Glossary - Threat Modeling: Designing for Security (2014)

Threat Modeling: Designing for Security (2014)


This glossary is intended to provide practical definitions of terms to help you understand how they are used in threat modeling and in this book. I have aimed for clarity, consistency, and brevity.

I have tried to be clear in context, but I avoid attempts to declare one meaning or another “correct” or superior to others.

ACL (access control list)

This allows or denies access to files. ACL is often used interchangeably with permissions, despite the fact that Windows or other ACLs have some technically important differences from unix permissions—in particular, the flexibility of the semantics of a list of rules, rather than a fixed set of permission bytes.


The most privileged account on a system, and the name of the most privileged account on a Windows system. The text is contextually clear when an issue is specific to a design element or feature of Windows. Often used in the text interchangeably with “root,” the most privileged account on unix systems.


The properties violated by the STRIDE threats. Those properties are as follows: Authentication, Integrity, Non-repudiation, Confidentiality, Availability, and Authorization.

AJAX (Asynchronous JavaScript and XML)

Generally, AJAX refers to a style of programming websites and the relevant design of the back end which results in a more fluid and interactive experience than pushing the Submit button.

Alice and Bob

Protagonists in cryptographic protocols since time immemorial, or perhaps since Rivest, Shamir, and Adleman used them when introducing the RSA cryptosystem.

API (application programming interface)

A way for programmers to control a piece of technology.


A kind of model of a personality or behavior pattern.

ASLR (Address Space Layout Randomization)

Randomizing the address space of a process makes writing effective stack-smashing attacks more difficult. While ASLR is a specific technique, it is usually used in this book as an exemplar of a set of defensive techniques with the goal of preventing memory corruption or control-flow attacks.

ASN (Autonomous System Number)

Used in Internet routing, the ASN refers to a complete set of Internet addresses that should be routed to the same place.


An object of value, possibly intangible, in the sense that goodwill is an asset carried on a company's books. In threat modeling, it has two particular meanings. One, it is a thing that either an attacker will pursue or someone wants to protect or is a stepping stone to either. Two, it can mean a computer or other piece of technology, where asset is a synonym for a more common word.

attack surface

Places where a trust boundary can be traversed, whether by design or by accident.


The process of increasing another's confidence in an identification. “Alice Smith authenticated herself by showing her company badge.”

AuthN, AuthZ

These abbreviations for authentication and authorization, respectively, are often used because they are both shorter to write and can be easily skimmed.


The process of checking whether an identified entity is allowed to take some action. The entity can be a person or a technological system of some form. “Alice is not authorized to view the contents of the layoffs directory.”


The property of being available for intended service. Denial-of-service attacks are intended to reduce, impair, or eliminate availability.


A classic model of confidentiality, based on military classification schemes. In Bell-LaPadula's model, systems with higher privilege can read from lower privilege systems, but not write to them. (Think of a system running as “secret”; it can read unclassified systems but not write to them, as that could reveal secret information.)


An approach in which you have multiple controls in place—for example, using both a belt and suspenders to hold your pants up.

best practice

A term used either aspirationally or as a means of stifling debate. The aspirational use is of the form “we should use best practices for securing this system.” The debate-stifling form is “you need to enforce password changes, it's on our best practices list.” It is a best practice to apply “five whys” when told something is a best practice. “Five whys” is a practice attributed to Toyota for understanding root causes. At its core, ask why, and then ask why of the answer five times to find a root cause.


Another classic security model, this one based on integrity. Systems at a lower integrity level cannot write to a higher integrity level.


See Alice and Bob.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)

Those irritating and often unreadable words and/or numbers presented online before you can submit something are designed to be easy for humans and hard for computers, but they end up being easy for computers and hard for everyone except those people who are paid a dollar or two to sit and solve them all day. On the bright side, at least those poor folks have a job.


A term for a protocol that has been defined to include the people involved in the protocol. This is a useful way to analyze usability and human factors issues, and is covered at length in Chapter 2.


