Threat Modeling in Pervasive Computing Paradigm

Nazir A Malik and Muhammad Younus Javed
DCE, College of E & ME, National University of Sciences and Technology, Rawalpindi, Pakistan
{nazirmalik, myjaved}@ceme.edu.pk

Umar Mahmud
CS Dept, College of Signals, National University of Sciences and Technology, Rawalpindi, Pakistan
Umar.mahmud@gmail.com

Abstract— This paper presents a threat modeling approach for the security of pervasive environments. In pervasive computing, a user may belong to several security domains at the same instant, each with its own authentication mechanism and its own set of privileges. A number of threat modeling approaches and methods have been defined in the literature and are in use. However, because of the nature of pervasive computing and ubiquitous networks, these approaches do not address the security problems inherent in pervasive computing. The paper examines in detail the threat modeling and analysis approaches developed at Microsoft and other methods used for threat modeling. It then presents a novel approach to threat modeling in pervasive computing and a model for threat modeling and risk analysis in a pervasive environment.

Keywords- Pervasive computing; Threat Analysis; Threat modeling; Security domains

I. INTRODUCTION

With the fast pace of advances in information technology, pervasive computing is becoming a reality in our daily lives. As it is an emerging technology, a number of challenges in the context-aware computing paradigm still need to be addressed before pervasive computing is fully realised. Reference [1] gives a detailed description of the future challenges in context-aware computing. One of the most important challenges in a pervasive computing environment is the implementation of security schemes. Because of the heterogeneous nature of the network, security plays a very important role in the deployment of pervasive computing networks.
The need for security necessitates an evaluation of the threats involved. As new technologies develop, the security requirements and the measures that counter threats need to be reviewed constantly. Personal network devices are becoming more compact and their integration more seamless. The existence of threats drives the need for information security. A systematic and comprehensive analysis of the threats to an information system's confidentiality, integrity and availability is needed to ensure the security of the system. A number of threat modeling methodologies exist to evaluate and analyze threats.

In a pervasive environment, a large number of wireless devices provide services to users, forming a heterogeneous network. As new technologies and services are devised, the number of wireless devices in this heterogeneous environment will keep increasing, demanding a new paradigm for threat modeling in pervasive environments. Existing threat modeling methodologies do not incorporate the problems of pervasive computing, and a new approach to threat modeling needs to be developed for the pervasive computing paradigm.

Reference [2] describes the security vulnerabilities of the virtual world/pervasive environment in comparison with the real world, and introduces the concept of virtual identity management across security domains. The security problem in pervasive computing grows in larger environments, where users hold multiple identities in different security domains and move from one domain to another. Because no central authority is available, the scalability problem can be much greater than that of a Public Key Infrastructure.

II. THREAT MODELING METHODOLOGIES

A. Microsoft’s Threat Modeling

Reference [3] gives a systematic methodology and a free tool for threat modeling. Figure 1 shows the GUI of the tool. The Threat Modeling Tool provides a simple user interface.
It collects the background information required for threat modeling in the form of usage scenarios, external dependencies, implementation assumptions, and internal and external security implementation details. Entry points and assets are defined along with the various trust levels and protected resources. Data flow diagrams (DFDs) are drawn for the process flow. Known threats to the components are entered along with their description and mitigation before the threat model of the system is finally generated. The threat model builds an attack tree for each threat defined against a particular component of the system. The vulnerabilities table generated by the tool gives a STRIDE classification and a DREAD rating to each threat. STRIDE is an acronym for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege. DREAD is an acronym for Damage, Reproducibility, Exploitability, Affected users and Discoverability.

978-2-9532443-0-4 © 2008 ESRGroups France
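The following is an added worked example, not code from the paper or from the Microsoft tool it describes. It applies the STRIDE classification and DREAD rating described above to a constructed pervasive-computing scenario: a handset roaming from its home security domain into a visited domain whose gateway relays authentication back home. Three things are assumptions rather than statements of the paper: the elements, flows, trust levels and DREAD scores are constructed; the mapping of STRIDE categories to DFD element types (external entity, process, data store, data flow) is the "STRIDE-per-element" convention from later Microsoft SDL practice; and the overall DREAD risk is taken as the arithmetic mean of the five factors, each scored 1 to 10.

```python
"""Added example (constructed data): STRIDE classification and DREAD rating
for a small pervasive-computing threat model. Not the paper's or Microsoft's code."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumption: which STRIDE categories apply to each DFD element type. This is
# the STRIDE-per-element mapping from later Microsoft SDL practice, not
# something the paper states.
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity: spoofing, repudiation
    "process": "STRIDE",   # process: every category
    "store": "TRID",       # data store: tampering, repudiation, disclosure, DoS
    "flow": "TID",         # data flow: tampering, disclosure, DoS
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # "external", "process" or "store"
    trust_level: int   # a change of trust level along a flow is a trust boundary


@dataclass(frozen=True)
class DataFlow:
    name: str
    src: str
    dst: str


def crosses_boundary(flow: DataFlow, elements: Dict[str, Element]) -> bool:
    return elements[flow.src].trust_level != elements[flow.dst].trust_level


def enumerate_threats(elements: Dict[str, Element],
                      flows: List[DataFlow]) -> List[Tuple[str, str]]:
    """Return (target, STRIDE letter) pairs for every element and for every
    data flow that crosses a trust boundary. Flows that stay inside one trust
    level are skipped (assumption: only boundary-crossing flows are modelled)."""
    threats = [(el.name, c) for el in elements.values()
               for c in STRIDE_PER_ELEMENT[el.kind]]
    threats += [(fl.name, c) for fl in flows if crosses_boundary(fl, elements)
                for c in STRIDE_PER_ELEMENT["flow"]]
    return threats


def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    """DREAD rating: each factor scored 1..10, overall risk is the mean (assumed convention)."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if not all(1 <= f <= 10 for f in factors):
        raise ValueError("DREAD factors must be in 1..10")
    return round(float(mean(factors)), 1)


def vulnerabilities_table(ratings):
    """Tool-style vulnerabilities table: rows of (risk, target, STRIDE category,
    description), highest risk first."""
    rows = [(dread_score(*dread), target, STRIDE[letter], desc)
            for (target, letter), (dread, desc) in ratings.items()]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed scenario: trust level 0 = unauthenticated user, 1 = handset and
# visited domain, 2 = home domain.
ELEMENTS = {e.name: e for e in [
    Element("User", "external", 0),
    Element("Handset agent", "process", 1),
    Element("Visited domain gateway", "process", 1),
    Element("Home domain authenticator", "process", 2),
    Element("Credential store", "store", 2),
]}
FLOWS = [
    DataFlow("User login", "User", "Handset agent"),                         # 0 -> 1, boundary
    DataFlow("Roaming request", "Handset agent", "Visited domain gateway"),   # 1 -> 1, no boundary
    DataFlow("Relayed authentication", "Visited domain gateway",
             "Home domain authenticator"),                                    # 1 -> 2, boundary
    DataFlow("Credential lookup", "Home domain authenticator",
             "Credential store"),                                             # 2 -> 2, no boundary
]
# Constructed DREAD scores for three of the enumerated threats.
RATINGS = {
    ("Visited domain gateway", "S"): ((8, 7, 6, 9, 8),
        "Rogue gateway impersonates the visited domain to harvest roaming credentials"),
    ("Credential store", "I"): ((9, 4, 3, 10, 2),
        "Home credential store leaks the identities the user holds in every domain"),
    ("Relayed authentication", "T"): ((6, 5, 5, 4, 6),
        "Privileges granted by the home domain are altered in transit to the visited domain"),
}

if __name__ == "__main__":
    for target, letter in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{target:28} {STRIDE[letter]}")
    for risk, target, category, desc in vulnerabilities_table(RATINGS):
        print(f"{risk:4} {target:28} {category:24} {desc}")
```

For the constructed model this enumerates 30 candidate threats (two per external entity, six per process, four per data store, and three per boundary-crossing flow; the two flows that stay within one trust level contribute none), and the table ranks the spoofed visited-domain gateway highest at 7.6. The multi-domain aspect the paper stresses shows up directly: every flow between the visited and home domains crosses a trust boundary and therefore carries its own tampering, disclosure and denial-of-service threats.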