Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
THREAT MODELING
Giorgio Giacinto
Computer Security 2017
http://pralab.diee.unica.it

Definition
[Application] Threat Modeling – a strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment for the purpose of clearly identifying risk and impact levels
Tony Uceda Velez and Marco M. Morana, Risk Centric Threat Modeling, 2015

Threat Scenarios
• An application could become a target when an attack provides a return on investment to the attacker
• Threat scenarios
  1. Capturing the application business context and identifying the application assets
  2. Identifying the possible threat agents and their goals
• Generalization for all applications with similar functionalities and data assets stored and processed.
• Prioritization of the security measures to mitigate the risk

Threats: Technical and Business Impacts

| Threat | Technical Impact | Business Impact |
|---|---|---|
| Malware infected PC taking over online banking credentials | Loss of users’ authentication data allowing fraudsters to take over the account (impersonation) | Money loss due to fraudulent transactions by impersonating the logged user to move money to fraudulent accounts through third party accounts (money mules) |
| External threat agent exploiting application’s SQL injection vulnerabilities | Unauthorized access to users’ data including confidential and PII, trading secrets, and intellectual property. | Liabilities for loss of users’ PII, lawsuits for unlawful noncompliance, security incident recovery costs, and revenue loss |
| Denial of service attack against the application | Unavailability of web server due to exploit of application and network vulnerabilities and lack of redundancies to cope with traffic overloads | Revenue loss due to loss and/or disruption of service denying customer access to services and goods. Lawsuits from customers and businesses and recovery costs |

Threat Agents
• Characterizing threats is essential for analyzing risks
• Three factors
  – The type of a threat
  – The threat agent
  – The targets
• Threat Agents
  – Humans (hacktivists, cyber-criminals, cyber-spies, etc.)
  – Tools
    • Malware, key-loggers, spyware, etc.
  – Non human
    • Storms, earthquakes, tornados, etc.

Reasons to Threat Model
• Find security bugs early
• Understand your security requirements
• Engineer and deliver better products
• Address issues other techniques won’t

Addressing each threat
• Mitigating Threats
• Eliminating Threats
• Transferring Threats
• Accepting the Risk

Security Development Lifecycle
• Developed by Microsoft starting in 2002
• Established as a mandatory policy in 2004 for Microsoft products
• Adopted worldwide by many software development teams since its public release in 2008
https://www.microsoft.com/sdl/

Threat Modeling: a four-step process
1. What are you building?
2. What can go wrong with it once it’s built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?

What can go wrong?
• STRIDE taxonomy (Microsoft)
  – Spoofing
  – Tampering
  – Repudiation
  – Information Disclosure
  – Denial of Service
  – Elevation of Privilege

| STRIDE THREAT | PROPERTY VIOLATED | TYPICAL VICTIM |
|---|---|---|
| Spoofing | Authentication | Processes, External entities, People |
| Tampering | Integrity | Processes, Data stores, Data flows |
| Repudiation | Non-Repudiation | Processes |
| Information Disclosure | Confidentiality | Processes, Data stores, Data flows |
| Denial of Service | Availability | Processes, Data stores, Data flows |
| Elevation of Privilege | Authorization | Processes |
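
Added example (not part of the original slides): the STRIDE table above applied element by element to a small data flow diagram, so that each element gets the threats whose typical victims include its type, with data flows that cross a trust boundary listed first. The diagram, element names and trust zones are constructed for illustration.

```python
from dataclasses import dataclass
# Threat -> (property violated, element kinds typically hit), from the table above.
STRIDE = {
    "Spoofing": ("Authentication", {"process", "external_entity", "person"}),
    "Tampering": ("Integrity", {"process", "data_store", "data_flow"}),
    "Repudiation": ("Non-Repudiation", {"process"}),
    "Information Disclosure": ("Confidentiality", {"process", "data_store", "data_flow"}),
    "Denial of Service": ("Availability", {"process", "data_store", "data_flow"}),
    "Elevation of Privilege": ("Authorization", {"process"}),
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # process | external_entity | person | data_store | data_flow
    zone: str = ""   # trust zone of a non-flow element (constructed labels)
    src: str = ""    # data flows only: name of the source element
    dst: str = ""    # data flows only: name of the destination element

# Constructed sample diagram (not the Acme/SQL diagram shown in the lecture).
DFD = [
    Element("customer", "person", zone="internet"),
    Element("web app", "process", zone="dmz"),
    Element("orders db", "data_store", zone="internal"),
    Element("batch job", "process", zone="internal"),
    Element("login request", "data_flow", src="customer", dst="web app"),
    Element("sql query", "data_flow", src="web app", dst="orders db"),
    Element("nightly export", "data_flow", src="orders db", dst="batch job"),
]

def threats_for(element):
    """STRIDE threats whose typical victims include this element's kind."""
    return [t for t, (_, kinds) in STRIDE.items() if element.kind in kinds]

def crosses_boundary(flow, dfd):
    """True when a data flow connects elements in different trust zones."""
    zones = {e.name: e.zone for e in dfd if e.kind != "data_flow"}
    return zones[flow.src] != zones[flow.dst]

def enumerate_threats(dfd):
    """Rows of (element, threat, property, crosses_boundary), boundary flows first."""
    rows = []
    for e in dfd:
        boundary = e.kind == "data_flow" and crosses_boundary(e, dfd)
        rows += [(e.name, t, STRIDE[t][0], boundary) for t in threats_for(e)]
    return sorted(rows, key=lambda r: not r[3])

if __name__ == "__main__":
    print(*enumerate_threats(DFD), sep="\n")
```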

Addressing Spoofing

| THREAT TARGET | MITIGATION STRATEGY | MITIGATION TECHNIQUE |
|---|---|---|
| Spoofing a person | Identification and authentication | Username & password, or biometrics, tokens, etc. Issues: enrollment, expiration, etc. |
| Spoofing a “file” on disk | Leverage the OS | Full Paths, ACL, etc. |
| | Cryptographic Authenticators | Digital signatures or authenticators |
| Spoofing a network address | Cryptographic | DNSSEC, HTTPS/SSL, IPSec |
| Spoofing a program in memory | Leverage the OS | Application identifiers enforced by OSs |

Addressing Tampering

| THREAT TARGET | MITIGATION STRATEGY | MITIGATION TECHNIQUE |
|---|---|---|
| Tampering with a file | Operating Systems | ACLs |
| | Cryptographic | Digital signatures, Keyed MAC |
| Racing to create a file (tampering the operating system) | Using a directory that’s protected from arbitrary user tampering | ACLs, Private Directory Structures, Randomizing file names, etc. |
| Tampering with a network packet | Cryptographic | HTTPS/SSL, IPSec |
| | Anti-pattern | Network isolation |

Addressing Repudiation

| THREAT TARGET | MITIGATION STRATEGY | MITIGATION TECHNIQUE |
|---|---|---|
| No logs (you can’t prove anything) | Maintaining a Log | Log all the security relevant information |
| Logs come under attack | Log protection | Send over the network, ACL |
| Logs as a channel for attack | Tightly specified logs | Early documentation of log design in the development process |

Addressing Information Disclosure

| THREAT TARGET | MITIGATION STRATEGY | MITIGATION TECHNIQUE |
|---|---|---|
| Network monitoring | Encryption | HTTPS/SSL, IPSec |
| Directory or file name | Leverage the OS | ACLs |
| File contents | Leverage the OS | ACLs |
| | Cryptography | File encryption, Disk encryption |
| API information disclosure | Design | Design control. Pass by reference or value |

Addressing Denial of Service

| THREAT TARGET | MITIGATION STRATEGY | MITIGATION TECHNIQUE |
|---|---|---|
| Network flooding | Look for exhaustible resources | Elastic resources. Ensure that attack resource consumption is as high as or higher than yours. Network ACLs |
| Program resources | Careful design | Elastic resource management, proof of work |
| | Avoid multipliers | Look for places where attackers can multiply CPU consumption on your end with minimal effort on their end |
| System resources | Leverage the OS | OS settings |

Addressing Elevation of Privilege

| THREAT TARGET | MITIGATION STRATEGY | MITIGATION TECHNIQUE |
|---|---|---|
| Data/code confusion | Tools and Architectures that separate data and code | Prepared statements or stored procedures in SQL. Late validation that data is what the next function expects |
| Control flow/memory corruption | Use a type-safe language | Type-safe languages protect against entire classes of attack |
| | Leverage the OS for memory protection | Provided by most modern OS |
| | Sandboxing | AppArmor in Linux. AppContainer in Windows. Sandboxlib in Mac OS. Create a new account for each app |
| Command injection attacks | Be careful | Input validation. Don’t sanitize. Log and throw away |
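
Added example (not part of the original slides): the data/code confusion row above shown with Python's sqlite3 module, placing a query built by string concatenation beside a prepared statement, and a validator that follows "don't sanitize, log and throw away". The table, the sample rows and the username policy are constructed assumptions.

```python
import logging
import re
import sqlite3

log = logging.getLogger("input-validation")
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # assumed username policy

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_concat(db, name):
    """Weak form: input is spliced into the SQL text, so data can become code."""
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()

def lookup_prepared(db, name):
    """Hardened form: the statement is fixed and the input is bound as a value."""
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()

def lookup_validated(db, name):
    """Late validation before the query: reject and log, never repair the input."""
    if not USERNAME_RE.fullmatch(name):
        log.warning("rejected username %r", name)   # %r keeps control characters escaped
        raise ValueError("invalid username")
    return lookup_prepared(db, name)

if __name__ == "__main__":
    db = make_db()
    sample = "x' OR '1'='1"                    # constructed input with a quote in it
    print(len(lookup_concat(db, sample)))      # every row comes back
    print(len(lookup_prepared(db, sample)))    # no row: treated as a literal name
```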

Validation of the threat model
• Checking the model
  – Completeness
  – Accurateness
  – Coverage of all the security decisions
  – Representativeness of the diagram
• Updating the diagram
  – Focus on data flow, rather than on control flow
  – Change vague arguments such as “sometimes”, “also”, by considering all the cases
  – Don’t have data sinks: show who uses it
  – Show the process that moves data from one data store to another

Three Focus Areas
Assets, Attackers, Software
[Figure: Example of a data flow diagram of the Acme/SQL database]

Focusing on assets
• Things Attackers Want
  – User passwords
  – SSN, identifiers
  – Credit card numbers
  – Confidential business data
• Things You Want to Protect
  – Reputation
  – Goodwill
  – Unused assets
• Stepping Stones
  – Everything that can be used to attack other assets
http://pralab.diee.unica.it
• Needalistoftypes ofattackers– Differentmotivations,skills,backgroundandperspective
• Humanizingtheattackerbearstheriskofendingupwith“noonewouldeverdothat”
RiskbasedThreatModelingfocusesonassets andonattackers
forprioritizing threatmitigation tasks
Security-CentricThreatModelingavoidsenumerating
andfocusesonthetechnicalanalysis
Focusingonattackers
25

Focusing on software
• Security-centric approach to threat modeling
• Based on software models described by diagrams
  – Data flow diagrams
  – UML
  – Swim Lane Diagrams
  – State diagrams
• Based on the definition of Trust Boundaries

Spoofing Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Spoofing a process on the same machine | Creates a file before the real process | |
| | Renaming/linking | Creating a Trojan “su” and altering the path |
| | Renaming | Naming your process “sshd” |
| Spoofing a file | Creates a file in the local directory | A library, executable or config file |
| | Creates a link and changes it | The change should happen between the link being checked and the link being accessed |
| | Creates many files in the expected directory | e.g., automatic creation of 10,000 files in the /tmp directory to fill all the available space |

Spoofing Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Spoofing a machine | ARP spoofing | |
| | IP spoofing | |
| | DNS spoofing | Forward or reverse |
| | DNS compromise | Compromise TLD, registrar or DNS operator |
| | IP redirection | At the switch or router level |
| Spoofing a person | Sets e-mail display name | |
| | Takes over a real account | |
| Spoofing a role | Declares themselves to be that role | Sometimes opening a special account with a relevant name |

Tampering Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Tampering with a file | Modifies a file they own and on which you rely | |
| | Modifies a file you own | |
| | Modifies a file on a file server that you own | |
| | Modifies a file on their file server | Effective when you include files from remote domains |
| | Modifies links or redirects | |
| Tampering with memory | Modifies your code | Hard to defend against once the attacker is running code as the same user |
| | Modifies data they’ve supplied to your API | Pass by values, not by reference when crossing a trust boundary |

Tampering Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Tampering with a network | Redirects the flow of data to their machine | Often stage 1 of tampering |
| | Modifies data flowing over the network | Even easier when the network is wireless (e.g., WiFi, 3G, etc.) |
| | Enhances spoofing attacks | |

Repudiation Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Repudiating an action | Claims to have not clicked | |
| | Claims to have not received | How reliable are receipts of delivery/download? |
| | Claims to have been a fraud victim | |
| | Uses someone else’s account | |
| | Uses someone else’s payment instrument without authorization | |
| Attacking the logs | Notices you have no logs | |
| | Puts attacks in the logs to confuse logs, log-reading code, or persons reading the log | |

Information Disclosure Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Information disclosure against a process | Extracts secrets from error messages | |
| | Reads the error messages from username/passwords to entire database tables | |
| | Extracts machine secrets from error cases | Can make defense against memory corruption such as ASLR far less useful |
| | Extracts business/personal secrets from error cases | |

Information Disclosure Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Information disclosure against data stores | Takes advantage of inappropriate or missing ACLs | |
| | Takes advantage of bad database permissions | |
| | Finds file protected by obscurity | |
| | Finds crypto keys on disk (or in memory) | |
| | Sees interesting information in file names | |
| | Reads files as they traverse the network | |
| | Gets data from logs or temp files | |
| | Gets data from swap or other temp storage | |
| | Extracts data by obtaining device, changing OS | |

Information Disclosure Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Information disclosure against a data flow | Reads data on the network | |
| | Redirects traffic to enable reading data on the network | |
| | Learns secrets by analyzing traffic | |
| | Learns who’s talking to whom by watching the DNS | |
| | Learns who’s talking to whom by social network info disclosure | |

Denial of Service Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Denial of service against a process | Absorbs memory (RAM or disk) | |
| | Absorbs CPU | |
| | Uses process as an amplifier | |
| Denial of service against a data store | Fills data store up | |
| | Makes enough requests to slow down the system | |
| Denial of service against a data flow | Consumes network resources | |

Elevation of Privilege Threats

| THREAT EXAMPLES | WHAT THE ATTACKER DOES | NOTES |
|---|---|---|
| Elevation of privilege against a process by corrupting the process | Sends inputs that the code doesn’t handle properly | These errors are very common, and have high impact |
| | Gains access to read or write memory inappropriately | Reading memory can enable further attacks |
| Elevation through missed authorization checks | | |
| Elevation through buggy authorization checks | | Centralizing such checks makes bugs easier to manage |
| Elevation through data tampering | Modifies bits on disk to do things other than what the authorized user intends | |

Benefits of modeling with attack trees
Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes
(Bruce Schneier, 1999)

Example of an attack tree
https://www.schneier.com/cryptography/archives/1999/12/attack_trees.html
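
Added example (not part of the original slides): an attack tree as a data structure, with the goal at the root and OR/AND nodes above the leaves, evaluated for the cheapest attack path before and after individual leaves are mitigated. This goes beyond the slide text by attaching a cost to each leaf, as Schneier's article does; the tree shape and the cost values are constructed, and the leaf names reuse threats listed elsewhere in this lecture.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" (any child works), "and" (all needed)
    cost: float = 0.0         # leaves only: attacker effort, constructed units
    mitigated: bool = False   # leaves only: True once a control blocks the step
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (cost, leaf names) of the cheapest way to reach `node`.

    The cost is math.inf when every path is blocked by a mitigation.
    """
    if node.kind == "leaf":
        return (math.inf, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.kind == "or":                    # the attacker picks the cheapest branch
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)       # "and": every step is required
    if math.isinf(total):
        return (math.inf, [])
    return (total, [leaf for r in results for leaf in r[1]])

def build_tree():
    """Constructed tree for the goal 'read users' data'."""
    sqli = Node("SQL commands injected into application", cost=10)
    sniff = Node("credentials obtained by monitoring the network", cost=20)
    login = Node("takes over a real account", cost=5)
    keys = Node("finds crypto keys on disk", cost=40)
    takeover = Node("account takeover", "and", children=[sniff, login])
    root = Node("read users' data", "or", children=[sqli, takeover, keys])
    return root, {"sqli": sqli, "sniff": sniff, "login": login, "keys": keys}

if __name__ == "__main__":
    root, leaves = build_tree()
    print(cheapest(root))
    leaves["sqli"].mitigated = True          # e.g. prepared statements deployed
    print(cheapest(root))
```

Re-running `cheapest` after each mitigation shows which control raises the attacker's minimum cost the most, which is one way to order mitigation work.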

Tactics and Technologies
• Authentication -> Mitigating Spoofing
  – Tactics: cryptographic keys, PKI, CAs
  – Technologies: IPSec, SSH, Kerberos, hashes, etc.
• Integrity -> Mitigating Tampering
  – Tactics: permissions, cryptographic mechanisms, logs
  – Technologies: ACLs, digital signatures, hashes, etc.
• Non-Repudiation -> Mitigating Repudiation
  – Tactics: fraud prevention, logs and cryptography
  – Technologies: log analysis tools, digital signatures, etc.

Tactics and Technologies
• Confidentiality -> Mitigating Information Disclosure
  – Tactics: ACLs, cryptography
  – Technologies: ACLs, encryption, key management, etc.
• Availability -> Mitigating Denial of Service
  – Tactics: proof of work, ensure the attacker can receive data
  – Technologies: filters, quotas, cloud services, etc.
• Authorization -> Mitigating Elevation of Privilege
  – Tactics: limiting the use of privileged accounts, sandboxing, defense layers, etc.
  – Technologies: ACLs, RBAC, chroot, etc.

The DREAD model
• Damage Potential
  – How extensive is the damage (impact) upon a vulnerability becoming successfully exploited?
• Reproducibility
  – How easy is it for this type of attack to be reproduced?
• Exploitability
  – How easy is it for a known vulnerability to be exploited?
• Affected Users
  – Impact on a user base
• Discoverability
  – How easily a vulnerability is detected

Risk rating using DREAD
• For each element of the DREAD model a qualitative assessment of risk is performed by assigning one out of three values
  – HIGH or 3
  – MEDIUM or 2
  – LOW or 1

| THREAT | D | R | E | A | D | Total | Rating |
|---|---|---|---|---|---|---|---|
| Attacker obtains authentication credentials by monitoring the network | 3 | 3 | 2 | 2 | 2 | 12 | High |
| SQL commands injected into application | 3 | 3 | 3 | 3 | 2 | 14 | High |

Example of a Threat Rating Table

| Threat | HIGH (3) | MEDIUM (2) | LOW (1) |
|---|---|---|---|
| D: Damage Potential | The attacker can subvert the security system; get full trust authorization; run as administrator; upload content. | Leaking sensitive information | Leaking trivial information |
| R: Reproducibility | The attack can be reproduced every time and does not require a timing window. | The attack can be reproduced, but only with a timing window and a particular race situation. | The attack is very difficult to reproduce, even with knowledge of the security hole |
| E: Exploitability | A novice programmer could make the attack in a short time frame. | A skilled programmer could make the attack, then repeat the steps. | The attack requires an extremely skilled person and in-depth knowledge every time to exploit |

Example of a Threat Rating Table

| THREAT | HIGH (3) | MEDIUM (2) | LOW (1) |
|---|---|---|---|
| A: Affected Users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users |
| D: Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable | The vulnerability is a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use. | The bug is obscure and it is unlikely that users will work out damage potential |

PASTA
Process for Attack Simulation and Threat Analysis

Define Objectives
• Identify business objectives
• Identify security & compliance requirements
• Technical/Business impact analysis

Define Technical Scope
• Enumerate Software Components
• Dependencies: Network / Software (COTS) / Services
• Data flow diagramming
• Third Party Infrastructures (cloud, SaaS, ASP Models)

Application Decomposition
• Use cases / Abuse (misuse) cases / Define app entry points
• Actions / Assets / Services / Roles / Data sources
• Data Flow Diagramming (DFDs) / Trust Boundaries

PASTA
Process for Attack Simulation and Threat Analysis

Threat Analysis
• Probabilistic Attack Scenarios
• Regression analysis on security events
• Threat Intelligence correlation & analytics

Vulnerability & weaknesses mapping
• Vulnerability database (CVE)
• Identifying vulnerability & abuse case tree nodes
• Design flaws & weaknesses
• Scoring (CVSS/CWSS)

Attack Modeling
• Attack Tree Development / Attack Library Management
• Attack node mapping to Vulnerability nodes
• Exploit to vulnerability matchmaking

Risk and Impact Analysis
• Qualify & Quantify Business Impact
• Residual Risk Analysis
• ID risk mitigation strategies / Develop countermeasures

Requirements - Threats - Mitigations
[Diagram relating Requirements, Threats and Mitigations, with the labels:]
• Threats help identify requirements
• Real threats violate requirements
• Impossible to mitigate implies non-requirement
• Compliance

Attack Libraries
• Allow listing the concrete threats out of the abstract terms used in STRIDE
  – CAPEC (MITRE) Common Attack Pattern Enumeration and Classification V2.8 (504 attack patterns)
  – OWASP Web Application Attacks