Threat Modeling with STRIDE Slides adapted from Threat Modeling: Designing for Security (Wiley, 2014) by Adam Shostack

Upload: phamminh

Post on 06-May-2018


Wouldn’t it be better to find security issues before you write a line of code? So how can you do that?

Ways to Find Security Issues

• Static analysis of code
• Fuzzing or other dynamic testing
• Pentest/red team
• Wait for bug reports after release

Ways to Find Security Issues (2)

• Threat modeling!
  – Think about security issues early
  – Understand your requirements better
  – Don’t write bugs into the code
  – And the subject of this lesson

So… how do you threat model?

Definitions

• What is a threat?
• How is it different from a
  – vulnerability,
  – risk,
  – or just a problem?
• What is a model?

Think Like an Attacker?

• Like thinking like a professional chef!
  – Even if you can, are you the chef at Olive Garden or Mario Batali’s?
• Thinking like an attacker, or focusing on them, is risky
  – What do they know? What will they do?
  – If you get these wrong, your threat modeling will go astray
• So don’t start from attackers!

Focus on Assets?

• Assets: valuable things – the business cares!
• But what’s an asset?
  – Something an attacker wants?
  – Something you want to protect?
  – A stepping stone?

Focus On What You’re Building!

• Need an engineering approach
  – Predictable
  – Reliable
  – Scalable to a large product
• Can’t be dependent on one brilliant person
• Ideally, you understand it
• Concrete and testable?

How to Threat Model (Summary)

• What are you building?
• What can go wrong?
• What are you going to do about it?
• Check your work on 1-3

What Are You Building?

• Create a model of the software/system/technology
• A model abstracts away the details so you can look at the whole

What Are Some Modeling Methods?

• Whiteboard diagrams
• Brainstorming
• Structured (“formal”) diagrams
  – Data flow diagrams
  – Swim lanes
  – State machines
• Mathematical representations of code

Data Flow Diagram (Example)

[Figure E-1: The Acme database. Diagram labels: Web Clients, SQL Clients, Front End(s), DB Admin, Data Management, Logs, Log analysis, Database, DBA (human), DB Users (human), Acme SQL Account, DB Cluster. Key: External Entity, Process, Data Store, data flow, Trust Boundary.]

Threats and Mitigations

The threats identified to the system are organized by module, to facilitate module owner review. They were identified three ways:

■ Walking through the threat trees in Appendix B, “Threat Trees”
■ Walking through the requirements listed in Chapter 12, “Requirements Cookbook”
■ Applying STRIDE-per-element to the diagram shown in Figure E-1

Acme would rank the threats with a bug bar, although because neither the bar nor the result of such ranking is critical to this example, they are not shown. Some threats are listed by STRIDE, others are addressed in less structured text where a single mitigation addresses several threats. The threats are shown in italic to make them easier to skim.

Finding these threats took roughly two weeks, with a one-hour threat identification meeting early in the day during which the team examined a component and its data flows. The examination consisted of walking through the threat trees in Appendix B and the requirements checklist in Chapter 12, and then

Trust Boundaries

• A trust boundary is everywhere two (or more) principals interact
• All interesting boundaries are semi-permeable
  – Air gaps
  – Firewalls
  – Require policy mechanisms (which are hard)
• Formal methods help build boundaries
  – Isolation
  – Type safety
  – Policy languages
  – Reference monitors/kernels

Swim Lane Diagrams

• Show two or more entities communicating, each “in a lane”
• Useful for network communication
• Lanes have implicit boundaries between them


excludes sharks). It also requires a willingness to expose one’s ignorance by asking a “simple” question. It’s probably easier for a team that’s invested in UML to add trust boundaries to those diagrams than to create new diagrams just for threat modeling.

Swim Lane Diagrams

Swim lane diagrams are a common way to represent flows between various participants. They’re drawn using long lines, each representing participants in a protocol, with each participant getting a line. Each lane edge is labeled to identify the participant; each message is represented by a line between participants; and time is represented by flow down the diagram lanes. The diagrams end up looking a bit like swim lanes, thus the name. Messages should be labeled with their contents; or if the contents are complex, it may make more sense to have a diagram key that abstracts out some details. Computation done by the parties or state should be noted along that participant’s line. Generally, participants in such protocols are entities like computers; and as such, swim lane diagrams usually have implicit trust boundaries between each participant. Cryptographer and protocol designer Carl Ellison has extended swim lanes to include the human participants as a way to structure discussion of what people are expected to know and do. He calls this extension ceremonies, which is discussed in more detail in Chapter 15, “Human Factors and Usability.”

A sample swim lane diagram is shown in Figure 2-6.

[Figure 2-6: Swim lane diagram (showing the start of a TCP connection). Lanes: Client, Server. Messages: SYN, SYN-ACK, ACK, Data.]

State Machines

• Helpful for considering what changes security state
  – For example, unauthenticated to authenticated
  – User to root/admin
• Rarely shows boundaries


State Diagrams

State diagrams represent the various states a system can be in, and the transitions between those states. A computer system is modeled as a machine with state, memory, and rules for moving from one state to another, based on the valid messages it receives, and the data in its memory. (The computer should of course test the messages it receives for validity according to some rules.) Each box is labeled with a state, and the lines between them are labeled with the conditions that cause the state transition. You can use state diagrams in threat modeling by checking whether each transition is managed in accordance with the appropriate security validations.

A very simple state machine for a door is shown in Figure 2-7 (derived from Wikipedia). The door has three states: opened, closed, and locked. Each state is entered by a transition. The “deadbolt” system is much easier to draw than locks on the knob, which can be locked from either state, creating a more complex diagram and user experience. Obviously, state diagrams can become complex quickly. You could imagine a more complex state diagram that includes “ajar,” a state that can result from either open or closed. (I started drawing that but had trouble deciding on labels. Obviously, doors that can be ajar are poorly specified and should not be deployed.) You don’t want to make architectural decisions just to make modeling easier, but often simple models are easier to work with, and reflect better engineering.

[Figure 2-7: A state machine diagram. States: Opened, Closed, Locked. Transitions: Open door, Close door, Lock deadbolt, Unlock deadbolt. Key: State, Transition, Transition condition.]
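One way to check that each transition is covered by a security validation, as an added example that is not from the slides or the book. It uses the security states named on the State Machines slide (unauthenticated, authenticated, admin); the transition table, the event names, the check names and the request fields `password_ok` and `otp_ok` are constructed for illustration.

```python
from dataclasses import dataclass

# Privilege level of each security state (constructed ordering).
PRIVILEGE = {"unauthenticated": 0, "authenticated": 1, "admin": 2}


@dataclass(frozen=True)
class Transition:
    src: str
    event: str
    dst: str
    checks: tuple = ()      # names of the validations required before the move


# Constructed transition table for a login flow.
TRANSITIONS = [
    Transition("unauthenticated", "login", "authenticated", ("password",)),
    Transition("authenticated", "elevate", "admin", ("password", "second_factor")),
    Transition("authenticated", "logout", "unauthenticated"),
    Transition("admin", "drop_privileges", "authenticated"),
    Transition("admin", "logout", "unauthenticated"),
    Transition("unauthenticated", "support_login", "admin"),   # no check listed
]

# Assumption: credential verification happened earlier and left booleans
# on the request; each validator only reads that result.
VALIDATORS = {
    "password": lambda req: req.get("password_ok") is True,
    "second_factor": lambda req: req.get("otp_ok") is True,
}


def raises_privilege(t):
    return PRIVILEGE[t.dst] > PRIVILEGE[t.src]


def unguarded_escalations(transitions):
    """Design review: transitions that raise privilege with no validation."""
    return [t for t in transitions if raises_privilege(t) and not t.checks]


class Session:
    """Runtime side: only modeled transitions, only when every check passes."""

    def __init__(self, transitions, validators):
        self.table = {(t.src, t.event): t for t in transitions}
        self.validators = validators
        self.state = "unauthenticated"

    def handle(self, event, request):
        t = self.table.get((self.state, event))
        if t is None:
            return False            # transition is not in the model: refuse
        if raises_privilege(t) and not t.checks:
            return False            # fail closed on an unguarded escalation
        if not all(self.validators[c](request) for c in t.checks):
            return False            # a required validation failed
        self.state = t.dst
        return True


if __name__ == "__main__":
    for t in unguarded_escalations(TRANSITIONS):
        print("unguarded:", t.src, "->", t.dst, "on", t.event)
```
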

How to Threat Model (Summary)

• What are you building?
• What can go wrong?
• What are you going to do about it?
• Check your work on 1-3

What Can Go Wrong?

• Fun to brainstorm
• Mnemonics, trees or libraries of threats can all help structure thinking
• Structure helps get you towards completeness and predictability
• STRIDE is a mnemonic
  – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
  – Easy, right?

STRIDE

| Threat | Property Violated | Definition | Example |
|---|---|---|---|
| Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of Bill Gates, Paypal.com or ntdll.dll |
| Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network |
| Repudiation | Non-repudiation | Claiming to have not performed an action. | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that website, dear!” |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a website. |
| Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a website, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP. |

Using STRIDE

• Consider how each STRIDE threat could impact each part of the model
  – “How could a clever attacker spoof this part of the system?... tamper with?… etc.”
• Track issues as you find them
  – “attacker could pretend to be a client & connect”
• Track assumptions
  – “I think that connection is always over SSL”
• Consolidate into an attack tree

Spoofing On the Local Machine

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Spoofing a process | Creates a file before the real process | Then your process relies on it |
| | Abuses names | Create a version of “sudo” and alter PATH |
| Spoofing a filename | Creates a file in the local directory | Library, executable or config file |
| | Creates a link, changes it | Also called ‘race condition’ or TOCTOU |
| | Creates many files in a target directory | Code can easily create all possible /tmp/foo.random |

Spoofing Over a Network

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Spoofing a machine | ARP spoofing | |
| | IP spoofing | |
| | DNS spoofing | |
| | DNS compromise | Can be at the TLD, registrar or DNS server |
| | IP redirection | |
| Spoofing a person | Take over account | “Stranded in London” |
| | Set the display name | |
| Spoofing a role | Declares themselves to be that role | Sometimes opening a special account, setting up a domain/website, other “verifiers” |

Tampering with a File

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Modifying a file… | …which you own and you rely on | |
| | …which they own and you rely on | |
| Modifying a file on a server… | …you own | |
| | …they own (or take over) | |
| | Modifies links or redirects | Redirects are super-common on the web, and often rot away |

Tampering with Memory

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Modifying code | Changes your code to suit themselves | Hard to defend against if the attacker is running code inside the trust boundaries |
| Modifying data they’ve supplied | Supplies data to a pass by reference API, then changes it | Works because of TOCTOU issues |
| | Supplies data into a shared memory segment, then changes it | |

Tampering with a Network

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Redirects the flow of data to their machine | Uses an attack at some network layer to redirect traffic | Pakistan/YouTube |
| Modifies data flowing over the network | | Easier (and more fun) with wireless networks |
| Uses network tampering to improve spoofing attacks | | |

Repudiation

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Repudiating an action | Claims to have not clicked | Maybe they did, maybe they didn’t, maybe they’re honestly confused |
| | Claims to not have received | 1. Electronic or physical 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy pre-fetch images? Was a package left on a porch? |
| | Claims to be a fraud victim | |
| | Uses someone else’s account | |

Repudiation Attacks on Logs

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| | Discovers there are no logs | |
| | Modifies data flowing over the network | |
| | Puts data in the logs to confuse you | |

Information Disclosure (Processes)

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Extracts user data | Exploits bugs like SQL injection to read db tables | Can find this by looking to data stores, but here the issue is the process returning data it shouldn’t |
| | Reads error messages | |
| Extracts machine secrets | Reads error messages | Cannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’ |
| | Exploits bugs | “Heartbleed” |

Information Disclosure (Data Stores)

| Sub-category | What the Attacker Does |
|---|---|
| Permissions | Take advantage of missing or inappropriate ACLs |
| | Take advantage of bad database permissions |
| | Find files protected by obscurity |
| Security | Find crypto keys on disk or in memory |
| | Get data from logs/temp files |
| | Get data from swap files |
| | See interesting information in filenames/directory names |
| Network | See data traversing a network |
| Misc | Obtain device, boot in new OS |

Information Disclosure (Data Flow)

| Sub-category | What the Attacker Does |
|---|---|
| Network | Read data on a network |
| | Redirects traffic to enable reading data on the network |
| Metadata | Learns secrets by analyzing traffic |
| | Learns who talks to whom by watching the DNS |
| | Learns who talks to whom by analyzing social network information |

Denial of Service

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Against a process | Absorb memory (RAM or disk) | |
| | Absorb CPU | |
| | Uses a process as an amplifier | |
| Against business logic | | “Too many login attempts” |
| Against a data store | Fills the data store | |
| | Makes enough requests to slow the system | |
| Against a data flow | Consumes network resources | |

Can be temporary (as the attack continues; fill the network) or persist beyond that (fill a disk)

Elevation of Privilege (“EoP”)

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| EoP against process via corruption | Sends inputs the code doesn’t handle properly | Very common, usually high impact |
| | Gains read/write access to memory | Writing memory more obviously bad |
| EoP via misused authorization checks | | |
| EoP via buggy authorization checks | | Centralizing checking makes consistency, correctness easier |
| EoP via data tampering | Modify bits on disk | |

Using STRIDE

• Consider how each STRIDE threat could impact each part of the model
  – “How could a clever attacker spoof this part of the system?... tamper with?… etc.”
• Track issues as you find them
  – “attacker could pretend to be a client & connect”
• Track assumptions
  – “I think that connection is always over SSL”
• Consolidate into an attack tree

When to Find Threats

• Start at the beginning of your project
  – Create a model of what you’re building
  – Do a first pass for threats
• Dig deep as you work through features
  – Think about how threats apply to your mitigations
• Check your design & model matches as you get close to shipping

Attackers Respond to Your Defenses

Playing Chess

• The ideal attacker will follow the road you defend
  – Ideal attackers are like spherical cows—they’re a useful model for some things
• Real attackers will go around your defenses
• Your defenses need to be broad and deep

“Orders of Mitigation”

| Order | Threat | Mitigation |
|---|---|---|
| 1st | Window smashing | Reinforced glass |
| 2nd | Window smashing | Alarm |
| 3rd | Cut alarm wire | Heartbeat signal |
| 4th | Fake heartbeat | Cryptographic signal integrity |

By Example:

• Thus window smashing is a first order threat, cutting alarm wire, a third-order threat
• Easy to get stuck arguing about orders
• Are both stronger glass & alarms 1st order mitigations? (Who cares?!)
• Focus on the concept of interplay between mitigations & further attacks
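The third and fourth rows of the table in code, as an added example that is not from the slides: a heartbeat whose absence raises the alarm, carrying an HMAC and a counter so that a forged or replayed heartbeat does not keep the alarm quiet. The frame layout, the key, the timeout and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def make_heartbeat(key, counter):
    """Sensor side: 8-byte big-endian counter followed by HMAC-SHA256 over it."""
    body = struct.pack(">Q", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Monitor:
    """Alarm panel side: accepts only authentic, fresh heartbeats."""

    def __init__(self, key, timeout_s):
        self.key = key
        self.timeout_s = timeout_s
        self.last_counter = 0     # sensor counters start at 1
        self.last_seen = None     # time of the last accepted heartbeat

    def receive(self, frame, now):
        if len(frame) != 8 + TAG_LEN:
            return "malformed"
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):    # constant-time compare
            return "bad-mac"
        (counter,) = struct.unpack(">Q", body)
        if counter <= self.last_counter:
            return "replay"
        # Only an accepted heartbeat resets the silence timer.
        self.last_counter, self.last_seen = counter, now
        return "ok"

    def alarm(self, now):
        """True when no valid heartbeat arrived within the timeout."""
        return self.last_seen is None or now - self.last_seen > self.timeout_s


def run_scenario():
    """Constructed timeline: two genuine heartbeats, then the wire is cut."""
    key = b"constructed-demo-key-not-for-use"
    monitor = Monitor(key, timeout_s=10)
    log = []
    log.append(("t=0 genuine #1", monitor.receive(make_heartbeat(key, 1), 0)))
    captured = make_heartbeat(key, 2)
    log.append(("t=5 genuine #2", monitor.receive(captured, 5)))
    # From here on the frames come from a party that does not hold the key.
    forged = make_heartbeat(b"guessed-key", 3)
    log.append(("t=9 forged #3", monitor.receive(forged, 9)))
    log.append(("t=12 replayed #2", monitor.receive(captured, 12)))
    log.append(("t=12 alarm", monitor.alarm(12)))
    log.append(("t=16 alarm", monitor.alarm(16)))
    return log


if __name__ == "__main__":
    for label, result in run_scenario():
        print(label, "->", result)
```
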

How to Approach Software

• Depth first
  – The most fun and “instinctual”
  – Keep following threats to see where they go
  – Can be useful skill development, promoting “flow”
• Breadth first
  – The most conservative use of time
  – Most likely to result in good coverage

Tracking Threats and Assumptions

• There are an infinite number of ways to structure this
• Use the one that works reliably for you
• (Hope doesn’t work reliably)

Example Threat Tracking Tables

| Diagram Element | Threat Type | Threat | Bug ID |
|---|---|---|---|
| Data flow #4, web server to business logic | Tampering | Add orders without payment checks | 4553 “Need integrity controls on channel” |
| | Info disclosure | Payment instruments sent in clear | 4554 “need crypto” #PCI |

| Threat Type | Diagram Element(s) | Threat | Bug ID |
|---|---|---|---|
| Tampering | Web browser | Attacker modifies our JavaScript order checking | 4556 “Add order-checking logic to server” |
| | Data flow #2 from browser to server | Failure to authenticate | 4557 “Add enforce HTTPS everywhere” |

Both are fine, help you iterate over diagrams in different ways
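The iteration from the “Using STRIDE” slide, producing the skeleton of the first tracking table above, as an added example that is not from the slides. It goes one step beyond them by using the STRIDE-per-element chart as commonly published for the Microsoft SDL to decide which categories to consider for each kind of diagram element. The element names, trust zones and the `Element` class are constructed.

```python
from dataclasses import dataclass

# Category letter -> (threat type, property violated), as in the STRIDE table.
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# STRIDE-per-element chart as commonly published (not on the slides):
# categories normally considered for each kind of diagram element.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",       # plus R when the store holds logs
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    zone: str = ""             # trust zone (entities, processes, stores)
    src: str = ""              # endpoints (data flows only)
    dst: str = ""
    holds_logs: bool = False


def enumerate_threats(elements):
    """Return one tracking-table row per (element, applicable category)."""
    by_name = {e.name: e for e in elements}
    rows = []
    for e in elements:
        letters = PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.holds_logs:
            letters = "TRID"
        crosses = (e.kind == "data_flow"
                   and by_name[e.src].zone != by_name[e.dst].zone)
        for letter in letters:
            threat_type, prop = STRIDE[letter]
            rows.append({
                "element": e.name,
                "threat_type": threat_type,
                "property": prop,
                "crosses_boundary": crosses,
                "threat": "",      # filled in during the review meeting
                "bug_id": None,    # filled in when the bug is filed
            })
    # Stable sort: flows that cross a trust boundary are reviewed first.
    rows.sort(key=lambda r: not r["crosses_boundary"])
    return rows


def render(rows):
    """Format rows as plain text for pasting into a tracker."""
    lines = ["Diagram Element | Threat Type | Property | Crosses boundary"]
    for r in rows:
        lines.append(" | ".join([r["element"], r["threat_type"], r["property"],
                                 "yes" if r["crosses_boundary"] else "no"]))
    return "\n".join(lines)


# Constructed model, loosely following the order-processing rows above.
MODEL = [
    Element("Web browser", "external_entity", zone="internet"),
    Element("Web server", "process", zone="dmz"),
    Element("Business logic", "process", zone="datacenter"),
    Element("Orders DB", "data_store", zone="datacenter"),
    Element("Audit log", "data_store", zone="datacenter", holds_logs=True),
    Element("Data flow #2, browser to web server", "data_flow",
            src="Web browser", dst="Web server"),
    Element("Data flow #4, web server to business logic", "data_flow",
            src="Web server", dst="Business logic"),
    Element("Data flow #5, business logic to Orders DB", "data_flow",
            src="Business logic", dst="Orders DB"),
]

if __name__ == "__main__":
    print(render(enumerate_threats(MODEL)))
```
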

Example Assumption Tracking

| Assumption | Impact if it’s wrong | Who to talk to | Who’s following up | Follow-up by date | Bug # |
|---|---|---|---|---|---|
| It’s ok to ignore denial of service within the data center | Availability will be below spec | Alice | Bob | April 15 | 4555 |

• Impact is sometimes so obvious it’s not worth filling out
• Who to talk to is not always obvious, it’s ok to start out blank
• Tracking assumptions in bugs helps you not lose track
• Treat the assumption as a bug – you need to resolve it

The Customer/Vendor Boundary

• There is always a trust boundary when:
  – Your code goes to someone else’s (device/premises)
  – Their data comes to your code
• Lawyers, pretending do not eliminate human trust issues
• You need to think about it while deciding what happens over the data flow shown

[Diagram labels: Your software, Customer device, Your software, Your data center]

Generic API Threat Model

• Perform security checks inside the boundary
• Copy before validation for purpose
  – Is http://evil.org/pwnme.html “valid”?
• Define the purpose for data, validate near that definition
• Manage error reporting
• Document what checks happen where
• Do crypto in constant time
• Address the security requirements for your API

How to Threat Model (Summary)

• What are you building?
• What can go wrong?
• What are you going to do about it?
• Check your work on 1-3

What Are You Going to Do About It?

• For each threat:
  – Fix it!
  – Mitigate with standard or custom approaches
  – Accept it?
  – Transfer the risk?
• For each assumption:
  – Check it
  – Wrong assumptions lead you to reconsider what goes wrong

Fix It!

• The best way to fix a security bug is to remove functionality
  – For example, if SSL doesn’t have a “heartbeat” message, the “heartbleed bug” couldn’t exist
  – You can only take this so far
  – Oftentimes end up making risk tradeoffs
• Mitigate the risk in various ways (next slide)

Mitigate

• Add/use technology to prevent attacks
• For example, prevent tampering:
  – Network: Digital signatures, cryptographic integrity tools, crypto tunnels such as SSH or IPsec
• Developers, sysadmins have different toolkits for mitigating problems
• Standard approaches available which have been tested & worked through
• Sometimes you need a custom approach

Some Technical Ways to Address

| Threat | Mitigation Technology | Developer Example | Sysadmin Example |
|---|---|---|---|
| Spoofing | Authentication | Digital signatures, Active directory, LDAP | Passwords, crypto tunnels |
| Tampering | Integrity, permissions | Digital signatures | ACLs/permissions, crypto tunnels |
| Repudiation | Fraud prevention, logging, signatures | Customer history risk management | Logging |
| Information disclosure | Permissions, encryption | Permissions (local), PGP, SSL | Crypto tunnels |
| Denial of service | Availability | Elastic cloud design | Load balancers, more capacity |
| Elevation of privilege | Authorization, isolation | Roles, privileges, input validation for purpose, (fuzzing*) | Sandboxes, firewalls |

* Fuzzing/fault injection is not a mitigation, but a great testing technique
See chapter 8, Threat Modeling for more

Custom Mitigations

• Sometimes the standard technologies don’t work for your situation
• Requires custom mitigations (or risk acceptance)
• Easy to get a custom mitigation wrong
• Hard and expensive to test (page 176)

Accepting Risk

• Works best when it’s your risk
  – Your organization can accept risk
  – Be careful about “accepting” risk for your customers.
• Customer risk acceptance
  – Via user interface
  – Sometimes the customer has details you can’t have (is this network your work or a coffee shop?)

Transferring Risk

• Via license agreements, terms of service, etc.
• Silently
• Both can lead to unhappy customers
  – Threat that no one reads ToS
  – Surprise!
  – Media blowups

Some Technical Ways to Address

| Threat | Mitigation Technology | Developer Example | Sysadmin Example |
|---|---|---|---|
| Spoofing | Authentication | Digital signatures, Active directory, LDAP | Passwords, crypto tunnels |
| Tampering | Integrity, permissions | Digital signatures | ACLs/permissions, crypto tunnels |
| Repudiation | Fraud prevention, logging, signatures | Customer history risk management | Logging |
| Information disclosure | Permissions, encryption | Permissions (local), PGP, SSL | Crypto tunnels |
| Denial of service | Availability | Elastic cloud design | Load balancers, more capacity |
| Elevation of privilege | Authorization, isolation | Roles, privileges, input validation for purpose, (fuzzing*) | Sandboxes, firewalls |

* Fuzzing/fault injection is not a mitigation, but a great testing technique
See chapter 8, Threat Modeling for more

Understanding Authentication

• To prove or show (something, esp. a claim or an artistic work) to be true or genuine
• Applies to all sorts of things
  – Programs or libraries on disk
  – Remote machines
  – People (a complex subject, covered later in the course)

Tactics for Authentication

• Local
  – Leverage the OS/program (database, web server, etc)
  – Defaults are not always secure
• Remote machines
  – Cryptographic methods (more reliable)
  – Consistency checking DNS, IP, route (less reliable)
• Cryptographic key exchange
  – DNSSec, PKI, etc: All involve trust delegation
  – Manual: expensive, sometimes worthwhile for existing business relationships

Developer Ways to Address Spoofing

• Leverage the OS
  – Use full pathnames (what does open(“foo.txt”) find?)
  – Make pathnames canonical
    • Resolving links including ../ or symlinks
    • Remove %20 or other encoding
  – Check permissions
  – Shared directories are usually troublesome
• Cryptographic identifiers & validation
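The “Leverage the OS” steps above as one routine, as an added example that is not from the slides: decode the name until it stops changing, resolve `../` and symlinks to a full canonical path, reject anything that lands outside the expected directory, and reject files that other accounts can write. The directory layout, file names and function names are constructed, and POSIX permissions are assumed.

```python
import os
import stat
import tempfile
from urllib.parse import unquote


class RejectedPath(ValueError):
    """Raised instead of trying to repair a suspicious name."""


def decode_fully(name, max_rounds=5):
    """Percent-decode until the name stops changing (looped canonicalization)."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise RejectedPath("encoding nested too deeply")


def resolve_under(base_dir, requested):
    """Return the canonical full path of `requested` inside base_dir, or raise."""
    base = os.path.realpath(base_dir)
    name = decode_fully(requested)
    if "\x00" in name:
        raise RejectedPath("NUL byte in name")
    # realpath collapses ../ and follows symlinks, so the containment test
    # looks at where the name really points, not at how it is spelled.
    full = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        raise RejectedPath("resolves outside the base directory")
    return full


def check_not_shared(path):
    """Reject a file, or its directory, that group or others can write."""
    for p in (path, os.path.dirname(path)):
        if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise RejectedPath(p + " is writable by group or others")


def outcome(base, requested):
    """Canonical path relative to base if every check passes, else 'rejected'."""
    try:
        full = resolve_under(base, requested)
        check_not_shared(full)
        return os.path.relpath(full, os.path.realpath(base))
    except (RejectedPath, OSError):
        return "rejected"


def demo():
    """Run the checks over a constructed directory tree; return name -> outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "app")
        reports = os.path.join(base, "reports")
        os.makedirs(reports)
        target = os.path.join(reports, "q1.txt")
        outside = os.path.join(tmp, "outside.txt")
        for path in (target, outside):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(reports, 0o755)
        os.chmod(target, 0o644)
        os.symlink(outside, os.path.join(base, "link"))
        names = ["reports/q1.txt", "reports/../reports/q1.txt",
                 "reports%2Fq1.txt", "%252e%252e%252foutside.txt",
                 "link", "/etc/passwd"]
        results = {n: outcome(base, n) for n in names}
        os.chmod(target, 0o666)     # now writable by every account
        results["reports/q1.txt after chmod 666"] = outcome(base, "reports/q1.txt")
        return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```
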

Operational Ways to Address Spoofing

• Difficult to improve local (on-system) name resolution when the code is done
• Possible to use SSH or IPSec or other crypto tunneling to reduce spoofing issues over the network

Technologies for Addressing Spoofing

• Authenticating computers
  – IPSec, DNSSec, SSH Host keys
  – Kerberos
  – Windows Domain authentication
  – PKI with SSL/TLS
• Authenticating bits (files, messages, etc)
  – Digital signatures
  – Hashes (appropriately managed)

Technologies for Addressing Spoofing (2)

1. Something you know, like a password
2. Something you have, like an access card
3. Something you are (or are measured to be)
  – “Biometrics”
  – Fingerprints, vein patterns, photographs
4. Someone you know who can authenticate you
• The first three are traditional, #4 is new
• “Multi-factor authentication” usually means more than one from the list
  – Some people call channels a factor
  – Many of them should threat model better

Understanding Integrity

• To interfere with (something) in order to cause damage or make unauthorized alterations
• Can apply to data wherever it is, including:
  – Disk
  – Network
  – Memory

Tactics for Integrity

• System defenses
  – Permissions (operating system/program)
• Cryptographic defenses
  – Digital signatures
  – Hashes/MACs
• Logging and audit
  – These do not prevent, but may deter
  – Generally used as a fallback or defense in depth

Developer Ways to Address Integrity

• Use permissions as provided
• Cryptography is required over a network
• Implementing a permission system is hard
  – Lots of mistakes have been made & documented

Operational Ways to Address Integrity

• Add additional protections
  – Tripwire-like systems on local machine
  – Tunneling over network
• Tripwire: acting on alerts is key!
  – Don’t be these folks ->
• Good alert design is a pre-requisite
  – Too many alerts, people will be overwhelmed
  – Too few, they’ll miss stuff

Technologies for Addressing Integrity

• Protect files with
  – Digital signatures
  – ACLs/permissions
  – Hashes
  – Windows Mandatory Integrity Control features
  – Unix immutability
• Protect network traffic with
  – SSL
  – SSH
  – IPSec
  – Digital signatures

Understanding Non-Repudiation

• Repudiation: To refuse to accept or be associated with; deny the truth or validity of some statement
• Non-repudiation is the set of tools & technologies to establish what happened—ideally to the satisfaction of everyone involved or impacted
• Bridges business & technical levels
• Repudiation can be a feature
  – “Off The Record”

Tactics for Non-Repudiation

• Fraud prevention
  – Internal fraud such as embezzlement
  – “Customer” fraud prevention
• Logs
  – As much as you can, keep for as long as you can
• Cryptography

“Customer” Fraud Prevention

• Alice’s account is taken over & abused (or)
• Bob creates an account for fraud
• Must manage both
• Stable customers are good, predictable
• Technologies/services
  – Validation services
  – Customer history sharing
  – Multi-merchant data
  – Purchase device tracking

Developer Ways to Address

• Log business logic
  – Eg “For this transaction, we saw that geolocate(ip) was ‘Seattle,’ which is typical for this account.”
• Cryptographic digital signatures
  – Most useful today between business partners, not consumer-usable

Operational Ways to Address

• Operations get stuck investigating
  – Table-top exercises may expose issues that the logs don’t exist
• Scaling
  – Logs may end up in diverse places
  – Dedicated people
  – Specialized tooling

Technologies for Addressing Repudiation

• Logs
  – Logging
  – Log analysis tools
  – Secured log storage
• Digital signatures
• Secure time stamps
• Trusted third parties

Understanding Confidentiality

• To ensure that information is only disclosed to authorized parties
• Secrets in data
  – Yours: financial results, new product plans
  – Entrusted to you: private data
  – Complex rules: Who can see that Facebook post?
• Secrets also exist in metadata
  – “Layoff letter for Alice.docx”, “Jan layoff/alice.docx”
  – Calls to an STD clinic (repeatedly?!)

Tactics for Confidentiality

• On a system
  – ACLs/permissions
  – Cryptography
• Between systems
  – Cryptography
• To hide the existence of information
  – Steganography

Developer Ways to Address

• Permissions/ACLs
• Cryptography
  – Data (file on disk, email message)
  – Container (volume encryption, email connections)
  – Requires proper key management
  – Remember: Encryption doesn’t provide authentication or integrity

Operational Ways to Address

• Add permissions/ACLs
• Volume encryption
  – Protects if the machine is stolen and powered down
  – Doesn’t protect against an attacker who breaks in
• Network encryption (SSH, SSL, IPSec)

Technologies for Confidentiality

• Protecting files
  – ACLs/Permissions
  – Encryption
  – Appropriate key management
• Protecting network data
  – Encryption
  – Appropriate key management
• Communication headers/act of communication
  – Mix networks
  – Onion routing
  – Steganography

Understanding Availability

• Being able to meet a defined or implied SLA
• Attacks can absorb any resource
  – Disk, network, CPU
• Attacks can be transient or require intervention
  – Network flooding stops when attacker does
  – Fork bomb (eg: while(1){fork();}) might need reboot
  – Full disk might require human intervention

Tactics for Availability

• Have enough resources to serve requests
• Proof of work
  – … “Proves Not to Work”
  – Bitcoin uses high cost proofs
• Proof of communication

Developer Ways to Address

• Avoid fixed-size buffers
  – For example, 5 half-open TCP connections
• Consider
  – Resources you consume per request
  – How many requests you’ll serve
  – Clever attacks that balloon resource use
  – Recovery

Operational Ways to Address

• Quotas
• Elastic cloud systems to add more resources

Technologies for Addressing DoS

• ACLs
• Filters
• Quotas (rate limits, thresholding, throttling)
• High availability design
• Extra bandwidth
• Cloud services

Understanding Authorization

• Elevation of Privilege is one class of authorization bypass
  – The only one covered here
  – Authorization systems are their own sub-field

Tactics for Authorization

• Limit the attack surface
  – For example, small number of setuid programs
  – Use sandboxes for network-exposed code
  – Don’t run as root/admin
  – Be aware that there’s often elevation paths for semi-privileged accounts
• Comprehensible, manageable permissions systems

Developer Ways to Address

• Limit the attack surface
• Carefully define purpose & validation rules for inbound data
• Define what you’ll accept, not what you reject
• Reject bad input, don’t try to sanitize
• Looped canonicalization routines
• Transform from one form to another (e.g., markdown to html)

Operational Ways to Address

• Defense in depth
• Run each target as its own unique limited user
  – Unix “nobody” account ended up quite privileged
• Sandboxes

Technologies for Addressing

• ACLs
• Groups or role membership
• Role based access controls
• Windows privileges (runas)/Unix sudo
• Chroot, apparmor, other unix sandboxes
• MOICE Windows sandbox
• Input validation for defined purposes

How to Threat Model (Summary)

• What are you building?
• What can go wrong?
• What are you going to do about it?
• Check your work on 1-3

Check Your Work

• Requirements engineering and quality assurance
• Check that you covered all the threats & assumptions
• Check that each is covered well

Testing Software You Make

• All threats you find can be tested
• In agile shops that rely on Test-Driven Development (TDD), threat modeling is a great way to design tests
• Start with a test to execute the threat
• Continue with tests that bypass mitigations (aka 2nd order attacks)
• Automation vs manual

Penetration Testing

• Aka “ethical hacking,” “red teaming”
• Improve the security of your code by breaking it
• Differs from threat modeling
  – Done late
  – Hard to judge scope
  – Sometimes “black box” where testers start without knowledge of system

Testing Software You Acquire

• Build a software model
  – Use the documentation and actual software
  – See if they include a threat model or security operations guide
• Look for threats
• Address the issues you find

Build a Software Model

• Components
  – Start with the binaries, databases, dependencies
  – Some will likely merge into a single process for threat modeling purposes
• Trust boundaries
  – Account(s) used
  – Sockets, RPC
  – Admin interfaces
• Look at platform changes on install
• Diagram as you find things

Look for Threats

• Use the model you’ve created
• This is similar to looking for threats in any other software
  – You’re less familiar with it
  – It may include relevant documentation
  – (If not, what does that tell you?)
• Use STRIDE, CAPEC, attack trees, etc.

Address the Issues You Find

• Ask the creator to fix them
  – Be ready to discuss views of requirements, tradeoffs
  – Some backwards vendors will threaten you (this is a red flag they don’t understand security)
• Look for an alternative
  – Easier if you TM early
• Mitigate yourself
  – Using operational security techniques from earlier classes on “what to do about it”

QA’ing the Threat Modeling Process

• Another aspect of checking your work
• Check software model/reality conformance
• Check that each task and process is done
• Bug checking: Look at each TM bug
  – Is it closed properly (fixed, not wontfix)?
  – Is there a test case?
  – Tags on bugs really helpful here

Recap

• Think like an attacker isn’t repeatable
• Focusing on assets and attackers doesn’t work for most people
• 4 questions
  – What are you building?
  – What can go wrong?
  – What are you going to do about it
  – Checking your work
• For more, Threat Modeling: Designing for Security