The encrypted version of a message. If e means encrypt, k is a key, and p is plaintext, a ciphertext message is ek(p).

ciphertext, known

See known ciphertext.


The security property describing information restricted to a set of authorized people, and only disclosed to them.

control-flow attack

An attack on a program which alters the control flow. Stack-smashing attacks are an example of control flow attacks, where attacker-supplied data overwrites the program's stack.

CSA (Cloud Security Alliance)

Quoting its website, “The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

CSC (Conditioned-safe ceremony)

A ceremony that involves a step designed to result in people engaging in that step by rote. See also ceremony.

CSRF (Cross-site request forgery)

A type of web attack whereby an attacker convinces your browser to request one or more web pages, using your cookies, without your participation.

DBA (Database administrator)

The privileged person or set of people who have administrative rights to a database.

DDoS (distributed denial of service)

A denial-of-service attack carried out by more than one machine.

DFD (data flow diagram)

Diagrams which show the data flow of a system. Sometimes called threat model diagrams, because they're so useful in threat modeling.

DoS (denial of service)

The class of attack that violates availability.

DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)

Developed and then retired by Microsoft. Discussed in Chapter 9.

DRM (digital rights management)

Schemes that treat the purchaser of a digital object as a threat, and attempt to prevent them from usefully accessing a file except using certain programs. Also called digital restrictions management.

EAL (Evaluation Assurance Level)

An EAL is an element of the Common Criteria for security evaluation promulgated by major Western governments and Japan.

EoP (elevation of privilege)

Both a category of threat and (capitalized) the name of the threat modeling game. As a threat, EoP refers to a way in which people can exceed their authorization (or privileges). This includes gaining the capability to run code on a computer (aka breaking in), or moving from a restricted account to a more privileged one.

escalation of privilege

A synonym for elevation of privilege.


In its traditional sense, exploit refers to taking advantage of or unfairly benefitting from the work of another. In the technical sense, it can mean taking advantage of a program flaw such that an attacker gains some benefit. For example, “The document contains an exploit” means that a flaw in the program has been identified, and the document has been carefully constructed to take advantage of that flaw.


A small computer with integrated radios and networking, designed to augment cellular phone service. A femtocell is a natural place to execute man-in-the-middle attacks.


Either a structured approach (often with pre- and post-conditions) or a mathematical structuring. It is used in both ways in this book.

FQDN (fully qualified domain name)

A domain name ending in a recognized top-level domain (such as .com) or, more precisely, ending with “.”—the root of domain trust. (Thus, is an FQDN.)

friendly fraud

Term used by payments processors to refer to when a family member, roommate, or other person uses a credit card, and the owner of the card denies knowing anything about the charges.

GEMS (Generic Error Modeling System)

James Reason's model describing how people make mistakes.

global passive adversary

An entity which can eavesdrop around the world. Used either to specify a precise capability with which to judge the security of a design, or to avoid political discussion that can result from naming a particular country's spies. Revelations of NSA practices in the summer of 2013 should lead to skepticism over the euphemistic variant.

GOMS (Goals, Operators, Methods, and Selection)

Rules to an early model of how people process information.

heap overflow

An exploitable condition whereby attackers can write data to the dynamically allocated heap in a way that allows them to influence or replace normal operation of a program.

IaaS (Infrastructure as a Service)

A cloud offering in which clients buy power, network, and CPU cycles, and run their own systems on top of them, often in the form of complete virtual machines. See also PaaS, SaaS.

IC (individual contributor)

Someone whose work does not involve managing others.

IETF (Internet Engineering Task Force)

The folks who define how computers on the Internet talk to each other.

IETF threat modeling

Personal shorthand for my interpretation of RFC 3552 as an approach to threat modeling. To the best of my knowledge, the IETF does not endorse a methodology for, or a structured approach to, threat modeling.

information disclosure

A threat that violates confidentiality.

IOI (item of interest)

In privacy threat modeling, an IOI is an aspect of the system of interest to attackers. For an excellent source for privacy terminology, see “A Terminology for Talking About Privacy by Data Minimization” (Pfitzman, 2010).


