The attack methods and their system-level objectives listed above are targeted against “something.” Taken together, those “somethings” are the attack surfaces of the architecture. In most systems—that is, examining most architectures—some attack surfaces will be more exposed than others. Ultimately, the ARA and threat modeling process should prioritize the exposed attack surfaces.
In the ATASM process, we try to enumerate all the attack surfaces before we categorize the importance of each surface. It’s useful to avoid the prioritization process during enumeration. Think of it as an attack surface brainstorm: any discussion about the legitimacy or fitness of an attack surface tends to bog the enumeration down in too many details, and that breaks the natural flow that results from nonjudgmental observation. It’s easy to miss an attack surface, especially when it seems inconsequential, or when the function just seems to be “part of the running program.” For that very reason, getting a good flow of nonjudgmental inspection can help to uncover all the attack surfaces. Prioritization can come later, once everything has been uncovered. In the process being described in this chapter, we simply enumerate all the attack surfaces and try to avoid discussion of their importance and exposure until a later step.
In order to find the attack surfaces, we first must break down the architecture sufficiently to expose them. If you’re not comfortable with the architecture decomposition and factoring process, review Chapter 3, in which these processes are explained in detail.