threat modeling with stride - concordia...
TRANSCRIPT
ThreatModelingwithSTRIDE
SlidesadaptedfromThreatModeling:DesigningforSecurity(Wiley,2014)byAdamShostack
Wouldn’titbebeHertofindsecurityissuesbeforeyouwrite
alineofcode?Sohowcanyoudothat?
WaystoFindSecurityIssues
• StaLcanalysisofcode• FuzzingorotherdynamictesLng• Pentest/redteam• WaitforbugreportsaPerrelease
WaystoFindSecurityIssues(2)
• Threatmodeling!– Thinkaboutsecurityissuesearly– UnderstandyourrequirementsbeHer– Don’twritebugsintothecode– Andthesubjectofthislesson
So…howdoyouthreatmodel?
DefiniLons
• Whatisathreat?• Howisitdifferentfroma– vulnerability,– risk,– orjustaproblem?
• Whatisamodel?
ThinkLikeanAHacker?
• Likethinkinglikeaprofessionalchef!– Evenifyoucan,areyouthechefatOliveGardenorMarioBatalli’s?
• ThinkinglikeanaHacker–orfocusingonthemisrisky– Whatdotheyknow?Whatwilltheydo?– Ifyougetthesewrong,yourthreatmodelingwillgoastray
• Sodon’tstartfromaHackers!
FocusonAssets?
• Assets:valuablethings–thebusinesscares!• Butwhat’sanasset?– SomethinganaHackerwants?– Somethingyouwanttoprotect?– Asteppingstone?
FocusOnWhatYou’reBuilding!
• Needanengineeringapproach– Predictable– Reliable– Scalabletoalargeproduct
• Can’tbedependentononebrilliantperson• Ideally,youunderstandit• Concreteandtestable?
HowtoThreatModel(Summary)
• Whatareyoubuilding?• Whatcangowrong?• Whatareyougoingtodoaboutit?• Checkyourworkon1-3
WhatAreYouBuilding?
• CreateamodelofthesoPware/system/technology
• Amodelabstractsawaythedetailssoyoucanlookatthewhole
WhatAreSomeModelingMethods?
• Whiteboarddiagrams• Brainstorming• Structured(“formal”)diagrams– Dataflowdiagrams– Swimlanes– Statemachines
• MathemaLcalrepresentaLonsofcode
DataFlowDiagram(Example) Appendix E ■ Case Studies 513
bapp05.indd 12:19:50:PM 01/17/2014 Page 513
Web Clients
SQL Clients
Front End(s)
External Entity
Key:
Process Data Store
DB Admin
Data Management Logs
Log analysis
Acme SQL Account
DB Cluster
DBA (human) DB
Users(human)
Database
data flow TrustBoundary
Figure E-1: The Acme database
Threats and MitigationsThe threats identifi ed to the system are organized by module, to facilitate module owner review. They were identifi ed three ways:
■ Walking through the threat trees in Appendix B, “Threat Trees” ■ Walking through the requirements listed in Chapter 12, “Requirements Cookbook”
■ Applying STRIDE-per-element to the diagram shown in Figure E-1
Acme would rank the threats with a bug bar, although because neither the bar nor the result of such ranking is critical to this example, they are not shown. Some threats are listed by STRIDE, others are addressed in less structured text where a single mitigation addresses several threats. The threats are shown in italic to make them easier to skim.
Finding these threats took roughly two weeks, with a one-hour threat identi-fi cation meeting early in the day during which the team examined a component and its data fl ows. The examination consisted of walking through the threat trees in Appendix B and the requirements checklist in Chapter 12, and then
TrustBoundaries• Atrustboundaryiseverywheretwo(ormore)principalsinteract
• AllinteresLngboundariesaresemi-permeable– Airgaps– Firewalls– Requirepolicymechanisms(whicharehard)
• Formalmethodshelpbuildboundaries– IsolaLon– Typesafety– Policylanguages– Referencemonitors/kernels
SwimLaneDiagrams
• ShowtwoormoreenLLescommunicaLng,each“inalane”
• UsefulfornetworkcommunicaLon
• Laneshaveimplicitboundariesbetweenthem
48 Part I ■ Getting Started
c02.indd 11:35:5:AM 01/17/2014 Page 48
excludes sharks). It also requires a willingness to expose one’s ignorance by asking a “simple” question. It’s probably easier for a team that’s invested in UML to add trust boundaries to those diagrams than to create new diagrams just for threat modeling.
