  1. Linux/MacOS

  2. Python 3.x

  3. Graphviz package

  4. Java (OpenJDK 10 or 11)

  5. plantuml.jar



  1. git clone


  1. [-h] [--debug] [--dfd] [--report REPORT] [--exclude EXCLUDE] [--seq] [--list] [--describe DESCRIBE]

  2. optional arguments:

  3.   -h, --help           show this help message and exit

  4.   --debug              print debug messages

  5.   --dfd                output DFD (default)

  6.   --report REPORT      output report using the named template file (sample template file is under docs/

  7.   --exclude EXCLUDE    specify threat IDs to be ignored

  8.   --seq                output sequential diagram

  9.   --list               list all available threats

  10.   --describe DESCRIBE  describe the properties available for a given element



  1. (pytm) ?  pytm git:(master) ? ./ --describe Element

  2. Element

  3.         OS

  4.         check

  5.         definesConnectionTimeout

  6.         description

  7.         dfd

  8.         handlesResources

  9.         implementsAuthenticationScheme

  10.         implementsNonce

  11.         inBoundary

  12.         inScope

  13.         isAdmin

  14.         isHardened

  15.         name

  16.         onAWS


  1. {

  2.    "SID":"INP01",

  3.    "target": ["Lambda","Process"],

  4.    "description": "Buffer Overflow via Environment Variables",

  5.    "details": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.",

  6.    "Likelihood Of Attack": "High",

  7.    "severity": "High",

  8.    "condition": "target.usesEnvironmentVariables is True and target.sanitizesInput is False and target.checksInputBounds is False",

  9.    "prerequisites": "The application uses environment variables.An environment variable exposed to the user is vulnerable to a buffer overflow.The vulnerable environment variable uses untrusted data.Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.",

  10.    "mitigations": "Do not expose environment variable to the user.Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.",

  11.    "example": "Attack Example: Buffer Overflow in $HOME A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.",

  12.    "references": ", CVE-1999-0906, CVE-1999-0046,,,"

  13. }



下面的样本是tm.py文件,它描述了一个简单的应用程序,其中一名用户“User”登录进了应用程序,然后在App上发布了评论。App服务器将这些评论存储进了数据库,服务器中有一个AWS Lambda会定期清理数据库。

  1. #!/usr/bin/env python3

  2. from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor, Lambda

  3. tm = TM("my test tm")

  4. tm.description = "another test tm"

  5. User_Web = Boundary("User/Web")

  6. Web_DB = Boundary("Web/DB")

  7. user = Actor("User")

  8. user.inBoundary = User_Web

  9. web = Server("Web Server")

  10. web.OS = "CloudOS"

  11. web.isHardened = True

  12. db = Datastore("SQL Database (*)")

  13. db.OS = "CentOS"

  14. db.isHardened = False

  15. db.inBoundary = Web_DB

  16. db.isSql = True

  17. db.inScope = False

  18. my_lambda = Lambda("cleanDBevery6hours")

  19. my_lambda.hasAccessControl = True

  20. my_lambda.inBoundary = Web_DB

  21. my_lambda_to_db = Dataflow(my_lambda, db, "(λ)Periodically cleans DB")

  22. my_lambda_to_db.protocol = "SQL"

  23. my_lambda_to_db.dstPort = 3306

  24. user_to_web = Dataflow(user, web, "User enters comments (*)")

  25. user_to_web.protocol = "HTTP"

  26. user_to_web.dstPort = 80

  27. = 'Comments in HTML or Markdown'

  28. user_to_web.order = 1

  29. web_to_user = Dataflow(web, user, "Comments saved (*)")

  30. web_to_user.protocol = "HTTP"

  31. = 'Ack of saving or error message, in JSON'

  32. web_to_user.order = 2

  33. web_to_db = Dataflow(web, db, "Insert query with comments")

  34. web_to_db.protocol = "MySQL"

  35. web_to_db.dstPort = 3306

  36. = 'MySQL insert statement, all literals'

  37. web_to_db.order = 3

  38. db_to_web = Dataflow(db, web, "Comments contents")

  39. db_to_web.protocol = "MySQL"

  40. = 'Results of insert op'

  41. db_to_web.order = 4

  42. tm.process()



  1. --dfd | dot -Tpng -o sample.png



  1. --seq | java -Djava.awt.headless=true -jar plantuml.jar -tpng -pipe > seq.png



  1. --report docs/ | pandoc -f markdown -t html > report.html


  1. # Threat Model Sample

  2. ***

  3. ## System Description

  4. {tm.description}

  5. ## Dataflow Diagram

  6. ![Level 0 DFD](dfd.png)

  7. ## Dataflows

  8. Name|From|To |Data|Protocol|Port

  9. ----|----|---|----|--------|----

  10. {dataflows:repeat:{{}}|{{}}|{{}}|{{}}|{{item.protocol}}|{{item.dstPort}}

  11. }

  12. ## Findings

  13. {findings:repeat:* {{item.description}} on element "{{}}"

  14. }


  1. INP01 - Buffer Overflow via Environment Variables

  2. INP02 - Overflow Buffers

  3. INP03 - Server Side Include (SSI) Injection

  4. CR01 - Session Sidejacking

  5. INP04 - HTTP Request Splitting

  6. CR02 - Cross Site Tracing

  7. INP05 - Command Line Execution through SQL Injection

  8. INP06 - SQL Injection through SOAP Parameter Tampering

  9. SC01 - JSON Hijacking (aka JavaScript Hijacking)

  10. LB01 - API Manipulation

  11. AA01 - Authentication Abuse/ByPass

  12. DS01 - Excavation

  13. DE01 - Interception

  14. DE02 - Double Encoding

  15. API01 - Exploit Test APIs

  16. AC01 - Privilege Abuse

  17. INP07 - Buffer Manipulation

  18. AC02 - Shared Data Manipulation

  19. DO01 - Flooding

  20. HA01 - Path Traversal

  21. AC03 - Subverting Environment Variable Values

  22. DO02 - Excessive Allocation

  23. DS02 - Try All Common Switches

  24. INP08 - Format String Injection

  25. INP09 - LDAP Injection

  26. INP10 - Parameter Injection

  27. INP11 - Relative Path Traversal

  28. INP12 - Client-side Injection-induced Buffer Overflow

  29. AC04 - XML Schema Poisoning

  30. DO03 - XML Ping of the Death

  31. AC05 - Content Spoofing

  32. INP13 - Command Delimiters

  33. INP14 - Input Data Manipulation

  34. DE03 - Sniffing Attacks

  35. CR03 - Dictionary-based Password Attack

  36. API02 - Exploit Script-Based APIs

  37. HA02 - White Box Reverse Engineering

  38. DS03 - Footprinting

  39. AC06 - Using Malicious Files

  40. HA03 - Web Application Fingerprinting

  41. SC02 - XSS Targeting Non-Script Elements

  42. AC07 - Exploiting Incorrectly Configured Access Control Security Levels

  43. INP15 - IMAP/SMTP Command Injection

  44. HA04 - Reverse Engineering

  45. SC03 - Embedding Scripts within Scripts

  46. INP16 - PHP Remote File Inclusion

  47. AA02 - Principal Spoof

  48. CR04 - Session Credential Falsification through Forging

  49. DO04 - XML Entity Expansion

  50. DS04 - XSS Targeting Error Pages

  51. SC04 - XSS Using Alternate Syntax

  52. CR05 - Encryption Brute Forcing

  53. AC08 - Manipulate Registry Information

  54. DS05 - Lifting Sensitive Data Embedded in Cache





