
Microsoft Confidential. © Microsoft Corp. 2005

Threat Modeling
Michael Howard
Principal Security Program Manager
Microsoft Corp.
mikehow@microsoft.com

Last Update: 8-Feb-2006


Who is this Guy?

• Microsoft employee for >15 years
• Always in security
• Editor for IEEE Security & Privacy
• A pragmatist!


Overview of Course

• Why Model Threats?
• The Modeling process
  • DFD, Threat Types, Risk, Mitigations
• Exercise (yes, a short exercise!)


Where Threat Modeling Lives in the Security Development Lifecycle


Why Threat Modeling?

To find security design flaws!


The Process In a Nutshell

[Figure: the process as a cycle of five steps: Vision -> Model -> Identify Threats -> Mitigate -> Validate]


Vision: Define Scenarios & Background Info

• Define the most common and realistic use scenarios for the application
• Example from Windows Server 2003 and Internet Explorer
  • “Think about an admin browsing the Internet from a Domain Controller”
• Example from Windows CE
  • “The stolen device”
• Define your users


Model the Application with DFDs

• A Data Flow Diagram (DFD) is a graphical representation of how data enters, leaves, and traverses your component
• It is not a Class Diagram or Flow Chart!
• Shows all data sources and destinations
• Shows all relevant processes that data goes through
• Good DFDs are critical to the process
  • This point can’t be emphasised enough!
  • Building DFDs == understanding the system
  • Analysing DFDs == understanding the threats


Model the Application with DFDs

• Most “whiteboard architectures” are DFD-like

[Figure: DFD symbol legend: External Entity, Process, Complex Process, Data Store, Dataflow, Privilege Boundary]


Privilege Boundaries

• Specific DFD addition to TMs
• Boundary between DFD elements with different privilege levels
  • Machine boundary (data from the other machine could be anonymous)
  • Integrity boundary (Low to Medium trust)
  • Process boundary (e.g. User process to SYSTEM process)
  • Kernel to User mode


Types of DFDs

• Context Diagram
  • Very high-level; entire component / product / system
• Level 0 Diagram
  • High level; single feature / scenario
• Level 1 Diagram
  • Low level; detailed sub-components of features
• Level n Diagram
  • Even more detailed; unlikely to go beyond Level 2


A Real Context Diagram (Castle)

[Figure: Castle context diagram. Labels: Castle Service, Local User, Remote Castle; data flows: Castle Config, Feedback, Join/Leave Castle]


A Real Level-0 DFD (Castle)

[Figure: Castle Level-0 DFD. Elements, numbered 1 to 10 in the diagram: Local User, Explorer (or rundll32), Castle Service, SSDP (two instances), Remote Castle Service, Shacct, Registry, LSA, SAM. Data flows: Get acct info, Feedback, Manage Castle (join, leave, set user props), Set acct info, Read Castle info, Set password, Get machine password, Cache Castle info, Query user props, Query other Castle info, Publish this Castle info, Get version info, Set version info]


DFD Element Threat Types

• Each DFD element (Asset) is susceptible to certain kinds of threats
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege


What is Repudiation?

• Something you probably won’t need to worry too much about!
• Usually involves policies (read: you’ll need a lawyer)
• Mitigate with non-repudiation techniques
  • Non-repudiation services generate evidence that lets a disinterested party establish that a specific subject performed a specific action
  • Evidence of Origination, Submission & Receipt


Every Asset is Subject to Attack

How is each of these elements protected?


Determining Threats

• Prime Threat
  • Based on DFD asset type
• Secondary Threat
  • Based on threat trees
  • Related issues


Prime Threats by Asset Type

Asset             S    T    R    I    D    E
External Entity   X         X
Process           X    X    X    X    X    X
Data Store             X   (X)   X    X
Dataflow               X         X    X

(X) = possibly, for data stores; see the Castle element slides below.


Threat Trees

• A graphical representation of security-relevant pre-conditions in a system
• First outlined in Amoroso’s “Fundamentals of Computer Security Technology”
• Based on hardware fault trees
• There are many “threat tree patterns”


Threat Tree Pattern Example: Spoofing

[Figure: threat tree. Root (the primary threat): Spoofing an Interactor or Process. First-level branches: Obtain legitimate credentials; Falsify credentials; Leverage insufficient authentication. Further nodes: Weak storage, Weak transit (Server, Client), Weak change management, Guessed, Equivalence, Predictable credentials, Null credentials, Downgrade authentication, Secure channel, Non-secure channel, No authentication system, KDC, Tampering threats against auth process, Information disclosure against data flows, Tampering against data flows]

Each leaf is a secondary threat to be evaluated.


A Special Note about Information Disclosure Threats

All information disclosure threats are potential privacy issues, raising the risk.

Is the data sensitive or PII?


Calculating Risk with Numbers

• DREAD etc.
  • Very subjective
  • Often requires the analyst be a security expert
    • On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
  • Where do you draw the line?
    • Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?


Calculating Risk with Heuristics

• Simple rules of thumb
• Derived from the MSRC bulletin rankings


Security Risk Rankings (Examples)

• Critical
  • Run malicious code
  • Most ‘E’ vulns
• Important
  • Denial of service against a server, and now it’s dead
• Moderate
  • Server DoS that stops once the attack stops
• Low
  • DoS against a client


Mitigating Threats

• Options:
  • Leave as-is
  • Remove from product
  • Remedy with technology countermeasure
  • Warn user


Mitigation Techniques

Threat                  Mitigation Feature
Spoofing                Authentication
Tampering               Integrity
Repudiation             Nonrepudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization


An Example: Castle


Assumptions and Scenarios

• Home environment only, non-domain, 10 machines max
• Abby is the user
• Relying on the OS for most security technology


Castle Level-0 DFD

[Figure: the Castle Level-0 DFD shown earlier on the slide “A Real Level-0 DFD (Castle)”, with elements numbered 1 to 10]


Castle DFD Elements: External Entities (SR)

• 1


Castle DFD Elements: Processes (STRIDE)

• 2, 3, 4 & 8


Castle DFD Elements: Data Stores (TID and possibly R)

• 5, 6 & 7


Castle DFD Elements: Data Flows (TID)

• [12, 21], [23, 32], etc. (pairs of element numbers: source, destination)


Spoofing “The other end”

Threat: Spoofing Remote Castle Service
Example: “I’m castle, honest!”
Mitigation: ??


Tamper with ‘Bits’ on disk

Threat: Tampering with Castle Service
Example: Replace bits on disk with rogue
Mitigation: Good ACL, Signature


Denial of Service against Castle

Threat: Castle no longer responds
Example: Flood RPC endpoint
Mitigation: Require authn


Priv Elev against Castle

Threat: Bug in design/code leads to EoP
Example: No need, you will have bugs!
Mitigation: Run in lower priv/drop privs


Info Disc of data flow Castle-Castle

Threat: View sensitive data on network
Example: Use network sniffer
Mitigation: RPC with encryption


Exercise: Threat Modeling and Mitigation

• Objective: Identifying, Categorizing and Mitigating Threats
• Refer to Exercise handout
• Work in pairs
• Estimated time to complete: 10 mins


Exercise: Identify all the DFD assets

• External Entities
  • Admin (1.0)
• Processes
  • iNTegrity Host (3.0)
  • iNTegrity Admin Console (2.0)
• Data Stores
  • Registry (7.0)
  • File System (6.0)
  • Config Data (4.0)
  • Integrity Files (5.0)
• Data Flows
  • 7.0 -> 3.0, 6.0 -> 3.0
  • 3.0 -> 2.0, 2.0 -> 3.0
  • 1.0 -> 2.0, 2.0 -> 1.0
  • 4.0 -> 2.0
  • 5.0 -> 2.0, 2.0 -> 5.0

[Figure: iNTegrity DFD. Elements: Admin (1.0), iNTegrity Admin Console (2.0), iNTegrity Host Software (3.0), Config Data (4.0), Integrity Files (5.0), File System (6.0), Registry (7.0). Flow labels: Raw FS Data, Raw Registry Data, Read Settings, Read/Update, Commands, Resource Integrity Data, Instructions, Integrity Change Information]


Exercise: Identify all threat types per asset

• P (STRIDE): 3.0 and 2.0
• E (SR): 1
• DF (TID): 7.0->3.0, 6.0->3.0, 3.0<->2.0, 1.0<->2.0, 5.0<->2.0, 4.0->2.0
• DS (TID): 7.0, 6.0, 4.0, 5.0
• DS (R): 5.0

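As an added example (not part of the deck), a small Python enumerator that applies the “Prime Threats by Asset Type” table and the “Mitigation Techniques” table to the iNTegrity exercise DFD and reproduces this slide’s per-asset threat letters. Marking Integrity Files (5.0) as an evidence-holding store (the “possibly R” case for data stores) is an assumption made here so the R result matches the slide.

```python
from dataclasses import dataclass

# Prime threats by DFD asset type (slide "Prime Threats by Asset Type").
PRIME_THREATS = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",   # plus R when the store's contents serve as evidence
    "data_flow": "TID",
}
# Threat letter -> mitigation feature (slide "Mitigation Techniques").
MITIGATION_FEATURE = {
    "S": "Authentication", "T": "Integrity", "R": "Nonrepudiation",
    "I": "Confidentiality", "D": "Availability", "E": "Authorization",
}

@dataclass(frozen=True)
class Element:
    id: str
    name: str
    kind: str               # a key of PRIME_THREATS
    evidence: bool = False  # data store holding audit-style evidence -> add R

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

def element_threats(e: Element) -> str:
    """Prime threat letters for one element, returned in STRIDE order."""
    letters = PRIME_THREATS[e.kind]
    if e.kind == "data_store" and e.evidence:
        letters += "R"
    return "".join(c for c in "STRIDE" if c in letters)

def enumerate_threats(elements, flows):
    """Asset label -> prime threat letters; flows are labelled 'src->dst' as on the slide."""
    out = {e.id: element_threats(e) for e in elements}
    for f in flows:
        out[f"{f.src}->{f.dst}"] = PRIME_THREATS["data_flow"]
    return out

def assets_with_threat(threat_map, letter):
    """Assets carrying a given threat letter, e.g. 'R' -> where nonrepudiation is needed."""
    return sorted(a for a, t in threat_map.items() if letter in t)

def required_features(threat_map):
    """Mitigation features the design must provide somewhere, per the slide table."""
    return sorted({MITIGATION_FEATURE[c] for t in threat_map.values() for c in t})

# Constructed sample: the iNTegrity exercise DFD.  Ids, names and flows come from
# the exercise slide; marking 5.0 as an evidence store is an assumption made so
# the result reproduces the slide's "DS (R): 5.0".
INTEGRITY_ELEMENTS = [
    Element("1.0", "Admin", "external_entity"),
    Element("2.0", "iNTegrity Admin Console", "process"),
    Element("3.0", "iNTegrity Host Software", "process"),
    Element("4.0", "Config Data", "data_store"),
    Element("5.0", "Integrity Files", "data_store", evidence=True),
    Element("6.0", "File System", "data_store"),
    Element("7.0", "Registry", "data_store"),
]
INTEGRITY_FLOWS = [
    Flow("7.0", "3.0"), Flow("6.0", "3.0"),
    Flow("3.0", "2.0"), Flow("2.0", "3.0"),
    Flow("1.0", "2.0"), Flow("2.0", "1.0"),
    Flow("4.0", "2.0"),
    Flow("5.0", "2.0"), Flow("2.0", "5.0"),
]

if __name__ == "__main__":
    tm = enumerate_threats(INTEGRITY_ELEMENTS, INTEGRITY_FLOWS)
    for asset, letters in tm.items():
        print(f"{asset:9} {letters:7} -> {', '.join(MITIGATION_FEATURE[c] for c in letters)}")
    print("features required:", required_features(tm))
```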


Exercise: Threat Modeling and Mitigation

• Identify three threats, one for a data flow, one for a data store and one for a process

[Figure: the iNTegrity DFD above, annotated with prime threats per asset type: data store TRID, process STRIDE, data flow TID]


Exercise: Threat Modeling and Mitigation

• Identify first order mitigations for each threat


• Server auth: SSL/TLS
• Encryption: SSL/TLS
• Integrity: ACL, Signature, MAC


Questions?


Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx


© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.