Eviltwin

My Threat Model: My Evil Twin

I firmly believe that the threat model (and therefore security requirements) need to be enumerated at the beginning of the design process, and the system security considered as a whole (not in component isolation).

The first step in my threat model is an adversary who is as creative, as intelligent, as innovative, as resourceful as possible. Thus my "Evil Twin". For simply if I could model an adversary who is MORE creative, resourceful, and innovative than my evil twin, I could run that model and become more resourceful etc...

The second step is to specify objectives and motivation, for both are necessary. Why should someone attack this system? What is the goal? You don't put a $10 lock on a $1 rock simply because nobody would bother stealing a $1 rock more than 10 times!

Finally, the resources need to be specified? Is it my evil twin, bored after work? Taking a month or two? With a clone army? A nation state budget?

It is also the evil twin's system level approach which matters.

For example, when Steve Trimberger designed Xilinx's bitfile protetion in the Virtex II bitfile security protection (designed to prevent unauthorized copies of an FPGA design), he made a deliberate decision, to the effect that "It would cost, say, $100,000 to bribe an engineer to get a copy of a design protected by the bitfile encryption. Thus I can only consider attacks costing less than $100,000, because there is a threat that can't be addressed through the technical means that requires just $100k, and so a sensible attacker, rather than spending $500,000 on a technical break, would just go for simple espionage instead."