a server of stored data.

Represents the ability of two processes to exchange data.

Used for model construction only.

A sequence of communicating processes from the process that uses data to the process that enables it to access the data.

Represents a specific element within a structured data asset. Used to model the presence of parts in data that may be more sensitive or have extra protection compared to the remaining contents of a data asset.

A parent class for certain types of data indicating the data is subject to national as well as European regulation under GDPR Article 9.4.

A parent class for certain types of data indicating the data is subject to additional data protection measures under the EU Regulation GDPR Article 9.

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or data concerning a natural person's sex life or sexual orientation. These categories of data are subject to GDPR Art 9, along with biometric, genetic and health data all of which are presented using separate specialised classes.

A Thing that can sense its physical environment and produce data describing aspects of that environment including the device user. A sensor has no console allowing login, but it may have an interface allowing some interaction with a human user.

Data used to control the physical actuator hardware in an IoT device.

A Thing that is able to affect aspects of the physical environment in ways defined by data sent to it. A Controller has no console allowing login, but it may have an interface allowing some interaction with a human user.

A simple process that runs on a controller and handles conversion of input data into control signals for robotic or other interaction with the real (physical) world.

Base class for inferred onboard sensor acquisition and control processes running on an IoT Thing.

Data sensed by the physical sensor hardware in an IoT device.

A simple process that runs on a sensor and handles the acquisition and sending of data from the real (physical) world.

A device with onboard processing able to interact with the physical world.

A group working together in pursuit of goals (which may or may not be shared by all the individuals participating in the group), constituted as a legal entity (e.g. a limited company, charity or government department). If your organisation does not have this status, make it an Organisation (the base asset class) instead.

Represents a specific set of regulations to which part or all of a system may be subject. The regulations themselves may come from several sources, e.g. EU and national laws may both apply to parts of a system in a given member state.

An individual, company, or other entity which has legal rights and is subject to obligations. Overlay parent class for Human and some Organisation subtypes.

Base class for assets representing or related to agency and governance mechanisms.

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

A USBClient is a device designed to be connected to other hosts via a USB link.

Represents the communication capability established when two devices are paired over a USB connection. Inferred where there is a pairsWithUSB relationship between devices.

A USB Host is one to which a USB device can be connected.

Route through a gateway Host to a connected USB/BT device from an IP network. Modelled as a type of Open Segment because the message source does not need to be obfuscated in transit through the gateway Host.

Route through a gateway Host between two devices paired with that Host by Bluetooth connections. Modelled as a type of Open Segment because the message source does not need to be obfuscated in transit through the gateway Host. In most devices, mesh routing is disabled by default, but SSM must assume it may be enabled so potential threats are not overlooked.

An L1Subnet is one that connects paired hosts directly, with no addressing as such used within the subnet. Used as a base class for USB and Bluetooth connections.

Represents the communication capability established when two devices are paired over a Bluetooth connection. Inferred where there is a pairsWithBluetooth relationship between devices.

Route through a gateway Host from a connected USB/BT device to an IP network. Modelled as a type of NAT Segment because the message source is obfuscated in transit through the Host. This is not SNAT because the source is not connected to the gateway via an IP network, but the effect is similar as the message acquires a source address of the gateway on the destination network.

Represents the ability to use removable (e.g. USB) storage devices as a means to transfer data between hosts. Such devices therefore act a bit like networks, so in practice any threats are caused by the mechanism used to connect them to other hosts.

Provides a means to access the command line on a remote host via a login service running on that host.

A remote access service is any process that can be accessed remotely and used to run commands or otherwise interact with processes running in a shell on its host.

A remote access client is any process that can be used to run commands or otherwise interact with processes running in a shell on a remote host.

Represents accessibility for a process when running on a specific host on a specific subnet, with links to the process, host and subnet, and locations (spaces), where it can be connected to that subnet, plus channels and paths that are accessible to a client or available for accessing a service when it is connected.

A network that uses radio as its means of communication, and may therefore be snooped or jammed.

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

A mobile interactive computer, equipped with wireless and sometimes cellular network interfaces, able to run arbitrary applications, including client processes for accessing services over a network. Although designated as a PC, they are not always used as personal devices.

