TAM v2.1 Sandboxing – Part I – Risk Measurement Plug-in
TAM v2.1 supports multiple risk measurement techniques by allowing the user to specify a plug-in to measure the risk and save the relevant data along with the threat model. This two part blog helps you to understand the security impact of plug-in system in TAM. In order to understand the security impact, first we need to understand the need for plug-ins and how application handles them.
As per the threat modeling process, risk measurement is very subjective and optional, but a very important step which allows prioritization of threats and the respective countermeasures. Thus in order to fulfill this process objective the tool was developed in a way to support arbitrary risk measurement techniques. TAM allows the user to select a Risk measurement plug-in, which is loaded at runtime only when required to calculate the risk. Now this brings up some unique challenges first and foremost how do we make sure that the plug-ins use the same terminology such that the risk values are consistent across multiple plug-ins. Secondly, how can user control the behavior of these plug-ins. Let’s talk about each of the above issues and also look at how TAM tool implements it.
In order to calculate risk consistently, the process defines risk (R) as impact (I) times probability (P), i.e. R=I x P. Similarly, the tool also expects the plug-in to return impact and probability values and the risk is derived from it. In order to allow user based plug-ins, the tool exposes necessary interfaces for a developer to implement. The TMObjectModel.Interfaces namespace (TMObjectModel.dll) contains ICalculateRisk interface which has the CalculateRisk method. Plug-in needs to implement the above method and return RiskReturn object by filling in the Impact and Probability properties. RiskReturn class is also available in the same namespace. Tool uses this object to fill in the threat risk values. Tool loads the plugin and uses reflection to find out whether any publicly available classes export this interface and loads the appropriate class and executes the CalculateRisk method to get the RiskReturn object. By doing this we are reflecting, loading and executing the plugin code in the same trust as that of the tool.
To address the second issue of the user controlling the plugin, we allow user to configure the plugin and the tool only loads the plugin when it is needed for calculating the risk values. TAM uses Assembly.Load to load the plugin and finds if ICalculateRisk interface is exported by the public types and then instantiates it by calling its constructor. After successful instantiation it calls the CalculateRisk method and the returned object is used for risk calculation.
Sample code for the plug-in:
using System;
using System.Collections.Generic;
using System.Text;
using ACEServices.Torpedo2.TMObjectModel;
using ACEServices.Torpedo2.TMObjectModel.Interfaces;
namespace SampleRiskPlugin
{
public class SampleRiskPlugin : MarshalByRefObject, ICalculateRisk
{
#region ICalculateRisk Members
RiskReturn ICalculateRisk.CalculateRisk(ThreatModel currentTM, Threat currentThreat, XMLHashTable riskParams)
{
RiskReturn oReturn = new RiskReturn();
oReturn.Impact = EnumImpact.High;
oReturn.Probability = EnumProbability.High;
return oReturn;
}
#endregion
}
}
TAM Application Code loading the plug-in.
//Load the user specified plugin assembly
Assembly plugin = Assembly.LoadFrom(pluginfile);
//object to hold the plugin class
ICalculateRisk objectplugin = null;
//looping thru the export types in the plugin assembly
foreach (Type type in plugin.GetExportedTypes())
{
//finding if the type implements ICalculateRisk interface
if (type.FindInterfaces(Module.FilterTypeName, "ICalculateRisk").Length == 1)
{
//Getting the constructor info object to invoke the constructor.
ConstructorInfo consinfo = type.GetConstructor(new Type[0]);
if (consinfo != null)
{
//Creating the object exposed by the plugin
objectplugin = (ICalculateRisk)consinfo.Invoke(null);
return objectplugin;
}
}
}
In the next part we will discuss about the security impact of the above code.
- Anil Revuru (RV)