Swim Lane Diagrams
Swim lane diagrams are a common way to represent fl ows between various participants. They’re drawn using long lines, each representing participants in a protocol, with each participant getting a line. Each lane edge is labeled to identify the participant; each message is represented by a line between participants; and time is represented by fl ow down the diagram lanes. The diagrams end up looking a bit like swim lanes, thus the name. Messages should be labeled with their contents; or if the contents are complex, it may make more sense to have a diagram key that abstracts out some details. Computation done by the parties or state should be noted along that partici-pant’s line. Generally, participants in such protocols are entities like comput-ers; and as such, swim lane diagrams usually have implicit trust boundaries between each participant. Cryptographer and protocol designer Carl Ellison has extended swim lanes to include the human participants as a way to structure discussion of what people are expected to know and do. He calls this extension ceremonies, which is discussed in more detail in Chapter 15, “Human Factors and Usability.”
A sample swim lane diagram is shown in Figure 2-6.
SYN
SYN-ACK
ACK
Data
Client Server
Figure 2-6: Swim lane diagram (showing the start of a TCP connection)
StateMachines
• Helpfulforconsideringwhatchangessecuritystate– Forexample,unauthenLcatedtoauthenLcated
– Usertoroot/admin
• Rarelyshowsboundaries
Chapter 2 ■ Strategies for Threat Modeling 49
c02.indd 11:35:5:AM 01/17/2014 Page 49
State Diagrams
State diagrams represent the various states a system can be in, and the transi-tions between those states. A computer system is modeled as a machine with state, memory, and rules for moving from one state to another, based on the valid messages it receives, and the data in its memory. (The computer should course test the messages it receives for validity according to some rules.) Each box is labeled with a state, and the lines between them are labeled with the conditions that cause the state transition. You can use state diagrams in threat modeling by checking whether each transition is managed in accordance with the appropriate security validations.
A very simple state machine for a door is shown in Figure 2-7 (derived from Wikipedia). The door has three states: opened, closed, and locked. Each state is entered by a transition. The “deadbolt” system is much easier to draw than locks on the knob, which can be locked from either state, creating a more complex diagram and user experience. Obviously, state diagrams can become complex quickly. You could imagine a more complex state diagram that includes “ajar,” a state that can result from either open or closed. (I started drawing that but had trouble deciding on labels. Obviously, doors that can be ajar are poorly specifi ed and should not be deployed.) You don’t want to make architectural decisions just to make modeling easier, but often simple models are easier to work with, and refl ect better engineering.
Opened
Closed Locked
State
Transition
Open doorClose door
Unlock deadbolt
Lock deadbolt
Transitioncondition
Figure 2-7: A state machine diagram
HowtoThreatModel(Summary)
• Whatareyoubuilding?• Whatcangowrong?• Whatareyougoingtodoaboutit?• Checkyourworkon1-3
WhatCanGoWrong?
• Funtobrainstorm• Mnemonics,treesorlibrariesofthreatscanallhelpstructurethinking
• Structurehelpsgetyoutowardscompletenessandpredictability
• STRIDEisamnemonic– Spoofing,Tampering,RepudiaLon,InformaLonDisclosure,DenialofService,ElevaLonofPrivilege
– Easy,right?
STRIDEThreat Property
ViolatedDefiniLon Example
Spoofing AuthenLcaLon ImpersonaLngsomethingorsomeoneelse.
PretendingtobeanyofBillGates,Paypal.comorntdll.dll
Tampering Integrity Modifyingdataorcode ModifyingaDLLondiskorDVD,orapacketasittraversesthenetwork
RepudiaLon Non-repudiaLon ClaimingtohavenotperformedanacLon.
“Ididn’tsendthatemail,”“Ididn’tmodifythatfile,”“Icertainlydidn’tvisitthatwebsite,dear!”
InformaLonDisclosure
ConfidenLality ExposinginformaLontosomeonenotauthorizedtoseeit
AllowingsomeonetoreadtheWindowssourcecode;publishingalistofcustomerstoawebsite.
DenialofService Availability Denyordegradeservicetousers
CrashingWindowsorawebsite,sendingapacketandabsorbingsecondsofCPULme,orrouLngpacketsintoablackhole.
