THREAT MODELING - UniCa
Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

THREAT MODELING
Giorgio Giacinto
Corso Sicurezza Informatica (Information Security course), 2015-2016
http://pralab.diee.unica.it
Books
Definition
[Application] Threat Modeling: a strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment, for the purpose of clearly identifying risk and impact levels.
Tony UcedaVelez and Marco M. Morana, Risk Centric Threat Modeling, 2015
Threat Scenarios
• An application could become a target when an attack provides a return on investment to the attacker
• Threat scenarios
  1. Capturing the application business context and identifying the application assets
  2. Identifying the possible threat agents and their goals
• Generalization for all applications with similar functionalities and data assets stored and processed
• Prioritization of the security measures to mitigate the risk
Threat Agents
• Characterizing threats is essential for analyzing risks
• Three factors
  – The type of a threat
  – The threat agent
  – The targets
• Threat agents
  – Humans (hacktivists, cyber-criminals, cyber-spies, etc.)
  – Tools
    • Malware, key-loggers, spyware, etc.
  – Non-human
    • Storms, earthquakes, tornados, etc.
Reasons to Threat Model
• Find security bugs early
• Understand your security requirements
• Engineer and deliver better products
• Address issues other techniques won't
Threats: Technical and Business Impacts

Threat | Technical impact | Business impact
Malware-infected PC taking over online banking credentials | Loss of users' authentication data, allowing fraudsters to take over the account (impersonation) | Money loss due to fraudulent transactions: impersonating the logged-in user to move money to fraudulent accounts through third-party accounts (money mules)
External threat agent exploiting the application's SQL injection vulnerabilities | Unauthorized access to users' data, including confidential data and PII, trade secrets, and intellectual property | Liabilities for loss of users' PII, lawsuits for non-compliance, security incident recovery costs, and revenue loss
Denial of service attack against the application | Unavailability of the web server due to exploitation of application and network vulnerabilities and lack of redundancy to cope with traffic overloads | Revenue loss due to loss and/or disruption of service denying customers access to services and goods; lawsuits from customers and businesses; recovery costs
Addressing each threat
• Mitigating threats
• Eliminating threats
• Transferring threats
• Accepting the risk
Software threat modeling
Security Development Lifecycle
• Developed by Microsoft starting in 2002
• Established as a mandatory policy in 2004 for Microsoft products
• Adopted worldwide by many software development teams since its public release in 2008
https://www.microsoft.com/sdl/
Threat Modeling: a four-step process
1. What are you building?
2. What can go wrong with it once it's built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
Model the system
• Graphical sketches
• Identification of trust boundaries
What can go wrong?
• STRIDE taxonomy (Microsoft)
  – Spoofing
  – Tampering
  – Repudiation
  – Information Disclosure
  – Denial of Service
  – Elevation of Privilege
Addressing Spoofing

Threat target | Mitigation strategy | Mitigation technique
Spoofing a person | Identification and authentication | Username & password, or biometrics, tokens, etc. Issues: enrollment, expiration, etc.
Spoofing a "file" on disk | Leverage the OS | Full paths, ACLs, etc.
Spoofing a "file" on disk | Cryptographic authenticators | Digital signatures or authenticators
Spoofing a network address | Cryptographic | DNSSEC, HTTPS/SSL, IPsec
Spoofing a program in memory | Leverage the OS | Application identifiers enforced by the OS
Addressing Tampering

Threat target | Mitigation strategy | Mitigation technique
Tampering with a file | Operating system | ACLs
Tampering with a file | Cryptographic | Digital signatures, keyed MAC
Racing to create a file (tampering with the operating system) | Use a directory that is protected from arbitrary user tampering | ACLs, private directory structures, randomized file names, etc.
Tampering with a network packet | Cryptographic | HTTPS/SSL, IPsec
Tampering with a network packet | Anti-pattern | Network isolation
Addressing Repudiation

Threat target | Mitigation strategy | Mitigation technique
No logs (you can't prove anything) | Maintain a log | Log all the security-relevant information
Logs come under attack | Log protection | Send over the network, ACLs
Logs as a channel for attack | Tightly specified logs | Early documentation of log design in the development process
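"Logs as a channel for attack" and "tightly specified logs" are abstract until you see a forged record land in a log. The example below is added here and is not code from the original slides: it writes the same failed-login event through a free-text formatter, which lets a newline inside the attacker-chosen username forge a second "success" record for another account, and through a one-JSON-object-per-line formatter whose escaping makes that impossible. The event fields and the username `EVIL_USERNAME` are constructed for the demonstration.

```python
"""Log injection versus a tightly specified log format.

Added example for the "logs as a channel for attack" row; not code from the
original slides.  The timestamps and the attacker's username are constructed.
"""
import json

# Constructed: a username typed into a login form.  The embedded newline is
# meant to start a second, well-formed record in a free-text log.
EVIL_USERNAME = "mallory\n2016-03-01T10:00:05Z login result=success user=admin"


def naive_log_line(ts, user, result):
    """Free-text logging: field content is concatenated into the record, so
    a newline in a field ends the record early and starts a forged one."""
    return f"{ts} login result={result} user={user}"


def strict_log_line(ts, user, result):
    """Tightly specified record: fixed keys, one JSON object per line.
    json.dumps escapes control characters ("\\n" stays two characters), so a
    field value can never terminate the record, and the reader can parse
    it without guessing where fields begin and end."""
    record = {"ts": ts, "event": "login", "result": result, "user": user}
    return json.dumps(record, ensure_ascii=True)


def naive_reader(text):
    """What a log-reading tool reconstructs from the free-text log:
    (user, result) per line, taking whitespace-separated key=value pairs."""
    records = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        records.append((fields.get("user"), fields.get("result")))
    return records


def strict_reader(text):
    return [(r["user"], r["result"]) for r in map(json.loads, text.splitlines())]


def demo():
    ts = "2016-03-01T10:00:04Z"
    naive = naive_log_line(ts, EVIL_USERNAME, "failure")
    strict = strict_log_line(ts, EVIL_USERNAME, "failure")
    return {
        "naive_records": naive_reader(naive),     # two records; the second is forged
        "strict_records": strict_reader(strict),  # one record; newline kept as data
        "strict_newlines": strict.count("\n"),    # 0: the record is exactly one line
    }
```

The same discipline covers the other two rows of the table: a fixed schema is what lets "log all the security-relevant information" be checked for completeness, and a record that cannot be split is what makes the copy you "send over the network" worth protecting.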
Addressing Information Disclosure

Threat target | Mitigation strategy | Mitigation technique
Network monitoring | Encryption | HTTPS/SSL, IPsec
Directory or file name | Leverage the OS | ACLs
File contents | Leverage the OS | ACLs
File contents | Cryptography | File encryption, disk encryption
API information disclosure | Design | Design control: pass by reference or by value
Addressing Denial of Service

Threat target | Mitigation strategy | Mitigation technique
Network flooding | Look for exhaustible resources | Elastic resources; ensure that the attacker's resource consumption is as high as or higher than yours; network ACLs
Program resources | Careful design | Elastic resource management, proof of work
Program resources | Avoid multipliers | Look for places where attackers can multiply CPU consumption on your end with minimal effort on their end
System resources | Leverage the OS | OS settings
Addressing Elevation of Privilege

Threat target | Mitigation strategy | Mitigation technique
Data/code confusion | Tools and architectures that separate data and code | Prepared statements or stored procedures in SQL; late validation that data is what the next function expects
Control flow / memory corruption | Use a type-safe language | Type-safe languages protect against entire classes of attack
Control flow / memory corruption | Leverage the OS for memory protection | Provided by most modern OSs
Control flow / memory corruption | Sandboxing | AppArmor in Linux, AppContainer in Windows, Sandboxlib in Mac OS; create a new account for each app
Command injection attacks | Be careful | Input validation. Don't sanitize: log and throw away
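The "data/code confusion" and "command injection" rows describe the same fix from two angles: keep the query text fixed so input can never be parsed as code, and reject (rather than clean up) input that does not match what the next function expects. The example below is added here and is not code from the original slides; it puts a string-built lookup next to a prepared statement and a validating wrapper, using the standard-library `sqlite3` module. The `users` table, its rows and the attacker input `INJECTED_USER` are constructed for the demonstration.

```python
"""Data/code confusion in SQL: string-built query, prepared statement, and
boundary validation that logs and rejects instead of sanitizing.

Added example for the elevation-of-privilege table; not code from the
original slides.  Schema, rows and attacker input are constructed.
"""
import logging
import sqlite3

log = logging.getLogger("auth")

# Constructed: closes the string literal, adds an always-true condition,
# and comments out whatever the query said after the injection point.
INJECTED_USER = "' OR '1'='1' -- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return db


def lookup_vulnerable(db, username):
    """Data becomes code: the username is spliced into the SQL text, so the
    quotes and keywords it contains change what the statement means."""
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return db.execute(sql).fetchall()


def lookup_prepared(db, username):
    """The statement is fixed at development time; the value is bound as a
    parameter and is never tokenized as SQL, whatever it contains."""
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (username,)).fetchall()


def lookup_validated(db, username):
    """Late validation that the data is what the next function expects.
    Anything outside the username alphabet is logged and thrown away, not
    rewritten; the prepared statement stays underneath as defence in depth."""
    ok = username.isascii() and username.isalnum() and 1 <= len(username) <= 32
    if not ok:
        log.warning("rejected malformed username %r", username)
        return None
    return lookup_prepared(db, username)
```

With the injected string, the vulnerable lookup returns every row in the table, while the prepared lookup returns nothing because no user literally has that name; the validated lookup never reaches the database at all and leaves a log record of the attempt.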
Validation of the threat model
• Checking the model
  – Completeness
  – Accuracy
  – Coverage of all the security decisions
  – Representativeness of the diagram
• Updating the diagram
  – Focus on data flow, rather than on control flow
  – Replace vague wording such as "sometimes" or "also" by considering all the cases
  – Don't have data sinks: show who uses the data
  – Show the process that moves data from one data store to another
Structured approaches to threat modeling
Three Focus Areas
Assets, Attackers, Software
[Figure: example of a data flow diagram of the Acme/SQL database]
Focusing on assets
• Things attackers want
  – User passwords
  – SSNs, identifiers
  – Credit card numbers
  – Confidential business data
• Things you want to protect
  – Reputation
  – Goodwill
  – Unused assets
• Stepping stones
  – Everything that can be used to attack other assets
Focusing on attackers
• Need a list of types of attackers
  – Different motivations, skills, backgrounds and perspectives
• Humanizing the attacker bears the risk of ending up with "no one would ever do that"
• Risk-based threat modeling focuses on assets and on attackers for prioritizing threat mitigation tasks
• Security-centric threat modeling avoids enumerating attackers and focuses on the technical analysis
Focusing on software
• Security-centric approach to threat modeling
• Based on software models described by diagrams
  – Data flow diagrams
  – UML
  – Swim lane diagrams
  – State diagrams
• Based on the definition of trust boundaries
Finding Threats
Spoofing Threats

Threat examples | What the attacker does | Notes
Spoofing a process on the same machine | Creates a file before the real process |
Spoofing a process on the same machine | Renaming/linking | Creating a Trojan "su" and altering the path
Spoofing a process on the same machine | Renaming | Naming your process "sshd"
Spoofing a file | Creates a file in the local directory | A library, executable or config file
Spoofing a file | Creates a link and changes it | The change should happen between the link being checked and the link being accessed
Spoofing a file | Creates many files in the expected directory | e.g., automatic creation of 10,000 files in the /tmp directory to fill all the available space
Spoofing Threats (continued)

Threat examples | What the attacker does | Notes
Spoofing a machine | ARP spoofing |
Spoofing a machine | IP spoofing |
Spoofing a machine | DNS spoofing | Forward or reverse
Spoofing a machine | DNS compromise | Compromise TLD, registrar or DNS operator
Spoofing a machine | IP redirection | At the switch or router level
Spoofing a person | Sets the e-mail display name |
Spoofing a person | Takes over a real account |
Spoofing a role | Declares themselves to be that role | Sometimes opening a special account with a relevant name
Tampering Threats

Threat examples | What the attacker does | Notes
Tampering with a file | Modifies a file they own and on which you rely |
Tampering with a file | Modifies a file you own |
Tampering with a file | Modifies a file on a file server that you own |
Tampering with a file | Modifies a file on their file server | Effective when you include files from remote domains
Tampering with a file | Modifies links or redirects |
Tampering with memory | Modifies your code | Hard to defend against once the attacker is running code as the same user
Tampering with memory | Modifies data they've supplied to your API | Pass by value, not by reference, when crossing a trust boundary
Tampering Threats (continued)

Threat examples | What the attacker does | Notes
Tampering with a network | Redirects the flow of data to their machine | Often stage 1 of tampering
Tampering with a network | Modifies data flowing over the network | Even easier when the network is wireless (e.g., WiFi, 3G, etc.)
Tampering with a network | Enhances spoofing attacks |
Repudiation Threats

Threat examples | What the attacker does | Notes
Repudiating an action | Claims to have not clicked |
Repudiating an action | Claims to have not received | How reliable are receipts of delivery/download?
Repudiating an action | Claims to have been a fraud victim |
Repudiating an action | Uses someone else's account |
Repudiating an action | Uses someone else's payment instrument without authorization |
Attacking the logs | Notices you have no logs |
Attacking the logs | Puts attacks in the logs to confuse logs, log-reading code, or persons reading the log |
Information Disclosure Threats

Threat examples | What the attacker does | Notes
Information disclosure against a process | Extracts secrets from error messages | Reads the error messages, from usernames/passwords to entire database tables
Information disclosure against a process | Extracts machine secrets from error cases | Can make defenses against memory corruption such as ASLR far less useful
Information disclosure against a process | Extracts business/personal secrets from error cases |
Information Disclosure Threats (continued)

Threat examples | What the attacker does | Notes
Information disclosure against data stores | Takes advantage of inappropriate or missing ACLs |
Information disclosure against data stores | Takes advantage of bad database permissions |
Information disclosure against data stores | Finds files protected by obscurity |
Information disclosure against data stores | Finds crypto keys on disk (or in memory) |
Information disclosure against data stores | Sees interesting information in file names |
Information disclosure against data stores | Reads files as they traverse the network |
Information disclosure against data stores | Gets data from logs or temp files |
Information disclosure against data stores | Gets data from swap or other temp storage |
Information disclosure against data stores | Extracts data by obtaining the device and changing the OS |
Information Disclosure Threats (continued)

Threat examples | What the attacker does | Notes
Information disclosure against a data flow | Reads data on the network |
Information disclosure against a data flow | Redirects traffic to enable reading data on the network |
Information disclosure against a data flow | Learns secrets by analyzing traffic |
Information disclosure against a data flow | Learns who's talking to whom by watching the DNS |
Information disclosure against a data flow | Learns who's talking to whom by social network info disclosure |
Denial of Service Threats

Threat examples | What the attacker does | Notes
Denial of service against a process | Absorbs memory (RAM or disk) |
Denial of service against a process | Absorbs CPU |
Denial of service against a process | Uses the process as an amplifier |
Denial of service against a data store | Fills the data store up |
Denial of service against a data store | Makes enough requests to slow down the system |
Denial of service against a data flow | Consumes network resources |
Elevation of Privilege Threats

Threat examples | What the attacker does | Notes
Elevation of privilege against a process by corrupting the process | Sends inputs that the code doesn't handle properly | These errors are very common, and have high impact
Elevation of privilege against a process by corrupting the process | Gains access to read or write memory inappropriately | Reading memory can enable further attacks
Elevation through missed authorization checks | |
Elevation through buggy authorization checks | | Centralizing such checks makes bugs easier to manage
Elevation through data tampering | Modifies bits on disk to do things other than what the authorized user intends |
STRIDE-per-element

Element | S | T | R | I | D | E
External entity | x | | x | | |
Process | x | x | x | x | x | x
Data flow | | x | | x | x |
Data store | | x | ? | x | x |
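The chart above turns a diagram into a worklist mechanically: every element of a given kind gets the same set of STRIDE categories, and the "?" for data stores resolves to "yes" when the store holds the evidence (a log). The example below is added here and is not code from the original slides: it encodes the chart, applies it to a small constructed DFD (browser, web application, users database, audit log) and lists data flows that cross a trust boundary first. The `Element` model, the `is_log` and `crosses_boundary` flags and the sample system are assumptions made for the demonstration.

```python
"""STRIDE-per-element: derive the candidate threat list from a DFD model.

Added example; not code from the original slides.  The chart is the table
above; the element model and SAMPLE system are constructed.
"""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Which categories apply to each element kind, from the STRIDE-per-element chart.
# The data-store "?" for Repudiation is resolved per store with is_log below.
CHART = {
    "external": "SR",
    "process": "STRIDE",
    "dataflow": "TID",
    "datastore": "TID",          # plus "R" when the store is a log
}


@dataclass
class Element:
    name: str
    kind: str                        # external | process | dataflow | datastore
    is_log: bool = False             # datastore only: holds audit evidence
    crosses_boundary: bool = False   # dataflow only: spans a trust boundary


def threats_for(el):
    """Return (element name, letter, category) for each category the chart
    applies to this element."""
    letters = CHART[el.kind]
    if el.kind == "datastore" and el.is_log:
        letters += "R"               # a log is exactly where repudiation matters
    return [(el.name, c, STRIDE[c]) for c in letters]


def enumerate_threats(model):
    """Whole-model enumeration.  Flows crossing a trust boundary are listed
    first, since those are the flows the modeling process tells you to
    examine hardest; the sort is stable, so diagram order is kept otherwise."""
    ordered = sorted(model, key=lambda e: not e.crosses_boundary)
    out = []
    for el in ordered:
        out.extend(threats_for(el))
    return out


# Constructed sample DFD.
SAMPLE = [
    Element("Browser", "external"),
    Element("Web app", "process"),
    Element("Browser -> Web app", "dataflow", crosses_boundary=True),
    Element("Web app -> Users DB", "dataflow"),
    Element("Users DB", "datastore"),
    Element("Audit log", "datastore", is_log=True),
]

if __name__ == "__main__":
    for name, letter, category in enumerate_threats(SAMPLE):
        print(f"{name}: {letter} {category}")
```

Each line of the output is a threat to be addressed with one of the four options from "Addressing each threat" (mitigate, eliminate, transfer, accept); the enumeration says nothing about priority, which is what the risk-based methods later in the deck add.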
Attack Trees
Benefits of modeling with attack trees
• "Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes." (Bruce Schneier, 1999)
Example of an attack tree
[Figure: attack tree]
https://www.schneier.com/cryptography/archives/1999/12/attack_trees.html
Example of an attack tree - SSL
[Figure: mind map representation]
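An attack tree earns its keep when you fold values up it: OR nodes take the cheapest feasible child, AND nodes add their children's costs and become impossible if any child is. The example below is added here and is not code from the original slides or from Schneier's article: it evaluates a small constructed tree whose goal is reading a message sent over an SSL-like channel, returning every feasible complete attack, the cheapest one, and the ones within an attacker's budget. The tree shape, the leaf costs and the `possible` flags are illustrative assumptions and make no claim about real attack costs.

```python
"""Attack tree evaluation: OR/AND nodes, leaf cost and possible/impossible,
folded up the tree to find cheapest and affordable attacks.

Added example; not code from the original slides or Schneier's article.
The SSL_TREE and its costs are constructed and illustrative only.
"""
from dataclasses import dataclass, field
from typing import List

INF = float("inf")


@dataclass
class Node:
    name: str
    op: str = "LEAF"              # LEAF | OR | AND
    cost: float = 0.0             # leaves only: attacker's cost in arbitrary units
    possible: bool = True         # leaves only: Schneier's possible/impossible
    children: List["Node"] = field(default_factory=list)


def paths(node):
    """Every feasible complete attack below node, as (cost, leaf names).
    LEAF: itself if possible, else nothing.  OR: union of the children's
    attacks.  AND: one attack per combination of child attacks, costs added;
    an impossible child leaves no combinations, so the AND is impossible."""
    if node.op == "LEAF":
        return [(node.cost, [node.name])] if node.possible else []
    if node.op == "OR":
        return [p for c in node.children for p in paths(c)]
    combos = [(0.0, [])]
    for c in node.children:
        combos = [(cost + c2, leaves + l2)
                  for cost, leaves in combos for c2, l2 in paths(c)]
    return combos


def cheapest(node):
    """Cheapest feasible attack, or (INF, []) if the goal is unreachable."""
    return min(paths(node), key=lambda p: p[0], default=(INF, []))


def affordable(node, budget):
    """Attacks an adversary with this budget can carry out, cheapest first;
    pruning the rest is how the tree is matched to a given attacker."""
    return sorted((p for p in paths(node) if p[0] <= budget), key=lambda p: p[0])


SSL_TREE = Node("Read a message sent over the encrypted channel", "OR", children=[
    Node("Obtain plaintext at an endpoint", "OR", children=[
        Node("Install malware on the client", cost=20),
        Node("Bribe or coerce the user", cost=50),
    ]),
    Node("Break the cryptography", "AND", children=[
        Node("Capture the traffic", cost=5),
        Node("Factor the server's RSA key", possible=False),
    ]),
    Node("Man-in-the-middle with a forged certificate", "AND", children=[
        Node("Capture and redirect traffic", cost=5),
        Node("Obtain a certificate the client accepts", "OR", children=[
            Node("Compromise a trusted CA", cost=200),
            Node("User accepts certificate warning", cost=10),
        ]),
    ]),
])

if __name__ == "__main__":
    cost, leaves = cheapest(SSL_TREE)
    print(cost, " + ".join(leaves))
```

The "break the cryptography" branch contributes no attack at all, because one of its AND-children is marked impossible; the cheapest route is the man-in-the-middle that relies on a user clicking through a certificate warning, which is the kind of result that redirects mitigation effort from the cipher to the UI and the trust store.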
Mitigating Threats
Tactics and Technologies
• Authentication -> Mitigating Spoofing
  – Tactics: cryptographic keys, PKI, CAs
  – Technologies: IPsec, SSH, Kerberos, hashes, etc.
• Integrity -> Mitigating Tampering
  – Tactics: permissions, cryptographic mechanisms, logs
  – Technologies: ACLs, digital signatures, hashes, etc.
• Non-Repudiation -> Mitigating Repudiation
  – Tactics: fraud prevention, logs and cryptography
  – Technologies: log analysis tools, digital signatures, etc.
Tactics and Technologies (continued)
• Confidentiality -> Mitigating Information Disclosure
  – Tactics: ACLs, cryptography
  – Technologies: ACLs, encryption, key management, etc.
• Availability -> Mitigating Denial of Service
  – Tactics: proof of work, ensure the attacker can receive data
  – Technologies: filters, quotas, cloud services, etc.
• Authorization -> Mitigating Elevation of Privilege
  – Tactics: limiting the use of privileged accounts, sandboxing, defense layers, etc.
  – Technologies: ACLs, RBAC, chroot, etc.
Risk-based approach to application threat modeling
The DREAD model
• Damage Potential – How extensive is the damage (impact) once a vulnerability is successfully exploited?
• Reproducibility – How easy is it for this type of attack to be reproduced?
• Exploitability – How easy is it for a known vulnerability to be exploited?
• Affected Users – Impact on the user base
• Discoverability – How easily is the vulnerability detected?
Risk rating using DREAD
• For each element of the DREAD model a qualitative assessment of risk is performed by assigning one out of three values
  – HIGH, or 3
  – MEDIUM, or 2
  – LOW, or 1

Threat | D | R | E | A | D | Total | Rating
Attacker obtains authentication credentials by monitoring the network | 3 | 3 | 2 | 2 | 2 | 12 | High
SQL commands injected into the application | 3 | 3 | 3 | 3 | 2 | 14 | High
Example of a Threat Rating Table

Threat | HIGH (3) | MEDIUM (2) | LOW (1)
D  Damage Potential | The attacker can subvert the security system; get full trust authorization; run as administrator; upload content | Leaking sensitive information | Leaking trivial information
R  Reproducibility | The attack can be reproduced every time and does not require a timing window | The attack can be reproduced, but only with a timing window and a particular race situation | The attack is very difficult to reproduce, even with knowledge of the security hole
E  Exploitability | A novice programmer could make the attack in a short time frame | A skilled programmer could make the attack, then repeat the steps | The attack requires an extremely skilled person and in-depth knowledge every time to exploit
Example of a Threat Rating Table (continued)

Threat | HIGH (3) | MEDIUM (2) | LOW (1)
A  Affected Users | All users, default configuration, key customers | Some users, non-default configuration | Very small percentage of users, obscure feature; affects anonymous users
D  Discoverability | Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable | The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use | The bug is obscure and it is unlikely that users will work out the damage potential
Application threat modeling
PASTA: Process for Attack Simulation and Threat Analysis
1. Define Objectives
   • Identify business objectives
   • Identify security & compliance requirements
   • Technical/business impact analysis
2. Define Technical Scope
   • Enumerate software components
   • Dependencies: network / software (COTS) / services
   • Data flow diagramming
   • Third-party infrastructures (cloud, SaaS, ASP models)
3. Application Decomposition
   • Use cases / abuse (misuse) cases / define app entry points
   • Actions / assets / services / roles / data sources
   • Data flow diagramming (DFDs) / trust boundaries
PASTA: Process for Attack Simulation and Threat Analysis (continued)
4. Threat Analysis
   • Probabilistic attack scenarios
   • Regression analysis on security events
   • Threat intelligence correlation & analytics
5. Vulnerability & Weakness Mapping
   • Vulnerability databases (CVE)
   • Identifying vulnerability & abuse case tree nodes
   • Design flaws & weaknesses
   • Scoring (CVSS/CWSS)
6. Attack Modeling
   • Attack tree development / attack library management
   • Attack node mapping to vulnerability nodes
   • Exploit-to-vulnerability matchmaking
7. Risk and Impact Analysis
   • Qualify & quantify business impact
   • Residual risk analysis
   • Identify risk mitigation strategies / develop countermeasures
Use, Misuse Cases, and Countermeasures
[Figure: use and misuse case diagram]
• Actors: User, Application / Server, Malicious User
• Use case: Enter username and password -> User Authentication
• User Authentication includes the countermeasures: Show Generic Error Message; Validate Password Minimum Length and Complexity; Lock Account After N Failed Login Attempts
• Misuse case: Brute Force Authentication, which includes Harvest / Guess Valid User Accounts and Dictionary Attack, and which threatens User Authentication
• Relationships in the diagram: "includes" (use case to countermeasure, misuse case to sub-case), "threatens" (misuse case to use case), "mitigates" (countermeasure to misuse case)
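The three countermeasures in the diagram are small enough to read as code, which also makes the "mitigates" edges concrete: the generic error message denies the account-harvesting sub-case a yes/no oracle, the length and complexity check shrinks the space a dictionary attack covers, and the lockout caps how many guesses a brute-force attack gets. The example below is added here and is not code from the original slides: one authentication service that applies all three. The in-memory user store, the PBKDF2-based password hashing, `MAX_FAILED = 5` as the N, `MIN_LENGTH = 12` and the three-of-four character-class rule are assumptions made for the demonstration.

```python
"""Countermeasures from the use/misuse case diagram, in code: generic error
message, password length/complexity policy, lockout after N failures.

Added example; not code from the original slides.  User store, hashing
parameters and policy thresholds are constructed assumptions.
"""
import hashlib
import hmac
import os
import re
from typing import Dict

MAX_FAILED = 5                                   # N in "lock after N failed attempts"
MIN_LENGTH = 12
ITERATIONS = 50_000                              # tune upward for production
GENERIC_ERROR = "Invalid username or password"   # identical for every failure mode
_DUMMY_SALT = b"\x00" * 16                       # used so unknown users cost the same


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_meets_policy(password):
    """Minimum length plus at least three of four character classes: this is
    the 'Validate Password Minimum Length and Complexity' countermeasure."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    hits = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= MIN_LENGTH and hits >= 3


class AuthService:
    def __init__(self):
        self.users: Dict[str, dict] = {}

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet length/complexity policy")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failed": 0, "locked": False}

    def login(self, username, password):
        """Return (ok, message).  Unknown user, locked account and wrong
        password all produce GENERIC_ERROR after the same amount of hashing
        work, so neither the text nor the timing says which it was
        ('Show Generic Error Message').  The failure counter implements
        'Lock Account After N Failed Login Attempts'."""
        rec = self.users.get(username)
        salt = rec["salt"] if rec else _DUMMY_SALT
        digest = hash_password(password, salt)     # always done, even for unknown users
        if rec is None or rec["locked"]:
            return False, GENERIC_ERROR
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failed"] = 0
            return True, "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED:
            rec["locked"] = True                   # stays locked until an out-of-band reset
        return False, GENERIC_ERROR
```

Note the trade-off the diagram does not show: a lockout is itself a denial-of-service lever (an attacker can lock out real users on purpose), which is why the STRIDE analysis of this same flow would add a D entry next to the mitigation for E and S.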
DFD with Risk Analysis
[Figure: data flow diagram annotated with risk analysis]