NASA ESMD Summer 2010 Faculty Fellowship Threat Modeling for Security Assessment in Cyberphysical Systems Janusz Zalewski Florida Gulf Coast University Andrew J. Kornecki Embry-Riddle University
Page 1

NASA ESMD Summer 2010 Faculty Fellowship

Threat Modeling for Security Assessment in Cyberphysical Systems

Janusz Zalewski, Florida Gulf Coast University

Andrew J. Kornecki, Embry-Riddle University

Page 2

Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Introduction

Why threat modeling? System designers must first determine what threats are feasible [and then what security policies make economic sense relative to the values of resources exposed to a threat.]

D. Kleidermacher, M. Kleidermacher, Embedded Systems Security, Newnes/Elsevier, Oxford, 2012

Page 3


In case of imminent security breach: What “cyberphysical systems require is
• either reconfiguration to reacquire the needed resources automatically or
• graceful degradation if they are not available.”

National Research Council, Committee for Advancing Software-Intensive Systems Producibility, Critical Code: Software Producibility for Defense, National Academies Press, 2010

Page 4

How to assess security before the system is put into operation?
• Theoretical Assessment (analytical model)
• Actual Experiments (measurements)
• Simulation (numerical calculations)


Page 5

threat modeling. A systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service. [IEEE 1074-2006]

Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Modeling

Page 6

threat assessment. Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [Definition added from CNSS-4009]


Page 7

Modeling Process: Sequence of Actions
1) Understand the Adversary’s View
2) Create a Model: Data Flow Diagrams
3) Determine and Investigate the Threats
   - STRIDE to identify/define the threats
   - Threat Trees to assess vulnerabilities
   - DREAD to characterize risks
4) Mitigate the Threats
5) Validate the Mitigations


Page 8

Understanding the Adversary’s View


Page 9

Determining and Investigating Threats
Step 1) STRIDE to Identify/Define Threats
Step 2) Threat Trees: assess vulnerabilities
Step 3) DREAD to characterize risks associated with vulnerabilities


Page 10

Determining and Investigating Threats
Step 1) STRIDE to Identify/Define Threats
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege


Page 11

Determining and Investigating Threats
Step 2) Threat Tree Example
[Figure: a threat tree with a Root Threat at the top and six leaf conditions beneath it, four labelled Mitigated Condition and two labelled Unmitigated Condition.]


Page 12

Determining and Investigating Threats
Step 3) DREAD to characterize risks associated with vulnerabilities
• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability


Page 13

Determining and Investigating Threats
Step 3) Risk is traditionally evaluated as severity times likelihood of an event
• Damage Potential - severity
• Reproducibility - likelihood
• Exploitability - likelihood
• Affected Users - severity
• Discoverability - likelihood


Page 14


Determining and Investigating Threats
Alternative to STRIDE - Threat Library
• Common Weakness Enumeration (CWE)
• Common Vulnerabilities/Exposures (CVE)
• Common Vulnerability Scoring (CVSS)
• Assessing Risk (critical, high, med, low)

Page 15


Determining and Investigating Threats
What is Common Vulnerability Scoring?
http://www.first.org/cvss/cvss-guide.pdf
CVSS is a system for assessing the severity of computer system security vulnerabilities, using 3 types of metrics:
• Base Metric Group
• Temporal Metric Group (optional)
• Environmental Metric Group (optional).

Page 16


Determining and Investigating Threats
CVSS Base – Exploitability & Impact Metrics

Page 17


Determining and Investigating Threats
Risk. A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
1) the adverse impacts that would arise if the circumstance or event occurs; and
2) the likelihood of occurrence. [CNSS-4009]

Page 18


Determining and Investigating Threats
How to Assess Risk: critical, high, med, low?
Metric values:
• Confidentiality, Integrity, Availability Impact. Scale: None, Partial, Complete.
• Access Vector: Local, Adjacent, Full Net.
• Access Complexity: High, Medium, Low.
• Authentication: Multiple, Single, None.

Page 19


Determining and Investigating Threats
Scoring Formula:
• BaseScore = roundTo1dec(((0.6*Impact) + (0.4*Exploitability) – 1.5)*f(Impact))
• Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
• Exploitability = 20 * AccessVector * AccessComplexity * Authentication
• f(Impact) = 0 if Impact=0, 1.176 otherwise
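As an added example (not code from the slides), a small calculator for the base-score formula above, using the metric weights from the FIRST CVSS v2 guide the slides cite. It also applies the formula to the CVE row on the Experiments slide: with the row as printed (remote access, no C/I/A impact) Impact is 0 and the score is 0.0, while the vector AV:L/AC:H/Au:N/C:N/I:N/A:P, an assumption consistent with the description's local-user denial of service, reproduces the 1.2 shown.

```python
"""CVSS v2 base-score calculator for the scoring formula on the slide.

Added example, not from the slides.  Metric weights are the CVSS v2 constants
from the FIRST CVSS guide the slides cite; the vectors in main are constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (FIRST CVSS v2 guide).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local, Adjacent, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}            # None, Partial, Complete


def parse_vector(vector: str) -> dict:
    """Parse a v2 base vector such as 'AV:L/AC:H/Au:N/C:N/I:N/A:P'."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - set(metrics)
    if missing:
        raise ValueError(f"vector is missing base metrics: {sorted(missing)}")
    return metrics


def impact_subscore(c: str, i: str, a: str) -> float:
    """Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(vector: str) -> float:
    """BaseScore = roundTo1dec(((0.6*Impact) + (0.4*Exploitability) - 1.5)*f(Impact))."""
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    if impact == 0:  # f(Impact) = 0: with no C/I/A impact the base score is 0
        return 0.0
    expl = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    raw = ((0.6 * impact) + (0.4 * expl) - 1.5) * 1.176  # f(Impact) = 1.176
    # Round half up to one decimal as the guide does; Python's round() is half-even.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    # Constructed samples: the CVE row as printed on the Experiments slide
    # (remote, no C/I/A impact) scores 0.0; the assumed local/A:P vector gives 1.2.
    for v in ("AV:N/AC:H/Au:N/C:N/I:N/A:N", "AV:L/AC:H/Au:N/C:N/I:N/A:P"):
        print(v, "->", base_score(v))
```

A score that disagrees with the vector it is listed with, as in the Experiments row, is the kind of mismatch worth catching before a CVSS number feeds a risk rating.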

Page 20


How is the Threat Model Used?
• Design: Code Review
• Implementation: Penetration Testing
• Security Assessment: Simulation

Page 21

Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Simulation

Mapping the Cyberphysical System into SDL threat modeling tool

Page 22


SDL Threat Modeling Tool

Page 23


Page 24

Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Experiments

CVE ID | Publish Date | Update Date | Score | Access | Complexity | Authentication | Confidentiality | Integrity | Availability
CVE-2011-4415 | 2008-07-01 | 2012-05-11 | 1.2 | Remote | High | Not Required | None | None | None

The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.

Page 25


Page 26

Waiting for Questions

Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Questions