ElevaLonofPrivilege AuthorizaLon GaincapabiliLeswithoutproperauthorizaLon
Allowingaremoteinternetusertoruncommandsistheclassicexample,butgoingfromalimitedusertoadminisalsoEoP.
UsingSTRIDE
• ConsiderhoweachSTRIDEthreatcouldimpacteachpartofthemodel– “HowcouldacleveraHackerspoofthispartofthesystem?...tamperwith?…etc.”
• Trackissuesasyoufindthem– “aHackercouldpretendtobeaclient&connect”
• TrackassumpLons– “IthinkthatconnecLonisalwaysoverSSL”
• ConsolidateintoanaHacktree
SpoofingOntheLocalMachineThreatExample WhattheA7ackerDoes Notes/Examples
Spoofingaprocess
Createsafilebeforetherealprocess
Thenyourprocessreliesonit
Abusesnames Createaversionof“sudo”andalterPATH
Spoofingafilename Createsafileinthelocaldirectory
Library,executableorconfigfile
Createsalink,changesit Alsocalled‘racecondiLon’orTOCTOU
Createsmanyfilesinatargetdirectory
Codecaneasilycreateallpossible/tmp/foo.random
SpoofingOveraNetworkThreatExample WhattheA7ackerDoes Notes/Examples
Spoofingamachine ARPspoofing
IPspoofing
DNSspoofing
DNScompromise CanbeattheTLD,registrarorDNSserver
IPredirecLon
Spoofingaperson Takeoveraccount “StrandedinLondon”
Setthedisplayname
Spoofingarole Declaresthemselvestobethatrole
SomeLmesopeningaspecialaccount,semngupadomain/website,other“verifiers”
TamperingwithaFileThreatExample WhattheA7ackerDoes Notes/Examples
Modifyingafile… …whichyouownandyourelyon
…whichtheyownandyourelyon
Modifyingafileonaserver…
…youown
…theyown(ortakeover)
Modifieslinksorredirects Redirectsaresuper-commonontheweb,andoPenrotaway
TamperingwithMemoryThreatExample WhattheA7ackerDoes Notes/Examples
Modifyingcode Changesyourcodetosuitthemselves
HardtodefendagainstiftheaHackerisrunningcodeinsidethetrustboundaries
Modifyingdatathey’vesupplied
SuppliesdatatoapassbyreferenceAPI,thenchangesit
WorksbecauseofTOCTOUissues
Suppliesdataintoasharedmemorysegment,thenchangesit
TamperingwithaNetworkThreatExample WhattheA7ackerDoes Notes/Examples
Redirectstheflowofdatatotheirmachine
UsesanaHackatsomenetworklayertoredirecttraffic
Pakistan/YouTube
Modifiesdataflowingoverthenetwork
Easier(andmorefun)withwirelessnetworks
UsesnetworktamperingtoimprovespoofingaHacks
RepudiaLonThreatExample WhattheA7ackerDoes Notes/examples
RepudiaLnganacLon Claimstohavenotclicked
Maybetheydid,maybetheydidn’t,maybethey’rehonestlyconfused
Claimstonothavereceived
1.Electronicorphysical2.Receiptisstrange;doesaclientdownloadingemailmeanyou’veseenit?Didanetworkproxypre-fetchimages?WasapackagelePonaporch?
