Package ProcessComms
URI: ProcessComms
Description: Model of process-process communications.
The authentication credentials of a client accessing a service are no longer secure and reliable, i.e. the client could can be impersonated to the service. This does not necessarily mean an attacker can access the service, only that they have access to client credentials. |
|
The client is influenced by a malicious actor who is able to induce the client to send malicious requests to its service. |
|
Referring to a client-service relationship, representing inability of the client to authenticate with the service. |
|
Untrustworthy users are able to send messages to a service from the direction of a specific client. This relates to any message so it includes messages sent anonymously, prior to authentication. It is not related to which users can access the service. Consequently, a high likelihood is not in itself a cause for concern, so the impact level should never be raised for this behaviour. |
|
A malicious actor is able to access the related service and authenticate as the related client. This means the attacker is able to send requests to the service, and either the attacker has access to client credentials or the service fails to authenticate before allowing access. |
|
There is a loss of connectivity between processes. |
|
A malicious actor is able to send messages via a reverse proxy to a related service. The service is exposed to malicious requests, but not directly from an attacker. |
|
The service accessed by a client is controlled by a malicious actor, usually (but not always) caused by the service being hacked by an external attacker. |
|
Applies to a communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets. Signifies that exceptions do exist allowing client-service connections and communications to tunnel through a default deny routing policy. |
|
The service accessed by a client is an imposter. |
An application firewall is used at Proxy to protect Process from remote vulnerability exploits. |
|
The service Service has a whitelist of network addresses from which it accepts client requests, and all the network interfaces from which requests may come have addresses that are fixed or in a restricted range not available to attackers. |
|
Access to service Service by client Client is disabled. This control strategy represents a permanent restriction introduced by design, or a temporary situation created following activation of a contingency plan. In the latter case, this control strategy should not itself be selected, because its controls will be fulfilled by the contingency plan activation strategy. |
|
Apply a default firewall rule at host Host to drop messages sent to services running on the host from subnet LogicalSubnet. This strategy may represent a run-time adaptation in response to a threat, or a permanent restriction introduced by design or in accordance with an operational policy or user preference. It also triggers threats representing side effects that would be caused by such a restriction, which affect access to services running on Host but not other uses of its connection to LogicalSubnet. |
|
Firewall rules that normally allow access to service Service by clients on otherwise blocked network paths are switched off. This strategy represents a permanent restriction introduced by design or in accordance with an operational policy or user preference to avoid accessing Service over certain networks. It may also arise as a side effect of a run-time response to a more specific threat. In either case, it triggers threats representing side effects that would be caused by such a restriction where they affect all available network paths used by a client. |
|
Firewall rules that normally allow access to service Service by clients on otherwise blocked network paths are switched off to prevent an attack. This strategy may represent a run-time adaptation in response to a threat, or a permanent restriction introduced by design or in accordance with an operational policy or user preference to avoid accessing Service over certain networks. It also triggers threats representing side effects that would be caused by such a restriction where they affect all available network paths used by a client. |
|
Signifies that Service can be considered immune to a confused deputy attack that does not involve exploitation of a software vulnerability. This should be used when Service is programmed in such a way that it can only access a back-end service for specific clients. Do not use this if access to back-end services require OIDC- or OAuth-style tokens issued to the client - in that case add the OIDC/OAuth service along with the appropriate relationships from the client and to the back-end service(s). |
|
Change from: Access to service Service by client Client may be temporarily disabled by the process manager ServiceManager to prevent the service forwarding excessive requests or becoming overloaded itself, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it also triggers other threats representing side effects of the policy change, based on how likely it is that the contingency plan will need to be activated. |
|
Access to service Service by client Client is disabled by the process manager ServiceManager to prevent the service forwarding excessive requests or becoming overloaded itself. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again. |
|
Firewall rules that normally allow access from client Client to service Service may be temporarily switched off by manager HostManager of the service host SHost if the network path is subject to snooping. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Firewall rules that normally allow access from client Client to service Service have been switched off by manager HostManager of the service host SHost to prevent snooping. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, user HostManager who is responsible for managing SHost should arrange for firewall policies to be switched off. The Disable Service Channel control should be deselected only when access is enabled again. |
