How to Build a Wall That Stops White Walkers—Fantastic Threat Models

Protecting the Seven Kingdoms from a giant horde of magic ice zombies

B
Two-Factor Everything


WARNING: LOTS OF GAME OF THRONES SPOILERS

Eight thousand years before that incredible moment when Tyrion smacked Joffrey’s smug little face in Winterfell, Brandon the Builder created the Wall a few hundred miles north. The Wall was built to protect Westeros from the super creepy White Walkers and its construction finally ended the Long Night. All of the plotting and killing and… romancing that happens in Game of Thrones is possible because of that wall — thankfully someone thought about how to make it secure.

A wall that doesn’t keep out White Walkers is pointless, so the first step Brandon must have taken in building the wall was to develop a threat model. A threat model is a structured analysis of the security of anything you build.

Imagine you’re Brandon the Builder and that you’re building the Wall. Creating the threat model takes three steps:

  1. Break the Wall down into each of its parts
  2. Figure out how the White Walkers could attack each part
  3. Make a strategy to defend against each attack

1. What Does it Take to Build a Wall That Strong?

First we need to break the Wall into its parts, and it’s always worth drawing a diagram. Think about all of the entry and exit points — where are people coming in and where do they go out? What other things do they depend on to keep working? Are they storing anything valuable? Where?

Let’s work with these five sections:

  • 300 miles of rock and ice 700 feet tall
  • Tunnels through the Wall with massive gates
  • Weapons on the top of the Wall (trebuchets, catapults, cranes, a scythe)
  • 19 Castles south of the Wall (only three are occupied)
  • The Sworn Brothers of the Night’s Watch (aka Crows)

All of these components are related, but they each play a critical part in keeping the White Walkers out. If the White Walkers break any of them, it won’t matter who’s sitting on the Iron Throne, everybody’s going to die.

2. Testing the Defenses with STRIDE

Now that we’ve broken the Wall down into its pieces, we want to see how the White Walkers could mess with each one. Again, they’re going to eat everyone if we miss one, so it pays to be thorough. Thankfully, someone (Microsoft) created a mnemonic for thinking about security threats: STRIDE. STRIDE stands for:

  • S — Spoofing (pretending to be someone you’re not)
  • T — Tampering (modifying something you shouldn’t be able to)
  • R — Repudiation (denying responsibility for some action, whether you did it or not)
  • I — Information Disclosure (accessing information you shouldn’t have)
  • D — Denial of Service (preventing something from operating correctly)
  • E — Elevation of Privilege (gaining abilities you shouldn’t have)

This should help us think through the different angles the White Walkers might take. With a methodology in mind, we can apply it to each part of the Wall. Let’s start with the physical wall itself.

300 miles of rock and ice 700 feet tall

Spoofing: The Wall in no way cares who you pretend to be.
Tampering: Modifying this Wall is only likely to crush you with falling ice and rock.
Repudiation: If you break the Wall, we’re going to know it was you.
Information Disclosure: The Wall is big, what else do you want to know?
Denial of Service — Vulnerability: Legends say that there is a horn called the Horn of Winter (or the Horn of Joramun), and that if someone blows into the horn, the entire Wall will collapse. That’s pretty much the only way to stop the Wall from working, but it’s one hell of a vulnerability.
Elevation of Privilege: No one has any privileges with the Wall.

Tunnels

Spoofing — Vulnerability: The Crows control access to the tunnels, so you’d need to convince them that you’re a Crow (say, by wearing a black cloak? it’s a long shot) to get access to the tunnels. The Wights spoof their way through the tunnel by seeming/being dead, so if you can come back from the dead, that’s a trick that we know has worked before.
Tampering — Vulnerability: The gates that protect the tunnels are 4-inch-thick rolled steel, but apparently they can be broken. This is supposed to be super hard, but Mag the Mighty did it on his own. Granted, he’s a giant but still, damn.
Repudiation: Nope.
Information Disclosure: The tunnels don’t know anything.
Denial of Service: This wouldn’t be a very good way to get through the Wall (in fact, filling the tunnel with rocks and ice is a built in defense).
Elevation of Privilege — Vulnerability: If an attacker makes it through a tunnel, it’s pretty much game over because they can take over the access controls of the tunnel and let in the rest of their army.

Weapons

Spoofing — Vulnerability: You can get the Crows to waste their ammo on a dummy. They’re pretty well stocked, but eventually this could take the weapons offline.
Tampering — Vulnerability: The weapons are on the top of the Wall, but if you can reach them (warging, giants firing bows, climbers) then you can take them offline.
Repudiation: The weapons don’t care what you did or didn’t do.
Information Disclosure — Vulnerability: You could figure out where the weapons are located by warging into a bird to help prepare for an attack.
Denial of Service — Vulnerability: In one episode, when the Wall is under attack, the Crows release a giant scythe connected to the Wall with a chain. It swings in an arc and kills a group of climbers in its path. However, the scythe is slow to reset, so an attacker could intentionally trigger the scythe (by sacrificing climbers or by faking it out somehow), and then climb past it before it can be reloaded.
Elevation of Privilege — Vulnerability: If you take control of the weapons and point them south, the battle will turn very quickly.

Nineteen Castles

Spoofing: It’s possible that you can spoof your way into the castle from the south, but a White Walker would have to take the tunnels and we already covered spoofing those.
Tampering: Only 3 of the 19 castles are occupied, so you could mess with or destroy the other 16 if you could get to them. Again, you’d basically have to come from the south.
Repudiation: Hm, don’t think so.
Information Disclosure — Vulnerability: The castles receive messages via ravens that could be intercepted, especially by a warg.
Denial of Service: Cutting off supplies to a castle from the south would keep it from functioning for defenses.
Elevation of Privilege: If you take a castle, including one of the empty ones, your position becomes much harder to attack. Again, this isn’t that useful to White Walkers.

The Sworn Brothers of the Night’s Watch

Spoofing: These dudes are all criminals or hiding from something, so if you’re human it would be pretty easy to infiltrate their ranks (this was Cersei’s plan to kill Jon Snow with Osney Kettleblack in the books). If you’re a White Walker, it’s way less easy because you’re creepy and white and have horns and glowing eyes and look like an ice lizard.
Tampering — Vulnerability: Hm, this covers wounding a Crow, which the White Walkers can definitely do if they get close enough.
Repudiation — Vulnerability: The Crows lack trust, so repudiation could be a deadly strategy against them. If you are able to successfully carry out an attack and then avoid blame for it, you can turn the Crows against each other.
Information Disclosure — Vulnerability: The Crows are pretty tough, but they’re human and the White Walkers are pretty twisted, so they probably have ways to make a Crow talk.
Denial of Service — Vulnerability: Sowing discord can totally ruin the Crows. A little politicking and the infighting makes them completely vulnerable to an attack.
Elevation of Privilege — Vulnerability: If you can infiltrate the Crows, you can get access to the weapons and the gate controls.
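
The component-by-component pass above can be kept as a plain-text worksheet and checked mechanically, so that no component/category cell gets skipped. This is an added example, not part of the original article: the worksheet is constructed and abbreviated from the analysis above with one line deliberately omitted, and `parse`, `gaps` and `vulnerabilities` are hypothetical helper names.

```python
import re

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
# "Tampering: note" or "Tampering — Vulnerability: note" (dash spacing varies).
LINE = re.compile(r"^(?P<cat>" + "|".join(STRIDE) +
                  r")\s*(?P<vuln>[—-]\s*Vulnerability)?\s*:\s*(?P<note>.+)$")

# Constructed worksheet, abbreviated from the analysis above; the Tunnels'
# Repudiation line is deliberately left out to show the gap check.
WORKSHEET = """\
The Wall
Spoofing: the Wall does not care who you are
Tampering: falling ice crushes you
Repudiation: we will know it was you
Information Disclosure: nothing to learn
Denial of Service — Vulnerability: the Horn of Winter collapses the Wall
Elevation of Privilege: no privileges exist

Tunnels
Spoofing — Vulnerability: pass as a Crow or as a corpse
Tampering—Vulnerability: a giant can break the gates
Information Disclosure: the tunnels know nothing
Denial of Service: filling the tunnel is a built-in defense
Elevation of Privilege — Vulnerability: control of the gates
"""

def parse(text):
    """Return {component: {category: (is_vulnerability, note)}}."""
    model, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if m is None:                  # any other line names a new component
            current = model.setdefault(line, {})
        elif current is None:
            raise ValueError(f"finding before any component: {line!r}")
        else:
            current[m["cat"]] = (m["vuln"] is not None, m["note"])
    return model

def gaps(model):
    """Cells of the component x STRIDE grid that nobody assessed."""
    return [(c, s) for c, cells in model.items() for s in STRIDE if s not in cells]

def vulnerabilities(model):
    """Cells flagged as vulnerabilities, in worksheet order."""
    return [(c, s) for c, cells in model.items() for s, (v, _) in cells.items() if v]

if __name__ == "__main__":
    print("unassessed:", gaps(parse(WORKSHEET)))
    print("vulnerable:", vulnerabilities(parse(WORKSHEET)))
```

A non-empty `gaps` result means the model is unfinished: a cell nobody wrote down is different from a cell someone assessed and dismissed.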

3. Patching the holes

This breakdown shows three major flaws in the Wall’s defenses.

  1. The Horn of Winter totally owns it
  2. The Tunnels can be breached by giants
  3. The Sworn Brothers of the Night’s Watch are flawed humans who can be exploited in a bunch of different ways.

Then, there is a second tier of vulnerabilities, like wargs being able to intercept messages from ravens or determine the placement of weapons. Those fixes are a lot less critical for now.

First things first, we should prioritize finding and destroying that horn, because it’s most likely to result in catastrophic failure (a horn that was probably fake was found and destroyed in the books, but only because the wildlings were threatening to use it — the Crows should have been proactive about finding it themselves). The Tunnels already have the self-destruct defense where they get filled in, but can we get some stronger doors on the tunnels? Someone should look into that and figure out how much it would cost. Then, in order to address the Crows being humans, we need more structure for their order. They keep getting distracted with human things instead of focusing on ice-demon things, so let’s increase the ratio of maesters to warriors to make sure they’re staying focused on the right enemy. Also, new recruits (and we should be getting way more new recruits) should go through their training in less important castles so they’re less likely to mess the whole thing up. Also, how about some terrifying White Walker murals in the castles? Yeah, that would probably help.

If we could get all of that done, the Crows could feel a lot better about the Wall’s chances against the growing army of icy undead.

Go forth and threat model

And that’s how Brandon the Builder would threat model the Wall he built. Break it into pieces, think about how each piece can be attacked, then prioritize the flaws and get to fixing them. The term “threat model” sounds like it requires a bunch of special training, but in reality it’s a simple process that everyone should be doing all the time. Just like version control, it should be in the toolbox of every developer. With practice, it gets easier and more natural, though some structure like STRIDE helps keep us honest and makes sure we don’t get sloppy.

So far, the Wall has been good enough to protect the Seven Kingdoms. With a quick analysis, however, we can see that it’s far from perfect, and there’s more to do if the Crows want to avoid becoming White Walker lunch.

Of course, if the White Walkers get a dragon, all bets are off…

This poster isn’t real, but George RR Martin would totally pull something like this.

B is the CEO and co-founder at Clef. If two-factor authentication has been in your backlog for months, but still hasn’t gotten prioritized, check out Clef’s new product Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.
