Did you read the last article about threat modeling and the topic interested you? Fasten your seat belts, because now you will see what threat modeling looks like on steroids!
Thanks to this article you will:
- be ahead of everyone in your actions,
- learn how to perform threat modeling quickly & easy,
- save a lot of time thinking up attack vectors,
- expand your threat base with AI.
Are you ready to become a threat modeling PRO in your team?
The quality of threat modeling is proportional to the experience and knowledge of the participants.
If the threat modeling process is carried out by a person who is just beginning to be interested in security and does not follow events on an ongoing basis - he or she may definitely lack the knowledge that is gained over time.
But is that a reason to let go? Definitely not!
Artificial intelligence powered threat modeling
As usual, technology comes to the rescue in such situations. ChatGPT is a sensation and despite the complaints of many engineers about the quality of its answers - it brings completely new possibilities that, when used in the right way, give a significant competitive advantage.
Not only can you use them to post on social media or write funny songs, you can:
- instantly increase the security of your project,
- identify risks you haven't thought of,
- prepare unit tests based on them,
...and many more!
ChatGPT driven threat modeling
Let's see an example in action.
Describe the object you want to subject to threat modeling and give clear instructions.
Hi ChatGPT. I'd like to do threat modeling and I'd like you to help me with that. I will describe the smart contract I am currently working on, and then ask me 5 questions that will help you identify threats.
After receiving the answer, prepare a list of at least 20 checks starting with "Verify that..." that will help me to overcome potential vulnerabilities that threaten my project.
Are you ready for a smart contract description?
Describe your component in detail.
I plan to write a smart contract based on the ERC20 standard. I would like to add to its basic functions:
- fee() function that allows you to set a fee for each transfer,
- withdraw() function that allows you to withdraw the accumulated fee for a privileged address,
- changeFeeColector() function that allows to change the privileged address that can collect the fee.
Answer questions to improve your output (of course not all of them will make sense).
- Fee will be known to the Fee Collector. He will set it up. It should be between 10% and 30%.
- I don't know what address you mean, let's skip this question.
- Fee will be transferred to msg.sender. The value of the transferred fee will not be possible to determine, the entire amount counted by the balance variable will be transferred.
- Currently there are no limits.
- I don't know.
Analyze the checks and choose the ones that suit you and make sense.
Create the checklist again. Let it contain only checks that I will select based on the number. Selected checks are: 1, 3, 4, 5.
Create a template for unit tests based on them.
Write a customizable unit test template for all these threats compatible with the hardhat framework.
Customize and build based on best practices. Done!
This is just a small demonstration of what you can do with ChatGPT to build a threat model. There are many more questions you can ask and ways to improve the answers you receive. It all depends on your creativity and current knowledge.
Artificial intelligence speeds up the work and boosts security efforts. However, as we can see, it will not replace either the auditor or the developer in the near future.
Summary
You still have to select valuable answers and discard those that don't make sense. Nevertheless, it is a significant simplification and acceleration of work that is worth using.
NOTE: Before you start using it at work, consider whether you are sharing confidential information and read the license of the software you use.
We share our knowledge to make your project secure.
- Did you like this article? Be sure to share it on social media!
Subscribe to the newsletter to not miss any of the future articles. Composable Security 🇵🇱⛓️ is a company that increases the security of projects based on solidity smart contracts.
If you need support in the field of security or auditing smart contracts do not hesitate to contact us.
About the author
Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.