The property that an object is whole, undivided, and of the form that its creators intended and its reliant parties expect. The property violated by tampering.

known ciphertext

An attack that works when the encrypted version of a message is available to the adversary.

meaningful ID

An identifier that is meaningful to the human using it, which brings to mind exactly one entity. See both Chapter 2, and Chapter 2.

MITM (man-in-the-middle)

An attack in which someone can intercede between the participants in a protocol, spoofing Alice to Bob (so that Bob believes that someone else is Alice) and Bob to Alice (such that Alice believes that same someone else is Bob). Often, cryptographers call this MITM “Mallory.” Thus, Bob believes that Mallory is Alice, and Alice believes that Mallory is Bob. Hijinks, as they say, tend to ensue.


As a noun, a simplified or abstracted description of a thing, system, or process; as a verb, the act of devising, creating, or using such an abstracted or simplified description.


The Arabic term for an intelligence or state security agency. Sometimes invoked as an alternative to talking about the U.S. National Security Agency or other passive adversaries, although events of the Arab Spring exposed a willingness to engage in active attacks.


The United States National Institutes of Standards and Technology.


The security property that people cannot falsely repudiate (deny) their actions.

NSA (National Security Agency [United States])

Often invoked because of its powerful capabilities to listen to a wide swath of traffic, or its skills in making or breaking cryptographic algorithms. Generally, NSA is used as an example of a global passive adversary.


Organization for Economic Cooperation and Development.

PaaS (Platform as a Service)

A cloud computing offering whereby the client buys a system, such as a web stack on a given OS, and runs their own applications on top of it. For example, Google App Engine is a Platform as a Service.


See ACL.


keeping track of cryptographic keys you receive to detect changes. Also called “TOFU.”

PKI (public key infrastructure)

An approach to key authentication in which a trusted third party authenticates keys. Subject to a variety of threats.


Program manager or program management. At Microsoft, program managers are engineers with responsibility for all non-code, non-test deliverables, often including vision, specs, timelines, and delivery of the product. This role carries a great deal of implicit meaning and expectation, and the best description I know of can be found in “The Zen of Program Management” (Microsoft, 2007).

race conditions

A class of security incidents in which there's a delay and a possibility of changing things between the checking of a condition (such as the target of a symbolic link) and the use of that check's results. Also called TOCTOU (time of check, time of use).

reference monitor

The software that enforces security policies, such as access to objects. Acting as a reference monitor for operating system objects is one function an OS kernel provides.


The act of denying responsibility for an action.

RFC (Request for Comments)

The standards documents issued by the IETF (Internet Engineering Task Force).


The most privileged account on a unix system. The text is contextually clear when an issue is specific to a design element or feature of unix. Often used in the text interchangeably with “administrator”.

SaaS (Software as a Service)

A cloud offering in which the client buys a business package of some type, such as CRM, and the CRM is operated by a company, such as Contrast with PaaS and IaaS.


Behavior which is hard to distinguish from behavior by scammers. For example, the use of obscure domains to accept e-mail click through is used by attackers (leading to advice to check URLs) and by legitimate organizations (leading to that advice being less valuable, and to people being confused.) Scamicry prevents people's natural pattern recognition from working well around information security.

SDL (Security Development Lifecycle)

The set of activities undertaken by an organization to prevent the introduction of security issues in software development.

SIPRNet (Secret Internet Protocol Router Network)

The air-gapped IP network operated by the United States defense department.

social proof

A phenomenon where people believe that what others are doing is acceptable (or safe) behavior. Sometimes exploited by attackers whose collaborators act the way they want you to act.


The account used in a sockpuppet attack.

sockpuppet attack

Describes an attack whereby someone creates a set of accounts to create the impression that their position has more support than it otherwise might appear to have. Also called in various communities Sybils or tentacles. The offline versions include social proof and, in politics, astroturfing.


The category of threats that violate authentication by pretending to be someone or something else.

