threat modeling - home.eng.iastate.edu

Threat Modeling Lotfi ben Othmane


Post on 17-Feb-2022


Threat Modeling

Lotfi ben Othmane

Web Application

Traffic Light Control System

Fleet Management System (diagram): a Fleet Data Collector that extracts GPS coordinates, a Device coordinator that extracts in-vehicle data, a Fleet Management Web Application, a Fleet Management Service, and a Fleet Management Database.

Software Development Life Cycle

Secure software continues to function correctly under malicious (intended) attacks. [McGraw 2006]

Threat

• A statement of an intention to inflict pain, injury, damage, or other hostile action on someone. Example: "They received a threat."

• A person or thing likely to cause damage or danger. Example: "The hurricane is a major threat to the community."

What Are the Threats?

• Criminals
• Organized crimes
• Jealous colleagues

Threats

Assets: Secrets, System integrity, Hardware value
Threat: Criminals, Organized crimes, Jealous colleague
Vulnerabilities: No encryption, Software defects, Mobile gadget
Attacks: Steal the laptop, Steal files, Make it part of a botnet

Türpe and Poller, 2015

Definitions of Threat

• "A threat is an intent to inflict damage on a system." (Landwehr 2001)

• "A threat consists of an adverse action performed by a threat agent on an asset." (Common Criteria)

• "A potential for harm of an asset." (Yoshioka 2008)

• "Threats are the likelihood of, or potential for, hazardous events occurring." (Schumacher 2006)

• "A threat is the potential for abuse of an asset that will cause harm in the context of the problem." (Haley 2004)

• "Threat is a general condition, situation, or state ([…]) that may result in one or more related attacks." (Firesmith 2004)

Like many technical terms, "threat":
• has a meaning that evolved over time
• is ambiguous
• depends on who you talk to
• depends on the perspective
• so it is crucial to collaborate

Security concepts (relationship diagram): owners value assets and wish to minimize the risk to them; owners impose countermeasures to reduce risk; countermeasures may possess vulnerabilities, which in turn may be reduced by countermeasures; owners may be aware of vulnerabilities, which lead to risk; threat agents give rise to threats that exploit vulnerabilities and that increase the risk to assets; threat agents wish to abuse and/or may damage assets.

This slide is copied from Prof. Pieter Hartel's slides for the course "Introduction to Information Security".

Reminder: Basic Security Model

• Policy: Requirements for what is allowed and what is not allowed

• Vulnerability: A weakness that makes a threat possible

• Threat: An event with the potential to violate the policy

• Attack: The action of exercising a threat by exploiting related vulnerabilities

• Threat modeling is about identifying potential threats to a given system.

• Attackers value a system resource differently.

• A resource that has high value for the attacker may be worthless for the stakeholders.

Approaches

• Attacker approach
  • Who are the opponents?
  • What are their goals?

• Asset approach
  • What value does the asset have?
  • How can the attacker reach the asset?

• Software approach
  • What vulnerabilities can the attacker exploit?

Threat Modeling Techniques

Bar chart, "Number of references" per threat modeling technique (y-axis 0 to 1200), from Türpe and Poller, 2015. Techniques shown: Fault tree analysis, Attack trees, MS SDL/STRIDE, Misuse cases, Threat trees, Abuse cases, Security use cases, Coras, Aspect-oriented Petri nets, Defense trees, Abuser stories, Mal-activity diagrams, Linddun methodology, Misuse activities.

Technique 1 - Attack Tree

An attack tree represents attacks against a system in a tree structure, with the goal as the root node and the different ways of achieving that goal as leaf nodes.

Fault-tree analysis is a top-down approach to identify the component-level failures (basic events) that cause the system-level failure (top event) to occur.

Technique 1 – Example of Attack Tree

https://www.schneier.com/academic/archives/1999/12/attack_trees.html


Technique 2 - Abuse Cases

A use case describes the interaction of the users with the system.

An abuse case describes interactions between a system and one or more actors, where the results of the interaction are harmful to the system or to one of the actors.

Technique 3 - SDL Threat Modeling

1. Identify assets
2. Create architecture overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats

Context Diagram

Source: https://doi.org/10.1016/B978-0-12-800202-5.00004-7

Decompose the Application

1. Identify trust boundaries
2. Identify data flow
3. Identify entry points
4. Identify privileged code
5. Document profiles

Data Flow Diagram

Security Profile

Input: Can data in the database be trusted?

Authentication: Are credentials secured? Are strong passwords enforced?

Sensitive data: What sensitive data does the application use? What type of encryption are the data secured with?

Session management: How are session cookies generated? How does the application authenticate with the session store?

Cryptography: What algorithms are used? How long are the keys?

Exception management: How does the application handle errors? Are the error messages generic enough?

Authorization: Do you fail securely? How is authorization enforced?

Source: http://msdn.microsoft.com/en-us/library/ff648644.aspx

Use STRIDE to Identify Goals for Threats

Identify the threat goals that apply to the identified assets.

Security property    Threat (goal)
Authentication       Spoofing user identity
Integrity            Tampering with data
Non-repudiation      Repudiation
Confidentiality      Information disclosure
Availability         Denial of service
Authorization        Elevation of privilege

Use Threats List to Identify Threats

• Devices
  • Modify the device firmware
  • Delete the device firmware
  • Prevent the device from sending or receiving information

• Application (Web and desktop)
  • Cause misbehavior of the system components, e.g., sudden interruption

• Databases
  • Interrupt the database management system that manages the databases

• Privacy
  • Unauthorized secondary use by the collecting organization

Using STRIDE to Identify Goals for Threats

DFD elements of the example: Web Browser, Web server, Web application, Customers database. STRIDE categories applied to each element: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.

DFD entity        S   T   R    I   D   E
External Entity   X       X
Data Flow             X        X   X
Data Store            X   (X)  X   X
Process           X   X   X    X   X   X

DFD notation: Process, Complex Process, External Entity, Data Store, Data Flow, Trust Boundaries.

Türpe and Poller, 2015
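The per-element table applied to the Web Shop DFD used in the deck, as an added Python example (not from the slides): it enumerates the candidate STRIDE goals for every element, and treats the parenthesised Repudiation entry for data stores as conditional on the store holding audit data (the usual reading of that entry). The three data flows connecting the elements are an assumption, since the DFD image is not in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element table from the slide: which categories apply to each DFD
# element type. "(X)" for Data Store / Repudiation is conditional: it applies
# only when the store holds audit or log data.
APPLICABLE = {"External Entity": "SR", "Data Flow": "TID",
              "Data Store": "TRID", "Process": "STRIDE"}
CONDITIONAL = {("Data Store", "R")}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # one of the APPLICABLE keys
    holds_logs: bool = False   # data stores only: audit/log data present?

def threat_goals(elements: List[Element]) -> List[Tuple[str, str]]:
    """Apply the table to every element; returns (element name, threat) pairs."""
    goals = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            if (e.kind, letter) in CONDITIONAL and not e.holds_logs:
                continue
            goals.append((e.name, STRIDE[letter]))
    return goals

def goals_per_element(elements: List[Element]) -> Dict[str, List[str]]:
    """Group the threat goals by element, the shape needed for documenting them."""
    grouped: Dict[str, List[str]] = {e.name: [] for e in elements}
    for name, threat in threat_goals(elements):
        grouped[name].append(threat)
    return grouped

def web_shop_dfd(db_holds_logs: bool = False) -> List[Element]:
    # Elements named on the "DFD - Web Shop" slide; the three data flows
    # connecting them are assumed (the slide image is not in the text).
    browser = Element("Web Browser", "External Entity")
    server = Element("Web server", "Process")
    app = Element("Web application", "Process")
    db = Element("Customers database", "Data Store", holds_logs=db_holds_logs)
    flows = [Element(f"{a.name} -> {b.name}", "Data Flow")
             for a, b in ((browser, server), (server, app), (app, db))]
    return [browser, server, app, db, *flows]

if __name__ == "__main__":
    for name, threats in goals_per_element(web_shop_dfd()).items():
        print(f"{name}: {', '.join(threats)}")
```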

Identify Application Threats

• Use attack trees and patterns to identify the threats associated with threat goals

• Threat #1: Attacker obtains authentication credentials by monitoring the network
  • Clear text credentials sent over the network AND
  • Attacker uses network monitoring tools
  • Attacker recognizes credential data

DFD - Web Shop


Microsoft Threat Modeling Tool

Türpe and Poller, 2015

Document the Threats

• Threat description: Attacker obtains authentication credentials by monitoring the network

• Threat target: Web application authentication process

• Attack technique: Use network monitoring software

• Countermeasures: Use SSL
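Threat #1 from the "Identify Application Threats" slide as a small AND/OR attack tree, with the record from the "Document the Threats" slide derived from it, as an added Python example (not from the slides). Modelling the three listed conditions as conjunctive leaves, and treating "Use SSL" as removing the clear-text leaf, are assumptions; the evaluator also handles OR nodes, and its cut sets show where a countermeasure has to sit to make the root goal infeasible.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Optional, Set

@dataclass
class Node:
    label: str
    op: Optional[str] = None               # "AND" / "OR" for inner nodes, None for leaves
    children: List["Node"] = field(default_factory=list)

    def feasible(self, mitigated: Set[str]) -> bool:
        # A leaf condition holds unless a countermeasure removes it; an AND node
        # needs every child, an OR node needs any child.
        if not self.children:
            return self.label not in mitigated
        results = [c.feasible(mitigated) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def cut_sets(self) -> Set[FrozenSet[str]]:
        # Sets of leaf conditions whose mitigation makes this node infeasible:
        # removing any one leaf cuts an AND; an OR needs one cut per alternative.
        if not self.children:
            return {frozenset([self.label])}
        child_cuts = [c.cut_sets() for c in self.children]
        if self.op == "AND":
            return set().union(*child_cuts)
        return {frozenset().union(*combo) for combo in product(*child_cuts)}

# Threat #1 from the deck, modelled (assumption) as three conjunctive leaves.
def credential_sniffing_tree() -> Node:
    return Node("Attacker obtains authentication credentials by monitoring the network",
                "AND", [Node("Clear text credentials sent over the network"),
                        Node("Attacker uses network monitoring tools"),
                        Node("Attacker recognizes credential data")])

# The documented countermeasure ("Use SSL") removes the clear-text leaf (assumption).
SSL_MITIGATES = {"Clear text credentials sent over the network"}

def threat_record(tree: Node, target: str, technique: str,
                  countermeasures: str, mitigated: Set[str]) -> dict:
    # Fields of the "Document the Threats" slide, plus a status computed from the tree.
    return {"Threat description": tree.label, "Threat target": target,
            "Attack technique": technique, "Countermeasures": countermeasures,
            "Status": "mitigated" if not tree.feasible(mitigated) else "open"}

if __name__ == "__main__":
    tree = credential_sniffing_tree()
    print("feasible without countermeasures:", tree.feasible(set()))
    print("feasible with SSL:", tree.feasible(SSL_MITIGATES))
    print("single-point cuts:", [sorted(c) for c in tree.cut_sets()])
    print(threat_record(tree, "Web application authentication process",
                        "Use network monitoring software", "Use SSL", SSL_MITIGATES))
```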


When Is Disk Encryption Required?


What Threat Is Associated With This Vulnerability?

Türpe and Poller, 2015


Threats to Self-Driving Car



Threats to Fleet Management System

Fleet Data Collector

Extract GPS coordinates

Fleet Management Web Application

Device coordinator

Extract in-vehcile data

Fleet Management Service

Fleet Management Database

Open Questions

§ What are the classes of existing threat modeling methods?

§ Why are threat modeling approaches different?

§ Why do analysts produce different sets of threats while using the same method?

§ Is it possible to develop a threat modeling method that ensures two analysts produce the same set of threats for the same system?

Thank you

Any questions?