ClaimstobeafraudvicLm
Usessomeoneelse’saccount
RepudiaLonAHacksonLogsThreatExample WhattheA7ackerDoes Notes/Examples
Discoverstherearenologs
Modifiesdataflowingoverthenetwork
Putsdatainthelogstoconfuseyou
</tr></html>
InformaLonDisclosure(Processes)ThreatExample WhattheA7ackerDoes Notes/Examples
Extractsuserdata ExploitsbugslikeSQLinjecLontoreaddbtables
Canfindthisbylookingtodatastores,butheretheissueistheprocessreturningdataitshouldn’t
Readserrormessages
Extractsmachinesecrets Readserrormessages Cannotconnecttodatabase‘foo’asuser‘sql’withpassword‘&IO*(^&’
Exploitsbugs “Heartbleed”
InformaLonDisclosure(DataStores)
Sub-category WhattheA7ackerDoes
Permissions TakeadvantageofmissingorinappropriateACLs
Takeadvantageofbaddatabasepermissions
Filefilesprotectedbyobscurity
Security Findcryptokeysondiskorinmemory
Getdatafromlogs/tempfiles
Getdatafromswapfiles
SeeinteresLnginformaLoninfilenames/directorynames
Network Seedatatraversinganetwork
Misc Obtaindevice,bootinnewOS
InformaLonDisclosure(DataFlow)Sub-category WhattheA7ackerDoes
Network Readdataonanetwork
Redirectstrafficstoenablereadingdataonthenetwork
Metadata Learnssecretsbyanalyzingtraffic
LearnswhotalkstowhombywatchingtheDNS
LearnswhotalkstowhombyanalyzingsocialnetworkinformaLon
DenialofServiceThreatExample WhattheA7ackerDoes Notes/Examples
Againstaprocess Absorbmemory(ramordisk)
AbsorbCPU
Usesaprocessasanamplifier
Againstbusinesslogic “ToomanyloginaHempts”
Againstadatastore Fillsthedatastore
Makesenoughrequeststoslowthesystem
Againstadataflow ConsumesnetworkresourcesCanbetemporary(astheaHackconLnues;fillthenetwork)orpersistbeyondthat(filladisk)
ElevaLonofPrivilege(“EoP”)ThreatExample WhattheA7ackerDoes Notes/Examples
EoPAgainstprocessviacorrupLon
Sendsinputsthecodedoesn’thandleproperly
Verycommon,usuallyhighimpact
Gainsread/writeaccesstomemory
WriLngmemorymoreobviouslybad
EoPviamisusedauthorizaLonchecks
EoPviabuggyauthorizaLonchecks
Centralizingcheckingmakesconsistency,correctnesseasier
EoPviadatatampering Modifybitsondisk
UsingSTRIDE
• ConsiderhoweachSTRIDEthreatcouldimpacteachpartofthemodel– “HowcouldacleveraHackerspoofthispartofthesystem?...tamperwith?…etc.”
• Trackissuesasyoufindthem– “aHackercouldpretendtobeaclient&connect”
• TrackassumpLons– “IthinkthatconnecLonisalwaysoverSSL”
• ConsolidateintoanaHacktree
WhentoFindThreats
• Startatthebeginningofyourproject– Createamodelofwhatyou’rebuilding– Doafirstpassforthreats
• Digdeepasyouworkthroughfeatures– ThinkabouthowthreatsapplytoyourmiLgaLons
• Checkyourdesign&modelmatchesasyougetclosetoshipping
AHackersRespondtoYourDefenses
PlayingChess
• TheidealaHackerwillfollowtheroadyoudefend– IdealaHackersarelikesphericalcows—they’reausefulmodelforsomethings
• RealaHackerswillgoaroundyourdefenses• Yourdefensesneedtobebroadanddeep
“OrdersofMiLgaLon”Order Threat MiEgaEon
1st Windowsmashing Reinforcedglass
2nd Windowsmashing Alarm
3rd Cutalarmwire Heartbeatsignal
4th Fakeheartbeat Cryptographicsignalintegrity
ByExample:
• Thuswindowsmashingisafirstorderthreat,cumngalarmwire,athird-orderthreat
• Easytogetstuckarguingaboutorders• Arebothstrongerglass&alarms1stordermiLgaLons?(Whocares?!)
• FocusontheconceptofinterplaybetweenmiLgaLons&furtheraHacks
HowtoApproachSoPware
• Depthfirst– Themostfunand“insLnctual”– Keepfollowingthreatstoseewheretheygo– Canbeusefulskilldevelopment,promoLng“flow”
• Breadthfirst– ThemostconservaLveuseofLme– Mostlikelytoresultingoodcoverage
TrackingThreatsandAssumpLons
• Thereareaninfinitenumberofwaystostructurethis
• Usetheonethatworksreliablyforyou• (Hopedoesn’tworkreliably)
ExampleThreatTrackingTablesDiagramElement ThreatType Threat BugID
Dataflow#4,webservertobusinesslogic
Tampering Addorderswithoutpaymentchecks
4553“Needintegritycontrolsonchannel”
Infodisclosure Paymentinstrumentssentinclear
4554“needcrypto”#PCI
ThreatType DiagramElement(s) Threat BugID
Tampering Webbrowser AHackermodifiesourJavaScriptorderchecking
4556“Addorder-checkinglogictoserver”
Dataflow#2frombrowsertoserver
FailuretoauthenLcate
4557“AddenforceHTTPSeverywhere”
Botharefine,helpyouiterateoverdiagramsindifferentways
ExampleAssumpLonTrackingAssumpEon Impactifit’s
wrongWhototalkto
Who’sfollowingup
Follow-upbydate
Bug#
It’soktoignoredenialofservicewithinthedatacenter
Availabilitywillbebelowspec
Alice Bob April15 4555
• ImpactissomeLmessoobviousit’snotworthfillingout• Whototalktoisnotalwaysobvious,it’soktostartoutblank• TrackingassumpLonsinbugshelpsyounotlosetrack• TreattheassumpLonasabug–youneedtoresolveit
TheCustomer/VendorBoundary
• Thereisalwaysatrustboundarywhen:– Yourcodegoestosomeoneelse’s(device/premises)– Theirdatacomestoyourcode
• Lawyers,pretendingdonoteliminatehumantrustissues
• Youneedtothinkaboutitwhiledecidingwhathappensoverthedataflowshown
YoursoPware
Customerdevice
YoursoPware
Yourdatacenter
GenericAPIThreatModel
• Performsecuritychecksinsidetheboundary• CopybeforevalidaLonforpurpose– IshHp://evil.org/pwnme.html“valid”?
