Microsoft Confidential. © Microsoft Corp. 2005
Threat Modeling
Michael Howard, Principal Security Program Manager, Microsoft
[email protected]
Last Update: 8-Feb-2006
Who is this Guy?
• Microsoft employee for >15 years
• Always in security
• Editor for IEEE Security & Privacy
• A pragmatist!
Overview of Course
• Why Model Threats?
• The Modeling Process
  • DFD, Threat Types, Risk, Mitigations
• Exercise (yes, a short exercise!)
Where Threat Modeling Lives in the Security Development Lifecycle
Why Threat Modeling?
To find security design flaws!
The Process In a Nutshell
Vision → Model → Identify Threats → Mitigate → Validate
Vision: Define Scenarios & Background Info
• Define the most common and realistic use scenarios for the application
  • Example from Windows Server 2003 and Internet Explorer: "Think about an admin browsing the Internet from a Domain Controller"
  • Example from Windows CE: "The stolen device"
• Define your users
Model the Application with DFDs
• A Data Flow Diagram (DFD) is a graphical representation of how data enters, leaves, and traverses your component
• It is not a Class Diagram or Flow Chart!
• Shows all data sources and destinations
• Shows all relevant processes that data goes through
• Good DFDs are critical to the process
  • This point can't be emphasised enough!
  • Building DFDs == understanding the system
  • Analysing DFDs == understanding the threats
Model the Application with DFDs
• Most "whiteboard architectures" are DFD-like
DFD symbols: External Entity, Process, Complex Process, Data Store, Dataflow, Privilege Boundary
Privilege Boundaries
• Specific DFD addition to TMs
• Boundary between DFD elements with different privilege levels
  • Machine boundary (data from the other machine could be anonymous)
  • Integrity boundary (Low ↔ Medium trust)
  • Process boundary (e.g. User process ↔ SYSTEM process)
  • Kernel ↔ User mode
Types of DFDs
• Context Diagram: very high-level; entire component / product / system
• Level 0 Diagram: high level; single feature / scenario
• Level 1 Diagram: low level; detailed sub-components of features
• Level n Diagram: even more detailed; unlikely to go beyond Level 2
A Real Context Diagram (Castle)
[Context diagram: elements Local User, Castle Service, Remote Castle; flows Castle Config, Feedback, Join/Leave Castle]
A Real Level-0 DFD (Castle)
[Level-0 DFD with ten numbered elements: Castle Service, Explorer (or rundll32), SSDP (local and remote), Remote Castle Service, Registry, LSA, SAM, Local User, Shacct. Flows: Get acct info, Set acct info, Feedback, Manage Castle (join, leave, set user props), Read Castle info, Set passwd, Get machine password, Cache Castle info, Query user props, Query other Castle info, Publish this Castle info, Get version info, Set version info]
DFD Element Threat Types
• Each DFD element (Asset) is susceptible to certain kinds of threats
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege
What is Repudiation?
• Something you probably won't need to worry too much about!
• Usually involves policies (read: you'll need a lawyer)
• Mitigate with non-repudiation techniques
  • Non-repudiation services generate evidence that helps a disinterested party establish that a specific subject performed a specific action
  • Evidence of Origination, Submission & Receipt
Every Asset is Subject to Attack
How is each of these elements protected?
Determining Threats
• Prime Threat: based on DFD asset type
• Secondary Threat: based on threat trees; related issues
Prime Threats by Asset Type

Asset             S T R I D E
External Entity   S   R
Process           S T R I D E
Data Store          T   I D   (R possible, e.g. for audit/log stores)
Dataflow            T   I D
Threat Trees
• A graphical representation of security-relevant pre-conditions in a system
• First outlined in Amoroso's "Fundamentals of Computer Security Technology"
• Based on hardware fault trees
• There are many "threat tree patterns"
Threat Tree Pattern Example: Spoofing
Primary threat (root): Spoofing an Interactor or Process
Branches: Obtain legitimate credentials; Falsify credentials; Leverage insufficient authentication
Leaves (each leaf is a secondary threat to be evaluated): Weak storage; Weak transit (secure channel / non-secure channel); Weak change management; Guessed / equivalence; Predictable credentials; Server / Client / KDC; Downgrade authentication; Null credentials; No authentication system; Tampering threats against auth process; Tampering against data flows; Information disclosure against data flows
A Special Note about Information Disclosure threats
• All information disclosure threats are potential privacy issues, raising the risk
• Is the data sensitive or PII?
Calculating Risk with Numbers
• DREAD etc.
• Very subjective
• Often requires the analyst be a security expert
  • On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
• Where do you draw the line?
  • Do you fix everything above 0.4 risk and leave everything below as "Won't Fix"?
Calculating Risk with Heuristics
• Simple rules of thumb
• Derived from the MSRC bulletin rankings
Security Risk Rankings (Examples)
• Critical: run malicious code; most 'E' vulns
• Important: denial of service against a server, and now it's dead
• Moderate: server DoS that stops once the attack stops
• Low: DoS against a client
Mitigating Threats
• Options:
  • Leave as-is
  • Remove from product
  • Remedy with technology countermeasure
  • Warn user
Mitigation Techniques

Threat                   Mitigation Feature
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Non-repudiation
Information Disclosure   Confidentiality
Denial of Service        Availability
Elevation of Privilege   Authorization
An Example: Castle
Assumptions and Scenarios
• Home environment only, non-domain, 10 machines max
• Abby is the user
• Relying on the OS for most security technology
Castle Level-0 DFD
[Same Level-0 DFD as above: Castle Service, Explorer (or rundll32), SSDP, Remote Castle Service, Registry, LSA, SAM, Local User, Shacct, elements numbered 1 to 10]
Castle DFD Elements: External Entities (S, R)
• Element 1
Castle DFD Elements: Processes (S, T, R, I, D, E)
• Elements 2, 3, 4 & 8
Castle DFD Elements: Data Stores (T, I, D and possibly R)
• Elements 5, 6 & 7
Castle DFD Elements: Data Flows (T, I, D)
• Flows 1→2, 2→1, 2→3, 3→2, etc.
Spoofing "The other end"
Threat: Spoofing Remote Castle Service
Example: "I'm castle, honest!"
Mitigation: ??
Tamper with 'Bits' on disk
Threat: Tampering with Castle Service
Example: Replace bits on disk with rogue
Mitigation: Good ACL, Signature
Denial of Service against Castle
Threat: Castle no longer responds
Example: Flood RPC endpoint
Mitigation: Require authn
Priv Elev against Castle
Threat: Bug in design/code leads to EoP
Example: No need, you will have bugs!
Mitigation: Run in lower priv/drop privs
Info Disc of data flow Castle-Castle
Threat: View sensitive data on network
Example: Use network sniffer
Mitigation: RPC with encryption
Exercise: Threat Modeling and Mitigation
• Objective: Identifying, Categorizing and Mitigating Threats
• Refer to Exercise handout
• Work in pairs
• Estimated time to complete: 10 mins
Exercise: Identify all the DFD assets
• External Entities
  • Admin (1.0)
• Processes
  • iNTegrity Host (3.0)
  • iNTegrity Admin Console (2.0)
• Data Stores
  • Registry (7.0)
  • File System (6.0)
  • Config Data (4.0)
  • Integrity Files (5.0)
• Data Flows
  • 7.0 -> 3.0, 6.0 -> 3.0
  • 3.0 -> 2.0, 2.0 -> 3.0
  • 1.0 -> 2.0, 2.0 -> 1.0
  • 4.0 -> 2.0
  • 5.0 -> 2.0, 2.0 -> 5.0
[iNTegrity DFD: Admin (1.0), iNTegrity Admin Console (2.0), iNTegrity Host Software (3.0), Config Data (4.0), Integrity Files (5.0), File System (6.0), Registry (7.0); flow labels: Raw FS Data, Raw Registry Data, Read Settings, Read/Update, Commands, Resource Integrity Data, Instructions, Integrity Change Information]
Exercise: Identify all threat types per asset
• P (STRIDE): 3.0 and 2.0
• E (SR): 1.0
• DF (TID): 7.0->3.0, 6.0->3.0, 3.0<->2.0, 1.0<->2.0, 5.0<->2.0, 4.0->2.0
• DS (TID): 7.0, 6.0, 4.0, 5.0
• DS (R): 5.0
[Same iNTegrity DFD as above]
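The per-asset rules from the "Prime Threats by Asset Type" table, the privilege-boundary note, the mitigation table, and the exercise answer above are mechanical enough to encode. The following is an added example, not part of the original deck or of the iNTegrity tool: it models the exercise DFD (element numbers, names and flows as listed on the exercise slides), enumerates the prime threat letters per element and per flow, maps each letter to the mitigating property, and flags flows that cross a privilege boundary. The flow labels attached to each edge and the boundary flag on the 2.0 <-> 3.0 flows are assumptions made for illustration (the console and host are taken to sit on different machines; the deck does not say so explicitly).

```python
"""STRIDE-per-element enumeration over a small DFD model (added example).

Rules from the deck: External Entity -> S R; Process -> S T R I D E;
Data Store -> T I D (plus R when the store holds audit/log data);
Data Flow -> T I D.  Element ids, names and flows reproduce the
iNTegrity exercise DFD; flow labels and the privilege-boundary flag on
the console<->host flows are assumptions for illustration.
"""
from dataclasses import dataclass

STRIDE = "STRIDE"

# Prime threats by asset type (letters kept in STRIDE order)
PRIME_THREATS = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}

# Security property that mitigates each threat class (deck's mitigation table)
MITIGATION = {
    "S": "Authentication",
    "T": "Integrity",
    "R": "Non-repudiation",
    "I": "Confidentiality",
    "D": "Availability",
    "E": "Authorization",
}


@dataclass(frozen=True)
class Element:
    id: str
    name: str
    kind: str                  # one of the PRIME_THREATS keys
    audit_store: bool = False  # data store holding audit/log data: add R


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str
    crosses_boundary: bool = False  # crosses a privilege/machine boundary

    @property
    def id(self):
        return f"{self.src}->{self.dst}"


def _in_stride_order(letters):
    return "".join(c for c in STRIDE if c in letters)


def threats_for(element):
    """Prime threat letters for one DFD element."""
    letters = PRIME_THREATS[element.kind]
    if element.kind == "data_store" and element.audit_store:
        letters += "R"          # e.g. Integrity Files: T R I D
    return _in_stride_order(letters)


def enumerate_threats(elements, flows):
    """Map every asset id (element id or 'src->dst') to its prime threats."""
    result = {e.id: threats_for(e) for e in elements}
    for f in flows:
        result[f.id] = PRIME_THREATS["data_flow"]
    return result


def mitigations_for(letters):
    """Mitigating properties for a threat string such as 'TRID'."""
    return [MITIGATION[c] for c in letters]


def boundary_flows(flows):
    """Flows crossing a privilege boundary: the far side may be anonymous,
    so the receiving process must authenticate the sender (spoofing)."""
    return [f.id for f in flows if f.crosses_boundary]


def integrity_model():
    """The iNTegrity exercise DFD, constructed from the exercise slides."""
    elements = [
        Element("1.0", "Admin", "external_entity"),
        Element("2.0", "iNTegrity Admin Console", "process"),
        Element("3.0", "iNTegrity Host Software", "process"),
        Element("4.0", "Config Data", "data_store"),
        Element("5.0", "Integrity Files", "data_store", audit_store=True),
        Element("6.0", "File System", "data_store"),
        Element("7.0", "Registry", "data_store"),
    ]
    flows = [
        Flow("7.0", "3.0", "Raw registry data"),
        Flow("6.0", "3.0", "Raw FS data"),
        Flow("3.0", "2.0", "Resource integrity data", crosses_boundary=True),
        Flow("2.0", "3.0", "Instructions", crosses_boundary=True),
        Flow("1.0", "2.0", "Commands"),
        Flow("2.0", "1.0", "Integrity change information"),
        Flow("4.0", "2.0", "Read settings"),
        Flow("5.0", "2.0", "Read"),
        Flow("2.0", "5.0", "Update"),
    ]
    return elements, flows


def report(elements, flows):
    """Text report: asset, threat letters, mitigating properties, boundaries."""
    threats = enumerate_threats(elements, flows)
    lines = [f"{a:10} {t:6} {', '.join(mitigations_for(t))}" for a, t in threats.items()]
    for fid in boundary_flows(flows):
        lines.append(f"boundary: {fid} (treat the sender as possibly anonymous)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*integrity_model()))
```

Running the script reproduces the exercise answer: both processes get STRIDE, the Admin gets SR, every flow and store gets TID, and Integrity Files gets TRID because it is the store the console writes audit results into. The boundary list is where the secondary-threat work (the spoofing threat tree) should start.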
Exercise: Threat Modeling and Mitigation
• Identify three threats, one for a data flow, one for a data store and one for a process
[Same iNTegrity DFD, annotated: Integrity Files (5.0) TRID, processes STRIDE, data flows TID]
Exercise: Threat Modeling and Mitigation
• Identify first order mitigations for each threat
[Same iNTegrity DFD, annotated: Integrity Files (5.0) TRID, processes STRIDE, data flows TID]
• Server auth: SSL/TLS
• Encryption: SSL/TLS
• Integrity: ACL, Signature, MAC
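The "Integrity: ACL, Signature, MAC" mitigation for the Integrity Files store (and the "Good ACL, Signature" mitigation on the Castle tampering card) is worth seeing concretely: an ACL keeps most writers out of the store, and a MAC or signature over the store makes any write that does get through detectable. The following is an added example, not code from the deck or from the iNTegrity tool. It hashes a directory tree, appends an HMAC-SHA256 over the recorded hashes, and refuses to trust a baseline whose MAC does not verify. The directory, file contents and key are constructed inside the script; the key is assumed to live with the admin console rather than on the monitored host (if it sits on the host, an attacker who can write the store can usually read the key too, which is why the deck also lists signatures).

```python
"""Tamper-evident integrity baseline (added example).

Per-file SHA-256 digests are recorded as JSON; an HMAC-SHA256 over that
JSON is appended so an attacker who can write the integrity-file store
cannot silently rewrite both a file and its recorded hash.  Files and
key below are constructed in a temporary directory for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, key):
    """Baseline blob: JSON of relative path -> digest, newline, HMAC hex."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_baseline(blob, key):
    """Verify the MAC before trusting the baseline; raise on mismatch."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline MAC mismatch: integrity files tampered")
    return json.loads(body)


def check(root, blob, key):
    """Return (changed, added, removed) relative paths versus the baseline."""
    recorded = load_baseline(blob, key)
    current = json.loads(build_baseline(root, key).rpartition(b"\n")[0])
    changed = sorted(p for p in recorded if p in current and current[p] != recorded[p])
    added = sorted(set(current) - set(recorded))
    removed = sorted(set(recorded) - set(current))
    return changed, added, removed


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, modify a monitored file, forge the store."""
    key = b"example-key"  # assumption: held by the admin console, not on the host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "service.exe"), b"original service bits")
        _write(os.path.join(root, "config.ini"), b"debug=0\n")
        blob = build_baseline(root, key)
        clean = check(root, blob, key)          # nothing changed yet
        # Tampering with the monitored binary is detected by the digest
        _write(os.path.join(root, "bin", "service.exe"), b"rogue service bits")
        changed, _, _ = check(root, blob, key)
        # Attacker rewrites the integrity file to match, but lacks the key
        forged = build_baseline(root, b"attacker-guess")
        try:
            load_baseline(forged, key)
            forgery_accepted = True
        except ValueError:
            forgery_accepted = False
        return clean, changed, forgery_accepted


if __name__ == "__main__":
    print(demo())
```

The ACL is still the first line: the MAC only turns an undetected tampering into a detected one, and detection is only as good as the console's ability to keep the key away from the host it is checking.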
Questions?
Resources
• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.