
Threat Modeling: Improving the Application Life cycle. Dan Sellers, .Net Developer Specialist, Microsoft Canada


Page 1

Threat Modeling: Improving the Application Life cycle

Dan Sellers, .Net Developer Specialist, Microsoft Canada
http://blogs.msdn.com/dansellers

Page 2

Agenda

Important notes and definitions

Why model threats?

The modeling process: DFD, threat types, risk, mitigations

Exercise

Page 3

Developer Security Data Points

"75 percent of hacks happen at the application" - Gartner, "Security at the Application Level"

"Over 70 percent of security vulnerabilities exist at the application layer, not the network layer" - Gartner

"The conclusion is unavoidable: any notion that security is a matter of simply protecting the network perimeter is hopelessly out of date" - IDC and Symantec, 2004

"11 of CERT's 13 major security advisories for 2003 are bugs arising from programming errors in applications [not the OS]" - Carnegie Mellon University

"If only 50 percent of software vulnerabilities were removed prior to production ... costs would be reduced by 75 percent" - Gartner, "Security at the Application Level"

"The battle between hackers and security professionals has moved from the network layer to the Web applications themselves" - Network World

"64 percent of developers are not confident in their ability to write secure applications" - Microsoft Developer Research

"The Economic Impacts of Inadequate Infrastructure for Software Testing 2002" put the cost of fixing a bug in the field at $30,000 vs. $5,000 during coding - NIST

Page 4

Some Important Notes:

Security is a process and NOT a product

Two types of security for software: application security, and secure software

QA is often confused with software security testing

Improve the process (start early, and often)

Fault injection

Page 5

Security Testing

(Diagram: two overlapping regions, "Intended functionality" and "Actual software functionality".) Where the two differ you find traditional faults. The part of the actual functionality that is unintended, undocumented or unknown is extra 'functionality' (buffer overflows, XSS, etc.). The slide also places poor defenses on the diagram: weak authn, and a buffer overflow in authn.

Page 6

Intended behavior!

Page 7

Test for the Unintended behavior!

Page 8

Some Important Definitions

Threat Agent: someone who could do harm to a system (also adversary)

Threat: an adversary's goal

Threat Tree: a graphical representation of security-relevant pre-conditions in a system

Vulnerability: a flaw in the system that could help a threat agent realize a threat

Asset: something of value to valid users and adversaries alike

Attack: when a motivated and sufficiently skilled threat agent takes advantage of a vulnerability

Page 9

Why Threat Modeling?

Because attackers want to attack your application, we must put appropriate defenses in our products.

Source: Common Criteria for Information Technology Security Evaluation v2.1

Page 10

Relative cost of fixing a defect, by the phase in which it was introduced (rows) and the phase in which it was detected (columns):

Introduced \ Detected   Requirements   Architecture   Construction   Test   Post-Release
Requirements            1              3              5-10           10     10-100
Architecture            -              1              10             15     25-100
Construction            -              -              1              10     10-25

Source: Code Complete, 2nd Ed.

What is Threat Modeling?

Threat modeling is the security-based analysis of an application to help find "anti-scenarios".

It is a critical part of the design process.

It reduces the cost of securing an application.

Page 11

Why Software Development Must Change

(Diagram: relative cost of fixing a defect by the phase in which it is found.)

Design: 1X

Development (static analysis): 6.5X

Testing (integration testing, system/acceptance testing): 15X

Deployment (application in the field): 100X

"Delivering secure applications has to become a mandatory requirement ... the cost of fixing defects after deployment is almost fifteen times greater than detecting and eliminating them during development."

Source: IDC and IBM Systems Sciences Institute

Page 12

Where Threat Modeling Fits in the SDL

(Diagram: the security tasks laid over the traditional product lifecycle. Phases, left to right: Requirements, Design, Implementation, Verification, Release, Support & Servicing.)

Traditional Microsoft Software Product Development Lifecycle Tasks and Processes:

Requirements: Feature Lists, Quality Guidelines, Arch Docs, Schedules

Design: Design Specifications, Functional Specifications

Implementation: Development of New Code, Bug Fixes

Verification: Testing and Verification

Release: Code Signing, Checkpoint Express Signoff, RTM

Support & Servicing: Product Support, Service Packs/QFEs, Security Updates

Security Development Lifecycle Tasks and Processes:

Requirements: Security Training; Security Kickoff & Register with SWI (Secure Windows Initiative)

Design: Security Design Best Practices; Security Arch & Attack Surface Review; Threat Modeling

Implementation: Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools For Product; Prepare Security Response Plan

Verification: Security Push; Pen Testing

Release: Final Security Review

Support & Servicing: Security Servicing & Response Execution

Page 13

The Goals of Threat Modeling and Secure Design

Identify where an application is most vulnerable

Determine which threats require mitigation

Reduce risk to an acceptable level through mitigation

Page 14

The Updated Threat Modeling Process

(Diagram.) Define Scenarios -> Create DFD -> Determine Threat Types -> Build Threat Trees -> Determine Risk -> Plan Mitigations

The diagram labels each step as either Manual or Rote; Build Threat Trees is marked Optional.

Page 15

Define Scenarios

Define the most common and realistic use scenarios for the application.

Example from Microsoft Windows Server 2003 and Microsoft Internet Explorer: "Think about an admin browsing the Internet from a Domain Controller".

Bounds the scope of what you need to model.

Page 16

Model the Application with DFDs

Most "whiteboard architectures" are DFD-like.

DFD elements: External Entity, Process, Multi-Process, Data Store, Dataflow, Privilege Boundary

Page 17

DFD Process

Create the context diagram

Create Level-0 DFD

Create Level-1 DFD (if needed)

Create Level-2 DFD (if needed)

Keep going until there are no more multi-processes

Generally Level-2 is "deep enough"

Page 18

The Context Diagram

(Diagram.) One multi-process, Server, and the different external entities, Users and Admin. Flows: Request and Response between Users and the Server; Admin Settings and Logging Data between Admin and the Server.

Page 19

Privilege Boundaries

Specific DFD addition to TMs

Boundary between DFD elements with different privilege levels

Machine boundary (data from the other machine could be anonymous)

Process boundary (e.g., user process -> SYSTEM process)

Page 20

Next – The Level-0 DFD

(Diagram, elements numbered 1 to 9; the numbers are used on the later slides to list assets.)

External entities: User, Admin

Processes: Authn Engine, Audit Engine, Service, Mgmt Tool

Data stores: Credentials, Data Files, Audit Data

Data flows on the diagram: Request, Response, Authn Request, Authn Info, Get Creds, Set/Get Creds, Requested File(s), Audit Data, Set User Data, Verify User Data, Audit Requests, Audit Info, Audit Read, Audit Write

Page 21

Implementation Examples

External Entity: real people, news feeds, data feeds, events, notifications, etc.

Dataflow: function call, network traffic, shared memory, etc.

Process: services, Web Services, assemblies, DLLs, EXEs, COM objects, etc.

Data Store: database, file, registry, shared memory, queue/stack, etc.

Page 22

Common DFD "Bugs" (1): How does the data get into the data store?

(Diagram.) Incomplete: a Service reads Data Files and nothing writes them. Complete: a Data Entry Operator (external entity) uses a Data Entry Tool (process) to write the Data Files that the Service reads.

Page 23

Common DFD "Bugs" (2): How does data move from one data store to another?

(Diagram.) Wrong: Data Files connected directly to Data Files. Right: a Replication Engine (process) moves the data between the two data stores; data never flows store-to-store without a process.

Page 24

Common DFD "Bugs" (3): How does data move from a user to a data store?

(Diagram.) Wrong: User connected directly to Data Files. Right: a Data Entry Tool (process) sits between the User and the Data Files.

Page 25

DFD Element Threat Types

Each DFD element (asset) is susceptible to certain kinds of threats:

Spoofing

Tampering (anti-I in CIA)

Repudiation

Information Disclosure (anti-C in CIA)

Denial of Service (anti-A in CIA)

Elevation of Privilege

Page 26

Every Asset is Subject to Attack

(Diagram: the Level-0 DFD from page 20 again, with its elements numbered 1 to 9.)

Page 27

Threat Types by Asset Type

Asset             S   T   R   I   D   E
External Entity   x   -   x   -   -   -
Process           x   x   x   x   x   x
Data Store        -   x   -   x   x   -
Dataflow          -   x   -   x   x   -

Page 28

List all Assets from the DFD

External Entities: 1 & 9

Processes: 2, 4, 5 & 8

Data Stores: 3, 6 & 7

Data Flows: every arrow on the Level-0 DFD, listed by source and destination element number (1->4, 4->1, ...)

Every asset is subject to threats

Page 29

A Complete List of Threats

Spoofing: E: 1, 9; P: 2, 4, 5, 8

Tampering: P: 2, 4, 5, 8; DS: 3, 6, 7; DF: 1->4 etc.

Repudiation: E: 1, 9; P: 2, 4, 5, 8

Information Disclosure: P: 2, 4, 5, 8; DS: 3, 6, 7; DF: 1->4 etc.

Denial of Service: P: 2, 4, 5, 8; DS: 3, 6, 7; DF: 1->4 etc.

Elevation of Privilege: P: 2, 4, 5, 8

Page 30

Threat Reduction

Assets within the same trust boundary, using like technology, can be treated as one unit.

Saves time! Great for data flows.
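The asset listing and "complete list of threats" on pages 28 and 29, and the threat-reduction rule above, are rote enough to script. The following is an added example, not code from the deck: it builds a constructed model of the Level-0 DFD, applies the STRIDE-per-element table to every asset, attaches the mitigation feature for each threat type (from the later "Mitigation Techniques" slide), and then merges the data flows that stay inside one trust boundary and share a technology. Which number belongs to which named element (1 = User, 2 = Authn Engine, and so on), the trust boundaries and the technology of each flow are assumptions; the slides only give the number sets per element type.

```python
"""STRIDE-per-element enumeration for a DFD, plus the slide's threat-reduction
rule. Added example, not code from the deck; the DFD below is a constructed
model and the numbering/boundaries/technologies are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threat types per DFD element type ("Threat Types by Asset Type" slide).
STRIDE_BY_KIND = {"external_entity": "SR", "process": "STRIDE",
                  "data_store": "TID", "data_flow": "TID"}
THREAT_NAME = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
               "I": "Information Disclosure", "D": "Denial of Service",
               "E": "Elevation of Privilege"}
# Mitigation feature per threat type ("Mitigation Techniques" slide).
MITIGATION = {"S": "Authentication", "T": "Integrity", "R": "Nonrepudiation",
              "I": "Confidentiality", "D": "Availability", "E": "Authorization"}


@dataclass(frozen=True)
class Element:
    num: int
    name: str
    kind: str       # external_entity | process | data_store
    boundary: str   # trust boundary the element runs in


@dataclass(frozen=True)
class Flow:
    src: int
    dst: int
    name: str
    technology: str  # how the flow is implemented: network, function call, ...


@dataclass(frozen=True)
class Threat:
    asset: str      # "4" for an element, "1->4" for a flow
    asset_name: str
    letter: str

    @property
    def mitigation(self) -> str:
        return MITIGATION[self.letter]


# Constructed Level-0 DFD (assumed numbering and boundaries).
ELEMENTS = [
    Element(1, "User", "external_entity", "internet"),
    Element(2, "Authn Engine", "process", "server"),
    Element(3, "Credentials", "data_store", "server"),
    Element(4, "Service", "process", "server"),
    Element(5, "Audit Engine", "process", "server"),
    Element(6, "Data Files", "data_store", "server"),
    Element(7, "Audit Data", "data_store", "server"),
    Element(8, "Mgmt Tool", "process", "admin workstation"),
    Element(9, "Admin", "external_entity", "admin workstation"),
]
FLOWS = [
    Flow(1, 4, "Request", "network"), Flow(4, 1, "Response", "network"),
    Flow(4, 2, "Authn Request", "function call"), Flow(2, 4, "Authn Info", "function call"),
    Flow(3, 2, "Get Creds", "file read"), Flow(6, 4, "Requested File(s)", "file read"),
    Flow(4, 5, "Audit Requests", "function call"), Flow(5, 4, "Audit Info", "function call"),
    Flow(5, 7, "Audit Write", "file write"), Flow(7, 5, "Audit Read", "file read"),
    Flow(9, 8, "Request", "local UI"), Flow(8, 9, "Response", "local UI"),
    Flow(8, 3, "Set Creds", "file write"), Flow(3, 8, "Get Creds", "file read"),
    Flow(8, 6, "Set User Data", "file write"), Flow(6, 8, "Verify User Data", "file read"),
]


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """One Threat per (asset, applicable STRIDE letter): the rote step."""
    threats = []
    for e in elements:
        for letter in STRIDE_BY_KIND[e.kind]:
            threats.append(Threat(str(e.num), e.name, letter))
    for f in flows:
        for letter in STRIDE_BY_KIND["data_flow"]:
            threats.append(Threat(f"{f.src}->{f.dst}", f.name, letter))
    return threats


def threats_by_type(threats: List[Threat]) -> Dict[str, List[str]]:
    """Regroup as on the 'Complete List of Threats' slide: letter -> assets."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for t in threats:
        grouped[t.letter].append(t.asset)
    return dict(grouped)


def reduce_flows(elements: List[Element], flows: List[Flow]) -> Dict[Tuple[str, str], List[Flow]]:
    """Merge flows that stay inside one trust boundary and share a technology.
    A flow that crosses a boundary is never merged: that is exactly where
    anonymous or lower-privilege data enters, so each one keeps its own entry."""
    boundary = {e.num: e.boundary for e in elements}
    groups: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        same_boundary = boundary[f.src] == boundary[f.dst]
        key = (boundary[f.src], f.technology) if same_boundary else (f"{f.src}->{f.dst}", f.technology)
        groups[key].append(f)
    return dict(groups)


def reduced_threat_count(elements: List[Element], flows: List[Flow]) -> int:
    """How many threats remain to analyse once flows are reduced."""
    per_element = sum(len(STRIDE_BY_KIND[e.kind]) for e in elements)
    per_group = len(STRIDE_BY_KIND["data_flow"]) * len(reduce_flows(elements, flows))
    return per_element + per_group


if __name__ == "__main__":
    all_threats = enumerate_threats(ELEMENTS, FLOWS)
    for letter, assets in threats_by_type(all_threats).items():
        print(f"{THREAT_NAME[letter]:<23} -> {MITIGATION[letter]:<15} {', '.join(assets)}")
    print(f"{len(all_threats)} threats before reduction, {reduced_threat_count(ELEMENTS, FLOWS)} after")
```

With this model the 9 elements and 16 flows give 85 threats; reduction collapses the 16 flows into 10 groups (the four in-server function calls become one unit, the three in-server file reads another) and leaves 67 to analyse. Note that the reduction key includes the technology: two flows in the same boundary that travel over different mechanisms stay separate, because their tampering and disclosure mitigations differ.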

Page 31

Calculating Risk with Numbers

DREAD, etc.

Very subjective

Often requires the analyst be a security expert: on a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?

Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as "Won't Fix"?

Page 32

Security Risk Rankings (Examples)

Critical: run malicious code; most 'E' vulns

Important: denial of service against a server

Moderate: server DoS that stops once the attack stops

Low: DoS against a client

Page 33

Mitigating Threats

Options:

Leave as-is

Remove from product

Remedy with technology countermeasure

Warn user

Page 34

Mitigation Techniques

Threat                    Mitigation Feature
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Nonrepudiation
Information Disclosure    Confidentiality
Denial of Service         Availability
Elevation of Privilege    Authorization

Page 35

Testing Mitigations

All threats and mitigations must be tested.

The job of a good security tester is to find other conditions in the threat tree.

Threats have mitigations; mitigations can be attacked.

Spoofing -> Authentication -> password guessing, brute force, authn downgrade
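The slide's example chain, Spoofing -> Authentication -> password guessing, brute force, authn downgrade, as a runnable test harness. This is an added example and not code from the deck: the Authenticator class, its lockout threshold and the "legacy" method are assumptions for illustration, and the account and wordlist are constructed test data. The harness attacks the mitigation the three ways the slide lists and reports which ones it withstands.

```python
"""Attack the Authentication mitigation for Spoofing the three ways the slide
names. Added example, not code from the deck; the class, threshold and legacy
method are assumptions, and the wordlist/account are constructed test data."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5   # assumed lockout threshold


def derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the iteration count is kept low so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0


class Authenticator:
    """The Authentication mitigation. allow_legacy=True models the product
    before the downgrade branch of the threat tree was closed."""
    STRONG = "pbkdf2"
    LEGACY = "legacy"   # assumed older method a client can still ask for

    def __init__(self, allow_legacy: bool = False):
        self.accounts: Dict[str, Account] = {}
        self.allow_legacy = allow_legacy

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, derive(password, salt))

    def authenticate(self, user: str, password: str, method: str = STRONG) -> str:
        """Returns 'ok', 'bad-credentials', 'locked' or 'downgrade-refused'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "bad-credentials"   # same answer as a wrong password: no user enumeration
        if method == self.LEGACY:
            if not self.allow_legacy:
                return "downgrade-refused"
            # Deliberately weak for the demo: the legacy path was never wired
            # into the lockout counter, the "other condition" a tester should find.
            ok = hmac.compare_digest(derive(password, acct.salt), acct.digest)
            return "ok" if ok else "bad-credentials"
        if acct.failures >= MAX_FAILURES:
            return "locked"
        if not hmac.compare_digest(derive(password, acct.salt), acct.digest):
            acct.failures += 1
            return "bad-credentials"
        acct.failures = 0
        return "ok"


def brute_force(auth: Authenticator, user: str, wordlist: List[str],
                method: str = Authenticator.STRONG) -> Tuple[int, Optional[str]]:
    """Password guessing against one account. Returns (attempts, password found)."""
    for n, guess in enumerate(wordlist, 1):
        result = auth.authenticate(user, guess, method)
        if result == "ok":
            return n, guess
        if result in ("locked", "downgrade-refused"):
            return n, None   # the mitigation held
    return len(wordlist), None


def run_attacks() -> Dict[str, object]:
    """Exercise each attack on the mitigation and report what happened."""
    wordlist = ["123456", "password", "letmein", "qwerty", "welcome", "hunter2"]  # constructed
    hardened = Authenticator(allow_legacy=False)
    hardened.register("alice", "hunter2")   # constructed test account
    legacy = Authenticator(allow_legacy=True)
    legacy.register("alice", "hunter2")
    results: Dict[str, object] = {
        "brute_force_strong_path": brute_force(hardened, "alice", wordlist),
        "downgrade_on_hardened": hardened.authenticate("alice", "hunter2", Authenticator.LEGACY),
        "brute_force_via_legacy": brute_force(legacy, "alice", wordlist, Authenticator.LEGACY),
        "unknown_user": hardened.authenticate("nobody", "x"),
    }
    # Side effect of the lockout: the real owner is now denied too, a DoS
    # condition the mitigation itself introduces and another branch to test.
    results["owner_after_lockout"] = hardened.authenticate("alice", "hunter2")
    return results


if __name__ == "__main__":
    for name, outcome in run_attacks().items():
        print(f"{name:<26} {outcome}")
```

Against the hardened configuration the guessing run is stopped by the lockout before the correct password is tried, and asking for the legacy method is refused; against the configuration that still allows the legacy method the same wordlist succeeds, because that path never consulted the lockout counter. The last line of the report is the caveat: a lockout converts a Spoofing threat into a Denial of Service one against the account owner, which is why the tester keeps walking the threat tree after the first mitigation holds.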

Page 36

The Threat Modeling Process

1. Define key scenarios

2. Model the application using DFDs

3. Determine threat types for each DFD element

4. Calculate risk

5. Plan mitigations

Page 37

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.