Threat Modeling an Application [Moodle] Using STRIDE

In this writeup, my research partner, Chris Bassey and I generated a threat model on an Open Source Learning Management System application called Moodle.

1. Introduction.

Why Create Threat Models?

Threat modeling is a systematic approach to decoupling and mapping out data flow and entry points of a system to identify potential threats and vulnerabilities. Threat modeling applies to systems ranging from software, hardware to networks.

The definition of the object for threat modeling

Moodle(Web Application), https://moodle.org/ — This is an open source learning management system(LMS) used by educators and students. The use of Moodle increased in recent times because of the COVID-19 pandemic, universities and schools incorporated the use because of the ease of use and remote capabilities of the software.

Description: Moodle is a free open-source learning management system built on PHP using a MySQL database. The reason for threat modeling Moodle is that it has one of the largest market shares for LMS usage and if it has vulnerabilities, it will affect a lot of users.

Threat Modelling Tool Used

Microsoft Threat Modelling Tool — https://www.microsoft.com/en-us/download/details.aspx?id=49168

Justification

The Microsoft threat modeling tool works using the cyclic process of diagram > identify > mitigate > validate. This is important as the threat modeling landscape is continually changing and one change in a component requires the whole model to be re-evaluated.

The template used for the threat modeling in the Microsoft tool is the Software Development Lifecycle(SDL) template as it is built on the STRIDE threat modeling doctrine.

2. Data Flow Diagram(DFD) Model

DFD which is the data flow diagram shows the movement of data or data flow and its interaction with other components in an application. This DFD model generated for this writeup is limited to the Moodle web application.

Data Flow Diagram — Moodle

The identification of components

Before proceeding with the threat model proper, it is important to identify the various components of the system and how they interact. this can be achieved with a variety of tools — Browser inspection tools, port scanners, burp suite e.t.c.

Programming Language[s]: PHP

This is a programming language suited for web development whose code is executed on the server-side. It is used to manage dynamic content, databases, session tracking among others.

Web server: Typically Moodle can be deployed on any webserver supporting PHP e.g litespeed, apache, nginx. They can be identified via service fingerprinting.

Web server OS: The operating system the webserver is being run on should be identified as well.

Database: MySQL

MySQL is an open-source relational database where data is organized into tables, columns, and rows. It supports retrieval, insertion, and general querying of the DBMS using a structured query language (SQL). MySQL is installed on the operating system as the data is stored utilizing computer storage.

Network Protocols: HTTP/HTTPS

HTTPS is the hypertext transfer protocol secure. This is the encrypted version of HTTP which is used to send data between a browser and a web server.

IP Address: The IP address of the infrastructure should be identified. This can be done via pings, nslookups, and digs.

Users

These are external and internal actors that interact with the Moodle system like Teachers, Students, Administrators, Course creators, etc. These users have different authorization levels.

Application codebase

These are the files holding the PHP code for execution by the webserver. These files contain all the logic needed to run the Moodle application and perform operations with the database.

Components for Moodle

Moodle Components

3. The STRIDE Threat modeling technique

This is a threat identification model developed to identify security threats in 6 categories.

The categories are

• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of service
• Elevation of privilege.

The STRIDE model is important as it provides a quick list of threats for identification in applications.

The definition of threats

Using the STRIDE model, some threats were identified and classified based on this. They are:

Spoofing

• The external entity logging in may have had his credentials spoofed or stolen as a result, the user access is given to is not the right user. This threat is on the browser -> access request data flow section.
• An administrative or teacher account from the MySQL Database may be spoofed by an attacker and this may lead to access to the moodle admin panel. This is on the webserver/database boundary data flow.

Attack Options

• Password theft via phishing
• Password crashing via brute-forcing
• Attack on Moodle vulnerabilities.
• Create a new account directly on the database

Attack Tree

Stride Attack Tree

Tampering

• Data flowing from the webserver to the database may be tampered with in transit by an attacker (assume database and webserver are on the same server). This can lead to corruption of the database or the entry of wrong information into the database. — Web server/Database data flow.
• User inputs that end up being passed into SQL statements for execution on the database can be manipulated by an attacker to modify existing data. — User browser data flow.

Attack Tree

Tampering Attack Tree

Repudiation

• The MySQL database may claim that data sent from the client browser via the webserver was not written to it. — Web Server/Database data flow.
• A browser client may claim it did not receive a response sent from the webserver or it did not send data to the webserver. — User browser boundary data flow.

Information Disclosure

• Improper limit of responses to queries made from the database can allow an attacker to read information not intended for disclosure. E.g when a user’s single course grade is requested but all students’ grades in that course are returned and then filtered on the frontend. — Web Server — database data flow
• Data flowing across the access request and response may be sniffed by an attacker — User browser boundary data flow

Attack tree

Information Disclosure Attack Tree

Denial of Service

• An external agent can overwhelm the webserver with traffic denying a user access to the platform. — User browser boundary data flow.
• A security attacker can overwhelm the data store by trying to write more data than the database can handle thus denying the rest of the web service access to it.

Denial of Service Attack Tree

Elevation of Privilege

• A user may be able to gain elevated privileges beyond his authorized role and modify grades and other restricted elements. — User browser data flow
• An attacker may pass data into Access Request Service in order to change the flow of program execution within Access Request Service to the attacker’s choosing. — User browser data flow.

Attack tree

Escalation of Privileges Attack Tree

4. The Potential attacks severity calculation

The potential attacks severity calculation is done using the common vulnerability scoring system version 3, https://www.first.org/cvss/calculator/3.0. This informs decisions that will be made surrounding remediation and fixes. The CVSS base scores are calculated using Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability.

CVSS-1

CVSS — 2

Summary

Using the STRIDE model and DFD diagrams we have successfully generated a threat model for one of the most popular open-source LMS in use. While some of these threats may already have countermeasures, it would inform application developers and deployment specialists on the issues to look out for and be wary of when building their applications as all threat models do.