• Definethepurposefordata,validatenearthatdefiniLon
• ManageerrorreporLng• Documentwhatcheckshappenwhere• DocryptoinconstantLme• AddressthesecurityrequirementsforyourAPI
HowtoThreatModel(Summary)
• Whatareyoubuilding?• Whatcangowrong?• Whatareyougoingtodoaboutit?• Checkyourworkon1-3
WhatAreYouGoingtoDoAboutIt?
• Foreachthreat:– Fixit!– MiLgatewithstandardorcustomapproaches– Acceptit?– Transfertherisk?
• ForeachassumpLon:– Checkit– WrongassumpLonsleadtoreconsiderwhatgoeswrong
FixIt!
• ThebestwaytofixasecuritybugistoremovefuncLonality– Forexample,ifSSLdoesn’thavea“heartbeat”message,the“heartbleedbug”couldn’texist
– Youcanonlytakethissofar– OPenLmesendupmakingrisktradeoffs
• MiLgatetheriskinvariousways(nextslide)
MiLgate
• Add/usetechnologytopreventaHacks• Forexample,preventtampering:– Network:Digitalsignatures,cryptographicintegritytools,cryptotunnelssuchasSSHorIPsec
• Developers,sysadminshavedifferenttoolkitsformiLgaLngproblems
• Standardapproachesavailablewhichhavebeentested&workedthrough
• SomeLmesyouneedacustomapproach
SomeTechnicalWaystoAddressThreat MiEgaEonTechnology DeveloperExample SysadminExample
Spoofing AuthenLcaLon Digitalsignatures,AcLvedirectory,LDAP
Passwords,cryptotunnels
Tampering Integrity,permissions Digitalsignatures ACLs/permissions,cryptotunnels
RepudiaLon FraudprevenLon,logging,signatures
Customerhistoryriskmanagement
Logging
InformaLondisclosure
Permissions,encrypLon
Permissions(local),PGP,SSL
Cryptotunnels
Denialofservice Availability ElasLcclouddesign Loadbalancers,morecapacity
ElevaLonofprivilege
AuthorizaLon,isolaLon Roles,privileges,inputvalidaLonforpurpose,(fuzzing*)
Sandboxes,firewalls
*Fuzzing/faultinjecLonisnotamiLgaLon,butagreattesLngtechniqueSeechapter8,ThreatModelingformore
CustomMiLgaLons
• SomeLmesthestandardtechnologiesdon’tworkforyoursituaLon
• RequirescustommiLgaLons(orriskacceptance)
• EasytogetacustommiLgaLonwrong• Hardandexpensivetotest(page176)
AccepLngRisk
• Worksbestwhenit’syourrisk– YourorganizaLoncanacceptrisk– Becarefulabout“accepLng”riskforyourcustomers.
• Customerriskacceptance– Viauserinterface– SomeLmesthecustomerhasdetailsyoucan’thave(isthisnetworkyourworkoracoffeeshop?)