Represents a process (usually implemented by software running on a Host) that can read, update or create data, or exchange data with other processes.

A physical subnet is one that makes direct use of physical hardware.

A physical host device, that could therefore be physically as well as electronically attacked (unlike a VirtualHost).

A mobile or IoT device that is dedicated to a single user and carried wherever they go. It is possible for hosts of these types to be non-dedicated, but if a user both interacts with and manages them, they are considered dedicated.

A common parent class for process-related access contexts.

A very simple fixed device used to transmit and receive data between different locally connected subnets.

Represents accessibility for a process when running on a specific host in a specific location, with links to the process, host, location (space), and networks it can use for communication in that location, plus channels and paths that are accessible to a client or available for accessing a service when in that location.

A fixed physical host used to run application processes that are accessed remotely over a network. If your server device is not headless, make it a Workstation.

A locally connected physical network that uses radio communication.

A parent class for devices that are specialised for a purpose, and are therefore not normally able to host arbitrary processes and data. As distinct from GeneralHost devices, which have no such limitations.

A fixed physical host with a fully functional user interface, including a conventional PC, used to run interactive applications locally, as well as interactive client processes for accessing services over a network.

A network that uses physical wiring as its means of communication.

A locally connected network in which connections between hosts are provided by physical wires.

A base class for logical subnet classification overlay parent classes.

A base class for all process classification overlay parent classes.

A base class for all host classification overlay parent classes.

A parent class for devices that support access via something equivalent to a shell, i.e. a means for users to run and control processes.

A type of simple process that is so trivial that some types of threats arise so rarely they can be neglected, e.g. threats involving software bugs.

A mobile physical host used to run apps, some of which run locally but many act as clients for accessing services over a network.

Represents the ability of processes on a common host to communicate with each other using the loopback address.

Represents a text messaging client running on a phone that is used interactively by its users. The domain model assumes every smart phone will be running one of these clients, but they must be inserted by users if they run on other devices including tablets or PCs, etc.

A mobile physical host used to run apps that mostly act as clients for accessing services over a network, and which typically connects using near field communications to a router such as a smartphone.

A mobile physical host used to run apps that mostly act as clients for accessing services over a network.

A process with limited complexity able to run on a specialised device.

A device specialised to support functionality so limited that it does not support shell access, e.g. a USB thumb drive, IoT controller or IoT sensor.

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

Represents accessibility for a host when on a specific subnet, with links to the host, subnet, and locations (spaces) where it can be connected to in that subnet.

A Host that has no fixed location, and whose network connections are thus mostly non-persistent.

Base class for all network subnets, including real subnets (i.e. those over which messages can be sent or routed) and some that are not real but represent a set of (inferred) real networks and routers.

A simple process that runs on a host and handles authentication of that hosts to subnets that require it.

A simple process that provides authentication and authorization of client processes or devices connecting to other services and networks.

A collection of identical physical servers that can be managed as a cluster. A singleton Cluster in a system model represents multiple Server-class Hosts.

Common base class for any Host that represents a collection of Hosts.

A (physical) host with a user interface that also supports shell access, making it possible for users to log in. Attackers who can gain physical access could also exploit vulnerabilities and gain control over the device.

Represents a wide area, mostly wired network composed of several connected subnets that are not explicitly included.

A type of wired network router that provides connections with and within core networks.

A building or buildings containing physical hosts and networks that can itself be connected to other networks, and used to support virtual hosts and management via a cloud platform. Internal connections and resources will be inferred where necessary, if not added manually.

A (physical) host device that has no built in (physical) user interface, which means it cannot be used directly by a Human.

Represents a general ESMTP Mail User Agent (MUA) process. It provides a means for attackers to send malicious content designed to trick its users. Used as a base class for assertible subclasses representing webmail services and desktop email clients, etc.

Represents an ESMTP Mail User Agent (MUA) process accessed remotely by users. This is either via a WebBrowser (which makes the MUA a webmail service) or an EmailClient (which makes the MUA an IMAP/POP service). The MUA provides a means for attackers to send malicious content designed to trick its users.

