RIDL vurrnability - Rouge in flight data load

profileAbhi
Residency_OverviewSTRIDE.pptx

ISOL536 | Security Architecture and Design

Dr. Justin O. Hensley

School of Computer and Information Sciences

1

Overview and stride review

2

Ways to Find Security Issues

Static analysis of code

Fuzzing or other dynamic testing

Pen test/red team

Wait for bug reports after release

All of these are fine, but as you go down the list, you’re going later and later in the development process. So when you find bugs, you may have a hard time fixing them, because you might have dependencies on behavior such as taking large complex input from an untrusted party, or your libraries may not handle issues like sql injection well, or you might be using an untyped language like C.

3

Ways to Find Security Issues

Threat modeling!

Think about security issues early

Understand your requirements better

Don’t write bugs into the code

And the subject of this course

4

Definitions

What is a threat?

How is it different from a

vulnerability,

risk,

or just a problem?

What is a model?

Many people get stuck on these. Definitions matter. Many people don’t understand the definition of a threat and how it’s different from a vulnerability, a risk, or a problem.

“Threat” means the bad thing that might happen. “Threat” can also refer to a person, or a piece of malware, but we don’t use those definitions here.

“Vulnerability” is a term of art for code that can be automatically exploited, or more generally, a weakness that can be exploited.

MODEL: a system or thing used as an example to follow or imitate.

5

How to Threat Model

What are you building?

What can go wrong?

What are you going to do about it?

Did you complete a good analysis?

The course will teach you practical skills for each of these

6

Addressing the Threat

7

Mitigate

Eliminate

Transfer

Accept

Validation of the Model

8

Check the model

Check each threat

Check the tests

STRIDE

Threat Property Violated Definition Example
Spoofing Authentication Impersonating something or someone else. Pretending to be any of Bill Gates, Paypal.com or ntdll.dll
Tampering Integrity Modifying data or code Modifying a DLL on disk or DVD, or a packet as it traverses the network
Repudiation Non-repudiation Claiming to have not performed an action. “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Information Disclosure Confidentiality Exposing information to someone not authorized to see it Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Denial of Service Availability Deny or degrade service to users Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Elevation of Privilege Authorization Gain capabilities without proper authorization Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

9

What Can Go Wrong?

Track issues as you find them

“attacker could pretend to be a client & connect”

Track assumptions

“I think that connection is always over SSL”

Both lists are inputs to “what are you going to do about it?”

10

Spoofing On the Local Machine

Threat Example What the Attacker Does Notes/Examples
Spoofing a process Creates a file before the real process Then your process relies on it
Abuses names Create a version of “sudo” and alter PATH
Spoofing a filename Creates a file in the local directory Library, executable or config file
Creates a link, changes it Also called ‘race condition’ or TOCTOU
Creates many files in a target directory Code can easily create all possible /tmp/foo.random

11

Tampering with Memory

Threat Example What the Attacker Does Notes/Examples
Modifying code Changes your code to suit themselves Hard to defend against if the attacker is running code inside the trust boundaries
Modifying data they’ve supplied Supplies data to a pass by reference API, then changes it Works because of TOCTOU issues
Supplies data into a shared memory segment, then changes it

12

Repudiation

Threat Example What the Attacker Does Notes/examples
Repudiating an action Claims to have not clicked Maybe they did, maybe they didn’t, maybe they’re honestly confused
Claims to not have received 1. Electronic or physical 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy pre-fetch images? Was a package left on a porch?
Claims to be a fraud victim
Uses someone else’s account

13

Information Disclosure (Processes)

Threat Example What the Attacker Does Notes/Examples
Extracts user data Exploits bugs like SQL injection to read db tables Can find this by looking to data stores, but here the issue is the process returning data it shouldn’t
Reads error messages
Extracts machine secrets Reads error messages Cannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’
Exploits bugs “Heartbleed”

14

Information Disclosure (Data Stores)

Sub-category What the Attacker Does
Permissions Take advantage of missing or inappropriate ACLs
Take advantage of bad database permissions
File files protected by obscurity
Security Find crypto keys on disk or in memory
Get data from logs/temp files
Get data from swap files
See interesting information in filenames/directory names
Network See data traversing a network
Misc Obtain device, boot in new OS

15

Information Disclosure (Data Flow)

Sub-category What the Attacker Does
Network Read data on a network
Redirects traffics to enable reading data on the network
Metadata Learns secrets by analyzing traffic
Learns who talks to whom by watching the DNS
Learns who talks to whom by analyzing social network information

16

Denial of Service

Threat Example What the Attacker Does Notes/Examples
Against a process Absorb memory (ram or disk)
Absorb CPU
Uses a process as an amplifier
Against business logic “Too many login attempts”
Against a data store Fills the data store
Makes enough requests to slow the system
Against a data flow Consumes network resources

Can be temporary (as the attack continues; fill the network) or persist beyond that (fill a disk)

17

Elevation of Privilege (“EoP”)

Threat Example What the Attacker Does Notes/Examples
EoP Against process via corruption Sends inputs the code doesn’t handle properly Very common, usually high impact
Gains read/write access to memory Writing memory more obviously bad
EoP via misused authorization checks
EoP via buggy authorization checks Centralizing checking makes consistency, correctness easier
EoP via data tampering Modify bits on disk

18

ISOL536 | Security Architecture and Design

Dr. Justin O. Hensley

School of Computer and Information Sciences

19