check for min tls version
nineinchnick committed Oct 2, 2020
1 parent 4143867 commit 98650af
Showing 3 changed files with 49 additions and 1 deletion.
29 changes: 29 additions & 0 deletions pytm/pytm.py
Expand Up @@ -142,6 +142,13 @@ def __set__(self, instance, value):
super().__set__(instance, value)


class varTLSVersion(var):
def __set__(self, instance, value):
if not isinstance(value, TLSVersion):
raise ValueError("expecting a TLSVersion, got a {}".format(type(value)))
super().__set__(instance, value)


class varData(var):
def __set__(self, instance, value):
if isinstance(value, str):
Expand Down Expand Up @@ -220,6 +227,17 @@ class Classification(OrderedEnum):
TOP_SECRET = 5


class TLSVersion(OrderedEnum):
NONE = 0
SSLv1 = 1
SSLv2 = 2
SSLv3 = 3
TLSv10 = 4
TLSv11 = 5
TLSv12 = 6
TLSv13 = 7


def _sort(flows, addOrder=False):
ordered = sorted(flows, key=lambda flow: flow.order)
if not addOrder:
Expand Down Expand Up @@ -830,6 +848,12 @@ class Element:
required=False,
doc="Maximum data classification this element can handle.",
)
minTLSVersion = varTLSVersion(
TLSVersion.NONE,
required=False,
doc="""Minimum required TLS version required.
Note that currently only TLS 1.2 and 1.3 are considered secure.""",
)
findings = varFindings([])

def __init__(self, name, **kwargs):
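Review bot: The doc string for `minTLSVersion` reads "Minimum required TLS version required.", which repeats "required", and it does not say where the value is consulted; the only consumer added in this commit is the threat condition `target.tlsVersion < target.sink.minTLSVersion`, so the attribute only matters for an element acting as the sink of a dataflow. Because `Element` is also the base of `Dataflow`, every flow now carries and serializes a `minTLSVersion` of its own (see the dataflow entries in tests/output.json) that nothing reads; consider documenting that or declaring the attribute on the asset classes instead. A possible doc: `doc="""Minimum TLS version this element accepts as the sink of a dataflow. Dataflows with a lower tlsVersion are reported; currently only TLS 1.2 and 1.3 are considered secure."""`. The `Element` class body starts outside this hunk.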
Expand Down Expand Up @@ -1271,6 +1295,11 @@ class Dataflow(Element):
srcPort = varInt(-1, doc="Source TCP port")
dstPort = varInt(-1, doc="Destination TCP port")
isEncrypted = varBool(False, doc="Is the data encrypted")
tlsVersion = varTLSVersion(
TLSVersion.NONE,
required=True,
doc="TLS version used.",
)
protocol = varString("", doc="Protocol used in this data flow")
data = varData([], doc="Default type of data in incoming data flows")
authenticatesDestination = varBool(
2 changes: 1 addition & 1 deletion pytm/threatlib/threats.json
Expand Up @@ -162,7 +162,7 @@
"details": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream, influence the nature of the data transmitted, or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position himself so as to observe explicit data channels (e.g. network traffic) and read the content.",
"Likelihood Of Attack": "Medium",
"severity": "Medium",
"condition": "not target.isEncrypted or (target.source.inScope and not target.isResponse and (not target.authenticatesDestination or not target.checksDestinationRevocation))",
"condition": "not target.isEncrypted or (target.source.inScope and not target.isResponse and (not target.authenticatesDestination or not target.checksDestinationRevocation)) or target.tlsVersion < target.sink.minTLSVersion",
"prerequisites": "The target must transmit data over a medium that is accessible to the adversary.",
"mitigations": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.",
"example": "Adversary tries to block, manipulate, and steal communications in an attempt to achieve a desired negative technical impact.",
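Review bot: The new clause `target.tlsVersion < target.sink.minTLSVersion` compares only against the sink's minimum, although `minTLSVersion` is declared on `Element` and therefore also exists on `target.source`; if a source's minimum is meant to cover its outgoing flows, a flow from an element requiring TLS 1.2 to a sink with no minimum is not reported. Both attributes default to `TLSVersion.NONE`, so a model that never sets `minTLSVersion` gets no finding from this clause even for a flow marked `SSLv3` (assuming `OrderedEnum` compares by value), which makes the check opt-in per element; that is worth stating in the `minTLSVersion` doc or in this threat's `mitigations` text. If the source side should count too, extend the clause to `or target.tlsVersion < target.source.minTLSVersion or target.tlsVersion < target.sink.minTLSVersion`.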
19 changes: 19 additions & 0 deletions tests/output.json
Expand Up @@ -6,6 +6,7 @@
"inBoundary": null,
"inScope": true,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Internet"
},
{
Expand All @@ -14,6 +15,7 @@
"inBoundary": null,
"inScope": true,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Server/DB"
}
],
Expand All @@ -34,6 +36,7 @@
],
"isAdmin": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "User",
"outputs": [
"User enters comments (*)"
Expand Down Expand Up @@ -78,6 +81,7 @@
"isHardened": false,
"isResilient": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Web Server",
"onAWS": false,
"outputs": [
Expand Down Expand Up @@ -132,6 +136,7 @@
"isEncrypted": false,
"isHardened": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Lambda func",
"onAWS": true,
"outputs": [],
Expand Down Expand Up @@ -180,6 +185,7 @@
"isHardened": false,
"isResilient": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Task queue worker",
"onAWS": false,
"outputs": [
Expand Down Expand Up @@ -233,6 +239,7 @@
"isSQL": true,
"isShared": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "SQL Database",
"onAWS": false,
"onRDS": false,
Expand Down Expand Up @@ -270,6 +277,7 @@
"isEncrypted": false,
"isResponse": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "User enters comments (*)",
"note": "bbb",
"order": 1,
Expand All @@ -279,6 +287,7 @@
"sink": "Web Server",
"source": "User",
"srcPort": -1,
"tlsVersion": "TLSVersion.NONE",
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesVPN": false
Expand All @@ -299,6 +308,7 @@
"isEncrypted": false,
"isResponse": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Insert query with comments",
"note": "ccc",
"order": 2,
Expand All @@ -308,6 +318,7 @@
"sink": "SQL Database",
"source": "Web Server",
"srcPort": -1,
"tlsVersion": "TLSVersion.NONE",
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesVPN": false
Expand All @@ -328,6 +339,7 @@
"isEncrypted": false,
"isResponse": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Call func",
"note": "",
"order": 3,
Expand All @@ -337,6 +349,7 @@
"sink": "Lambda func",
"source": "Web Server",
"srcPort": -1,
"tlsVersion": "TLSVersion.NONE",
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesVPN": false
Expand All @@ -357,6 +370,7 @@
"isEncrypted": false,
"isResponse": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Retrieve comments",
"note": "",
"order": 4,
Expand All @@ -366,6 +380,7 @@
"sink": "Web Server",
"source": "SQL Database",
"srcPort": -1,
"tlsVersion": "TLSVersion.NONE",
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesVPN": false
Expand All @@ -386,6 +401,7 @@
"isEncrypted": false,
"isResponse": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Show comments (*)",
"note": "",
"order": 5,
Expand All @@ -395,6 +411,7 @@
"sink": "User",
"source": "Web Server",
"srcPort": -1,
"tlsVersion": "TLSVersion.NONE",
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesVPN": false
Expand All @@ -415,6 +432,7 @@
"isEncrypted": false,
"isResponse": false,
"maxClassification": "Classification.UNKNOWN",
"minTLSVersion": "TLSVersion.NONE",
"name": "Query for tasks",
"note": "",
"order": 6,
Expand All @@ -424,6 +442,7 @@
"sink": "SQL Database",
"source": "Task queue worker",
"srcPort": -1,
"tlsVersion": "TLSVersion.NONE",
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesVPN": false
