
[I'm surprised that my searches didn't find this question before, but then I may just not be asking it "the right way."]

A project I am on is starting to look at threat trees for a connected piece of hardware that is under development. As a start, we decided to look at a simple entry point, the USB port. That took up most of the meeting, and is still incomplete.

I am pretty certain we are not the first or last team ever to consider the attack surface presented by a USB port. That begs my main question:

Does a library of common attack trees exist?

jwernerny
  • Combinatorial explosion is what you can find. Home router - home computer is the most widely found one, beyond that (and especially in corporate settings) everything gets messy. – Deer Hunter Feb 01 '16 at 18:17
  • A good model can help avoid such explosion. A useful model for the USB port might be hardware driver issues, design flaws (such as autorun), implementation flaws (such as buffer overflows). You might also break the areas of flaw into USB-specific code and filesystem code. A model like this can help drive effective test design. – Adam Shostack Feb 01 '16 at 20:33

1 Answer

Sadly, there is not a good free/community-driven set. There's a set at the back of my book on threat modeling, and there's a set for sale via a company called Amenaza which I have not seen.

If there's something else, I didn't discover it when doing research for the book, and would love to hear about it.

Adam Shostack