Appendix D

Elevation of Privilege: The Cards

This appendix discusses the threats in the Elevation of Privilege card game. It goes beyond the material included in the game, with the goal of making the game more helpful. Each bulleted item in the lists that follow includes the card, the threat, a brief discussion, and possibly a reference or comments about how to address it.

The aces are all of the form “You've invented a new type of attack.” The intent of “new” is “not clearly covered in a card,” rather than “never before seen.” How to interpret “clearly covered” is up to the group that's playing. You might be liberal, and encourage use of the aces, especially by those who are not security experts. You might be harsh, and set a high bar for security experts. It depends on the tone of your gameplay. However you decide to interpret it, be sure to write down the threat and address it. There is no per-threat-type discussion of aces.

For more on the motivation, design, and development of Elevation of Privilege, see my paper “Elevation of Privilege: Drawing Developers into Threat Modeling” (Shostack, 2012).

Spoofing

Many of the concepts here are discussed at length in Chapter 14, “Accounts and Identity.”

2 of Spoofing. An attacker could squat on the random port or socket that the server normally uses. Squatting is a term of art for a program that occupies the resource before your program starts. If you use a random port (registered with some portmapper), how can a client ensure that ...
