izar / pytm

A Pythonic framework for threat modeling

Alternative format for threat lib for better readability and editing #237

Open raphaelahrens opened 3 months ago

raphaelahrens commented 3 months ago

So I looked through the threats recently and again and again I find it difficult to read through the JSON document.

What bothers me the most is the combination of text in details, mitigation, and example with the metadata like id, condition, severity and target.

It makes the text hard to read and the metadata difficult to find.

Now I had the idea to have a markdown file for each threat in the style of pandoc with the yaml_metadata_extension.

The result could look similar to this:

```markdown
---
id: INP01
condition: target.usesEnvironmentVariables is True and target.controls.sanitizesInput is False and target.controls.checksInputBounds is False
severity: High
target: (<class 'pytm.pytm.Lambda'>, <class 'pytm.pytm.Process'>)
---

# Buffer Overflow via Environment Variables

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

## Example

Attack Example: Buffer Overflow in `$HOME` A buffer overflow in sccw allows local users to gain root access via the `$HOME` environmental variable. Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.

## Mitigations

Do not expose environment variable to the user. Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.

## References

- https://capec.mitre.org/data/definitions/10.html
- CVE-1999-0906
- CVE-1999-0046
- http://cwe.mitre.org/data/definitions/120.html
- http://cwe.mitre.org/data/definitions/119.html
- http://cwe.mitre.org/data/definitions/680.html
```

Of course this file would not be parseable by pytm with the restriction that it should only depend on python stdlib. But what could be done is that the threats are stored in markdown files from which the threatlib.json could be generated.

What do you think about this idea?
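The generation step proposed above (threats kept as Markdown files with a YAML front matter block, and `threatlib.json` produced from them) can be done with the Python standard library alone. The script below is an added example, not code from pytm or from the threatmd prototype. It assumes the front matter only holds flat `key: value` scalars, that the body uses a `# Title` heading for the description followed by `## Example`, `## Mitigations` and `## References` sections, and that the output keys (`SID`, `description`, `details`, `condition`, `severity`, `target`, `example`, `mitigations`, `references`) mirror the layout of a threatlib.json entry; the sample document is constructed for the example.

```python
"""Added example (not pytm's or threatmd's code): convert a threat written as
Markdown with a YAML-style front matter block into the dict shape of a
threatlib.json entry, using only the standard library.

Assumptions: flat `key: value` front matter (no nested YAML); `# Title` is the
description; `## Example`, `## Mitigations`, `## References` sections; output
keys chosen to mirror a threatlib.json entry (assumed layout).
"""
import json
import re

# Constructed sample input in the format proposed in the issue.
SAMPLE_THREAT_MD = """---
id: INP01
condition: target.usesEnvironmentVariables is True and target.controls.sanitizesInput is False
severity: High
target: Lambda, Process
---

# Buffer Overflow via Environment Variables

This attack pattern involves causing a buffer overflow through manipulation of environment variables.

## Example

Attack Example: Buffer Overflow in `$HOME`.

## Mitigations

Do not expose environment variables to the user.

## References

- https://capec.mitre.org/data/definitions/10.html
- CVE-1999-0906
"""

# Front matter is the text between the opening and closing `---` lines.
FRONT_MATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.DOTALL)


def parse_front_matter(text):
    """Split a document into (metadata dict, markdown body)."""
    m = FRONT_MATTER_RE.match(text)
    if not m:
        raise ValueError("missing YAML front matter block")
    meta = {}
    for line in m.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and YAML comments
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed front matter line: {line!r}")
        meta[key.strip()] = value.strip()
    return meta, m.group(2)


def split_sections(body):
    """Return (title, intro_text, {section_name: section_text}) from the body."""
    title, intro, sections, current = None, [], {}, None
    for line in body.splitlines():
        if line.startswith("# ") and title is None:
            title = line[2:].strip()
        elif line.startswith("## "):
            current = line[3:].strip().lower()
            sections[current] = []
        elif current is None:
            intro.append(line)  # text before the first ## heading = details
        else:
            sections[current].append(line)
    return title, "\n".join(intro).strip(), {k: "\n".join(v).strip() for k, v in sections.items()}


def parse_references(text):
    """Turn a `- item` bullet list into a plain list of strings."""
    return [line[2:].strip() for line in text.splitlines() if line.startswith("- ")]


def markdown_to_threat(text):
    """Build one threatlib-style entry; fail loudly on missing metadata."""
    meta, body = parse_front_matter(text)
    title, details, sections = split_sections(body)
    missing = [k for k in ("id", "condition", "severity", "target") if k not in meta]
    if missing:
        raise ValueError(f"front matter missing keys: {missing}")
    return {
        "SID": meta["id"],
        "description": title,
        "details": details,
        "condition": meta["condition"],
        "severity": meta["severity"],
        "target": [t.strip() for t in meta["target"].split(",")],
        "example": sections.get("example", ""),
        "mitigations": sections.get("mitigations", ""),
        "references": parse_references(sections.get("references", "")),
    }


def threats_to_json(docs):
    """Serialise a list of Markdown threat documents as a JSON array."""
    return json.dumps([markdown_to_threat(d) for d in docs], indent=2)


if __name__ == "__main__":
    print(threats_to_json([SAMPLE_THREAT_MD]))
```

Because the front matter is restricted to flat scalars, no YAML library is needed; a malformed line or a missing required key raises instead of silently producing a threat with an empty condition, which is the failure mode that would matter when the generated file feeds the threat engine.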

raphaelahrens commented 2 months ago

Another advantage of this approach would be that code elements in the threats could be marked as code and will not interfere with the formatting in the report.

An example of this is in SC04, which includes examples of jjencode

```javascript
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
```

and a bypass via the window

```javascript
this['al' + 'ert'](1)
```

When running

```shell
python3 tm.py --report docs/basic_template.md | pandoc > /dev/null
```

we get the error

```
[WARNING] Could not convert TeX math =($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+, rendering as TeX:
  =($_=!''+$)[_/_]+$_[+$])])()[_
    ^
  unexpected '$'
  expecting "\\bangle", "\\brace", "\\brack", "\\choose", "\\displaystyle", "\\textstyle", "\\scriptstyle", "\\scriptscriptstyle", "{", "\\operatorname", letter, digit, ".",
 "!", "'", "''", "'''", "''''", "*", "+", ",", "-", ".", "/", ":", ":=", ";", "<", "=", ">", "?", "@", "~", "_", "^", "\\left", "\\", "\\hyperref" or end of input
```

for the first line, but for `this['al' + 'ert'](1)` this turned into

```html
<a href="1">'al' + 'ert'</a>
```

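The two failures shown above come from pandoc applying its Markdown rules to text the report meant literally: `$...$` becomes inline TeX math and `[...](...)` becomes a link. The script below is an added example, not code from pytm, and shows a defensive check a report generator could run over its output, plus the two ways to neutralise such text (escaping the special characters, or wrapping the snippet in a code span whose backtick run is longer than any run inside it). It relies on pandoc's documented rules: a `$` opens inline math only if followed by a non-space character and closed by a `$` that is preceded by a non-space character and not followed by a digit, a backslash before `$`, `[` or `]` makes it literal, and code spans are not parsed for math or links. The report lines are constructed for the example.

```python
r"""Added example (not pytm's or threatmd's code): detect text in a generated
Markdown report that pandoc would reinterpret as inline math or as a link,
and neutralise it by escaping or by wrapping it in a code span.

Assumptions from pandoc's documented Markdown rules: `$` opens inline math
only if followed by non-space, and closes only if preceded by non-space and
not followed by a digit; a backslash makes `$`, `[`, `]` literal; backtick
code spans are not parsed for math or links. Sample lines are constructed.
"""
import re

CODE_SPAN_RE = re.compile(r"(`+)[^`]*?\1")
INLINE_MATH_RE = re.compile(r"(?<!\\)\$(?=\S)(.+?)(?<=\S)(?<!\\)\$(?!\d)")
LINK_RE = re.compile(r"(?<!\\)\[[^\]]*\]\([^)]*\)")


def _outside_code(line):
    """Yield (segment, is_code) pairs so code spans are left untouched."""
    pos = 0
    for m in CODE_SPAN_RE.finditer(line):
        if m.start() > pos:
            yield line[pos:m.start()], False
        yield m.group(0), True
        pos = m.end()
    if pos < len(line):
        yield line[pos:], False


def find_risky_spans(line):
    """Return the substrings pandoc would turn into math or links."""
    found = []
    for seg, is_code in _outside_code(line):
        if is_code:
            continue
        found.extend(m.group(0) for m in INLINE_MATH_RE.finditer(seg))
        found.extend(m.group(0) for m in LINK_RE.finditer(seg))
    return found


def escape_markdown(line):
    """Backslash-escape `$`, `[` and `]` in prose; code spans are left alone."""
    out = []
    for seg, is_code in _outside_code(line):
        if not is_code:
            seg = re.sub(r"(?<!\\)([$\[\]])", r"\\\1", seg)
        out.append(seg)
    return "".join(out)


def as_code_span(snippet):
    """Wrap a snippet in a code span longer than any backtick run inside it."""
    longest = max((len(r) for r in re.findall(r"`+", snippet)), default=0)
    ticks = "`" * (longest + 1)
    return f"{ticks}{snippet}{ticks}"


def as_fenced_block(snippet, lang=""):
    """Wrap a multi-line snippet in a fenced code block."""
    fence = "`" * 3
    return f"{fence}{lang}\n{snippet}\n{fence}"


# Constructed report lines: safe code span, the jjencode fragment, the
# link-shaped bypass, and a harmless pair of dollar amounts.
SAMPLE_LINES = [
    "Do not expose the `$HOME` variable to untrusted users.",
    "Obfuscated payload: ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]]",
    "Bypass via the window: this['al' + 'ert'](1)",
    "The budget was $5 and later $10.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_risky_spans(line), "->", escape_markdown(line))
```

The check is deliberately narrower than pandoc itself (it ignores display math and reference-style links), so it is a guard to run before `pandoc`, not a replacement for marking code as code in the source of the threat text.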
raphaelahrens commented 2 months ago

I have implemented a prototype

https://github.com/raphaelahrens/threatmd

pentestguy commented 1 month ago

Do you know if this issue is going to be fixed? Because I am also facing the same issue.

raphaelahrens commented 1 month ago

@pentestguy what issue do you mean?

pentestguy commented 1 month ago

The same issue is below:

```
[WARNING] Could not convert TeX math =($=!''+$)[/]+$[+$])])()[[/]+[+~$]+$[]+, rendering as TeX: =($=!''+$)[/]+$[+$])])()[ ^ unexpected '$' expecting "\bangle", "\brace", "\brack", "\choose", "\displaystyle", "\textstyle", "\scriptstyle", "\scriptscriptstyle", "{", "\operatorname", letter, digit, ".", "!", "'", "''", "'''", "''''", "*", "+", ",", "-", ".", "/", ":", ":=", ";", "<", "=", ">", "?", "@", "~", "_", "^", "\left", "\", "\hyperref" or end of input
```