Quickly find Elevation Of Privilege issues using CRUD+E (CRUDE)

Find elevation of privilege (EoP) issues quickly using CRUD.

The most crucial part of threat modelling is to find elevation of privilege (EoP) issues quickly. This method adds another tool that helps the team take a more granular approach to finding EoP mismatches.

The acronym CRUD stands for Create, Read, Update and Delete. These are the four basic functions of data access and operation. Each letter in the acronym can refer to any of the functions executed in standard API calls (both internal and external).

Here’s a breakdown of CRUD capabilities:

• Create – insert new data into the data record or function call

• Read – retrieve a copy of the data record or function call

• Update – modify data in the data record or function call

• Delete – remove data from the data record or function call

Most operations also have a further dimension: agents performing the tasks that those operations expose. This is represented by adding Execute to CRUD.

CRUD+E represents the actual access control on each element in the diagram.

Step by step actions against a threat model

1. The team assesses each element and flow connection and designates which CRUDE capabilities currently exist for that element or flow.

   a. Example – a database may be unrestricted and therefore allow all of CRUD, plus allow roles to Execute stored procedures. This gives the database element a full CRUDE.

2. Define each of the roles that will access the system.

   a. Example – an Anonymous role would have Create capability only.

3. Iterate through each element with each role and record the difference between the role’s CRUDE and the element’s CRUDE.

   a. Example – the team tests Anonymous (R) access to the database above (CRUDE). This gives a difference of CUDE, a very dangerous set of capabilities that Anonymous could gain.

4. The team designs controls to mitigate or remove the difference found above.

   a. Example – the team enforces limited role access to the database, only allowing roles direct access to stored procedures (E). The CUD difference has been mitigated by the new access control restrictions.
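The four steps above, carried through in code as an added example (not part of the original article): elements and roles are recorded as CRUDE sets, the per-pair difference of step 3 is computed for every role against every element, and the step 4 restriction is applied to see what gap remains. The element and role names, and the `ThreatModel` helper itself, are assumptions for illustration; after the mitigation the remaining gap (E) is left visible so the team can decide whether to grant it explicitly.

```python
# Added example, not the article's own tooling: a minimal CRUDE gap calculator.
from dataclasses import dataclass, field

CRUDE = "CRUDE"  # Create, Read, Update, Delete, Execute (canonical order)


def parse_crude(spec: str) -> frozenset:
    """Turn a capability string such as 'CRUDE' or 'R' into a set of letters."""
    letters = frozenset(spec.upper())
    unknown = letters - frozenset(CRUDE)
    if unknown:
        raise ValueError(f"unknown CRUDE letter(s): {sorted(unknown)}")
    return letters


def fmt(caps) -> str:
    """Render a capability set in canonical CRUDE order, '-' when empty."""
    return "".join(c for c in CRUDE if c in caps) or "-"


@dataclass
class ThreatModel:
    elements: dict = field(default_factory=dict)  # element -> capabilities it exposes
    roles: dict = field(default_factory=dict)     # role -> capabilities it should have

    def add_element(self, name, spec):  # step 1: what the element currently allows
        self.elements[name] = parse_crude(spec)

    def add_role(self, name, spec):     # step 2: what the role is meant to have
        self.roles[name] = parse_crude(spec)

    def gap(self, role, element) -> frozenset:
        """Step 3: capabilities the element exposes beyond what the role should have."""
        return self.elements[element] - self.roles[role]

    def findings(self) -> list:
        """Every (role, element) pair with a non-empty gap, i.e. a potential EoP."""
        return [(r, e, self.gap(r, e))
                for r in self.roles for e in self.elements if self.gap(r, e)]

    def restrict_element(self, element, spec):
        """Step 4: an access-control restriction narrows what the element exposes."""
        self.elements[element] &= parse_crude(spec)


if __name__ == "__main__":
    tm = ThreatModel()
    tm.add_element("database", "CRUDE")  # unrestricted database (step 1 example)
    tm.add_role("Anonymous", "R")        # assumed role definition (step 2)
    for role, element, g in tm.findings():
        print(f"{role} -> {element}: gap {fmt(g)}")  # Anonymous -> database: gap CUDE
    tm.restrict_element("database", "E")  # step 4: only stored-procedure execution
    print("after mitigation:", [(r, e, fmt(g)) for r, e, g in tm.findings()])
```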