threat modeling workshop renting car system
@startuml
' Attack tree for the car-rental system used in the threat modeling workshop.
' Each agent is an attacker goal or step; an arrow runs from a goal to a node
' that refines it. Siblings presumably read as alternatives (OR), since the
' only conjunction is drawn explicitly as the "and" node below - confirm.
skinparam monochrome true
skinparam defaultTextAlignment center
' Root nodes
agent "Steal Car" as goalsteal
agent "Disrupt business operations" as goaldisrupt
' Sub goals
agent "Make car unrentable" as goaldos
agent "Rent all car" as goalrentall
goaldisrupt --> goaldos
goaldisrupt --> goalrentall
' "Rent all car" has no children in this tree; only the "Make car unrentable"
' branch is refined further.
agent "DoS car rentals" as dosrentals
goaldos --> dosrentals
agent "Break Cars" as breakcars
agent "DoS API Gateway" as dosapi
agent "Mess with mobile app" as messmobile
dosrentals --> breakcars
' This is a good opportunity to try refactoring for better view
' Try changing the following ---> to --> and see how it looks
dosrentals ---> dosapi
dosrentals --> messmobile
' Availability of the mobile app: crash it, or get it delisted.
agent "Crash Mobile App" as crashmobile
messmobile --> crashmobile
agent "Get App Removed from App Store" as removestore
messmobile --> removestore
' Availability of the API gateway.
agent "DDoS with many requests" as ddosreq
agent "Screw certificates" as screwcerts
agent "Gain Access to system" as gainsysaccess
dosapi --> ddosreq
dosapi --> screwcerts
dosapi --> gainsysaccess
' gainsysaccess is a shared node: it is also a child of gainowner further
' down, so mitigating it prunes a path in both root trees.
agent "Steal admin credentials" as stealadmincreds
gainsysaccess --> stealadmincreds
' Placeholder leaf: the ways admin credentials could be obtained were not
' worked out in this tree.
agent "(todo)" as detailsadminscred
stealadmincreds --> detailsadminscred
' "Steal Car" branch.
agent "SF Style" as sfstyle
goalsteal --> sfstyle
' NOTE(review): the cloud label looks mis-encoded in this copy; it is probably
' an ellipsis-style placeholder for steps left unspecified - confirm.
cloud "**иии**" as cloud1
sfstyle --> cloud1
' AND node: both children (unlock the car, start the engine) hang off it.
interface "and" as and1
goalsteal --> and1
agent "Unlock Car" as unlockcar
agent "Start Engine" as startengine
and1 --> unlockcar
and1 --> startengine
' Both halves of the AND converge on the same prerequisite, owner-level access.
agent "Gain Car Owner Access" as gainowner
unlockcar --> gainowner
startengine --> gainowner
agent "Get Owner Credentials" as getocreds
gainowner --> getocreds
gainowner --> gainsysaccess
' Ways to obtain owner credentials: technical theft or social engineering.
agent "Steal creds from owner" as stealcreds
getocreds --> stealcreds
agent "Ask nicely" as nicely
getocreds --> nicely
agent "Bluetooth snarfing" as snarf
stealcreds --> snarf
agent "Evil Twin" as eviltwin
stealcreds --> eviltwin
' The only leaf that names a weakness rather than an attacker action: it is
' the condition under which the Bluetooth branch becomes feasible.
agent "Lack of transport crypto" as lackbcrypto
snarf --> lackbcrypto
@enduml
#!/usr/bin/env python3
from pytm import *
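# Data-flow model of the car-rental system from the threat modeling workshop.
# Elements and flows are declared in the same order as before so the generated
# diagram is unchanged; the only code change is that the two boundary loops now
# have properly indented bodies (as listed, the script did not parse).
tm = TM("Renting Car Startup Flow Diagram")
tm.description = "This is a threat model made in the Threat Modeling Workshop."

# --- Actors: the two phones that launch the mobile apps ---------------------
owner = Actor("Owner Phone")
customer = Actor("Customer Phone")

# --- Mobile apps and back-end services --------------------------------------
ownz = Server("Ownz Mobile")
cadz = Server("Cadz Mobile")
apigw = Server("API Gateway")
auth = Server("Auth")
conncar = SetOfProcesses("Connected Car")
abc = Server("ABC")
api = Server("API")
apiar = Server("API AR")
apiai = Server("API AI")
apiamfm = Server("API AM/FM")
# Component behind "API AR" that was not identified during the workshop.
unsure = Process("?")
# todo change this for a cloud?
watson = ExternalEntity("Watson")

# --- Data stores -------------------------------------------------------------
flatfile = Datastore("Flatfile radio stations")
carsdb = Datastore("Cars DB")

# --- Trust boundaries --------------------------------------------------------
insidecar = Boundary("Inside the car")
dmz = Boundary("DMZ")
# NOTE(review): this boundary is named with a single space, so it renders
# without a label; the variable name suggests "production" - confirm and name it.
prod = Boundary(" ")

for element in [conncar, cadz, abc, customer]:
    element.inBoundary = insidecar

# apiai is the only element in the DMZ; it is also the only one that talks to
# the external Watson entity (see apiai2watson below).
apiai.inBoundary = dmz

for element in [apigw, api, apiar, apiamfm, auth, flatfile, carsdb, unsure]:
    element.inBoundary = prod

# NOTE(review): owner, ownz and watson are not placed in any boundary. That
# reads as intentional for the owner's phone and the external entity, but ownz
# ("Ownz Mobile") is treated differently from cadz, which sits inside the car -
# confirm.

# --- Data flows --------------------------------------------------------------
# The third argument is the flow's display name. Labels such as "HTTPS",
# "SSH" or "Kerberos" only name the flow; they do not set its `protocol`
# attribute, so attribute-based threat rules see these flows as unspecified.
# NOTE(review): set the protocol/encryption attributes on each flow if the
# generated threat report is meant to reflect them.
owner2ownz = Dataflow(owner, ownz, "Launch")
customer2cadz = Dataflow(customer, cadz, "Launch")
ownz2apigw = Dataflow(ownz, apigw, "HTTPS")
cadz2apigw = Dataflow(cadz, apigw, "HTTPS")
# Labelled plain HTTP and crossing from the unnamed boundary into the DMZ.
apigw2apiai = Dataflow(apigw, apiai, "HTTP")
apigw2apiamfm = Dataflow(apigw, apiamfm, "SSH")
apigw2apiar = Dataflow(apigw, apiar, "HTTP/2")
# Labelled plain HTTP; both ends are inside the unnamed boundary.
apigw2api = Dataflow(apigw, api, "HTTP")
# The flows named " " below have no protocol recorded at all; each one is an
# open question for the model (how the data store or peer is reached, and
# whether the channel is authenticated and encrypted).
api2carsdb = Dataflow(api, carsdb, " ")
apiaamfm2flatfile = Dataflow(apiamfm, flatfile, " ")
# Leaves the DMZ towards the external entity.
apiai2watson = Dataflow(apiai, watson, " ")
apigw2auth = Dataflow(apigw, auth, "Kerberos")
apiar2unsure = Dataflow(apiar, unsure, " ")
# Both in-car flows reach the shared Cars DB through "ABC", which is placed
# inside the car while the database is in the back-end boundary.
conncar2abc = Dataflow(conncar, abc, " ")
abc2carsdb = Dataflow(abc, carsdb, " ")
# Car-to-app link over Bluetooth, inside the "Inside the car" boundary.
conncar2cadz = Dataflow(conncar, cadz, "Bluetooth")

# Hand the finished model to pytm, which produces the requested output.
tm.process()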