2012 Summer Project Week:Threat Modeling

From NAMIC Wiki
Jump to: navigation, search
Home < 2012 Summer Project Week:Threat Modeling

Key Investigators

  • Kitware: Jean-Christophe Fillion-Robin (JC), Julien Finet (J2)
  • Radnostics: Anthony Blumfield
  • Isomics: Steve Pieper


Identify “low hanging fruit” architecture enhancements that will limit the ability of using 3D slicer as a launching pad to take control of the host computer.

Why now? Earlier architectural changes are cheaper and reduce the application compatibility burden.

Approach, Plan

During project week we will create a high level threat model for 3D Slicer v4 and identify possible mitigations

Focus on elevation of privilege threats; punt other threat types to a later stage

Meeting Tuesday noon-3PM, Room 32-D407 (walk through D408)


Four major areas identified:

  • Code from many sources
  • Complex file formats (e.g. DICOM)
  • Network interfaces
  • Build


  • Start with low hanging fruit
  • Invest in measures that enhance security & quality simultaneously


  • CLIs:
    • Default to executable CLIs running in low privileged child processes. Use in proc libs only when necessary.
    • Reduce execution of CLIs to those actually used by supporting an xml file rather than --xml
    • Investigate sandboxes for python. (i.e pysandbox)
  • Complex file formats
    • Investigate loading and validating files in low privileged child process
  • Network interfaces
    • Investigate limiting functionality and sandboxing
    • What is the situation with OpenIGTLink?
  • Secure build: compiler/linker options
  • Best practices

Delivery Mechanism

  1. Document


  • Swiderski F, Snyder W. Threat Modeling. ISBN-0735619913
  • Howard M, LeBlanc D. Writing Secure Code, Second Edition. ISBN-0735617228