A Host that is always located in one fixed Space, i.e. it doesn't move around, and its network connections are thus persistent.

A parent class for devices that are able to run arbitrary processes and hold data with no problems. Distinct from SimpleHost devices, which are specialised to a particular purpose.

A process with significant complexity unable to run on a specialised device.

Represents an ESMTP Mail User Agent (MUA) process that is used interactively by its users.

A device that can store, process, transmit or receive data.

A device that is mobile, but could be a Notebook, Smartphone, or Tablet. Used where different users may employ different types of client device, so the model cannot specify (or assume) a single type.

Supports remote access to command line functionality on its host. If the service controls the host, it has root privileges, enabling remote system admin. If the service controls other processes running on the host, it has the privileges assigned to those processes, and users can interact via a remote terminal client with those processes. A desktop service may be configured as a restricted workspace by enabling security controls such that it does not allow the user unrestricted access to the shell, but only to processes that are specified as being available to the login service.

A common parent class for host-related access contexts.

An OSI Layer 3 subnet is one that supports addressing of messages between connected devices and devices that need not be connected to the same subnet.

An OSI Layer 2 subnet is one supporting communication between connected devices.

Common parent of L2 and L3 subnets, i.e. subnets that support communication between different, unpaired hosts.

An L0Subnet is one provided by a host for communication within that host. This covers API calls and socket level communication between hosted processes to emulated IP switching between virtual hosts. The key difference between this and L3 virtual networks is that intrusion on the network is impossible except by compromising a connected host.

A base class for any means of communication between hosts.

Special type of PhysicalSubnet, used as an abstraction for the core and access networks that make up the global, public Internet. There is only one Internet, so only one of these should appear in each system model.

Common parent of L0 and L1 subnets, i.e. subnets that support communication within a single host or between two paired hosts.

Represents accessibility for a host when in a specific location, with links to the host, location (space), and networks it can be connected to in that location.

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

Base class for all network assets excluding host devices, including abstract and real subnets, network interfaces, routes through gateway hosts, and extended network paths.

A base class for logical subnets that are purely internal within a single host.

A (physical) host with a user interface that allows users to interact with a process, but not to log into the host.

Represents a path in the network between two LogicalSubnets in which all of the subnets involved are physical.

A route between subnets via a gateway on which messages cannot be routed by default. Subclasses are used to represent cases where messages can be routed, so a route represented by the base class only is one where messages cannot be sent unless they are replies on a previously established connection.

Base class for all assets representing network communications.

The interface between a Host and a Logical Subnet. Represents a possible point of control and a target for attack. If the Logical Subnet is an IP network, the Interface also represents the existence of an IP address.

Base class for network paths.

A route through a Host between two connected Logical Subnets along which it is always possible to route messages.

A base class representing a route through a Host between any two distinct Logical Subnets of any kind.

Route through a Host between two distinct Logical Subnets in which the source of the message (e.g. its IP address) is rewritten in transit through the gateway Host. If both subnets are IP networks, this corresponds to SNAT on outbound messages.

Represents a path in the network between two LogicalSubnets.

A route through a Host between two connected Logical Subnets along which it is possible to route messages where the message source need not be obfuscated by any form of network address translation, although the destination address may in some cases be changed from that of the gateway Host.

A route through a NAT device (or equivalent) from a public subnet to a private one. In an IPv4 network, destination addresses for messages along this route must be translated from public to private addresses. This would normally only happen if the message is a response in a previously established connection from private to public subnets, unless port forwarding is implemented to allow access to specific services.

Used for model construction only.

A base class for any assets used only to model state created by network connectivity inference patterns.

Used for model construction only.

A public space with a boundary, so it can feasibly be checked or inspected despite being a public space. The boundary may be a physical perimeter (e.g. as in a public building), or non-physical (e.g. a region within an open space whose boundary is specified on a map). Note that access to the space cannot be restricted. A separate PrivateSpace type is used for bounded spaces with a secure perimeter and access restrictions.

An overlay parent class descended from Palette Type, to be used to control the grouping of assertable assets in the SSM GUI Asset Palette.

Represents a bounded physical space that can be secured to restrict access.

