Python 3.x

Graphviz package

Java (OpenJDK 10 or 11)




git clone

工具使用 [-h] [--debug] [--dfd] [--report REPORT] [--exclude EXCLUDE] [--seq] [--list] [--describe DESCRIBE]


optional arguments:

  -h, --help           show this help message and exit

  --debug              print debug messages

  --dfd                output DFD (default)

  --report REPORT      output report using the named template file (sample template file is under docs/

  --exclude EXCLUDE    specify threat IDs to be ignored

  --seq                output sequential diagram

  --list               list all available threats

  --describe DESCRIBE  describe the properties available for a given element



(pytm) ➜  pytm git:(master) ✗ ./ --describe Element
















如果你是安全从业人员的话,你也可以向“ threatlib/threats.json ”文件中添加新的威胁属性:



   "target": ["Lambda","Process"],

   "description": "Buffer Overflow via Environment Variables",

   "details": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.",

   "Likelihood Of Attack": "High",

   "severity": "High",

   "condition": "target.usesEnvironmentVariables is True and target.sanitizesInput is False and target.checksInputBounds is False",

   "prerequisites": "The application uses environment variables.An environment variable exposed to the user is vulnerable to a buffer overflow.The vulnerable environment variable uses untrusted data.Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.",

   "mitigations": "Do not expose environment variable to the user.Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.",

   "example": "Attack Example: Buffer Overflow in $HOME A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.",

   "references": ", CVE-1999-0906, CVE-1999-0046,,,"



threats.json ”文件中包含的字符串可以通过 eval() 函数来运行,它可以确保文件拥有正确的权限并确保代码能够正确执行。

下面的样本是tm.py文件,它描述了一个简单的应用程序,其中一名用户“ User ”登录进了应用程序,然后在App上发布了评论。App服务器将这些评论存储进了数据库,服务器中有一个 AWS Lambda 会定期清理数据库。

#!/usr/bin/env python3


from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor, Lambda


tm = TM("my test tm")

tm.description = "another test tm"


User_Web = Boundary("User/Web")

Web_DB = Boundary("Web/DB")


user = Actor("User")

user.inBoundary = User_Web


web = Server("Web Server")

web.OS = "CloudOS"

web.isHardened = True


db = Datastore("SQL Database (*)")

db.OS = "CentOS"

db.isHardened = False

db.inBoundary = Web_DB

db.isSql = True

db.inScope = False


my_lambda = Lambda("cleanDBevery6hours")

my_lambda.hasAccessControl = True

my_lambda.inBoundary = Web_DB


my_lambda_to_db = Dataflow(my_lambda, db, "(λ)Periodically cleans DB")

my_lambda_to_db.protocol = "SQL"

my_lambda_to_db.dstPort = 3306


user_to_web = Dataflow(user, web, "User enters comments (*)")

user_to_web.protocol = "HTTP"

user_to_web.dstPort = 80 = 'Comments in HTML or Markdown'

user_to_web.order = 1


web_to_user = Dataflow(web, user, "Comments saved (*)")

web_to_user.protocol = "HTTP" = 'Ack of saving or error message, in JSON'

web_to_user.order = 2


web_to_db = Dataflow(web, db, "Insert query with comments")

web_to_db.protocol = "MySQL"

web_to_db.dstPort = 3306 = 'MySQL insert statement, all literals'

web_to_db.order = 3


db_to_web = Dataflow(db, web, "Comments contents")

db_to_web.protocol = "MySQL" = 'Results of insert op'

db_to_web.order = 4




如果在运行 文件时使用了“ --dfd ”参数,那么它将会向stdout生成输出文件: --dfd | dot -Tpng -o sample.png


下列命令可以生成一份序列图: --seq | java -Djava.awt.headless=true -jar plantuml.jar -tpng -pipe > seq.png

生成的图表和数据可以引入到模板文件中来创建最终的报告: --report docs/ | pandoc -f markdown -t html > report.html


# Threat Model Sample


## System Description


## Dataflow Diagram

![Level 0 DFD](dfd.png)

## Dataflows

Name|From|To |Data|Protocol|Port




## Findings

{findings:repeat:* {{item.description}} on element “{{}}”



INP01 - Buffer Overflow via Environment Variables

INP02 – Overflow Buffers

INP03 – Server Side Include (SSI) Injection

CR01 – Session Sidejacking

INP04 – HTTP Request Splitting

CR02 – Cross Site Tracing

INP05 – Command Line Execution through SQL Injection

INP06 – SQL Injection through SOAP Parameter Tampering

SC01 – JSON Hijacking (aka JavaScript Hijacking)

LB01 – API Manipulation

AA01 – Authentication Abuse/ByPass

DS01 – Excavation

DE01 – Interception

DE02 – Double Encoding

API01 – Exploit Test APIs

AC01 – Privilege Abuse

INP07 – Buffer Manipulation

AC02 – Shared Data Manipulation

DO01 – Flooding

HA01 – Path Traversal

AC03 – Subverting Environment Variable Values

DO02 – Excessive Allocation

DS02 – Try All Common Switches

INP08 – Format String Injection

INP09 – LDAP Injection

INP10 – Parameter Injection

INP11 – Relative Path Traversal

INP12 – Client-side Injection-induced Buffer Overflow

AC04 – XML Schema Poisoning

DO03 – XML Ping of the Death

AC05 – Content Spoofing

INP13 – Command Delimiters

INP14 – Input Data Manipulation

DE03 – Sniffing Attacks

CR03 – Dictionary-based Password Attack

API02 – Exploit Script-Based APIs

HA02 – White Box Reverse Engineering

DS03 – Footprinting

AC06 – Using Malicious Files

HA03 – Web Application Fingerprinting

SC02 – XSS Targeting Non-Script Elements

AC07 – Exploiting Incorrectly Configured Access Control Security Levels

INP15 – IMAP/SMTP Command Injection

HA04 – Reverse Engineering

SC03 – Embedding Scripts within Scripts

INP16 – PHP Remote File Inclusion

AA02 – Principal Spoof

CR04 – Session Credential Falsification through Forging

DO04 – XML Entity Expansion

DS04 – XSS Targeting Error Pages

SC04 – XSS Using Alternate Syntax

CR05 – Encryption Brute Forcing

AC08 – Manipulate Registry Information

DS05 – Lifting Sensitive Data Embedded in Cache


Pytm:【 GitHub传送门

*参考来源: izar ,FB小编Alpha_h4ck编译,转载请注明来自FreeBuf.COM