Share via


Elevation of Privilege - The Game

Elevation of Privilege (abbreviated "EoP") is a card game developed by Adam Shostack with assistance from many patient Microsoft developers, and is designed to provide a fun and educational introduction to the concepts and practice of Threat Modeling.

The basic gameplay is similar to that of many "trick-winning" card games, in which a player leads a card of a particular suit, and other players have to play a card that will match the suit, discard a card of a different suit, or play a card of the declared "trump" suit. The winner of the trick will be the player who plays the highest-value trump card, or if all players played cards from the same suit as the lead player, the player who plays the highest-value card from the led suit is the winner of the trick. The winner of each trick then leads for the next trick until all cards have been used.

EoP can be played with the goal of simply accruing tricks, and gaining points for each trick won in this matter - but the purpose of the game is to encourage the players to think of credible threats to an application design, so that these threats can be enumerated, analysed and mitigated. To this end, the suits in the EoP deck are the six elements of the "STRIDE" framework of threats:

[[articles:EoP Threat Suits - S (Spoofing)|S - Spoofing]]
[[articles:EoP Threat Suits - T (Tampering)|T - Tampering]]
[[articles:EoP Threat Suits - R (Repudiation)|R - Repudiation]]
[[articles:EoP Threat Suits - I (Information Disclosure)|I - Information Disclosure]]
[[articles:EoP Threat Suits - D (Denial of Service)|D - Denial of Service]]
[[articles:EoP Threat Suits - E (Elevation of Privilege)|E - Elevation of Privilege]]

Play starts with the "3 of Tampering" card, and as each card is played, players should try to think of threats that match the description on the card they are playing. Each such credible threat earns an extra point, and is recorded for later analysis and mitigation. Since this is an exercise in Threat Modeling, it is not important to decide at the time of playing the card whether or not the threat is mitigated - even mitigated threats are to be recorded, and analysed later to ensure they are mitigated. Since Threats are simply those things that an attacker might try against an application (or which might cause the application to function in an unwanted way - an accidental threat), it is not only valid to include threats that others might see as "obviously mitigated already", but it also moves gameplay along considerably.

Play ends when other people want the conference room, when players get bored with the game, or when they decide that enough is enough, and they'll use the SDL threat modeling tool instead. This usually indicates that the player feels the cards are slowing down their ability to generate valid threats, or that the player's points score is so far behind everyone else's that it is impossible for them to win any more.

Cheating is encouraged.

Inventing new attacks is encouraged.

Setting fire to the cards and saying, "How's that for an Ace of Denial-of-Service?" is considered somewhat counter-productive.

Resources