TransferringRisk
• Vialicenseagreements,termsofservice,etc.• Silently• Bothcanleadtounhappycustomers– ThreatthatnoonereadsToS– Surprise!– Mediablowups
SomeTechnicalWaystoAddressThreat MiEgaEonTechnology DeveloperExample SysadminExample
Spoofing AuthenLcaLon Digitalsignatures,AcLvedirectory,LDAP
Passwords,cryptotunnels
Tampering Integrity,permissions Digitalsignatures ACLs/permissions,cryptotunnels
RepudiaLon FraudprevenLon,logging,signatures
Customerhistoryriskmanagement
Logging
InformaLondisclosure
Permissions,encrypLon
Permissions(local),PGP,SSL
Cryptotunnels
Denialofservice Availability ElasLcclouddesign Loadbalancers,morecapacity
ElevaLonofprivilege
AuthorizaLon,isolaLon Roles,privileges,inputvalidaLonforpurpose,(fuzzing*)
Sandboxes,firewalls
*Fuzzing/faultinjecLonisnotamiLgaLon,butagreattesLngtechniqueSeechapter8,ThreatModelingformore
UnderstandingAuthenLcaLon
• Toproveorshow(something,esp.aclaimoranar>s>cwork)tobetrueorgenuine
• Appliestoallsortsofthings– Programsorlibrariesondisk– Remotemachines– People(acomplexsubject,coveredlaterinthecourse)
TacLcsforAuthenLcaLon
• Local– LeveragetheOS/program(database,webserver,etc)– Defaultsarenotalwayssecure
• Remotemachines– Cryptographicmethods(morereliable)– ConsistencycheckingDNS,IP,route(lessreliable)
• Cryptographickeyexchange– DNSSec,PKI,etc:AllinvolvetrustdelegaLon– Manual:expensive,someLmesworthwhileforexisLngbusinessrelaLonships
DeveloperWaystoAddressSpoofing
• LeveragetheOS– Usefullpathnames(whatdoesopen(“foo.txt”)find?)
– Makepathnamescanonical• Resolvinglinksincluding../orsymlinks• Remove%20orotherencoding
– Checkpermissions– Shareddirectoriesareusuallytroublesome
• CryptographicidenLfiers&validaLon
OperaLonalWaystoAddressSpoofing
• Difficulttoimprovelocal(on-system)nameresoluLonwhenthecodeisdone
• PossibletouseSSHorIPSecorothercryptotunnelingtoreducespoofingissuesoverthenetwork
TechnologiesforAddressingSpoofing
• AuthenLcaLngcomputers– IPSec,DNSSec,SSHHostkeys– Kerberos– WindowsDomainauthenLcaLon– PKIwithSSL/TLS
• AuthenLcaLngbits(files,messages,etc)– Digitalsignatures– Hashes(appropriatelymanaged)
TechnologiesforAddressingSpoofing(2)
1. Somethingyouknow,likeapassword2. Somethingyouhave,likeanaccesscard3. Somethingyouare(oraremeasuredtobe)– “Biometrics”– Fingerprints,veinpaHerns,photographs
4. SomeoneyouknowwhocanauthenLcateyou• ThefirstthreearetradiLonal,#4isnew• “MulL-factorauthenLcaLon”usuallymeansmorethanonefromthelist– Somepeoplecallchannelsafactor– ManyofthemshouldthreatmodelbeHer
UnderstandingIntegrity
• Tointerferewith(something)inordertocausedamageormakeunauthorizedaltera>ons
• Canapplytodatawhereveritis,including:– Disk– Network– Memory
TacLcsforIntegrity
• Systemdefenses– Permissions(operaLngsystem/program)
• Cryptographicdefenses– Digitalsignatures– Hashes/MACs
• Loggingandaudit– Thesedonotprevent,butmaydeter– Generallyusedasafallbackordefenseindepth
DeveloperWaystoAddressIntegrity
• Usepermissionsasprovided• Cryptographyisrequiredoveranetwork• ImplemenLngapermissionsystemishard– Lotsofmistakeshavebeenmade&documented
OperaLonalWaystoAddressIntegrity
• AddaddiLonalprotecLons– Tripwire-likesystemsonlocalmachine– Tunnelingovernetwork
• Tripwire:acLngonalertsiskey!– Don’tbethesefolks->
• Goodalertdesignisapre-requisite– Toomanyalerts,peoplewillbeoverwhelmed– Toofew,they’llmissstuff
TechnologiesforAddressingIntegrity
• Protectfileswith– Digitalsignatures– ACLs/permissions– Hashes– WindowsMandatoryIntegrityControlfeatures– Uniximmutability
• Protectnetworktrafficwith– SSL– SSH– IPSec– Digitalsignatures
UnderstandingNon-RepudiaLon
• Repudia>on:Torefusetoacceptorbeassociatedwith;denythetruthorvalidityofsomestatement
• Non-repudiaLonarethetools&technologiestoestablishwhathappened—ideallytothesaLsfacLonofeveryoneinvolvedorimpacted
• Bridgesbusiness&technicallevels• RepudiaLoncanbeafeature– “OffTheRecord”
TacLcsforNon-RepudiaLon
• FraudprevenLon– Internalfraudsuchasembezzlement– “Customer”fraudprevenLon
• Logs– Asmuchasyoucan,keepforaslongasyoucan
• Cryptography
“Customer”FraudPrevenLon
• Alice’saccountistakenover&abused(or)• Bobcreatesanaccountforfraud• Mustmanageboth• Stablecustomersaregood,predictable• Technologies/services– ValidaLonservices– Customerhistorysharing– MulL-merchantdata– Purchasedevicetracking
DeveloperWaystoAddress
• Logbusinesslogic– Eg“ForthistransacLon,wesawthatgeolocate(ip)was‘SeaHle,’whichistypicalforthisaccount.”
