informa
5 min read
article

What Star Wars Teaches Us About Threats

The venerable film franchise shows us how to take threats in STRIDE.

Over years of teaching threat modeling — including the STRIDE mnemonic, which I'll describe here — I've found that people often get stuck when trying to answer "what can go wrong?" My favorite way to help them clear these hurdles is with stories from a long time ago in a galaxy far, far away.

Star Wars offers an accessible and expansive set of examples. It lets us focus on fun rather than fear because fun leads to engagement. Engagement leads to understanding. And understanding leads to better threat modeling.

From a certain point of view, Star Wars: A New Hope is a tutorial in the STRIDE threats. Let's start with the first of those threats, "Spoofing."

How does R2-D2 know who Obi-Wan Kenobi is? How can he decide to play the recording of Princess Leia for Obi-Wan, but not Luke? These questions allow us to go investigate concepts of identifiers and authenticity while making them tangible and relatable.

Questions of Authenticity: "Who Is This? What Is Your Operating Number?"
Authenticity first requires an identifier: a statement of who you are. This might be a name ("Han Solo") or a role ("Stormtrooper"). Either might be true or false. Given the risk of impersonation, confusion, or lies, we look for authentication factors, such as an ID, a password, or a uniform. Then we evaluate if the identifier is authentic and grant (or deny) authorization.

There are many forms of authentication to consider, depending on if the authentication is by a person or a computer and to a person or a computer. This gives us a way to look at spoofing in different scenarios, including the offensive mechanisms used and the defensive protections.

Human Identifiers: "TK421, Do You Copy?"
People are exceptionally good at identifying people they know well, even after a long time without seeing them. Not recognizing someone is awkward because we expect to be recognized. Recognizing those you're close to: friends and family, or even co-workers, is implicit and automatic. We don't need authenticators.

But outside that circle, it gets rapidly harder. We use a lot of implicit identifiers: uniforms, knowledge, patterns of speech, and some people even use explicit ones, asking to see your identification.

Most of the heroes pretend to be someone other than themselves. Princess Leia pretends to not be a rebel leader after Darth Vader captures her ship. Old Ben pretends not to be Obi-Wan Kenobi, while lying to Luke about his father Anakin being killed by Darth Vader. Luke and Han pretend to be Stormtroopers.

Technical Identifiers: "I Am C-3PO, Human Cyborg Relations"
Many types of technical identifiers exist for services, machines, files, processes, and users. Some are designed for humans, such as "threatsbook.com," others are designed for computers, such as 172.18.19.20. And of course, there's tools to map between them.

It's hard to say when the first spoofed login screen was created, but it was probably around the time teletypes were replaced with electronic terminals. Someone could easily write a program that worked like this:

  • LOGIN: Accept a name and password.
  • Store them.
  • Display "Login incorrect" and logout, allowing the real login program to run.

Authenticating to remote computers only made this worse with the same pattern of false login prompts — now labeled phishing.

Star Wars also gives us examples of how people and technology interact to authenticate one another. R2-D2 authenticates Obi-Wan Kenobi before showing him the hologram of Leia. R2-D2 is also able to spoof an imperial droid when he plugs into the Death Star to find the main controls for the tractor beam, identify where Leia is being held, and shut down all the garbage smashers on the main detention level.

Clearly the Empire has an authentication problem.

A Galaxy's Worth of Case Studies
Watching Obi-Wan can teach you much about cybersecurity:

  • He Tampers with a power converter
  • He Repudiates claims about Luke's father
  • He Exceeds his authority in telling Stormtroopers that "these aren't the droids you're looking for."

Right here, we have most of the elements of the STRIDE mnemonic. There's also information disclosure, and of course, from the crawl through the destruction of the first Death Star, Star Wars is the story of Information disclosure (the I in STRIDE). That leaves only Denial-of-service, like blowing up a shield generator on a forest moon of Endor.

Enjoyment and stories are both powerful teaching aids. I've been using Star Wars as a hook to get people excited and to give them bits that help them remember for years now. Many engineers want to have a better handle on the question "what can go wrong with this code I'm working on?" They don't want to write insecure code, and they don't want to be exploit writers or security operators.

And maybe they don’t even want to learn about something that sounds abstract, like threat modeling. That’s fine – we can be concrete and have fun learning about the threats that motivate our work.

That's why I'm really excited to go in depth and take these lessons to the next level with my next book, Threats: What Every Engineer Should Learn from Star Wars, coming this fall. For all the fun, we need engineers to know what threats to consider, and what they mean. If we want people to build more secure systems ... it's our only hope!