SQL injection

A category of attack whereby a SQL command is “injected” into a query by an attacker.

SSDL (secure software development lifecycle)

A synonym for SDL.

SSN (social security number)

See Chapter 2 for discussion.

stack smashing

A subset of buffer overflow in which the attacker overwrites the program stack, leading to a change in control flow.


The art of secret writing. Invisible inks are an example of a steganographic technique, as is altering the least significant bits of an image to carry a message.

stepping-stone asset

Something an attacker wants to take over in order to gain access to some further target. See things attackers want asset, things you protect asset.


Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. A mnemonic for finding threats. Often incorrectly (and sometimes frustratingly) called a classification system or taxonomy.

Sybil, Sybil attack

See sockpuppet, sockpuppet attack.

System 1, System 2

Psychological terms describing two approaches to thinking and decision making—a fast automatic system, and a slower, more deliberative system. System 1 responses are fast and require little conscious thought; in contrast, System 2 is slower and more deliberate. See Chapter 2, or Thinking, Fast and Slow (Kahneman, 2011) for more information.


Attacks that violate the integrity of a system, file, or data flow.


See sockpuppet attack.

things attackers want asset

An asset with the property that an attacker wants to copy, delete, tamper with, or otherwise attack for gain. Contrast with stepping-stone asset.

things you protect asset

An asset with the property that you protect because it's important to you, rather than because you expect an attacker to go after it.

threat discovery

A synonym for threat enumeration.

threat elicitation

A synonym for threat enumeration.

threat modeling

The use of abstractions to aid in thinking about risk. See the Introduction for explicit discussion of the various ways in which the term is used.

Time of check/Time of use issue

Sometimes abbreviated TOCTOU; see race condition.

TM (threat modeling)

Not to be confused with trademark or ™, a legal process for the protection of brands to reduce confusion.

TMA (Threat model analysis)

Either an activity to look for threats, or the written output of such a process. Used in the early days of threat modeling at Microsoft, but it sometimes crops up elsewhere.

TOFU (trust on first use)

Keeping track of cryptographic keys you've seen to avoid asking people repeated questions about trusting those keys. Also called persistence.

transitive asset

A phrase used in Swiderski and Snyder's Threat Modeling (Microsoft Press, 2004) to refer to what I call a stepping-stone asset.

trust boundary

The place where more than one principal interacts—thus, where threats are most clearly visible. Threats are not restricted to trust boundaries but almost always involve actions across trust boundaries.

trust levels

A description of the security context in which an entity works. Things at the same level are isomorphic—there is no advantage to going from one to another. If some code has different privileges (permissions, etc.), then that code is at different trust levels.


A way of describing an entity that can violate your security rules, and is trusted not to do so.

trusted third party

A party who, by mutual agreement, can screw other participants. Seriously, that's what trusted means. You expect them to perform reliably, and if they don't, you're out of luck.

TOCTOU (time of check/time of use)

See race condition.


An approach to networking whereby one protocol is encapsulated in another to gain some advantage. Common examples include SSH and SSL.

TTL (time to live)

A value set in a network protocol with the intent of decrementing the value at each network hop. Not all tunneling systems will reduce TTL as they move packets.

UX (user experience)

A superset of the user interface elements, including how the person experiences them, and expectations about the skills, experiences, and training the person may have.


The person or people who create software. Used because it's less verbose than “the people who make your software,” but I mean no disrespect to the creators of open-source or free/libre software.

WYSIATI (What You See Is All There Is)

A term coined by Daniel Kahneman (Farrar, Straus and Giroux, 2011) to refer to a set of ways in which human perception and recollection diverge from what we might hope.


What's your threat model? A question asked to clarify understanding of risks. The answer is generally a few words, such as “global passive adversary” or “someone who can run code as a different account on the machine.”

YAGNI (You Ain't Gonna Need It)

This saying comes from the extreme programming (XP) movement, and emphasizes building only the product you're shipping, and as little else as you can get away with shipping. Security requirements and threat models are often viewed as things you ain't gonna need, which is often incorrect.