• Cryptographicdigitalsignatures– Mostusefultodaybetweenbusinesspartners,notconsumer-usable
OperaLonalWaystoAddress
• OperaLonsgetstuckinvesLgaLng– Table-topexercisesmayexposeissuesthatthelogsdon’texist
• Scaling– Logsmayendupindiverseplaces– Dedicatedpeople– Specializedtooling
TechnologiesforAddressingRepudiaLon
• Logs– Logging– Loganalysistools– Securedlogstorage
• Digitalsignatures• SecureLmestamps• TrustedthirdparLes
UnderstandingConfidenLality
• Toensurethatinforma>onisonlydisclosedtoauthorizedpar>es
• Secretsindata– Yours:financialresults,newproductplans– Entrustedtoyou:privatedata– Complexrules:WhocanseethatFacebookpost?
• Secretsalsoexistinmetadata– “LayoffleHerforAlice.docx”,“Janlayoff/alice.docx”– CallstoanSTDclinic(repeatedly?!)
TacLcsforConfidenLality
• Onasystem– ACLs/permissions– Cryptography
• Betweensystems– Cryptography
• TohidetheexistenceofinformaLon– Steganography
DeveloperWaystoAddress
• Permissions/ACLs• Cryptography– Data(fileondisk,emailmessage)– Container(volumeencrypLon,emailconnecLons)– Requiresproperkeymanagement– Remember:EncrypLondoesn’tprovideauthenLcaLonorintegrity
OperaLonalWaystoAddress
• Addpermissions/ACLs• VolumeencrypLon– Protectsifthemachineisstolenandpowereddown
– Doesn’tprotectagainstanaHackerwhobreaksin• NetworkencrypLon(SSH,SSL,IPSec)
TechnologiesforConfidenLality• ProtecLngfiles
– ACLs/Permissions– EncrypLon– Appropriatekeymanagement
• ProtecLngnetworkdata– EncrypLon– Appropriatekeymanagement
• CommunicaLonheaders/actofcommunicaLon– Mixnetworks– OnionrouLng– Steganography
UnderstandingAvailability
• BeingabletomeetadefinedorimpliedSLA• AHackscanabsorbanyresource– Disk,network,CPU
• AHackscanbetransientorrequireintervenLon– NetworkfloodingstopswhenaHackerdoes– Forkbomb(eg:while(1){fork();})mightneedreboot– FulldiskmightrequirehumanintervenLon
TacLcsforAvailability
• Haveenoughresourcestoserverequests• Proofofwork– …“ProvesNottoWork”– Bitcoinuseshighcostproofs
• ProofofcommunicaLon
DeveloperWaystoAddress
• Avoidfixed-sizebuffers– Forexample,5half-openTCPconnecLons
• Consider– Resourcesyouconsumeperrequest– Howmanyrequestsyou’llserve– CleveraHacksthatballoonresourceuse– Recovery
OperaLonalWaystoAddress
• Quotas• ElasLccloudsystemstoaddmoreresources
TechnologiesforAddressingDoS
• ACLs• Filters• Quotas(ratelimits,thresholding,throHling)• Highavailabilitydesign• Extrabandwidth• Cloudservices
UnderstandingAuthorizaLon
• Eleva>onofPrivilegeisoneclassofauthorizaLonbypass– Theonlyonecoveredhere– AuthorizaLonsystemsaretheirownsub-field
TacLcsforAuthorizaLon
• LimittheaHacksurface– Forexample,smallnumberofsetuidprograms– Usesandboxesfornetwork-exposedcode– Don’trunasroot/admin– Beawarethatthere’soPenelevaLonpathsforsemi-privilegedaccounts
• Comprehensible,manageablepermissionssystems
