Threat Model Thursday: ARM’s Network Camera TMSA

  1. Give an overview of the camera TOE, and its use and major security features. By TOE, they mean Target of Evaluation, which is a subset of the camera. So how they do this is very, very, strongly grounded in the Common Criteria, to an extent that it’s hard for anyone not grounded in that world to read.
  2. Provide a diagram of what’s in scope, and a set of assets to be protected.
  3. Offer a set of threats. I’ll analyze these below.
  4. List a set of expected security policies that the end user will have. Some of these, frankly, are optimistic, such as “the admin shall change the default passwords,” and “are assumed to follow and apply administrative guidance.” However, optimistic or not, they are explicit, which allows us to evaluate them, and decide if they work for us. (Alternate approaches might be to not have a password to the device, and to remotely administer it. There are associated security issues, which we could also evaluate.)
  5. Tie the security objectives to a set of threats.
  6. Derive security requirements to meet the objectives.
  7. Compare the requirements to Arm’s CryptoIsland, Trustzone, and Root of Trust “products.”
  • T.impersonation
  • T.MITM
  • T.firmware_abuse
  • T.tamper
  • P.Credential_Management (The admin will change the password)
  • A.Trusted_Admin
Network camera framed copy



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam Shostack

Adam Shostack

Generally blogging at, but shared posts here before Medium asked me to jump through more and more hoops..