This is the Wiki documentation of the threat modeling project.
We offer a domain-specific language (DSL) for describing the system under investigation as well as all threat-modeling-relevant parts. We provide both a textual and a graphical editor for our DSL.
The system is described by a generic component-based system model consisting of components and their connections. In addition, the security analyst can define security-related restrictions and assumptions. Restrictions express which components are allowed to know which data. Assumptions capture properties of the components' implementation that are taken for granted during the design phase, e.g., that a specific component will never leak data containing a password in cleartext. We also provide a static analysis that checks whether the system meets all specified restrictions with respect to the specified assumptions.
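To make the interplay of components, connections, restrictions and assumptions concrete, here is a small added example in Python. It is not the project's DSL or its analysis; the component names, data items and the `SystemModel`/`knowledge`/`violations` names are constructed for illustration. It propagates data along connections to a fixed point and reports every component that ends up knowing data its restriction does not allow, with a connection-scoped assumption ("the web server never sends the cleartext password to the logger") removing that flow from the analysis.

```python
"""Illustrative data-flow check in the spirit of restrictions and assumptions.
Constructed example; not the project's DSL or analysis implementation."""
from dataclasses import dataclass, field


@dataclass
class SystemModel:
    components: set[str]
    originates: dict[str, set[str]]        # component -> data it introduces
    connections: list[tuple[str, str]]     # (source, target): data may flow
    restrictions: dict[str, set[str]]      # component -> data it may know
    # (source, target, data): assumed never to be sent over that connection
    assumptions: set[tuple[str, str, str]] = field(default_factory=set)


def knowledge(model: SystemModel) -> dict[str, set[str]]:
    """Fixed-point propagation: a component knows what it originates plus
    everything reaching it over a connection, unless an assumption rules
    that data item out on that specific connection."""
    knows = {c: set(model.originates.get(c, ())) for c in model.components}
    changed = True
    while changed:
        changed = False
        for src, dst in model.connections:
            for item in list(knows[src]):
                if (src, dst, item) in model.assumptions:
                    continue
                if item not in knows[dst]:
                    knows[dst].add(item)
                    changed = True
    return knows


def violations(model: SystemModel) -> list[tuple[str, str]]:
    """Every (component, data) pair where the component knows data its
    restriction does not allow. Unrestricted components are not checked."""
    found = []
    for comp, items in knowledge(model).items():
        allowed = model.restrictions.get(comp)
        if allowed is None:
            continue
        for item in sorted(items - allowed):
            found.append((comp, item))
    return sorted(found)


def login_example(with_assumption: bool) -> SystemModel:
    """Constructed model: a browser sends username and password to a web
    server, which talks to a database and a logger; the logger feeds an
    analytics service that must never see the password."""
    model = SystemModel(
        components={"Browser", "WebServer", "Database", "Logger", "Analytics"},
        originates={"Browser": {"username", "password"}},
        connections=[("Browser", "WebServer"), ("WebServer", "Database"),
                     ("WebServer", "Logger"), ("Logger", "Analytics")],
        restrictions={"Logger": {"username"}, "Analytics": {"username"}},
    )
    if with_assumption:
        # Design-time assumption (hypothetical): the web server never writes
        # the cleartext password into the log stream.
        model.assumptions.add(("WebServer", "Logger", "password"))
    return model


if __name__ == "__main__":
    for flag in (False, True):
        print(f"assumption={flag}: violations={violations(login_example(flag))}")
```

Without the assumption, the password reaches the logger and, transitively, the analytics service, so both are reported; with it, the analysis is clean while the database still legitimately receives the password. This is the kind of question a restriction-plus-assumption check answers: not whether a component is trusted, but whether the modeled flows let data reach a place it is not allowed to be.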
In the following, we describe all modeling and analysis features in more detail. If you would like to try our tooling yourself, check our Users Guide for first steps!
The following links give additional semantic information on every part of our models.
We model our security definitions in assumptions and restrictions:
We offer a textual and a graphical modeling tool, implemented using Xtext and Sirius respectively.