Represents an open physical space that anyone can access, lacking even a defined boundary so it cannot even be patrolled or inspected. Use the Bounded Space type for more localised regions or public buildings, etc.

Represents a physical space in which devices may be located or from which networks may be accessed.

A singleton subclass of Public Space representing all unsecured physical locations that are not in any other Space.

A data item or set that contains genetic information relating to individuals.

A data item or set that contains biometric measurements relating to individuals.

A data item or set that contains health information, which may or may not be related to a specific individual.

A sensor for acquiring health related data from a patient. Has no console allowing login, but it may have an interface allowing some interaction with a human user, who may or may not be the patient.

Path to a service from a subnet which is on a path from at least one legitimate client, so messages sent from this subnet can reach the service, even if default firewall rules could normally prevent it.

Base class for all attack paths not related to a specific client.

Path to a service from a subnet which is on a path from a legitimate client, so messages sent from this subnet can reach the service, even if default firewall rules could normally prevent it.

A simple reverse proxy process that provides a proxy endpoint for some other, usually HTTP(S) service.

Base class for paths linked to logical subnets through which client-service connection requests are made.

Represents a communication path through the network between a Client and a Service. This channel is privileged, in the sense that where default firewall rules would block connections from the Client to the Service, they are enabled by an exception to the default rules.

Base class for client-service connection assets.

Path to a service from a subnet from which a message can be sent to the service that (due to network address translation) would appear to come from a source address that is indistinguishable from at least one legitimate client.

Path to a service from a subnet from which a message can be sent to the service that (due to network address translation) would appear to come from a source address that is indistinguishable from a specific legitimate client.

Represents a path to a service from a logical subnet that is on a path from a specific legitimate client.

Represents a trust relationship between a Client and a Service. Exists where the two communicate directly, or where the Service may need to know the identity of the Client.

Base class for all attack paths related to a specific client.

Represents a trust relationship between a Client and a Service. Exists where the two exchange authorization tokens but not necessarily other credentials.

Base class for all attack paths.

Base class for assets representing process-process relationships, privileged communication channels, and opportunities for attacks using those channels.

A Human who is below the applicable age of consent for participation in an IT-based system.

A Human who is legally competent to give their consent for any process resulting from their participation in an IT based system.

An individual user role within the socio-technical system that uses and/or manages assets.

A group working together in pursuit of goals, which may or may not be shared by all the individuals participating in the group. An organisation need not be a legal entity with similar legal status to an individual (e.g. a limited company, charity or government department), as it may represent a loose federation or social group. If your organisation is a legal entity, make it a Legal Organisation instead.

Represents an entity with motives for engaging in the modelled system. Note that systems are modelled as socio-cyber-physical systems, so users and various organisational actors are considered part of a system they are using.

A virtual subnet is any subnet comprising a slice (in any sense) of one or more physical subnets.

A virtualised device provisioned by another Host, usually but not always at a data centre, using a subset of the underlying physical hardware capacity. Distinct from a PhysicalHost.

A virtual network created by means of protocol tunnelling over other networks. Packet level encryption is usually but not always used, so only physical routing headers (not VPN headers or message content) is accessible in the underlying network.

A virtual host provisioned at a data centre, allocated a fraction of the underlying physical hardware capacity, and able to host arbitrary applications and data.

Link between two physical hosts that is needed to support communication between clients and services over virtual networks.

A very simple virtual device used to transmit and receive data between different locally connected (possibly virtual) subnets.

Common parent class for any host that is automatically scalable, i.e. a virtual host where the number of instances can be increased to handle increased loads.

A subnet implemented using iptables rules to provide an IP address overlay on an existing network. This can be used to route between virtual hosts using a network that connects their physical hosts, for example.

A locally connected (virtual) network between a host device and virtual hosts provisioned on that device.

Represents a physical network path between physical hosts that is used to route traffic in a virtual subnet, underpinning a Virtual Channel.

A collection of identical virtual servers that can be managed as a cluster. A singleton VCluster in a system model represents multiple VM-class Hosts.

A locally connected virtual network in which connections between hosts are transported over other networks. Includes software defined networks.