|
Firewall rules that normally allow access from client Client to service Service may be temporarily switched off by manager HostManager of the service host SHost if the network path is subject to snooping. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Access to service Service by client Client may be temporarily disabled by its manager ServiceManager to prevent authenticated attacks by impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Access to service Service by client Client is disabled by the process manager ServiceManager to prevent authenticated attacks by impersonated clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again. |
|
Access to service Service by client Client may be temporarily disabled by the process manager ServiceManager to prevent authenticated attacks by compromised or impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it also triggers other threats representing side effects of the policy change, based on how likely it is that the contingency plan will need to be activated. |
|
Access to service Service by client Client is disabled by the process manager ServiceManager to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again. |
|
Firewall rules that normally allow access to service Service on specific network path(s) may be temporarily switched off by its host manager HostManager. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
|
Firewall rules that normally allow access to service Service on specific network path(s) have been switched off by its host manager HostManager. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, user HostManager who is responsible for managing host SHost should arrange for firewall policies to be switched off, ideally as close as possible to subnet LogicalSubnet from where the risk arises.The Disable Service Channel control should be deselected only when access is enabled again. |
|
Firewall rules that normally allow access to service Service on specific network path(s) may be temporarily switched off by its host manager HostManager. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated. |
Applies to a client-service relationship, and means the service accepts client connections only from a set of known network addresses. |
|
A filter that scans the content of requests to a service, and refuses to forward any request in which malicious content is detected. |
|
Artificial control used to specify when a Process acting as a service is immune to a confused deputy attack except by exploitation of a vulnerability. |
|
Signifies that access to a service in a specific client role is disabled, i.e. the policy allowing access to a service in a specific client role has been switched off. This may represent a permanent restriction introduced by design, or a temporary situation created by a run-time response to an increased risk level. Either way, it causes a loss of availability as a side effect. |
|
Signifies that a service channel (i.e. a tunnel through firewall controls) which is assumed to be in place for expected client-service connections is disabled. This is not a contingency plan but a restriction introduced by design, or as a run-time threat response. |
|
Change from: Signifies that access to a service in a specific client role may be temporarily disabled if the client is compromised, i.e. the policy allowing access to a service in that client role may be dynamically switched on or off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. This control governs access rights for a specific client to a specific service, and so applies to the inferred Client-Service Relationship asset representing their mutual trust. |
|
Applies to an inferred Service Channel asset representing the privileged path from client to service. Signifies that the service channel may be temporarily disabled, i.e. policy exceptions allowing client-service messages to pass through default firewall rules are switched off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. |
|
Signifies that access to a service in a specific client role may be temporarily disabled if their means of authentication is compromised, i.e. the policy allowing access to a service in that client role may be dynamically switched on or off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. This control governs access rights for a specific client to a specific service, and so applies to the inferred Client-Service Relationship asset representing their mutual trust. |
|
Signifies that access to a service in a specific client role may be temporarily disabled if the client is compromised, i.e. the policy allowing access to a service in that client role may be dynamically switched on or off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. This control governs access rights for a specific client to a specific service, and so applies to the inferred Client-Service Relationship asset representing their mutual trust. |
|
Applies to an inferred Service Channel asset representing the privileged path from client to service. Signifies that the service channel may be temporarily disabled, i.e. policy exceptions allowing client-service messages to pass through default firewall rules are switched off. This represents a contingency plan which will compromise availability, to an extent based on the likelihood of the attack. |
A privileged path through the network to a service from a subnet accessible by attackers . |
|
A trust relationship between a client and a service that relates to the use of that service to authenticate the client and/or verify their access rights. |
|
A trust relationship between a client and a service that relates to the use of that service to verify third party access rights. |
|
A network path that provides a basis for attacks on services via NAT devices. |
|
A privileged path through the network to a service from a subnet accessible by attackers whose messages would be addressed in a way that is consistent with a specific client. |
|
A trust relationship between a client and a service. |
|
A network path to a service from a subnet through which messages from a specific client would pass. |
