Security Architecture and Design

Description

What is STRIDE?

This week we are going to discuss the STRIDE model. Please review paper(s) and provide the summary (2-3 pages).

1. Cover page

2. Content

3. References/citations

Unformatted Attachment Preview

ISOL 536 Security Architecture and Design
Threat Modeling
Session 3 “What Can Go Wrong?”

Agenda
• STRIDE (in depth!)
• Reading: Chapter 3

Approach
• “What can go wrong” & “what to do about it” are often (and reasonably) tied together in practice
• This course splits them because they are distinct questions & skills

[Diagram: STRIDE; Security mavens; Trees; Libraries; Experts in other areas]

STRIDE

Agenda
• Recap: A mnemonic for finding threats
• Details as examples
• Variants

STRIDE (review)
Threat | Property Violated | Definition | Example
Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of Bill Gates, Paypal.com or ntdll.dll
Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network
Repudiation | Non-repudiation | Claiming to have not performed an action. | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

Spoofing
By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532

Spoofing On the Local Machine
Threat Example | What the Attacker Does | Notes/Examples
Spoofing a process | Creates a file before the real process | Then your process relies on it
 | Abuses names | Create a version of “sudo” and alter PATH
Spoofing a filename | Creates a file in the local directory | Library, executable or config file
 | Creates a link, changes it | Also called ‘race condition’ or TOCTOU
 | Creates many files in a target directory | Code can easily create all possible /tmp/foo.random

Spoofing Over a Network
Threat Example | What the Attacker Does | Notes/Examples
Spoofing a machine | ARP spoofing |
 | IP spoofing |
 | DNS spoofing |
 | DNS compromise | Can be at the TLD, registrar or DNS server
 | IP redirection |
Spoofing a person | Take over account | “Stranded in London”
 | Set the display name |
Spoofing a role | Declares themselves to be that role | Sometimes opening a special account, setting up a domain/website, other “verifiers”

Tampering
http://pinlac.com/LegoDSTractorBeam.html

Tampering with a File
Threat Example | What the Attacker Does | Notes/Examples
Modifying a file… | … which you own and you rely on |
 | … which they own and you rely on |
Modifying a file on a server… | …you own |
 | …they own (or take over) |
Modifies links or redirects | | Redirects are supercommon on the web, and often rot away

Tampering with Memory
Threat Example | What the Attacker Does | Notes/Examples
Modifying code | Changes your code to suit themselves | Hard to defend against if the attacker is running code inside the trust boundaries
Modifying data they’ve supplied | Supplies data to a pass by reference API, then changes it | Works because of TOCTOU issues
 | Supplies data into a shared memory segment, then changes it |

Tampering with a Network
Threat Example | What the Attacker Does | Notes/Examples
Redirects the flow of data to their machine | Uses an attack at some network layer to redirect traffic | Pakistan/YouTube
Modifies data flowing over the network | | Easier (and more fun) with wireless networks
Uses network tampering to improve spoofing attacks | |

Repudiation
By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/

Repudiation
Threat Example | What the Attacker Does | Notes/Examples
Repudiating an action | Claims to have not clicked | Maybe they did, maybe they didn’t, maybe they’re honestly confused
 | Claims to not have received | 1. Electronic or physical 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy prefetch images? Was a package left on a porch?
 | Claims to be a fraud victim |
 | Uses someone else’s account |

Repudiation Attacks on Logs
Threat Example | What the Attacker Does | Notes/Examples
 | Discovers there are no logs |
 | Modifies data flowing over the network |
 | Puts data in the logs to confuse you |

Information Disclosure
Information Disclosure (and impact)
Photo by Simon Liu http://www.flickr.com/photos/si-

Information Disclosure (Processes)
Threat Example | What the Attacker Does | Notes/Examples
Extracts user data | Exploits bugs like SQL injection to read db tables | Can find this by looking to data stores, but here the issue is the process returning data it shouldn’t
 | Reads error messages |
Extracts machine secrets | Reads error messages | Cannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’
 | Exploits bugs | “Heartbleed”

Information Disclosure (Data Stores)
Sub-category | What the Attacker Does
Permissions | Take advantage of missing or inappropriate ACLs
 | Take advantage of bad database permissions
 | Find files protected by obscurity
Security | Find crypto keys on disk or in memory
 | Get data from logs/temp files
 | Get data from swap files
 | See interesting information in filenames/directory names
Network | See data traversing a network
Misc | Obtain device, boot in new OS

Information Disclosure (Data Flow)
Sub-category | What the Attacker Does
Network | Read data on a network
 | Redirects traffic to enable reading data on the network
Metadata | Learns secrets by analyzing traffic
 | Learns who talks to whom by watching the DNS
 | Learns who talks to whom by analyzing social network information

Denial of Service
Model by Nathan Sawaya http://brickartist.com/gallery/han-solo-in-carbonite/

Denial of Service
Threat Example | What the Attacker Does | Notes/Examples
Against a process | Absorb memory (ram or disk) |
 | Absorb CPU |
 | Uses a process as an amplifier |
Against business logic | |
Against a data store | Fills the data store | Can be temporary or persistent
Against a data flow | Consumes network resources |
 | Makes enough requests to slow the system | “Too many login attempts”

Elevation of Privilege
http://www.flickr.com/photos/prodiffusion/

Elevation of Privilege (“EoP”)
Threat Example | What the Attacker Does | Notes/Examples
EoP Against process via corruption | Sends inputs the code doesn’t handle properly | Very common, usually high impact
 | Gains read/write access to memory | Writing memory more obviously bad
EoP via misused authorization checks | |
EoP via buggy authorization checks | | Centralizing checking makes consistency, correctness easier
EoP via data tampering | Modify bits on disk |

STRIDE Variants
• Ways to focus on likely threats
  – STRIDE per element
  – STRIDE per interaction
• Elevation of Privilege game
  – Training, structure and execution
  – DESIST
    – Dispute
    – Elevation of Privilege
    – Spoofing
    – Information Disclosure
    – Service Denial
    – Tampering

STRIDE per Element
[Chart: rows External Entity, Process, Data Store, Dataflow; columns Spoofing, Tamper., Rep., Info.Disc., DoS, EoP; cell marks not preserved]
This is Microsoft’s chart; it may not be the issues you need to worry about (privacy)

Next up …
• Attack trees (chapter 4)
• Attack libraries (chapter 5)
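Added example, not part of the slides: the “Spoofing a filename” rows of the Spoofing On the Local Machine slide (a link created at a predictable /tmp name before the real process uses it) reproduced in a private sandbox directory, with a naive write beside two hardened ones. It assumes a POSIX system; every function name, file name and file content below is constructed for illustration.

```python
import os
import tempfile

def write_naive(path, data):
    # Weak: open() follows a symlink already sitting at the predictable name.
    with open(path, "w") as f:
        f.write(data)

def write_exclusive(path, data):
    # Hardened: O_EXCL fails if the name exists at all, symlinks included.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_unpredictable(directory, data):
    # Hardened: mkstemp picks a random suffix and creates the file with O_EXCL.
    fd, path = tempfile.mkstemp(prefix="foo.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def demo():
    """Run all three writers in a private sandbox directory (constructed data)."""
    out = {}
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "shared_tmp")    # stands in for /tmp
        os.mkdir(shared)
        relied_on = os.path.join(base, "app.conf")   # file the program relies on
        planted = os.path.join(shared, "foo.1234")   # predictable temp name
        with open(relied_on, "w") as f:
            f.write("original")
        os.symlink(relied_on, planted)               # link exists before the real process

        write_naive(planted, "scratch")
        with open(relied_on) as f:
            out["naive_overwrote_relied_on_file"] = f.read() == "scratch"
        try:
            write_exclusive(planted, "scratch")
            out["exclusive_refused_planted_name"] = False
        except FileExistsError:
            out["exclusive_refused_planted_name"] = True
        safe = write_unpredictable(shared, "scratch")
        out["mkstemp_created_regular_file"] = not os.path.islink(safe)
        out["mkstemp_group_other_bits"] = os.stat(safe).st_mode & 0o077
    return out
```

Calling `demo()` returns a dictionary showing that the naive write landed in the relied-on file through the link, while the exclusive create refused the planted name and `mkstemp` produced a fresh owner-only file.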

Explanation & Answer

Attached.

Running Head: STRIDE MODEL

Stride Model
Institutional Affiliation
Date

STRIDE
The main content of this paper is mainly going to illustrate or discuss the STRIDE model. STRIDE is
typically a classification of threat model development through Microsoft for thinking concerning
computer security threats. In addition, it offers a mnemonic toward security threats by six
different classes. In most of the cases, it is advisable to put together or group threats into classes
purposely to assist you in formulating pointed questions (Jiang, Chen, & Deng, 2010).
Threats classification
User identity spoofing
Spoofing attack in most of the cases refers to a condition whereby an individual or a system can
effectively misrepresent itself in a way that usually fools a target into interrelating with it like the
misrepresent...

