Discussion Paper (STRIDE Variations)
ISOL536 Security Architecture
and Design Threat Modeling
Week 2
Agenda
• STRIDE (in depth!)
• Attack trees
• Attack libraries
• Reading: Chapter 3, 4, 5
Approach
• “What can go wrong” & “what to do about it” are often (and reasonably) tied together in practice
• This course splits them because they are distinct questions & skills
Spectrum of practitioners and the tool that suits each:
Security mavens                                  Experts in other areas
STRIDE                    Trees                  Libraries
STRIDE
STRIDE Agenda
• Recap: A mnemonic for finding threats
• Details as examples
• Variants
STRIDE (review)
Threat | Property violated | Definition | Example
Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of Bill Gates, Paypal.com or ntdll.dll
Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network
Repudiation | Non-repudiation | Claiming to have not performed an action. | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP.
Spoofing
By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532
Spoofing On the Local Machine
Threat Example | What the Attacker Does | Notes/Examples
Spoofing a process | Creates a file before the real process | Then your process relies on it
 | Abuses names | Create a version of “sudo” and alter PATH
Spoofing a filename | Creates a file in the local directory | Library, executable or config file
 | Creates a link, changes it | Also called ‘race condition’ or TOCTOU
 | Creates many files in a target directory | Code can easily create all possible /tmp/foo.random
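The “creates a link, changes it” and “/tmp/foo.random” rows both come down to trusting a filename that someone else can populate. The following is an added example, not code from the slides or from the Threat Modeling book, showing the check-then-use pattern beside its atomic replacement and an unpredictable scratch-file name. The directory layout, the planted link and the file names are constructed for the demonstration; `demo()` builds them in a fresh temporary directory.

```python
import os
import stat
import tempfile


def write_config_unsafe(path: str, data: bytes) -> None:
    # Check-then-use on a name. os.path.exists() follows symlinks, so a
    # dangling link planted at `path` looks like "nothing there"; the later
    # open() then follows that link and writes wherever it points.
    if os.path.exists(path):
        raise FileExistsError(path)
    with open(path, "wb") as f:
        f.write(data)


def write_config_safe(path: str, data: bytes) -> None:
    # One atomic step: O_CREAT|O_EXCL fails with EEXIST if anything already
    # sits at `path`, a symlink included, and O_NOFOLLOW (where the platform
    # has it) refuses to traverse a link at the final component. Mode 0600
    # keeps the new file private from the start.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def make_scratch_file(directory: str) -> str:
    # Rather than a guessable /tmp/foo.<random> that can be pre-created in
    # bulk, mkstemp picks an unpredictable name and creates it with O_EXCL
    # and mode 0600 in a single call.
    fd, path = tempfile.mkstemp(prefix="foo.", dir=directory)
    os.close(fd)
    return path


def is_private_regular_file(path: str) -> bool:
    # Inspect the object actually at `path` (lstat, no link following):
    # a regular file, not a link, with no group/other permission bits.
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo() -> dict:
    """Constructed scenario: a directory holding a pre-planted dangling link."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim")       # file someone wants written
    planted = os.path.join(d, "app.cfg")     # name our program expects to create
    os.symlink(victim, planted)              # dangling link, placed before we run

    results = {}
    write_config_unsafe(planted, b"trusted=1")
    results["unsafe_wrote_through_link"] = os.path.exists(victim)

    os.remove(victim)
    try:
        write_config_safe(planted, b"trusted=1")
        results["safe_rejected_link"] = False
    except FileExistsError:
        results["safe_rejected_link"] = True
    results["victim_untouched"] = not os.path.exists(victim)

    fresh = os.path.join(d, "fresh.cfg")
    write_config_safe(fresh, b"trusted=1")
    results["fresh_is_private"] = is_private_regular_file(fresh)
    results["scratch_is_private"] = is_private_regular_file(make_scratch_file(d))
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that the unsafe writer never sees anything wrong: its existence check passes and its write succeeds, just not on the file it meant. The safe writer fails loudly instead, which is the behaviour you want when the name has been spoofed.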
Spoofing Over a Network
Threat Example | What the Attacker Does | Notes/Examples
Spoofing a machine | ARP spoofing |
 | IP spoofing |
 | DNS spoofing |
 | DNS compromise | Can be at the TLD, registrar or DNS server
 | IP redirection |
Spoofing a person | Take over account | “Stranded in London”
 | Set the display name |
Spoofing a role | Declares themselves to be that role | Sometimes opening a special account, setting up a domain/website, other “verifiers”
Tampering
http://pinlac.com/LegoDSTractorBeam.html
Tampering with a File
Threat Example | What the Attacker Does | Notes/Examples
Modifying a file… | …which you own and you rely on |
 | …which they own and you rely on |
Modifying a file on a server… | …you own |
 | …they own (or take over) |
Modifies links or redirects | | Redirects are super-common on the web, and often rot away
Tampering with Memory
Threat Example | What the Attacker Does | Notes/Examples
Modifying code | Changes your code to suit themselves | Hard to defend against if the attacker is running code inside the trust boundaries
Modifying data they’ve supplied | Supplies data to a pass-by-reference API, then changes it | Works because of TOCTOU issues
 | Supplies data into a shared memory segment, then changes it |
Tampering with a Network
Threat Example | What the Attacker Does | Notes/Examples
Redirects the flow of data to their machine | Uses an attack at some network layer to redirect traffic | Pakistan/YouTube
Modifies data flowing over the network | | Easier (and more fun) with wireless networks
Uses network tampering to improve spoofing attacks | |
Repudiation
By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
Repudiation
Threat Example | What the Attacker Does | Notes/Examples
Repudiating an action | Claims to have not clicked | Maybe they did, maybe they didn’t, maybe they’re honestly confused
 | Claims to not have received | 1. Electronic or physical. 2. Receipt is strange: does a client downloading email mean you’ve seen it? Did a network proxy pre-fetch images? Was a package left on a porch?
 | Claims to be a fraud victim |
 | Uses someone else’s account |
Repudiation Attacks on Logs
Threat Example | What the Attacker Does | Notes/Examples
 | Discovers there are no logs |
 | Modifies data flowing over the network |
 | Puts data in the logs to confuse you |
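Two of the log attacks above have direct engineering answers: “puts data in the logs to confuse you” is defeated by serialising each event so that attacker-supplied text cannot start a new record, and modification is made evident by chaining an HMAC through the records. The block below is an added example written for these slides, not code from the course or the book. The log format, the forged username and the HMAC key are constructed; in a real deployment the key would be held by a separate log collector, not by the host producing the log.

```python
import hashlib
import hmac
import json
from typing import List


def naive_line(ts: str, user: str, result: str) -> str:
    # Free-text line: whatever the user typed lands in the log verbatim.
    return f"{ts} login user={user} result={result}"


def structured_line(ts: str, user: str, result: str) -> str:
    # json.dumps escapes control characters (\n, \r, ...), so one event is
    # always exactly one line, whatever the caller supplied as the username.
    event = {"ts": ts, "event": "login", "user": user, "result": result}
    return json.dumps(event, sort_keys=True)


class ChainedLog:
    """Append-only log: each record carries an HMAC over itself and the
    previous record's tag, so an edit or a deleted line breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.prev_tag = self.GENESIS
        self.lines: List[str] = []

    def append(self, ts: str, user: str, result: str) -> str:
        body = structured_line(ts, user, result)
        tag = hmac.new(self.key, (self.prev_tag + body).encode(),
                       hashlib.sha256).hexdigest()
        line = f"{body} {tag}"
        self.lines.append(line)
        self.prev_tag = tag
        return line


def verify_chain(lines: List[str], key: bytes) -> int:
    """Return -1 if every record verifies, else the index of the first bad one."""
    prev = ChainedLog.GENESIS
    for i, line in enumerate(lines):
        body, _, tag = line.rpartition(" ")
        expect = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return i
        prev = tag
    return -1


def demo() -> dict:
    # Constructed input: a "username" carrying a fake success record.
    forged = "mallory\n2024-05-01T10:00:01Z login user=admin result=ok"
    key = b"constructed-demo-key"  # placeholder; a real key lives off this host

    naive_records = naive_line("2024-05-01T10:00:00Z", forged, "fail").split("\n")
    structured_records = structured_line("2024-05-01T10:00:00Z", forged, "fail").split("\n")

    log = ChainedLog(key)
    for ts, user, res in [("2024-05-01T10:00:00Z", forged, "fail"),
                          ("2024-05-01T10:00:05Z", "alice", "ok"),
                          ("2024-05-01T10:00:09Z", "alice", "ok")]:
        log.append(ts, user, res)
    intact = verify_chain(log.lines, key)

    edited_lines = list(log.lines)
    edited_lines[0] = edited_lines[0].replace('"fail"', '"ok"')   # record rewritten
    edited = verify_chain(edited_lines, key)
    removed = verify_chain(log.lines[1:], key)                    # first record dropped

    return {"naive_records": len(naive_records),
            "structured_records": len(structured_records),
            "intact": intact, "edited": edited, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

`verify_chain` tells you where the chain first breaks, which is what an investigator needs; it cannot tell you what the original record said, which is why the “no logs” row is answered by shipping records off-host as they are written rather than by any format trick.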
Information Disclosure
Information Disclosure (Processes)
Threat Example | What the Attacker Does | Notes/Examples
Extracts user data | Exploits bugs like SQL injection to read db tables | Can find this by looking at data stores, but here the issue is the process returning data it shouldn’t
 | Reads error messages |
Extracts machine secrets | Reads error messages | Cannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’
 | Exploits bugs | “Heartbleed”
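The “reads error messages” row is the one most teams can close in an afternoon: keep the driver’s detail on the server, hand the caller a generic message plus a reference they can quote to support, and scrub credentials before the detail even reaches your own log. This is an added illustration, not code from the slides; the `connect()` stand-in simply raises an error modelled on the slide’s example, and the credential values are constructed.

```python
import logging
import re
import secrets
from typing import Callable

# Server-side logger; in production this feeds a store that remote callers never see.
log = logging.getLogger("app")
_SECRET_PATTERN = re.compile(r"(password\s*[=:]?\s*')[^']*(')", re.IGNORECASE)


def scrub(message: str) -> str:
    # Defence in depth: even the private log should not hold the literal password.
    return _SECRET_PATTERN.sub(r"\1[REDACTED]\2", message)


def connect(host: str, user: str, password: str) -> str:
    # Stand-in for a database driver whose failure message embeds the
    # credentials it was given (constructed after the slide's example).
    raise ConnectionError(
        f"Cannot connect to database '{host}' as user '{user}' with password '{password}'")


def handle_leaky(handler: Callable[[], str]) -> dict:
    try:
        return {"status": 200, "body": handler()}
    except Exception as exc:
        # Whatever the driver said goes straight back to the remote caller.
        return {"status": 500, "body": f"Error: {exc}"}


def handle_safe(handler: Callable[[], str]) -> dict:
    try:
        return {"status": 200, "body": handler()}
    except Exception as exc:
        ref = secrets.token_hex(8)                       # correlation id for support
        log.error("ref=%s %s: %s", ref, type(exc).__name__, scrub(str(exc)))
        return {"status": 500, "body": f"Internal error (reference {ref})"}


def demo() -> dict:
    password = "&IO*(^&"  # constructed secret, as on the slide

    def handler() -> str:
        return connect("foo", "sql", password)

    leaky = handle_leaky(handler)["body"]
    safe = handle_safe(handler)["body"]
    return {"leaky_exposes_secret": password in leaky,
            "safe_exposes_secret": password in safe,
            "safe_has_reference": bool(re.search(r"reference [0-9a-f]{16}\)$", safe)),
            "scrubbed": scrub(f"with password '{password}'")}


if __name__ == "__main__":
    print(demo())
```

The reference id is what makes the generic message acceptable to operators: the detail is still one grep away on the server side, just not one HTTP request away for everyone else.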
Information Disclosure (Data Stores)
Sub-category | What the Attacker Does
Permissions | Take advantage of missing or inappropriate ACLs
 | Take advantage of bad database permissions
 | Find files protected by obscurity
Security | Find crypto keys on disk or in memory
 | Get data from logs/temp files
 | Get data from swap files
 | See interesting information in filenames/directory names
Network | See data traversing a network
Misc | Obtain device, boot in new OS
Information Disclosure (Data Flow)
Sub-category | What the Attacker Does
Network | Read data on a network
 | Redirects traffic to enable reading data on the network
Metadata | Learns secrets by analyzing traffic
 | Learns who talks to whom by watching the DNS
 | Learns who talks to whom by analyzing social network information
Denial of Service
Model by Nathan Sawaya http://brickartist.com/gallery/han-solo-in-carbonite/
Denial of Service
Threat Example | What the Attacker Does | Notes/Examples
Against a process | Absorb memory (RAM or disk) |
 | Absorb CPU |
 | Uses a process as an amplifier |
Against business logic | “Too many login attempts” |
Against a data store | Fills the data store |
 | Makes enough requests to slow the system |
Against a data flow | Consumes network resources |
Note: the effect can be temporary (lasting as long as the attack continues; fill the network) or persist beyond it (fill a disk).
Elevation of Privilege
http://www.flickr.com/photos/prodiffusion/
Elevation of Privilege (“EoP”)
Threat Example | What the Attacker Does | Notes/Examples
EoP against process via corruption | Sends inputs the code doesn’t handle properly | Very common, usually high impact
 | Gains read/write access to memory | Writing memory is more obviously bad
EoP via misused authorization checks | |
EoP via buggy authorization checks | | Centralizing checking makes consistency and correctness easier
EoP via data tampering | Modify bits on disk |
STRIDE Variants
• Ways to focus on likely threats
  • STRIDE per element
  • STRIDE per interaction
• Elevation of Privilege game
  • Training, structure and execution
• DESIST
  • Dispute
  • Elevation of Privilege
  • Spoofing
  • Information Disclosure
  • Service Denial
  • Tampering
STRIDE per Element
                | Spoofing | Tamper. | Rep. | Info.Disc. | DoS | EoP
Process         |          |         |      |            |     |
Data Store      |          |         |      |            |     |
Dataflow        |          |         |      |            |     |
External Entity |          |         |      |            |     |
This is Microsoft’s chart; it may not be the issues you need to worry about (privacy)
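STRIDE per element is mechanical enough to script, and scripting it makes the slide’s caveat concrete: the chart is just a table you can swap out. The following is an added example, not course or Microsoft code. The cell contents it uses are the ones published in Shostack’s Threat Modeling (chapter 3) and are taken here as an assumption: all six threats for processes, T/R/I/D for data stores (R mainly where the store holds logs), T/I/D for data flows, S/R for external entities. The sample DFD is constructed.

```python
from typing import Dict, List, Tuple

# STRIDE-per-element chart, assumed from Shostack's Threat Modeling, ch. 3:
# which threats to consider for each kind of data-flow-diagram element.
DEFAULT_CHART: Dict[str, str] = {
    "process": "STRIDE",       # all six apply to code that runs
    "data store": "TRID",      # R mainly where the store holds logs
    "data flow": "TID",
    "external entity": "SR",
}

THREAT_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


def stride_per_element(elements: List[Tuple[str, str]],
                       chart: Dict[str, str] = DEFAULT_CHART,
                       names: Dict[str, str] = THREAT_NAMES) -> List[Tuple[str, str]]:
    """Expand a list of (element name, element kind) into (element, threat) pairs.

    Pass your own `chart`/`names` when the stock chart does not match your
    concerns, e.g. add a "P" column for privacy; that is the slide's caveat.
    """
    out: List[Tuple[str, str]] = []
    for name, kind in elements:
        letters = chart.get(kind.lower())
        if letters is None:
            raise ValueError(f"unknown element kind: {kind!r}")
        for letter in letters:
            out.append((name, names.get(letter, letter)))
    return out


def as_outline(rows: List[Tuple[str, str]]) -> List[str]:
    # Group the pairs under each element so the result reads like a worksheet.
    lines: List[str] = []
    current = None
    for element, threat in rows:
        if element != current:
            lines.append(element)
            current = element
        lines.append(f"  - {threat}")
    return lines


# Constructed toy DFD: a browser, a web app, its database, and the two flows.
SAMPLE_DFD = [
    ("Browser", "external entity"),
    ("Web app", "process"),
    ("Orders DB", "data store"),
    ("Browser -> Web app (HTTPS)", "data flow"),
    ("Web app -> Orders DB (SQL)", "data flow"),
]

if __name__ == "__main__":
    print("\n".join(as_outline(stride_per_element(SAMPLE_DFD))))
```

Each pair in the output is a question (“can the Web app be spoofed?”), not a finding; the value of the chart is that it stops you skipping the questions that do not come naturally for a given element type.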
Attack Trees
• Structured relationship between attack details
• Detail (this is a subcategory of that)
• Present as outline, picture
• Creation vs. use
Using an Attack Tree
• Find an appropriate tree
  • Web search
  • Appendix B of Threat Modeling
• Iterate through your diagram & tree
  • “Does this apply here?”
• More precise iteration is more useful when you’re learning, or for high-stakes analysis
Creating Attack Trees
• Creating attack trees
  • for a project
  • for general use (very hard!)
• Steps:
  • Choose a representation
  • Create a root node (goal, “Get root”)
  • Add subnodes
  • Consider completeness
  • Prune
  • Check
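The creation steps above (choose a representation, root node, subnodes, prune, check) and the “outline” presentation from the earlier slide fit in a few dozen lines once the tree is a data structure with AND/OR gates. This is an added example, not code from the course or from Appendix B of the book. The sample tree is constructed for illustration, its root named after the slide’s “Get root” example; “mitigated” is the flag a defender sets on a leaf once a control blocks that step.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    label: str
    gate: str = "OR"                 # "OR": any child suffices; "AND": all are needed
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False          # set when a control defeats this step


def feasible(node: Node) -> bool:
    """Can the goal at this node still be reached given current mitigations?"""
    if node.mitigated:
        return False
    if not node.children:            # leaf: an attack step with no control on it
        return True
    results = [feasible(c) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def prune(node: Node) -> Optional[Node]:
    """The 'Prune' step: return a copy with subtrees that lead nowhere removed."""
    if not feasible(node):
        return None
    kept = [p for p in (prune(c) for c in node.children) if p is not None]
    return Node(node.label, node.gate, kept, node.mitigated)


def outline(node: Node, depth: int = 0) -> List[str]:
    """Present the tree in the indented outline form the slide mentions."""
    gate = f" [{node.gate}]" if node.children else ""
    flag = " (mitigated)" if node.mitigated else ""
    lines = [f"{'  ' * depth}{node.label}{gate}{flag}"]
    for child in node.children:
        lines.extend(outline(child, depth + 1))
    return lines


def mitigate(node: Node, label: str) -> bool:
    """Mark every node with this label as mitigated; return whether any matched."""
    hit = node.label == label
    if hit:
        node.mitigated = True
    for child in node.children:
        hit = mitigate(child, label) or hit
    return hit


def build_sample_tree() -> Node:
    # Constructed illustration; the root follows the slide's "Get root" example.
    return Node("Get root on the build server", "OR", [
        Node("Exploit an unpatched service"),
        Node("Log in with an administrator's credentials", "AND", [
            Node("Obtain the password", "OR", [
                Node("Phish the administrator"),
                Node("Reuse a password from a public breach"),
            ]),
            Node("Defeat the second factor"),
        ]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("\n".join(outline(tree)))
    mitigate(tree, "Exploit an unpatched service")
    mitigate(tree, "Defeat the second factor")
    print("goal still feasible:", feasible(tree))
```

The AND gate is what makes the second branch worth modelling: patching closes one path, but the credential path only closes once one of its required steps is blocked, which `feasible()` reports and `prune()` then removes from the picture you present.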
Attack libraries
Libraries
• Collections of knowledge for you to apply
• More structured than a mnemonic
• More detailed than a tree
• CAPEC is the most detailed library available today, offering great structure
Checklists & Literature Search
• Checklists
  • Static
  • Useful for commonly recurring threats
  • May limit creativity
• Literature search
  • Review of past attacks
  • Useful to leverage work on similar systems
Recap
• Mnemonics like STRIDE, trees, and libraries can all support finding threats—what can go wrong.
• The best tool is the one that works for you/your team
  • Those may be different
• Familiarity with a spectrum will help you
What's next?
• Quiz 2
  • Due Sunday 11:59 PM
  • 10 questions
  • 20 minutes
  • You have 2 chances (take highest grade)
• Read chapters 6 and 7