|
A privileged path through the network to a service from a subnet accessible by attackers whose messages are rewritten by a NAT gateway in a way that is consistent with a specific client. |
|
A privileged path through the network to a service from a subnet accessible by attackers whose messages are rewritten by a NAT gateway in a way that is consistent with at least one client. |
|
The host of a service. This role name is chosen so alphanumeric sorting puts it between client-related roles and the network path used by those clients to communicate with the service. |
|
A process acting as a service. This role name is chosen so alphanumeric sorting puts it between client-related roles and the network path used by those clients to communicate with the service. |
|
A subnet on a path between client and service where messages from an attacker could join that path and benefit from newtork address translation en route to the service. |
|
A client service trust relationship in a chain between a client and a service via a reverse proxy. |
|
A client service trust relationship between a client and a service that communicate indirectly. |
|
A client service trust relationship in a chain between a client and a service via a reverse proxy. |
|
Refers to a pre-existing subnet, which (if present) changes the significance of assets matching other roles in the same pattern. |
|
A privileged path through the network to a service from a subnet accessible by attackers whose messages are addressed in a way that is consistent with a specific client, and are not rewritten by a NAT gateway. |
|
A privileged path through the network to a service from a subnet accessible by attackers whose messages are addressed in a way that is consistent with at least one client, and are not rewritten by a NAT gateway. |
|
A process acting as a reverse proxy, relating requests between a client and a service. |
|
A client-service trust relationship existing between a client or service and an intervening reverse proxy. |
|
A process acting as a client to a reverse proxy. |
|
A privileged path through the network to a service from a subnet accessible by attackers whose messages would be addressed in a way that is consistent with at least one client. |
|
A privileged communication path through the network between a client and a service. |
|
A client channel representing the relationship between a process and a key vault holding keys used by the process to access data. |
Base class for all attack paths. |
|
Represents a trust relationship between a Client and a Service. Exists where the two exchange authorization tokens but not necessarily other credentials. |
|
Base class for all attack paths related to a specific client. |
|
Represents a trust relationship between a Client and a Service. Exists where the two communicate directly, or where the Service may need to know the identity of the Client. |
|
Represents a path to a service from a logical subnet that is on a path from a specific legitimate client. |
|
Path to a service from a subnet from which a message can be sent to the service that (due to network address translation) would appear to come from a source address that is indistinguishable from a specific legitimate client. |
|
Path to a service from a subnet from which a message can be sent to the service that (due to network address translation) would appear to come from a source address that is indistinguishable from at least one legitimate client. |
|
Base class for assets representing process-process relationships, privileged communication channels, and opportunities for attacks using those channels. |
|
Base class for client-service connection assets. |
|
Base class for paths linked to logical subnets through which client-service connection requests are made. |
|
Path to a service from a subnet which is on a path from a legitimate client, so messages sent from this subnet can reach the service, even if default firewall rules could normally prevent it. |
|
Path to a service from a subnet which is on a path from at least one legitimate client, so messages sent from this subnet can reach the service, even if default firewall rules could normally prevent it. |
|
Base class for all attack paths not related to a specific client. |
|
Represents a communication path through the network between a Client and a Service. This channel is privileged, in the sense that where default firewall rules would block connections from the Client to the Service, they are enabled by an exception to the default rules. |
|
A simple reverse proxy process that provides a proxy endpoint for some other, usually HTTP(S) service. |
Only trustworthy users can send messages to a service from the direction of a specific client. This relates to any message so it includes messages sent anonymously, prior to authentication. It is not related to which users can access the service. Consequently, the calculated level will often be low, and this is not necessarily a cause for concern. |
|
The client accessing the related service has a reliable means of authentication which can be verified by the service. This is not related to the trustworthiness of those able to access the service, only the trustworthiness of those in possession of client credentials. |
|
The client accessing the related service is not controlled by an untrustworthy actor. This pertains to the trustworthiness of those able to access the service as the client (i.e., after authentication). |
|
The client is clear on what requests it should send to the service on behalf of its own clients. |
|
Only trustworthy clients can send requests via the client (which is a reverse proxy) to the related service. |
|
The service accessed by a client is not an imposter. |
|
Applies to a communication route, i.e. the Interface between a Host and a Subnet, or a Logical Segment representing a route between two Subnets. Signifies that no exceptions were created to allow client-service connections and messages to tunnel through a default deny routing policy. |
|
The service accessed by a client is not controlled by a malicious actor. |