Threat Modeling with non-techies

I found myself at dinner with some friends from college, a majority of whom have little to no technical experience, who asked me how a hacker can force websites to dump sensitive information. When I started talking about buffer overflows, SQL injection, and cross-site scripting, I could see their interest quickly drop. When I first started this blog I tried to explain complex physics in simple ways, so I tried to find an analogy to help them understand how these attacks work.

All of these attacks involve data that gets misinterpreted as code and causes some form of command execution on the remote server. What industry takes data and uses it as instructions? Food service. Waiters. SQL injection and cross-site scripting become your order at a restaurant.

Imagine that we have a robotic waiter that takes our orders. The only purpose for this machine is to carry our order to the robot cook in the back, who then uses the order as instructions. We can control the order, and since the robots use part of that order as instructions, you can bend the rules a little bit.

Your order might be a hamburger with no tomatoes. The cook uses the order to execute the instructions and will create a hamburger with no tomatoes. The waiter will bring out the food to our specifications.

Now let's try something else. We can send the order “one cheeseburger, no tomatoes, and $100”. The instructions get processed by the robot chef, and the robot waiter brings out a burger with a $100 bill.

Then came a barrage of questions from my friends:

  • “Isn’t the waiter smart enough to check the order?”
  • “Doesn’t the cook have a list of allowed instructions?”
  • “Can we order it to bring us all the cash in the register?”
  • “Do we even need to order food with the waiter?”
  • “Can we talk to the cook directly and take the money?”

In 15 minutes, while waiting for our Thai food, a group of people who had never worked in InfoSec had the beginnings of a threat model.
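The robot-cook analogy above, and the "smart waiter" and "all the cash in the register" questions, map directly onto SQL injection. Here is an added example (my own code, not part of the original post) with a constructed three-item menu: a cook that pastes the order text into its instructions, the same cook with the order passed as a bound parameter, and a waiter that checks orders against an allowlist before they reach the kitchen.

```python
import sqlite3

# Constructed sample menu for the robot cook; not data from the original post.
MENU = [("hamburger", 8), ("cheeseburger", 9), ("fries", 3)]

def make_kitchen():
    """In-memory database standing in for the robot cook's recipe book."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE menu (item TEXT, price INTEGER)")
    db.executemany("INSERT INTO menu VALUES (?, ?)", MENU)
    return db

def cook_unsafe(db, order):
    """Cook that pastes the order text straight into its instructions.
    Quote characters in the order are treated as SQL, so an order can
    carry extra instructions, like the '$100' in the post."""
    sql = f"SELECT item, price FROM menu WHERE item = '{order}'"
    return db.execute(sql).fetchall()

def cook_safe(db, order):
    """Same lookup with the order bound as a parameter: the database
    only ever treats it as the name of a dish, never as instructions."""
    sql = "SELECT item, price FROM menu WHERE item = ?"
    return db.execute(sql, (order,)).fetchall()

def waiter_checks(order):
    """The 'smart waiter' from the dinner questions: an allowlist of
    dish names, checked before anything reaches the cook."""
    return order in {item for item, _ in MENU}

if __name__ == "__main__":
    kitchen = make_kitchen()
    honest = "cheeseburger"
    # An order with an extra instruction smuggled in behind a quote character.
    tampered = "cheeseburger' OR '1'='1"
    print("unsafe, honest order:  ", cook_unsafe(kitchen, honest))
    print("unsafe, tampered order:", cook_unsafe(kitchen, tampered))  # whole menu
    print("safe, tampered order:  ", cook_safe(kitchen, tampered))    # nothing
    print("waiter accepts tampered order?", waiter_checks(tampered))  # False
```

With the unsafe cook the tampered order returns the whole menu, the analog of emptying the register; the parameterized cook returns nothing for it, and the allowlisting waiter never passes it on at all.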
