Content
- Iriusrisk Core Diagramming Constructs
- Iriusrisk Meta-data Attributes
- Component Draw.io Representation
- Dataflow Draw.io Representation
- Anatomy of a valid IriusRisk draw.io file
Overview
IriusRisk uses draw.io (now called diagrams.net) as its primary diagramming tool. In order for IriusRisk to generate a threat model, it attaches meta-data to a standard draw.io diagram. If you use the draw.io instance embedded in IriusRisk, this happens transparently. But if you want to generate a draw.io diagram yourself, or import an external diagram, you can add this meta-data to the draw.io XML so that IriusRisk can generate a threat model from it immediately.
This document describes what meta-data needs to be added, and how to add it to the standard draw.io XML format.
Iriusrisk Core Diagramming Constructs
TrustZones
TrustZones contain components. All components must belong to a TrustZone, i.e. they must be “inside” a TrustZone diagrammatically. TrustZones can nest within each other.
Components
Components can optionally belong to other components, that is to say components can be inside other components, with no restriction on the nesting depth.
Shapes in draw.io that are mapped to IriusRisk components must belong to a TrustZone. If they do not, then IriusRisk will display an error when generating the threat model.
Shapes within draw.io that do not have the required meta-data attributes are simply ignored by IriusRisk when the threat model is generated.
Dataflows
Components can have dataflows that connect to other components. Dataflows must be uni-directional. Dataflows can contain attributes such as the data assets transmitted across them, a name for the dataflow and arbitrary string tags. There can only be one dataflow in the same direction between two components.
Iriusrisk Meta-data Attributes
Construct | Draw.io Tag | Attributes
Trustzone | mxCell | ir.type=TRUSTZONE ir.ref=<unique ID for the TrustZone as mapped in IriusRisk>
Component | mxCell | ir.componentDefinition.ref=<the uniquely identifying component name> ir.type=COMPONENT
DataFlow Tag | mxCell | ir.type=DATAFLOW_TAG
Component Tag | mxCell | ir.type=COMPONENT_TAG
Dataflow | object with mxCell | ir.ref=<unique ID for the dataflow, defined by the diagram and not mapped in IriusRisk> ir.tags=<type(s) of data flowing, separated by commas>
Asset | mxCell | ir.assets=<name of asset>
Trustzone Draw.io Representation
Define a TrustZone within an mxCell element by adding ir.ref and ir.type to the style attribute.
ir.ref
The ir.ref of a TrustZone is a unique GUID that maps the TrustZone to IriusRisk. These GUIDs are predefined in a given IriusRisk domain setup, so your draw.io diagram is required to use the same GUID that is present in your domain. See the section Trustzone Reference below for examples of the TrustZones set up in a particular domain.
ir.ref=a5bf6278-da3e-4252-80ee-7054a551a170
ir.type
The ir.type tells IriusRisk which construct the mxCell represents. For TrustZones the type is:
ir.type=TRUSTZONE
value
The value attribute contains the name of the TrustZone. This value is transitory: once the diagram is uploaded to IriusRisk and the model is generated, the name is replaced by the name of the TrustZone referenced by the ir.ref value.
Example:
<mxCell id="2" value="Public Cloud" style="editable=0;ir.ref=a12d6060-de84-4d11-b299-77c9dd18e314;recursiveResize=0;rounded=0;whiteSpace=wrap;html=1;dashed=1;strokeColor=#FF3332;verticalAlign=top;strokeWidth=2;fillColor=#F5F5F5;fontColor=#000000;opacity=60;connectable=0;container=1;ir.type=TRUSTZONE;" parent="1" vertex="1">
<mxGeometry x="750" y="160" width="180" height="230" as="geometry"/>
</mxCell>
Produces
Component Draw.io Representation
ir.componentDefinition.ref
The ir.componentDefinition.ref uniquely identifies the type of component. This is the most important attribute because it relates the draw.io shape to the corresponding Component Definition in IriusRisk.
resIcon
The resIcon style key identifies the icon used to draw an external resource; in this example, an AWS resource icon.
Draw.io for an AWS CloudFront component
<mxCell id="8" value="CF - CloudFront" style="ir.ref=baee7d87-24d8-4f19-969b-ece26c3f7662;ir.componentDefinition.ref=cf-cloudfront;resIcon=mxgraph.aws4.cloudfront;outlineConnect=0;fontColor=#232F3E;gradientColor=#F78E04;gradientDirection=north;fillColor=#D05C17;strokeColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontStyle=0;fontColor=#064C79;fontSize=12;aspect=fixed;shape=mxgraph.aws4.resourceIcon;ir.type=COMPONENT;ir.synchronized=1;" parent="3" vertex="1">
<mxGeometry x="150" y="260" width="62.4" height="62.4" as="geometry"/>
</mxCell>
Dataflow Draw.io Representation
A dataflow is defined by an edge element whose parent, source and target attributes reference the mxCell id values of the containing cell and of the source and target components.
ir.tags
Used to attach information relevant to the purpose of a dataflow. In this case the HTTPS protocol is associated with a dataflow representing the ingress of an AWS Security Group.
ir.ref
ir.ref associates a unique GUID with the dataflow. Unlike a TrustZone, it does not have to match a predefined GUID; a randomly generated id is assigned.
<mxCell id="6" value="Web Client -> S3 - Simple Storage Service" style="edgeStyle=none;curved=1;html=1;ir.synchronized=1;strokeColor=#27aae1;strokeWidth=3;ir.ref=44095c16-6612-4362-8bc6-476d0acce392;ir.tags=HTTPS;" parent="1" source="5" target="4" edge="1">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
ir.assets
Used to associate selected assets with a dataflow.
<mxCell id="6" value="Web Client -> S3 - Simple Storage Service" style="edgeStyle=none;curved=1;html=1;ir.synchronized=1;strokeColor=#27aae1;strokeWidth=3;ir.ref=44095c16-6612-4362-8bc6-476d0acce392;ir.assets=Personally Identifiable Information;ir.tags=HTTPS;" parent="1" source="5" target="4" edge="1">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
Component Tag Draw.io Representation
ir.type defines a type that is understood by IriusRisk. In the following example, COMPONENT_TAG is the type used to associate the value "10.0.0.0/16" with its parent VPC component (referenced by the parent attribute).
<mxCell id="11" value="10.0.0.0/16" style="text;align=center;connectable=0;deletable=0;editable=0;html=1;ir.type=COMPONENT_TAG;points=[];resizable=0;verticalAlign=top;" parent="9" vertex="1">
<mxGeometry x="0.5" y="1" relative="1" as="geometry"/>
</mxCell>
Anatomy of a valid IriusRisk draw.io file
In this section we provide an example of a well-formed draw.io input file with all the required IriusRisk attributes prior to a threat model being generated.
Initial Diagram
Threat Model Updated
By clicking the "Model is out of date. Click here to update the threat model" button, IriusRisk analyzes the draw.io diagram to determine the threats and countermeasures associated with it.
Draw.io - with IriusRisk elements highlighted
Draw.io - Raw
<?xml version="1.0" encoding="UTF-8"?>
<mxfile host="ken.iriusrisk.com" modified="2021-03-08T18:22:45.005Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" version="12.2.4" etag="Yx_EoT9caGS7ywPdwqEE" pages="1">
<diagram id="cYTq-YUnH-bELTsAcWOM" name="Page-1">
<mxGraphModel dx="1468" dy="733" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="4681" pageHeight="3300" math="0" shadow="0">
<root>
<mxCell id="0"/>
<mxCell id="1" parent="0"/>
<mxCell id="2" value="Public Cloud" style="editable=0;ir.ref=a12d6060-de84-4d11-b299-77c9dd18e314;recursiveResize=0;rounded=0;whiteSpace=wrap;html=1;dashed=1;strokeColor=#FF3332;verticalAlign=top;strokeWidth=2;fillColor=#F5F5F5;fontColor=#000000;opacity=60;connectable=0;container=1;ir.type=TRUSTZONE;" parent="1" vertex="1">
<mxGeometry x="750" y="160" width="180" height="230" as="geometry"/>
</mxCell>
<mxCell id="4" value="S3 - Simple Storage Service" style="ir.ref=37d7b850-cf05-472c-8656-25681b7b152e;ir.componentDefinition.ref=s3;resIcon=mxgraph.aws4.s3;outlineConnect=0;fontColor=#232F3E;gradientColor=#F78E04;gradientDirection=north;fillColor=#D05C17;strokeColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontStyle=0;fontColor=#064C79;fontSize=12;aspect=fixed;shape=mxgraph.aws4.resourceIcon;ir.type=COMPONENT;ir.synchronized=1;" parent="2" vertex="1">
<mxGeometry x="59" y="84" width="62.4" height="62.4" as="geometry"/>
</mxCell>
<mxCell id="3" value="Internet" style="editable=0;ir.ref=efe968a6-36e9-49ac-84e6-7e826b736965;recursiveResize=0;rounded=0;whiteSpace=wrap;html=1;dashed=1;strokeColor=#FF3332;verticalAlign=top;strokeWidth=2;fillColor=#F5F5F5;fontColor=#000000;opacity=60;connectable=0;container=1;ir.type=TRUSTZONE;" parent="1" vertex="1">
<mxGeometry x="420" y="160" width="180" height="230" as="geometry"/>
</mxCell>
<object label="Web Client" ir.description="" id="5">
<mxCell style="ir.ref=d48f357d-676b-4705-805c-6900ad90e1f2;ir.componentDefinition.ref=web-client;rounded=1;whiteSpace=wrap;html=1;strokeWidth=3;strokeColor=#B9D0E6;fillColor=#DBEAF7;fontColor=#064C79;fontSIZE=12;ir.type=COMPONENT;ir.synchronized=1;ir.tags=Team A;" parent="3" vertex="1">
<mxGeometry x="30" y="80" width="120" height="70" as="geometry"/>
</mxCell>
</object>
<mxCell id="7" value="Team A" style="text;html=1;resizable=0;editable=0;deletable=0;connectable=0;points=[];ir.type=COMPONENT_TAG;align=center;verticalAlign=top;" parent="5" vertex="1">
<mxGeometry x="0.5" y="1" relative="1" as="geometry"/>
</mxCell>
<mxCell id="6" value="Web Client -> S3 - Simple Storage Service" style="edgeStyle=none;curved=1;html=1;ir.synchronized=1;strokeColor=#27aae1;strokeWidth=3;ir.ref=44095c16-6612-4362-8bc6-476d0acce392;ir.assets=Personally Identifiable Information;ir.tags=HTTPS;" parent="1" source="5" target="4" edge="1">
<mxGeometry relative="1" as="geometry"/>
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>
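The structural rules stated above (every component inside a TrustZone and carrying ir.componentDefinition.ref, dataflows only between components with at most one per direction, cells without ir.* meta-data ignored) can be checked before a file is uploaded. The following Python validator is an added example, not IriusRisk's own code: the embedded mxfile, its ids and its ref values are constructed placeholders, and it treats any edge carrying ir.ref as a dataflow, an assumption drawn from the dataflow example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the page's format; ids and ref values are placeholders, not real IriusRisk refs.
SAMPLE = """<mxfile><diagram id="d1"><mxGraphModel><root><mxCell id="0"/><mxCell id="1" parent="0"/>
<mxCell id="2" value="Public Cloud" style="ir.ref=TZ-GUID-PLACEHOLDER;container=1;ir.type=TRUSTZONE;" parent="1" vertex="1"/>
<mxCell id="4" value="S3" style="ir.ref=C1;ir.componentDefinition.ref=s3;ir.type=COMPONENT;" parent="2" vertex="1"/>
<object label="Web Client" id="5"><mxCell style="ir.ref=C2;ir.componentDefinition.ref=web-client;ir.type=COMPONENT;" parent="1" vertex="1"/></object>
<mxCell id="6" style="ir.ref=F1;ir.tags=HTTPS;" parent="1" source="5" target="4" edge="1"/><mxCell id="8" style="ir.ref=F2;" parent="1" source="5" target="4" edge="1"/>
<mxCell id="9" value="free text" style="text;html=1;" parent="1" vertex="1"/></root></mxGraphModel></diagram></mxfile>"""

def parse_style(style):
    """Split draw.io's 'key=value;key;' style string into a dict (bare tokens map to '')."""
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in (style or "").split(";") if p)

def load_cells(xml_text):
    """Map every cell id to (attributes, style dict); an <object> wrapper owns its inner mxCell's id."""
    cells = {}
    for el in ET.fromstring(xml_text).iter():
        cell = el.find("mxCell") if el.tag == "object" else el
        if el.tag not in ("object", "mxCell") or cell is None or el.get("id") is None:
            continue  # skips non-cell elements and the id-less mxCell nested inside an <object>
        attrs = dict(cell.attrib, id=el.get("id"))
        cells[attrs["id"]] = (attrs, parse_style(cell.get("style")))
    return cells

def validate(xml_text):
    """Apply the page's rules; returns a list of error strings (empty list means the file passes)."""
    cells, errors = load_cells(xml_text), []
    comps = {c for c, (_, s) in cells.items() if s.get("ir.type") == "COMPONENT"}
    def in_trustzone(cid, seen=()):
        if cid not in cells or cid in seen:
            return False  # reached the root (or a parent cycle) without finding a TrustZone
        attrs, style = cells[cid]
        return style.get("ir.type") == "TRUSTZONE" or in_trustzone(attrs.get("parent"), seen + (cid,))
    for cid in sorted(comps):
        attrs, style = cells[cid]
        if "ir.componentDefinition.ref" not in style:
            errors.append(f"component {cid}: missing ir.componentDefinition.ref")
        if not in_trustzone(attrs.get("parent")):
            errors.append(f"component {cid}: not inside a TrustZone")
    flows = set()
    for cid, (attrs, style) in cells.items():
        # Assumption: an edge carrying ir.ref is an IriusRisk dataflow; other edges are ignored.
        if attrs.get("edge") != "1" or "ir.ref" not in style:
            continue
        pair = (attrs.get("source"), attrs.get("target"))
        if not comps.issuperset(pair):
            errors.append(f"dataflow {cid}: source and target must be components")
        elif pair in flows:
            errors.append(f"dataflow {cid}: duplicate flow {pair[0]}->{pair[1]}")
        flows.add(pair)
    return errors
```

Running validate(SAMPLE) reports the Web Client sitting outside any TrustZone and the second flow in the same direction, while the free-text cell without ir.* attributes is ignored.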