Threat modeling for drivers
Driver writers and architects should make threat modeling an integral part of the design process for any driver. This article provides guidelines for creating threat models for drivers for the Microsoft Windows family of operating systems.
Creating a threat model requires a thorough understanding of the driver’s design, the types of threats to which the driver might be exposed, and the consequences of a security attack that exploits a particular threat. After creating the threat model for a driver, you can determine how to mitigate the potential threats.
This article discusses points to consider regarding threat modeling for drivers.
This article contains call to action recommendations and resources for threat modeling for drivers.
Security should be a fundamental design point for any driver. Any successful product is a target. If you are writing a driver for Microsoft Windows operating systems, you must assume that sometime, somewhere, someone will try to use your driver to compromise system security.
Designing a secure driver involves:
- Identifying the points at which the driver could be vulnerable to an attack.
- Analyzing the types of attacks that could be mounted at each such point.
- Ensuring that the driver contains features to prevent or thwart such attacks.
Threat modeling is a structured approach to these important design tasks. A threat model is a way of categorizing and analyzing the threats to an asset. From a driver writer’s perspective, the assets are the hardware, software, and data on the computer or network.
A threat model answers the following questions:
- Which assets need protection?
- To what threats are the assets vulnerable?
- How important or likely is each threat?
- How can you mitigate the threats?
Threat modeling is a critical part of software design because it ensures that security is built into the product, rather than addressed as an afterthought. A good threat model can help find and prevent bugs during the design process, thus eliminating potentially costly patches later.
This article applies the principles of threat modeling to driver design and provides examples of threats to which a driver might be susceptible. For a more complete description of threat modeling for software design, see Writing Secure Software, by Michael Howard and David LeBlanc, published by Microsoft Press.