Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

THREAT MODELING

Giorgio Giacinto
[email protected]
Spring Semester 2019/2020 (slides dated 2020. 5. 15., 64 pages)



http://pralab.diee.unica.it

Page 2: Books

Page 3: Definition

[Application] Threat Modeling – a strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment for the purpose of clearly identifying risk and impact levels.

Tony UcedaVélez and Marco M. Morana, Risk Centric Threat Modeling, 2015

Tony UcedaVélez is the CEO & Founder of VERSPRITE (Cybersecurity Consultants).
Marco Morana is the Head of Security Architecture at JPMorgan Chase & Co.

Page 4: Threat Scenarios

• An application could become a target when an attack provides a return on investment to the attacker
• Threat scenarios
  1. Capturing the application business context and identifying the application assets
  2. Identifying the possible threat agents and their goals
• Generalization to all applications with similar functionalities and similar data assets stored and processed
• Prioritization of the security measures to mitigate the risk

Page 5: Threats: Technical and Business Impacts

Threat: Malware-infected PC taking over online banking credentials
  Technical impact: Loss of users’ authentication data, allowing fraudsters to take over the account (impersonation)
  Business impact: Money loss due to fraudulent transactions by impersonating the logged-in user to move money to fraudulent accounts through third-party accounts (money mules)

Threat: External threat agent exploiting the application’s SQL injection vulnerabilities
  Technical impact: Unauthorized access to users’ data, including confidential data and PII, trade secrets, and intellectual property
  Business impact: Liabilities for loss of users’ PII, lawsuits for unlawful noncompliance, security incident recovery costs, and revenue loss

Threat: Denial of service attack against the application
  Technical impact: Unavailability of the web server due to exploitation of application and network vulnerabilities and lack of redundancy to cope with traffic overloads
  Business impact: Revenue loss due to loss and/or disruption of service denying customers access to services and goods; lawsuits from customers and businesses, and recovery costs

Page 6: Threat Agents

• Characterizing threats is essential for analyzing risks
• Three factors
  – The type of threat
  – The threat agent
  – The targets
• Threat Agents
  – Humans (hacktivists, cyber-criminals, cyber-spies, etc.)
  – Tools: malware, key-loggers, spyware, etc.
  – Nonhuman: storms, earthquakes, tornados, etc.

Page 7: Reasons to Threat Model

• Find security bugs early
• Understand your security requirements
• Engineer and deliver better products
• Address issues other techniques won’t

Page 8: Addressing each threat

• Mitigating Threats
• Eliminating Threats
• Transferring Threats
• Accepting the Risk

Page 9: Software threat modeling

Page 10: Security Development Lifecycle

• Developed by Microsoft starting in 2002
• Established as a mandatory policy in 2004 for Microsoft products
• Adopted worldwide by many software development teams since its public release in 2008

https://www.microsoft.com/en-us/securityengineering/sdl/

Page 11: SDL Practices

https://www.microsoft.com/en-us/securityengineering/sdl/practices

Page 12: Threat Modeling: a four-step process

1. What are you building?
2. What can go wrong with it once it’s built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?

Page 13: Model the system

• Graphical sketches
• Identification of Trust Boundaries

Page 14: What can go wrong?

• STRIDE taxonomy (Microsoft)
  – Spoofing
  – Tampering
  – Repudiation
  – Information Disclosure
  – Denial of Service
  – Elevation of Privilege

Page 15: STRIDE

Threat – property violated – typical victim:
• Spoofing – Authentication – processes, external entities, people
• Tampering – Integrity – processes, data stores, data flows
• Repudiation – Non-repudiation – processes
• Information Disclosure – Confidentiality – processes, data stores, data flows
• Denial of Service – Availability – processes, data stores, data flows
• Elevation of Privilege – Authorization – processes

Page 16: Addressing Spoofing

Threat target, then mitigation strategy: mitigation technique
• Spoofing a person
  – Identification and authentication: username & password, or biometrics, tokens, etc. (issues: enrollment, expiration, etc.)
• Spoofing a “file” on disk
  – Leverage the OS: full paths, ACLs, etc.
  – Cryptographic authenticators: digital signatures or authenticators
• Spoofing a network address
  – Cryptographic: DNSSEC, HTTPS/SSL, IPSec
• Spoofing a program in memory
  – Leverage the OS: application identifiers enforced by OSs

Page 17: Addressing Tampering

Threat target, then mitigation strategy: mitigation technique
• Tampering with a file
  – Operating system: ACLs
  – Cryptographic: digital signatures, keyed MAC
• Racing to create a file (tampering with the operating system)
  – Using a directory that’s protected from arbitrary user tampering: ACLs, private directory structures, randomizing file names, etc.
• Tampering with a network packet
  – Cryptographic: HTTPS/SSL, IPSec
  – Anti-pattern: network isolation
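The "racing to create a file" row above lists private directories and randomized file names as the mitigation; the companion "Spoofing a file" slide later in the deck describes the race itself (a link that changes between being checked and being used). The following is an added example, not code from the slides or from the cited books, showing how those mitigations look in Python on a POSIX system: a mode-0700 directory with a random name, a random file name, and an exclusive create (O_CREAT|O_EXCL, plus O_NOFOLLOW where the platform has it) so the kernel does the existence check and the creation in one step. The directory and file names, and the scratch scenario in `demo()`, are constructed for this example.

```python
import os
import secrets
import stat
import tempfile

# Flags for creating a file that must not already exist: O_EXCL makes open()
# fail if anything (a planted file or link) is already at the path, and
# O_NOFOLLOW refuses to follow a symbolic link. The kernel performs the check
# and the create atomically, so there is no window between "check" and "use".
CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)


def private_dir(parent):
    """Create a directory only the current user can enter (mode 0700) with a
    random name: the 'private directory structure' mitigation from the slide."""
    path = os.path.join(parent, "app-" + secrets.token_hex(8))
    os.mkdir(path, 0o700)
    return path


def create_fresh(directory, suffix=".tmp"):
    """Create a new file under a random, unpredictable name with owner-only
    permissions. Returns (fd, path); the caller closes the descriptor."""
    path = os.path.join(directory, secrets.token_hex(16) + suffix)
    return os.open(path, CREATE_FLAGS, 0o600), path


def create_at(path):
    """Create a file at a fixed name with the same flags. Returns an fd, or None
    if something already occupied the path; it never opens the occupant."""
    try:
        return os.open(path, CREATE_FLAGS, 0o600)
    except FileExistsError:
        return None


def demo():
    """Constructed scenario in a scratch directory: create files the safe way,
    then show that a link pre-placed at a predictable name is not followed."""
    results = {}
    with tempfile.TemporaryDirectory() as parent:
        d = private_dir(parent)
        results["dir_mode"] = stat.S_IMODE(os.stat(d).st_mode)

        fd, path = create_fresh(d)
        os.write(fd, b"constructed content\n")
        os.close(fd)
        results["file_mode"] = stat.S_IMODE(os.stat(path).st_mode)

        # The race from the slides: a link already sits at the predictable name
        # the program is about to use (here it points at the file created above).
        predictable = os.path.join(parent, "status.log")
        os.symlink(path, predictable)
        fd = create_at(predictable)
        results["link_followed"] = fd is not None
        if fd is not None:
            os.close(fd)
        # The file behind the link is untouched: still exactly the bytes written above.
        results["target_size"] = os.path.getsize(path)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `create_at` is that it never "checks then opens": a check with `os.path.exists` followed by a plain `open` is exactly the window the slide's race exploits, whereas the O_EXCL open returns an error and the program can log it and stop.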

Page 18: Addressing Repudiation

Threat target, then mitigation strategy: mitigation technique
• No logs (you can’t prove anything)
  – Maintaining a log: log all the security-relevant information
• Logs come under attack
  – Log protection: send over the network, ACLs
• Logs as a channel for attack
  – Tightly specified logs: early documentation of log design in the development process
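Two of the rows above ("logs come under attack" and "logs as a channel for attack") can be addressed together with a tightly specified, tamper-evident log. The following is an added example, not code from the slides: each record has a fixed set of fields, is canonically JSON-encoded (so an attacker-controlled value cannot fake a new line or an extra field), and carries an HMAC tag computed over the record and the previous record's tag, so editing, deleting or reordering an earlier entry is detected at the first affected index. The key name, the event fields and the three login events in `demo()` are constructed for this example; in a deployment the key would live with the log collector the slide's "send over the network" row refers to, not on the machine being logged.

```python
import hashlib
import hmac
import json

# A tightly specified record: only these fields are accepted, so a value an
# attacker controls (a username, say) cannot smuggle extra fields or a forged
# "previous tag" into the log. Everything is JSON-encoded, so a newline inside
# a value cannot masquerade as a new log line to a log reader.
EVENT_FIELDS = ("actor", "action", "outcome")
GENESIS = "0" * 64


def _encode(record):
    # Canonical encoding: fixed key order and spacing so the MAC is reproducible.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, key, event):
    """Append an event to the chain. The tag is an HMAC over the record, which
    includes the previous entry's tag, so editing, deleting or reordering any
    earlier entry breaks every tag after it."""
    if tuple(sorted(event)) != tuple(sorted(EVENT_FIELDS)):
        raise ValueError(f"event must have exactly the fields {EVENT_FIELDS}")
    prev = chain[-1]["tag"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event}
    tag = hmac.new(key, _encode(record), hashlib.sha256).hexdigest()
    chain.append({**record, "tag": tag})
    return chain


def verify_chain(chain, key):
    """Return the index of the first entry that fails verification, or -1 if
    the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i or record.get("prev") != prev:
            return i
        expected = hmac.new(key, _encode(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return i
        prev = entry["tag"]
    return -1


def demo():
    """Constructed scenario: three login events, then a rewritten outcome and a
    deleted entry; the verifier pins each to the first bad index."""
    key = b"constructed-demo-key-held-by-the-log-collector"
    chain = []
    for actor, outcome in [("alice", "success"), ("mallory", "failure"), ("bob", "success")]:
        append_entry(chain, key, {"actor": actor, "action": "login", "outcome": outcome})
    intact = verify_chain(chain, key)

    edited = json.loads(json.dumps(chain))          # deep copy of the log
    edited[1]["event"]["outcome"] = "success"       # rewrite history in place
    edited_at = verify_chain(edited, key)

    truncated = chain[:1] + chain[2:]               # drop the failed login
    deleted_at = verify_chain(truncated, key)
    return {"intact": intact, "edited_at": edited_at, "deleted_at": deleted_at}


if __name__ == "__main__":
    print(demo())
```

`verify_chain` checks the sequence number and the previous tag before the MAC, which is what makes a deletion visible: after removing entry 1, the entry now at index 1 still claims `seq` 2, so the check fails there rather than silently re-linking.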

Page 19: Addressing Information Disclosure

Threat target, then mitigation strategy: mitigation technique
• Network monitoring
  – Encryption: HTTPS/SSL, IPSec
• Directory or filename
  – Leverage the OS: ACLs
• File contents
  – Leverage the OS: ACLs
  – Cryptography: file encryption, disk encryption
• API information disclosure
  – Design: design control; pass by reference or by value

Page 20: Addressing Denial of Service

Threat target, then mitigation strategy: mitigation technique
• Network flooding
  – Look for exhaustible resources: elastic resources; ensure that the attacker’s resource consumption is as high as or higher than yours; network ACLs
• Program resources
  – Careful design: elastic resource management, proof of work
  – Avoid multipliers: look for places where attackers can multiply CPU consumption on your end with minimal effort on their end
• System resources
  – Leverage the OS: OS settings

Page 21: Addressing Elevation of Privilege

Threat target, then mitigation strategy: mitigation technique
• Data/code confusion
  – Tools and architectures that separate data and code: prepared statements or stored procedures in SQL; late validation that data is what the next function expects
• Control flow / memory corruption
  – Use a type-safe language: type-safe languages protect against entire classes of attack
  – Leverage the OS for memory protection: provided by most modern OSs
  – Sandboxing: AppArmor in Linux, AppContainer in Windows, Sandboxlib in Mac OS; create a new account for each app
• Command injection attacks
  – Be careful: input validation. Don’t sanitize; log and throw away
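The "data/code confusion" row above names prepared statements as the technique, and the "command injection" row says to reject bad input rather than sanitize it. The following is an added example, not code from the slides, that puts the two side by side in Python with the standard library's sqlite3 module: a query built by string formatting (where the caller's quotes become part of the SQL program), the same query as a prepared statement (where the value is bound and can only be compared), and a validator that logs and discards input outside the expected shape instead of trying to repair it. The table, its two rows and the username policy in `USERNAME_RE` are constructed for this example.

```python
import logging
import re
import sqlite3

log = logging.getLogger("lookup")

# Assumed policy for this example: usernames are short lowercase identifiers.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_confused(conn, name):
    """Data/code confusion: the caller's string is pasted into the SQL text,
    so quotes and keywords inside it are interpreted as code. Kept here only
    as the 'before' half of the comparison."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_prepared(conn, name):
    """Prepared statement: the SQL text is fixed and the value travels as a
    bound parameter, so it is only ever compared, never executed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(raw):
    """'Don't sanitize: log and throw away.' Input that does not match the
    expected shape is rejected outright (and logged), never repaired."""
    if USERNAME_RE.fullmatch(raw):
        return raw
    log.warning("rejected username %r", raw)
    return None


def lookup(conn, raw):
    """The hardened path: validate first, then query with a prepared statement."""
    name = validate_username(raw)
    return [] if name is None else find_user_prepared(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"      # a value that only makes sense as SQL, not as a name
    print("string-built query returns", len(find_user_confused(db, probe)), "rows")
    print("prepared statement returns", len(find_user_prepared(db, probe)), "rows")
    print("validated lookup returns", lookup(db, probe))
```

The prepared statement alone already stops the value from being executed; the validator is the separate "late validation that data is what the next function expects" layer, and its log line is what a detection team would alert on.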

Page 22: Validation of the threat model

• Checking the model
  – Completeness
  – Accuracy
  – Coverage of all the security decisions
  – Representativeness of the diagram
• Updating the diagram
  – Focus on data flow, rather than on control flow
  – Replace vague arguments such as “sometimes” or “also” by considering all the cases
  – Don’t have data sinks: show who uses the data
  – Show the process that moves data from one data store to another
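The four-step process on the earlier slides (model the system with trust boundaries, ask what can go wrong with STRIDE, check the model) can be made mechanical once the diagram is data. The following is an added example, not code from the slides or from any threat-modeling tool, that encodes a small data flow diagram, enumerates STRIDE-per-element threats using the "typical victim" column of the STRIDE table on page 15, flags flows that cross a trust boundary, and runs the validation checks from the slide above (no data sinks, a process shown for every store access, no disconnected element). The element kinds, the zone names and the browser/web app/database model in `build_example_model()` are constructed for this example.

```python
from dataclasses import dataclass, field

# STRIDE-per-element mapping taken from the "typical victim" column of the
# STRIDE table in these slides: which threat categories apply to which kind
# of diagram element.
STRIDE_BY_KIND = {
    "external": ["Spoofing"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information Disclosure", "Denial of Service",
                "Elevation of Privilege"],
    "store": ["Tampering", "Information Disclosure", "Denial of Service"],
    "flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass
class Element:
    name: str
    kind: str        # "external", "process" or "store"
    boundary: str    # name of the trust zone the element lives in


@dataclass
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elements):
        for el in elements:
            self.elements[el.name] = el

    def connect(self, name, src, dst):
        self.flows.append(Flow(name, src, dst))


def enumerate_threats(model):
    """STRIDE-per-element: every element gets the threat categories the table
    associates with its kind; a flow whose endpoints sit in different trust
    zones crosses a trust boundary and is tagged so it is reviewed first."""
    threats = []
    for el in model.elements.values():
        threats += [(t, el.name) for t in STRIDE_BY_KIND[el.kind]]
    for fl in model.flows:
        crosses = (model.elements[fl.src].boundary
                   != model.elements[fl.dst].boundary)
        label = fl.name + (" [crosses trust boundary]" if crosses else "")
        threats += [(t, label) for t in STRIDE_BY_KIND["flow"]]
    return threats


def validate_model(model):
    """Checks from the 'Validation of the threat model' slide: no data sinks
    (something must read every store), a process is shown for every store
    access, and no element is left disconnected from the diagram."""
    findings = []
    for el in model.elements.values():
        ins = [f for f in model.flows if f.dst == el.name]
        outs = [f for f in model.flows if f.src == el.name]
        if el.kind == "store":
            if not outs:
                findings.append(f"data sink: nothing reads '{el.name}'")
            if not ins:
                findings.append(f"no process shown writing '{el.name}'")
            for f in ins + outs:
                other = f.src if f.dst == el.name else f.dst
                if model.elements[other].kind != "process":
                    findings.append(f"flow '{f.name}' touches store "
                                    f"'{el.name}' without a process")
        elif not ins and not outs:
            findings.append(f"'{el.name}' is disconnected")
    return findings


def build_example_model():
    """Constructed example: a browser talking to a web app that queries a
    database and writes an audit log nobody reads (a data sink)."""
    m = Model()
    m.add(Element("Browser", "external", "internet"),
          Element("Web app", "process", "dmz"),
          Element("Customer DB", "store", "internal"),
          Element("Audit log", "store", "dmz"))
    m.connect("login request", "Browser", "Web app")
    m.connect("login response", "Web app", "Browser")
    m.connect("account query", "Web app", "Customer DB")
    m.connect("account rows", "Customer DB", "Web app")
    m.connect("audit record", "Web app", "Audit log")
    return m


if __name__ == "__main__":
    model = build_example_model()
    for finding in validate_model(model):
        print("MODEL ISSUE:", finding)
    for threat, where in enumerate_threats(model):
        print(f"{threat:22s} {where}")
```

The audit log in the constructed model is deliberately a sink: the validator reports it, which is the cue to either draw the process that reads it or ask why it is kept at all.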

Page 23: Structured approaches to threat modeling

Page 24: Three Focus Areas

Assets, Attackers, Software

Example of a data flow diagram of the Acme/SQL database

Page 25: Focusing on assets

• Things Attackers Want
  – User passwords
  – SSN, identifiers
  – Credit card numbers
  – Confidential business data
• Things You Want to Protect
  – Reputation
  – Goodwill
  – Unused assets
• Stepping Stones
  – Everything that can be used to attack other assets

Page 26: Focusing on attackers

• Need a list of types of attackers
  – Different motivations, skills, background and perspective
• Humanizing the attacker bears the risk of ending up with “no one would ever do that”

Risk-based Threat Modeling focuses on assets and on attackers for prioritizing threat mitigation tasks.

Security-Centric Threat Modeling avoids enumerating them and focuses on the technical analysis.

Page 27: Focusing on software

• Security-centric approach to threat modeling
• Based on software models described by diagrams
  – Data flow diagrams
  – UML
  – Swim lane diagrams
  – State diagrams
• Based on the definition of Trust Boundaries

Page 28: Finding Threats

Page 29: Spoofing Threats

Threat, then what the attacker does (notes in parentheses)
• Spoofing a process on the same machine
  – Creates a file before the real process
  – Renaming / linking (creating a Trojan “su” and altering the path)
  – Renaming (naming your process “sshd”)
• Spoofing a file
  – Creates a file in the local directory (a library, executable or config file)
  – Creates a link and changes it (the change should happen between the link being checked and the link being accessed)
  – Creates many files in the expected directory (e.g., automatic creation of 10,000 files in the /tmp directory to fill all the available space)

Page 30: Spoofing Threats (continued)

Threat, then what the attacker does (notes in parentheses)
• Spoofing a machine
  – ARP spoofing
  – IP spoofing
  – DNS spoofing (forward or reverse)
  – DNS compromise (compromise TLD, registrar or DNS operator)
  – IP redirection (at the switch or router level)
• Spoofing a person
  – Sets e-mail display name
  – Takes over a real account
• Spoofing a role
  – Declares themselves to be that role (sometimes opening a special account with a relevant name)

Page 31: Tampering Threats

Threat, then what the attacker does (notes in parentheses)
• Tampering with a file
  – Modifies a file they own and on which you rely
  – Modifies a file you own
  – Modifies a file on a file server that you own
  – Modifies a file on their file server (effective when you include files from remote domains)
  – Modifies links or redirects
• Tampering with memory
  – Modifies your code (hard to defend against once the attacker is running code as the same user)
  – Modifies data they’ve supplied to your API (pass by value, not by reference, when crossing a trust boundary)

Page 32: Tampering Threats (continued)

Threat, then what the attacker does (notes in parentheses)
• Tampering with a network
  – Redirects the flow of data to their machine (often stage 1 of tampering)
  – Modifies data flowing over the network (even easier when the network is wireless, e.g., WiFi, 3G, etc.)
  – Enhances spoofing attacks

Page 33: Repudiation Threats

Threat, then what the attacker does (notes in parentheses)
• Repudiating an action
  – Claims to have not clicked
  – Claims to have not received (how reliable are receipts of delivery / download?)
  – Claims to have been a fraud victim
  – Uses someone else’s account
  – Uses someone else’s payment instrument without authorization
• Attacking the logs
  – Notices you have no logs
  – Puts attacks in the logs to confuse logs, log-reading code, or persons reading the log

Page 34: Information Disclosure Threats

Threat, then what the attacker does (notes in parentheses)
• Information disclosure against a process
  – Extracts secrets from error messages (reads the error messages, from usernames/passwords to entire database tables)
  – Extracts machine secrets from error cases (can make defenses against memory corruption such as ASLR far less useful)
  – Extracts business/personal secrets from error cases

Page 35: Information Disclosure Threats (continued)

Threat, then what the attacker does
• Information disclosure against data stores
  – Takes advantage of inappropriate or missing ACLs
  – Takes advantage of bad database permissions
  – Finds files protected by obscurity
  – Finds crypto keys on disk (or in memory)
  – Sees interesting information in filenames
  – Reads files as they traverse the network
  – Gets data from logs or temp files
  – Gets data from swap or other temp storage
  – Extracts data by obtaining the device and changing the OS

Page 36: Information Disclosure Threats (continued)

Threat, then what the attacker does
• Information disclosure against a data flow
  – Reads data on the network
  – Redirects traffic to enable reading data on the network
  – Learns secrets by analyzing traffic
  – Learns who’s talking to whom by watching the DNS
  – Learns who’s talking to whom by social network information disclosure

Page 37: Denial of Service Threats

Threat, then what the attacker does
• Denial of service against a process
  – Absorbs memory (RAM or disk)
  – Absorbs CPU
  – Uses the process as an amplifier
• Denial of service against a data store
  – Fills the data store up
  – Makes enough requests to slow down the system
• Denial of service against a data flow
  – Consumes network resources

Page 38: Elevation of Privilege Threats

Threat, then what the attacker does (notes in parentheses)
• Elevation of privilege against a process by corrupting the process
  – Sends inputs that the code doesn’t handle properly (these errors are very common, and have high impact)
  – Gains access to read or write memory inappropriately (reading memory can enable further attacks)
• Elevation through missed authorization checks
• Elevation through buggy authorization checks (centralizing such checks makes bugs easier to manage)
• Elevation through data tampering
  – Modifies bits on disk to do things other than what the authorized user intends

Page 39: Attack Trees

Page 40: Benefits of modeling with attack trees

“Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes.” (Bruce Schneier, 1999)

Page 41: Example of an attack tree

https://www.schneier.com/cryptography/archives/1999/12/attack_trees.html

Page 42: Example of an attack tree: Repudiation against a Process

Page 43: Example of an attack tree – SSL (mind map representation)
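Schneier's formulation quoted on page 40 (goal at the root, alternative ways as children) becomes useful to a defender once each leaf carries an attribute, such as possible/impossible or a cost, and the tree is evaluated bottom-up: an OR node is as cheap as its cheapest feasible child, an AND node needs all of its children and sums their costs. The following is an added example, not code from the slides or from Schneier's article, that evaluates such a tree and re-evaluates it as countermeasures are applied, so the cheapest remaining path tells you which mitigation to fund next. The tree in `repudiation_tree()` is constructed from the repudiation threats listed on page 33 (no log, attacks on the log, claiming account takeover); its leaf costs are assumed numbers chosen only to make the ordering visible.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """An attack-tree node: the root is the goal, OR nodes list alternative
    ways to reach it, AND nodes list steps that are all required, and leaves
    carry the defender's estimate of feasibility and relative effort."""
    name: str
    gate: str = "LEAF"          # "OR", "AND" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    possible: bool = True       # Schneier's possible/impossible attribute
    cost: int = 0               # assumed relative effort, defender's estimate


def cheapest(node) -> Optional[Tuple[int, List[str]]]:
    """Cheapest feasible way to reach this node as (cost, leaves used), or None
    if every path is blocked. OR takes the minimum over feasible children;
    AND needs every child and sums their costs."""
    if node.gate == "LEAF":
        return (node.cost, [node.name]) if node.possible else None
    results = [cheapest(child) for child in node.children]
    if node.gate == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if any(r is None for r in results):
        return None
    return (sum(r[0] for r in results),
            [leaf for r in results for leaf in r[1]])


def mitigate(node, leaf_name):
    """Return a copy of the tree in which the named leaf is marked impossible,
    i.e. the effect of deploying a countermeasure against that step."""
    if node.gate == "LEAF":
        return Node(node.name, "LEAF", [],
                    node.possible and node.name != leaf_name, node.cost)
    return Node(node.name, node.gate,
                [mitigate(child, leaf_name) for child in node.children])


def repudiation_tree():
    """Constructed example built from the repudiation threats on the slides;
    the costs are assumed and serve only to order the alternatives."""
    return Node("Repudiate a transaction", "OR", [
        Node("No log exists", cost=0),
        Node("Alter the log", "AND", [
            Node("Gain write access to the log store", cost=50),
            Node("Forge a plausible entry", cost=20),
        ]),
        Node("Claim the account was taken over", cost=10),
    ])


def mitigation_plan(tree, countermeasures):
    """Apply countermeasures (leaf names) one at a time and report the cheapest
    remaining path after each, which is the order a defender works in."""
    plan = []
    for leaf in countermeasures:
        tree = mitigate(tree, leaf)
        plan.append((leaf, cheapest(tree)))
    return plan


if __name__ == "__main__":
    tree = repudiation_tree()
    print("before:", cheapest(tree))
    for leaf, remaining in mitigation_plan(tree, [
            "No log exists",
            "Claim the account was taken over",
            "Gain write access to the log store"]):
        print(f"after mitigating {leaf!r}: {remaining}")
```

Because `mitigate` returns a copy, the original tree survives for comparison; the AND node shows why protecting the log store (the "log protection" row on page 18) blocks the whole "alter the log" branch even though the forging step is left untouched.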

Page 44: Mitigating Threats

Page 45: Tactics and Technologies

• Authentication -> Mitigating Spoofing
  – Tactics: cryptographic keys, PKI, CAs
  – Technologies: IPSec, SSH, Kerberos, hashes, etc.
• Integrity -> Mitigating Tampering
  – Tactics: permissions, cryptographic mechanisms, logs
  – Technologies: ACLs, digital signatures, hashes, etc.
• Non-Repudiation -> Mitigating Repudiation
  – Tactics: fraud prevention, logs and cryptography
  – Technologies: log analysis tools, digital signatures, etc.

Page 46: Tactics and Technologies (continued)

• Confidentiality -> Mitigating Information Disclosure
  – Tactics: ACLs, cryptography
  – Technologies: ACLs, encryption, key management, etc.
• Availability -> Mitigating Denial of Service
  – Tactics: proof of work, ensure the attacker can receive data
  – Technologies: filters, quotas, cloud services, etc.
• Authorization -> Mitigating Elevation of Privilege
  – Tactics: limiting the use of privileged accounts, sandboxing, defense layers, etc.
  – Technologies: ACLs, RBAC, chroot, etc.

Page 47: Risk-based approach to Application threat modeling

Page 48: The DREAD model

• Damage Potential – How extensive is the damage (impact) upon a vulnerability becoming successfully exploited?
• Reproducibility – How easy is it for this type of attack to be reproduced?
• Exploitability – How easy is it for a known vulnerability to be exploited?
• Affected Users – Impact on the user base
• Discoverability – How easily a vulnerability is detected

Page 49: Risk rating using DREAD

• For each element of the DREAD model a qualitative assessment of risk is performed by assigning one out of three values
  – HIGH or 3
  – MEDIUM or 2
  – LOW or 1

Example (scores for D, R, E, A, D; total; rating):
• Attacker obtains authentication credentials by monitoring the network: 3, 3, 2, 2, 2; total 12; High
• SQL commands injected into application: 3, 3, 3, 3, 2; total 14; High

Page 50: Example of a Threat Rating Table

• D – Damage Potential
  – HIGH (3): The attacker can subvert the security system; get full trust authorization; run as administrator; upload content.
  – MEDIUM (2): Leaking sensitive information.
  – LOW (1): Leaking trivial information.
• R – Reproducibility
  – HIGH (3): The attack can be reproduced every time and does not require a timing window.
  – MEDIUM (2): The attack can be reproduced, but only with a timing window and a particular race situation.
  – LOW (1): The attack is very difficult to reproduce, even with knowledge of the security hole.
• E – Exploitability
  – HIGH (3): A novice programmer could make the attack in a short time frame.
  – MEDIUM (2): A skilled programmer could make the attack, then repeat the steps.
  – LOW (1): The attack requires an extremely skilled person and in-depth knowledge every time to exploit.

Page 51: Example of a Threat Rating Table (continued)

• A – Affected Users
  – HIGH (3): All users, default configuration, key customers.
  – MEDIUM (2): Some users, non-default configuration.
  – LOW (1): Very small percentage of users, obscure feature; affects anonymous users.
• D – Discoverability
  – HIGH (3): Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable.
  – MEDIUM (2): The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use.
  – LOW (1): The bug is obscure and it is unlikely that users will work out the damage potential.
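The DREAD slides give the per-element scale (1 to 3) and two fully scored rows, but leave the mapping from a 5-to-15 total to High/Medium/Low implicit beyond showing that 12 and 14 are High. The following is an added example, not code from the slides, that scores a threat the way pages 49 to 51 describe, rejects out-of-range values, and ranks a list of threats so it reads as a mitigation priority. The band cut-offs in `rating()` (High at 12 or more, Medium from 8 to 11, Low below) are this example's assumption; the first two threats in `EXAMPLE_THREATS` are the slide's own rows and the third is constructed.

```python
from dataclasses import dataclass

# Each DREAD element is scored 1 (LOW), 2 (MEDIUM) or 3 (HIGH), as on the slides.
VALID_SCORES = (1, 2, 3)


def rating(total):
    """Assumed banding of the 5..15 total into the slides' three ratings. The
    slides only show that 12 and 14 are 'High'; the cut-offs are this example's choice."""
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class DreadScore:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the 1..3 scale instead of silently clamping it.
        for name, value in vars(self).items():
            if value not in VALID_SCORES:
                raise ValueError(f"{name} must be one of {VALID_SCORES}, got {value!r}")

    @property
    def total(self):
        return sum(vars(self).values())

    @property
    def rating(self):
        return rating(self.total)


def rank_threats(threats):
    """Order (name, DreadScore) pairs by total, ties broken by damage potential,
    highest first, so the list reads top-down as the mitigation priority."""
    return sorted(threats, key=lambda t: (t[1].total, t[1].damage), reverse=True)


# The two rows from the slides' rating example, plus one constructed low-scoring threat.
EXAMPLE_THREATS = [
    ("Attacker obtains authentication credentials by monitoring the network",
     DreadScore(3, 3, 2, 2, 2)),
    ("SQL commands injected into application",
     DreadScore(3, 3, 3, 3, 2)),
    ("Verbose version banner on a seldom-used admin page (constructed)",
     DreadScore(1, 3, 1, 1, 2)),
]


if __name__ == "__main__":
    for name, score in rank_threats(EXAMPLE_THREATS):
        print(f"{score.total:2d} {score.rating:6s} {name}")
```

Keeping the band thresholds in one function matters in practice: a team that changes its appetite (say, treating 11 as High) edits one line and every previously scored threat is re-rated consistently.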

Page 52: Application threat modeling

Page 53: PASTA – Process for Attack Simulation and Threat Analysis

1. Define Objectives
  • Identify business objectives
  • Identify security & compliance requirements
  • Technical / business impact analysis
2. Define Technical Scope
  • Enumerate software components
  • Dependencies: network / software (COTS) / services
  • Data flow diagramming
  • Third-party infrastructures (cloud, SaaS, ASP models)
3. Application Decomposition
  • Use cases / abuse (misuse) cases / define app entry points
  • Actions / assets / services / roles / data sources
  • Data flow diagramming (DFDs) / trust boundaries

Page 54: PASTA – Process for Attack Simulation and Threat Analysis (continued)

4. Threat Analysis
  • Probabilistic attack scenarios
  • Regression analysis on security events
  • Threat intelligence correlation & analytics
5. Vulnerability & Weaknesses Mapping
  • Vulnerability database (CVE)
  • Identifying vulnerability & abuse case tree nodes
  • Design flaws & weaknesses
  • Scoring (CVSS / CWSS)
6. Attack Modeling
  • Attack tree development / attack library management
  • Attack node mapping to vulnerability nodes
  • Exploit-to-vulnerability matchmaking
7. Risk and Impact Analysis
  • Qualify & quantify business impact
  • Residual risk analysis
  • Identify risk mitigation strategies / develop countermeasures

Page 55: User stories, Misuse cases, and Countermeasures

Misuse-case diagram (labels recovered from the figure; the layout is not preserved):
• User (actor) – Enter username and password, which includes User Authentication
• Application / Server – User Authentication includes Show Generic Error Message, Validate Password Minimum Length and Complexity, and Lock Account After N Failed Login Attempts
• Malicious User (actor) – Brute Force Authentication, which includes Harvest / Guess Valid User Accounts and Dictionary Attack, and threatens User Authentication
• The countermeasures on the server side mitigate the misuse cases (four “mitigates” edges in the figure)

Additional examples can be found at http://www.se.rit.edu/~se555/Misuse%20Cases.pdf

Page 56: DFD with Risk Analysis

Page 57: Threat Modelling in Practice

Page 58: Requirements-Threats-Mitigations

Diagram relating Requirements, Threats and Mitigations (labels recovered from the figure):
• Threats help identify requirements
• Real threats violate requirements
• Impossible to mitigate implies non-requirement
• Compliance

Page 59: Attack Libraries

• Allow listing the concrete threats behind the abstract terms used in STRIDE
  – CAPEC (MITRE): Common Attack Pattern Enumeration and Classification, v3.2 (September 2019, 517 attack patterns)
  – ATT&CK (MITRE): knowledge base of adversary tactics and techniques based on real-world observations
  – OWASP Cheat Sheet Series: a concise collection of high-value information on specific web application security topics

Page 60: Threat Modeling a software product

Page 61: Threat Modeling an internal network

Page 62: Threat Modeling a One Time Token Authentication System

Page 63: Threat Modeling Tools

Page 64: Software tools

• Microsoft SDL Threat Modeling Tool – https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
  – Available for free from Microsoft (latest release: 2020)
• OWASP Threat Dragon (open source – web application) – https://threatdragon.org/
• ThreatModeler (commercial) – https://threatmodeler.com
  – A defense-oriented tool
  – It uses a set of attack libraries