paper-attacktrees-ddj-ft

paper-attacktrees-ddj-ft - Bruce Schneier Home Blog...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon
Bruce Schneier Home Blog Crypto-Gram Newsletter Books Essays and Op Eds News and Interviews Audio and Video Speaking Schedule Password Safe Cryptography Contact Information Attack Trees Dr. Dobb's Journal December 1999 Modeling security threats By Bruce Schneier Bruce is the CTO of Counterpane Internet Security, author of Applied Cryptography, Second Edition (John Wiley & Sons, 1995), and inventor of the Blowfish and Twofish encryption algorithms. You can contact Bruce at http://www.counterpane.com/ . Few people truly understand computer security, as illustrated by computer-security company marketing literature that touts "hacker proof software," "triple-DES security," and the like. In truth, unbreakable security is broken all the time, often in ways its designers never imagined. Seemingly strong cryptography gets broken, too. Attacks thought to be beyond the ability of mortal men become commonplace. And as newspapers report security bug after security bug, it becomes increasingly clear that the term "security" doesn't have meaning unless also you know things like "Secure from whom?" or "Secure for how long?" Clearly, what we need is a way to model threats against computer systems. If we can understand all the different ways in which a system can be attacked, we can likely design countermeasures to thwart those attacks. And if we can understand who the attackers are -- not to mention their abilities, motivations, and goals -- maybe we can install the proper countermeasures to deal with the real threats. Enter Attack Trees Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes. Figure 1 , for instance, is a simple attack tree against a physical safe. The goal is opening the safe. To open the safe, attackers can pick the lock, learn the combination, cut open Search blog only essays and op eds only whole site Crypto-Gram Newsletter A free monthly e-mail newsletter on security and security technology. read more Latest Book more books by Bruce Schneier Schneier on Security A blog covering security and security technology. read more Search
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
the safe, or install the safe improperly so that they can easily open it later. To learn the combination, they either have to find the combination written down or get the combination from the safe owner. And so on. Each node becomes a subgoal, and children of that node are ways to achieve that subgoal. (Of course, this is just a sample attack tree, and an incomplete one at that. How many other attacks can you think of that would achieve the goal?) Note that there are AND nodes and OR nodes (in the figures, everything that isn't an AND node is an OR node). OR nodes are alternatives -- the four ways to open a safe, for example. AND nodes represent different steps toward achieving the
Background image of page 2
Image of page 3
This is the end of the preview. Sign up to access the rest of the document.

This document was uploaded on 12/05/2009.

Page1 / 6

paper-attacktrees-ddj-ft - Bruce Schneier Home Blog...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online