DeveloperWaystoAddress
• LimittheaHacksurface• Carefullydefinepurpose&validaLonrulesforinbounddata
• Definewhatyou’llaccept,notwhatyoureject• Rejectbadinput,don’ttrytosaniLze• LoopedcanonicalizaLonrouLnes• Transformfromoneformtoanother(e.g.,markdowntohtml)
OperaLonalWaystoAddress
• Defenseindepth• Runeachtargetasitsownuniquelimiteduser– Unix“nobody”accountendedupquiteprivileged
• Sandboxes
TechnologiesforAddressing
• ACLs• Groupsorrolemembership• Rolebasedaccesscontrols• Windowsprivileges(runas)/Unixsudo• Chroot,apparmor,otherunixsandboxes• MOICEWindowssandbox• InputvalidaLonfordefinedpurposes
HowtoThreatModel(Summary)
• Whatareyoubuilding?• Whatcangowrong?• Whatareyougoingtodoaboutit?• Checkyourworkon1-3
CheckYourWork
• Requirementsengineeringandqualityassurance
• Checkthatyoucoveredallthethreats&assumpLons
• Checkthateachiscoveredwell
TesLngSoPwareYouMake
• Allthreatsyoufindcanbetested• InagileshopsthatrelyonTest-DrivenDevelopment(TDD),threatmodelingisagreatwaytodesigntests
• Startwithatesttoexecutethethreat• ConLnuewithteststhatbypassmiLgaLons(aka2ndorderaHacks)
• AutomaLonvsmanual
PenetraLonTesLng
• Aka“ethicalhacking,”“redteaming”• Improvethesecurityofyourcodebybreakingit
• Differsfromthreatmodeling– Donelate– Hardtojudgescope– SomeLmes“blackbox”wheretestersstartwithoutknowledgeofsystem
TesLngSoPwareYouAcquire
• BuildasoPwaremodel– UsethedocumentaLonandactualsoPware– SeeiftheyincludeathreatmodelorsecurityoperaLonsguide
• Lookforthreats• Addresstheissuesyoufind
BuildaSoPwareModel
• Components– Startwiththebinaries,databases,dependencies– Somewilllikelymergeintoasingleprocessforthreatmodelingpurposes
• Trustboundaries– Account(s)used– Sockets,RPC– Admininterfaces
• Lookatpla�ormchangesoninstall• Diagramasyoufindthings
LookforThreats
• Usethemodelyou’vecreated• ThisissimilartolookingforthreatsinanyothersoPware– You’relessfamiliarwithit– ItmayincluderelevantdocumentaLon– (Ifnot,whatdoesthattellyou?)
• UseSTRIDE,CAPEC,aHacktrees,etc.
AddresstheIssuesYouFind
• Askthecreatortofixthem– Bereadytodiscussviewsofrequirements,tradeoffs– Somebackwardsvendorswillthreatenyou(thisisaredflagtheydon’tunderstandsecurity)
• LookforanalternaLve– EasierifyouTMearly
• MiLgateyourself– UsingoperaLonalsecuritytechniquesfromearlierclasseson“whattodoaboutit”
QA’ingtheThreatModelingProcess
• Anotheraspectofcheckingyourwork• ChecksoPwaremodel/realityconformance• Checkthateachtaskandprocessisdone• Bugchecking:LookateachTMbug– Isitclosedproperly(fixed,notwon�ix)?– Isthereatestcase?– Tagsonbugsreallyhelpfulhere
Recap
• ThinklikeanaHackerisn’trepeatable• FocusingonassetsandaHackersdoesn’tworkformostpeople
• 4quesLons– Whatareyoubuilding?– Whatcangowrong?– Whatareyougoingtodoaboutit– Checkingyourwork
• Formore,ThreatModelingDesigningforSecurity