NASA ESMD Summer 2010 Faculty Fellowship
Threat Modeling for Security Assessment in Cyberphysical Systems
Janusz Zalewski, Florida Gulf Coast University
Andrew J. Kornecki, Embry-Riddle University
Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Introduction
Why threat modeling? System designers must first determine what threats are feasible [and then what security policies make economic sense relative to the values of resources exposed to a threat.]
D. Kleidermacher, M. Kleidermacher, Embedded Systems Security, Newnes/Elsevier, Oxford, 2012
In case of imminent security breach: What “cyberphysical systems require is
• either reconfiguration to reacquire the needed resources automatically or
• graceful degradation if they are not available.”
National Research Council, Committee for Advancing Software-Intensive Systems Producibility, Critical Code: Software Producibility for Defense, National Academies Press, 2010
How to assess security before the system is put into operation?
• Theoretical Assessment (analytical model)
• Actual Experiments (measurements)
• Simulation (numerical calculations)
threat modeling. A systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service. [IEEE 1074-2006]
Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Modeling
threat assessment. Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat. [Definition added from CNSS-4009]
Modeling Process: Sequence of Actions
1) Understand the Adversary’s View
2) Create a Model: Data Flow Diagrams
3) Determine and Investigate the Threats
   - STRIDE to identify/define the threats
   - Threat Trees to assess vulnerabilities
   - DREAD to characterize risks
4) Mitigate the Threats
5) Validate the Mitigations
Understanding the Adversary’s View
Determining and Investigating Threats
Step 1) STRIDE to Identify/Define Threats
Step 2) Threat Trees: assess vulnerabilities
Step 3) DREAD to characterize risks associated with vulnerabilities
Determining and Investigating Threats
Step 1) STRIDE to Identify/Define Threats
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
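Steps 2 and 3 of the modeling process (draw the data flow diagram, then apply STRIDE to it) as an added example that is not part of the slides. It uses the STRIDE-per-element chart of the Microsoft SDL methodology, which the SDL tool shown in the Simulation slides applies, over a constructed DFD of a small control loop; the element names and the "priority" tag given to boundary-crossing flows are assumptions of this example.

```python
from dataclasses import dataclass

# Added example, not from the slides: STRIDE-per-element as used by the SDL
# threat modeling tool (chart taken from the Microsoft SDL methodology, an
# assumption here) applied to a constructed DFD of a small control loop.

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Which STRIDE letters apply to each DFD element type.
APPLICABLE = {"external": "SR", "process": "STRIDE",
              "dataflow": "TID", "datastore": "TRID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # key of APPLICABLE
    crosses_boundary: bool = False   # only meaningful for data flows


def enumerate_threats(dfd):
    """Step 3 of the process: every (element, threat) pair STRIDE yields for
    the DFD built in step 2, tagged so flows that cross a trust boundary are
    investigated first (the tagging rule is this example's assumption)."""
    threats = []
    for el in dfd:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {el.kind}")
        for letter in APPLICABLE[el.kind]:
            threats.append({"element": el.name, "type": el.kind,
                            "threat": STRIDE[letter],
                            "priority": "high" if el.crosses_boundary else "normal"})
    return threats


# Constructed DFD: the operator console sits outside the vehicle's trust boundary.
SAMPLE_DFD = [
    Element("Operator Console", "external"),
    Element("Flight Controller", "process"),
    Element("Telemetry Log", "datastore"),
    Element("Console -> Controller commands", "dataflow", crosses_boundary=True),
    Element("Controller -> Actuator setpoints", "dataflow"),
]

if __name__ == "__main__":
    for t in enumerate_threats(SAMPLE_DFD):
        print(f"{t['priority']:6} {t['element']:35} {t['threat']}")
```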
Determining and Investigating Threats
Step 2) Threat Tree Example
[Figure: a tree with a Root Threat at the top and leaf conditions marked Mitigated Condition (four) or Unmitigated Condition (two)]
Determining and Investigating Threats
Step 3) DREAD to characterize risks associated with vulnerabilities
• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
Determining and Investigating Threats
Step 3) Risk is traditionally evaluated as severity times likelihood of an event
• Damage Potential - severity
• Reproducibility - likelihood
• Exploitability - likelihood
• Affected Users - severity
• Discoverability - likelihood
Determining and Investigating Threats
Alternative to STRIDE - Threat Library
• Common Weakness Enumeration (CWE)
• Common Vulnerabilities/Exposures (CVE)
• Common Vulnerability Scoring (CVSS)
• Assessing Risk (critical, high, med, low)
Determining and Investigating Threats
What is Common Vulnerability Scoring?
http://www.first.org/cvss/cvss-guide.pdf
CVSS is a system for assessing the severity of computer system security vulnerabilities, using 3 types of metrics:
• Base Metric Group
• Temporal Metric Group (optional)
• Environmental Metric Group (optional).
Determining and Investigating Threats
CVSS Base – Exploitability & Impact Metrics
Determining and Investigating Threats
Risk. A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. [CNSS-4009]
Determining and Investigating Threats
How to Assess Risk: critical, high, med, low?
Metric values:
• Confidentiality, Integrity, Availability Impact. Scale: None, Partial, Complete.
• Access Vector: Local, Adjacent, Full Net.
• Access Complexity: High, Medium, Low.
• Authentication: Multiple, Single, None.
Determining and Investigating Threats
Scoring Formula:
• BaseScore = roundTo1dec(((0.6*Impact) + (0.4*Exploitability) – 1.5)*f(Impact))
• Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
• Exploitability = 20 * AccessVector * AccessComplexity * Authentication
• f(Impact) = 0 if Impact=0, 1.176 otherwise
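The scoring formula above carried through as an added example (not from the slides): the metric names and value scales are those of the preceding slides, while the numeric weight behind each value is taken from the CVSS v2 guide linked earlier, since the slides list the values but not their weights. The vectors scored at the bottom are this example's reading of the Experiments-slide CVE, not values printed on that slide.

```python
# Added example, not from the slides: the CVSS v2 base-score formula from the
# scoring slide, with the per-value weights taken from the CVSS v2 guide.

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local, Adjacent, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None, Partial, Complete


def impact_subscore(c: str, i: str, a: str) -> float:
    """Impact = 10.41 * (1 - (1-ConfImpact)(1-IntegImpact)(1-AvailImpact))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """BaseScore = roundTo1dec(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    impact = impact_subscore(c, i, a)
    expl = exploitability_subscore(av, ac, au)
    # f(Impact) zeroes the score when there is no C/I/A impact at all, so a
    # highly exploitable but harmless finding cannot score above 0.
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * expl) - 1.5) * f_impact, 1)


def score_vector(vector: str) -> float:
    """Score a CVSS v2 base vector string such as 'AV:L/AC:H/Au:N/C:N/I:N/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    return base_score(m["AV"], m["AC"], m["Au"], m["C"], m["I"], m["A"])


if __name__ == "__main__":
    # Vector matching the CVE text on the Experiments slide (local user, high
    # complexity, no authentication, partial availability impact); it
    # reproduces the 1.2 shown in that slide's Score column.
    print(score_vector("AV:L/AC:H/Au:N/C:N/I:N/A:P"))   # 1.2
    # The Experiments table row read literally (remote access, no C/I/A
    # impact): Impact is 0, so f(Impact) zeroes the score.
    print(score_vector("AV:N/AC:H/Au:N/C:N/I:N/A:N"))   # 0.0
    # Worst case: remote, low complexity, no auth, complete compromise.
    print(score_vector("AV:N/AC:L/Au:N/C:C/I:C/A:C"))   # 10.0
```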
How Is the Threat Model Used?
• Design: Code Review
• Implementation: Penetration Testing
• Security Assessment: Simulation
Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Simulation
Mapping the Cyberphysical System into SDL threat modeling tool
SDL Threat Modeling Tool
Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Experiments
CVE ID         Publish Date  Update Date  Score  Access  Complexity  Authentication  Confidentiality  Integrity  Availability
CVE-2011-4415  2008-07-01    2012-05-11   1.2    Remote  High        Not Required    None             None       None
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
Waiting for Questions
Janusz Zalewski et al., “Threat Modeling in Cyberphysical Systems” Questions