RIDL vurrnability - Rouge in flight data load
ISOL536 | Security Architecture and Design
Dr. Justin O. Hensley
School of Computer and Information Sciences
1
Overview and stride review
2
Ways to Find Security Issues
Static analysis of code
Fuzzing or other dynamic testing
Pen test/red team
Wait for bug reports after release
All of these are fine, but as you go down the list, you’re going later and later in the development process. So when you find bugs, you may have a hard time fixing them, because you might have dependencies on behavior such as taking large complex input from an untrusted party, or your libraries may not handle issues like sql injection well, or you might be using an untyped language like C.
3
Ways to Find Security Issues
Threat modeling!
Think about security issues early
Understand your requirements better
Don’t write bugs into the code
And the subject of this course
4
Definitions
What is a threat?
How is it different from a
vulnerability,
risk,
or just a problem?
What is a model?
Many people get stuck on these. Definitions matter. Many people don’t understand the definition of a threat and how it’s different from a vulnerability, a risk, or a problem.
“Threat” means the bad thing that might happen. “Threat” can also refer to a person, or a piece of malware, but we don’t use those definitions here.
“Vulnerability” is a term of art for code that can be automatically exploited, or more generally, a weakness that can be exploited.
MODEL: a system or thing used as an example to follow or imitate.
5
How to Threat Model
What are you building?
What can go wrong?
What are you going to do about it?
Did you complete a good analysis?
The course will teach you practical skills for each of these
6
Addressing the Threat
7
Mitigate
Eliminate
Transfer
Accept
Validation of the Model
8
Check the model
Check each threat
Check the tests
STRIDE
| Threat | Property Violated | Definition | Example |
| Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of Bill Gates, Paypal.com or ntdll.dll |
| Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network |
| Repudiation | Non-repudiation | Claiming to have not performed an action. | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!” |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site. |
| Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP. |
9
What Can Go Wrong?
Track issues as you find them
“attacker could pretend to be a client & connect”
Track assumptions
“I think that connection is always over SSL”
Both lists are inputs to “what are you going to do about it?”
10
Spoofing On the Local Machine
| Threat Example | What the Attacker Does | Notes/Examples |
| Spoofing a process | Creates a file before the real process | Then your process relies on it |
| Abuses names | Create a version of “sudo” and alter PATH | |
| Spoofing a filename | Creates a file in the local directory | Library, executable or config file |
| Creates a link, changes it | Also called ‘race condition’ or TOCTOU | |
| Creates many files in a target directory | Code can easily create all possible /tmp/foo.random |
11
Tampering with Memory
| Threat Example | What the Attacker Does | Notes/Examples |
| Modifying code | Changes your code to suit themselves | Hard to defend against if the attacker is running code inside the trust boundaries |
| Modifying data they’ve supplied | Supplies data to a pass by reference API, then changes it | Works because of TOCTOU issues |
| Supplies data into a shared memory segment, then changes it |
12
Repudiation
| Threat Example | What the Attacker Does | Notes/examples |
| Repudiating an action | Claims to have not clicked | Maybe they did, maybe they didn’t, maybe they’re honestly confused |
| Claims to not have received | 1. Electronic or physical 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy pre-fetch images? Was a package left on a porch? | |
| Claims to be a fraud victim | ||
| Uses someone else’s account |
13
Information Disclosure (Processes)
| Threat Example | What the Attacker Does | Notes/Examples |
| Extracts user data | Exploits bugs like SQL injection to read db tables | Can find this by looking to data stores, but here the issue is the process returning data it shouldn’t |
| Reads error messages | ||
| Extracts machine secrets | Reads error messages | Cannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’ |
| Exploits bugs | “Heartbleed” |
14
Information Disclosure (Data Stores)
| Sub-category | What the Attacker Does |
| Permissions | Take advantage of missing or inappropriate ACLs |
| Take advantage of bad database permissions | |
| File files protected by obscurity | |
| Security | Find crypto keys on disk or in memory |
| Get data from logs/temp files | |
| Get data from swap files | |
| See interesting information in filenames/directory names | |
| Network | See data traversing a network |
| Misc | Obtain device, boot in new OS |
15
Information Disclosure (Data Flow)
| Sub-category | What the Attacker Does |
| Network | Read data on a network |
| Redirects traffics to enable reading data on the network | |
| Metadata | Learns secrets by analyzing traffic |
| Learns who talks to whom by watching the DNS | |
| Learns who talks to whom by analyzing social network information |
16
Denial of Service
| Threat Example | What the Attacker Does | Notes/Examples |
| Against a process | Absorb memory (ram or disk) | |
| Absorb CPU | ||
| Uses a process as an amplifier | ||
| Against business logic | “Too many login attempts” | |
| Against a data store | Fills the data store | |
| Makes enough requests to slow the system | ||
| Against a data flow | Consumes network resources |
Can be temporary (as the attack continues; fill the network) or persist beyond that (fill a disk)
17
Elevation of Privilege (“EoP”)
| Threat Example | What the Attacker Does | Notes/Examples |
| EoP Against process via corruption | Sends inputs the code doesn’t handle properly | Very common, usually high impact |
| Gains read/write access to memory | Writing memory more obviously bad | |
| EoP via misused authorization checks | ||
| EoP via buggy authorization checks | Centralizing checking makes consistency, correctness easier | |
| EoP via data tampering | Modify bits on disk |
18
ISOL536 | Security Architecture and Design
Dr. Justin O. Hensley
School of Computer and Information Sciences
19