The Target of Evaluation
The system in question was called *RideShare* and is a SaaS mobility solution where drivers, aka partners, are matched with riders, aka customers, in an optimized way to reduce ETA, waiting time, and driving distance. There were no architectural diagrams of the solution. We know it runs the Backend/APIs in some cloud. The descriptions of the architecture were, I suppose, left intentionally vague, perhaps to allow teams to show their understanding (modeling) of the system and how they elicit threats.
In my team, I proposed using the C4modeling technique to describe the system. I find it to be very useful to break the complexity of the target of evaluation and to be able to understand the system in its context (users, third-party systems, etc) before diving into the details. This breaks a bit with the “simple” diagrams usually taught while threat modeling (circles for processes, parallel lines for storage, directed lines for data flows) but it adds more context to better understand the components and keeps you from going back and forth between the description and the diagram when threat hunting. Here’s the diagram we came up with:
We identify the riders, and drivers using their apps, and the respective backends/APIs they communicate with. We also see that there is a “Dispatch System” making the matches between riders and drivers. We can see the data types being exchanged.
We then went on to create so-called *container diagrams*. They show deployable units, not docker containers. Creating one from the description of the Mobile App was not difficult. But creating one from the description of the Different backend APIs was incredibly difficult because of the vagueness of the description.
This is part of the description given for the *Dispatch Service* architecture.
- All the active cabs keep on sending the location to the server once every 4 seconds through a web application firewall and load balancer. The accurate GPS location is sent to the data center through Kafka’s Rest APIs once it passes through the load balancer. Here we use Apache Kafka as the data hub.
- The location (state machine/latest location of cabs) will be sent to the database and to the dispatch optimization to keep the latest location updated.
We can identify that Kafka, a load balancer, a WAF, and a database are in use. We then want to understand which databases are in use and this is the description we receive:
- Redis for both caching and queuing. Some are behind Twemproxy (which provides scalability of the caching layer). Some are behind a custom clustering system.
- Ride Share uses schemaless (built in-house on top of MySQL), Riak, and Cassandra. Schemaless is for long-term data storage. Riak and Cassandra meet high-availability, low-latency demands.
So, which database is used for what? We have three possible databases and a vague description of how they could possibly fit into this picture. We spice that with Kafka and now the question is how is Kafka connected to the DB.
Now if we look at the *Analytics* component, the description is likewise intriguing:
- For log analysis, Ride Share uses multiple Kafka clusters. Kafka takes historical data along with real-time data. Data is archived into Hadoop before it expires from Kafka. The data is also indexed into an Elastic search stack for searching and visualizations. Elastic search does some log analysis using Kibana/Graphana.
Interesting questions arise here from the use of topics in Kafka and whether they are matched to an individual user or not.
There were several pages of description about ETA calculation, map region definition and building, and how the *Dispatch service* matches riders and drivers. Without knowing how this data flows within the components that make up this or the other services, it was hard to come up with many threats to them.
In my team we couldn’t really figure out the architecture beyond the high-level view already shown. This is something that could be improved upon for a future hackathon version.
There were no details on how the software is created and deployed, which can also lead to many serious vulnerabilities and by consequence threats.
We identified three threat actors within the context diagram:
- Internal to rideShare,
- Man in the middle, and
- one that directly probes the APIs:
For the mobile apps, we identified these bad actors:
- one jamming or otherwise interfering with GPS signals,
- one within the phone (process or physical access to mobile device), and
- man in the middle.
The Feedback
We had two intermediate checkpoints to show how we answered the typical threat modeling questions:
- What are we building?
- What could go wrong?
- What can we do about it?
- Did we do a good job?
Each checkpoint’s feedback was provided by a different mentor. The feedback was structured so that there was a general comments section and a section that structured points to consider. The structured points show the criteria by which threat models would be judged. This is the list of structured points of evaluation:
- The depth and breadth of details in the system model created
- The range and variety of threats identified
- The relevance of threats identified
- The comprehensiveness of the threats identified
- The effectiveness of the threat prioritization
- The range and variety of solutions identified and the feasibility of the implementation plan
- The comprehensiveness of the reflection process
- The presentation of the deliverable and the message clarity in the threat model document
The quality of the feedback provided in the general comments was really good, even if a bit contradictory with regard to the scope of analysis. As many details about the application, its development, and its operation were missing, we made some assumptions. The first reviewer suggested reducing the scope of analysis, thus we set some items like the development process out of scope. the second reviewer, in turn, advised us to reconsider what we were leaving out of scope and rather include it as controls that should be there.
We were also advised to show where the threat actors may find themselves, and thus we added diagrams with them to our deliverable.
The Platform
It is fantastic that a platform to exchange information on threat modeling has been created. We need to applaud Iriusrisk for providing such a platform free of cost. There are general topics where comments and questions can be written and where the community interacts. So far the only place where such exchanges happened was the OWASP #Threatmodeling channel in Slack.
For the hackathon private groups were created. One per team and one for all participants. Presentation slides, use cases, and general resources were made available. The private groups allow members to post questions and comments. This is how we, as participants and teammates, interacted with each other.
Conclusion
The hackathon was an interesting challenge. It was an interesting system to analyze, which could have benefited from some level of architectural diagramming from the creators or some better descriptions of the relationships between logic and the components it runs in or stores data into.
The organization of the event was really good. It started with the basics and a quick workshop to get a taste of threat modeling. The system we were presented with was challenging enough for all levels of expertise. The feedback quality was excellent and the comments were very helpful.
The platform itself is good for some level of communication between teammates, but perhaps setting up slack channels would be more efficient and foster more engagement.
It would be great if the use case and the winning threat model were made publicly available to serve their purpose as kata for anyone who couldn’t participate in the hackathon.