- File or key names
- File size or registry data
- Last updated time and date
- Data checksum (MD5 and/or SHA1 hash)
Architecturally, the tool is split into two parts: a host component and an administrative console. As shown in Figure E.4, one client can communicate with multiple servers, rather than running the tool locally on each computer.

Figure E.4 The networked host/admin console nature of the iNTegrity tool
In another operational environment, it might be known that a machine has been compromised and can no longer be trusted, and the server and client software can be run off, say, a bootable CD or USB drive. In this case, the integrity-checking code is running under a trusted, read-only Windows environment, and the host and admin components both read data from the compromised machine, but not using the potentially compromised OS. The host process does not run as a Windows service in this mode, but as a standalone console application.
The Host Component
This small host component is written in C++ and runs as a service on a Windows server. Its role is to take requests from the admin console and respond to those requests. Valid requests include getting information about host component version, and recursive and non-recursive file properties. Note that the host software performs no analysis; it sends raw integrity data (filenames, sizes, hashes, ACLs, and so on) to the admin console, which performs the core analysis.
The Admin Console
The admin console code stores and analyzes resource (file, registry) version information that comes from one or more host processes. A user can instruct the admin console to connect to a host running the iNTegrity host software, get resource information, and then compare that data with a local, trusted data store of past resource information to see if anything has changed.
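The host/console split described above (the host collects raw file properties, the console keeps a trusted baseline and does the comparison) can be illustrated with a small Python script. This is an added example written for this page, not iNTegrity's own C++ code: the network transport between host and console is omitted, `snapshot()` plays the host role and `compare()` the console role, and the baseline is stored as JSON. The properties it records are the ones listed for the tool (name, size, last-modified time, MD5 and SHA1 checksums); a new deployment would normally add SHA-256, since MD5 and SHA1 are no longer collision resistant.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files do not land in memory


def file_record(path: Path) -> dict:
    """Host side: collect raw integrity properties for one file.
    No analysis happens here; the console decides what changed."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def snapshot(root, recursive: bool = True) -> dict:
    """Host side: answer a 'recursive' or 'non-recursive file properties'
    request for `root`. Returns {relative posix path: record}."""
    root = Path(root)
    paths = root.rglob("*") if recursive else root.glob("*")
    records = {}
    for p in sorted(paths):
        # Symlinks are skipped so a link cannot stand in for the real file.
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def save_baseline(records: dict, path) -> None:
    """Console side: persist the trusted data store of past resource info."""
    Path(path).write_text(json.dumps(records, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Console side: diff a trusted baseline against a fresh host snapshot.
    'modified' means content (size or a hash) differs; 'touched' means only
    the timestamp moved, which is worth reporting because a timestamp alone
    can be reset by an attacker to hide a change."""
    result = {"added": [], "removed": [], "modified": [], "touched": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            result["added"].append(name)
        elif new is None:
            result["removed"].append(name)
        elif (old["size"], old["md5"], old["sha1"]) != (new["size"], new["md5"], new["sha1"]):
            result["modified"].append(name)
        elif old["mtime"] != new["mtime"]:
            result["touched"].append(name)
    return result


if __name__ == "__main__":
    # Constructed demo tree: take a baseline, tamper, then compare.
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "svc.exe").write_bytes(b"original binary")
    (root / "config.ini").write_bytes(b"[svc]\nport=8080\n")
    save_baseline(snapshot(root), root / "baseline.json")
    (root / "bin" / "svc.exe").write_bytes(b"replaced binary")
    (root / "dropper.tmp").write_bytes(b"new file")
    current = snapshot(root)
    current.pop("baseline.json", None)  # the store itself is not a monitored file
    print(json.dumps(compare(load_baseline(root / "baseline.json"), current), indent=2))
```

In a real deployment the baseline must live on the console (or on read-only media, as the bootable-CD mode above describes), never on the monitored host, since a baseline an attacker can rewrite proves nothing.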
The iNTegrity Data Flow Diagrams
The iNTegrity data flow diagrams are shown in Figures E.5 and E.6.
The iNTegrity example comes from a time when the standard advice was to create a context diagram, which can be helpful when an external threat modeling consultant is being used, acting as a forcing function to consider the scope and boundaries of the threat model.

Figure E.5 Context diagram

Figure E.6 Main DFD
The following exercises were designed to walk students through the activities they'll need to perform to find threats. They can be used by readers of this example without modification:
1.  Identify all the DFD elements. (People often miss the data flows.)
2.  Identify all threat types to each element.
3.  Identify three or more threats: one for a data flow, one for a data store, and one for a process.
4.  Identify first-order mitigations for each threat.
Extra credit: The level 1 diagram is not perfect. What would you change, add, or remove?