ISOL 536 Security Architecture and Design
Threat Modeling Session 3
“What Can Go Wrong?”
Agenda
• STRIDE (in depth!)
• Reading: Chapter 3
Approach
• “What can go wrong” & “what to do about it” are often (and reasonably) tied together in practice
• This course splits them because they are distinct questions & skills
Diagram: a spectrum of approaches, from security mavens at one end to experts in other areas at the other, with STRIDE, attack trees and attack libraries placed along it.
STRIDE
STRIDE Agenda
• Recap: A mnemonic for finding threats
• Details as examples
• Variants
STRIDE (review)

| Threat | Property Violated | Definition | Example |
|---|---|---|---|
| Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of Bill Gates, Paypal.com or ntdll.dll |
| Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network |
| Repudiation | Non-repudiation | Claiming to have not performed an action. | "I didn't send that email," "I didn't modify that file," "I certainly didn't visit that web site, dear!" |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site. |
| Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP. |
Spoofing
By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532
Spoofing on the Local Machine

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Spoofing a process | Creates a file before the real process | Then your process relies on it |
| | Abuses names | Create a version of "sudo" and alter PATH |
| Spoofing a filename | Creates a file in the local directory | Library, executable or config file |
| | Creates a link, changes it | Also called 'race condition' or TOCTOU |
| | Creates many files in a target directory | Code can easily create all possible /tmp/foo.random |
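The filename-spoofing rows above describe a check-then-use race: a process computes a guessable name, checks whether it exists, and then creates or opens it, leaving a window in which something else can be planted at that path. The example below is added here and is not code from the slides; it contrasts the guessable-name pattern with an atomic exclusive create, and uses a constructed scratch directory, a constructed planted symlink and the constructed names `foo.<pid>` and `foo.fresh`. The pattern generalizes beyond temp files to any file a program creates and then trusts.

```python
import os
import stat
import tempfile

# Added example (not from the slides). Shows why a guessable temp-file name plus
# a separate "does it exist?" check is a spoofing/TOCTOU target, and how an
# atomic exclusive create closes the window. Paths and names are constructed.

def predictable_temp_path(base_dir, pid):
    """The weak pattern: a name anyone can precompute, e.g. /tmp/foo.1234."""
    return os.path.join(base_dir, "foo.%d" % pid)

def create_exclusive(path, mode=0o600):
    """Create `path` atomically and fail if anything (file or link) is already there.

    O_CREAT|O_EXCL makes the existence check and the create one system call, so
    there is no time-of-check/time-of-use window for a planted file or symlink;
    O_EXCL also fails on a pre-existing symlink even if it dangles. After the
    open, fstat() tells us what we really got. Returns an open fd the caller owns.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_mode & 0o022):
        os.close(fd)
        raise OSError("refusing %s: unexpected type, owner or mode" % path)
    return fd

def safe_temp_file(base_dir):
    """Preferred form: the library picks an unguessable name and uses O_EXCL."""
    return tempfile.mkstemp(prefix="foo.", dir=base_dir)

def demo():
    """Plant an entry at the predictable name, then exercise the safe creates."""
    base_dir = tempfile.mkdtemp()            # constructed scratch directory
    results = {}
    planted = predictable_temp_path(base_dir, 1234)
    # Constructed stand-in for a link someone left at the guessable name.
    os.symlink(os.path.join(base_dir, "somewhere-else"), planted)
    try:
        os.close(create_exclusive(planted))
        results["planted_name_rejected"] = False
    except OSError:
        results["planted_name_rejected"] = True
    fresh = os.path.join(base_dir, "foo.fresh")
    os.close(create_exclusive(fresh))
    results["fresh_name_created"] = os.path.isfile(fresh)
    fd, name = safe_temp_file(base_dir)
    os.close(fd)
    results["mkstemp_name_unpredictable"] = os.path.isfile(name) and name != planted
    return results

if __name__ == "__main__":
    print(demo())
```

The fstat() check after the open is the part people skip: O_EXCL guarantees you created the entry, and the stat confirms it is a regular file you own with a mode nobody else can write, which is what the rest of the program is about to assume.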
Spoofing over a Network

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Spoofing a machine | ARP spoofing | |
| | IP spoofing | |
| | DNS spoofing | |
| | DNS compromise | Can be at the TLD, registrar or DNS server |
| | IP redirection | |
| Spoofing a person | Take over account | "Stranded in London" |
| | Set the display name | |
| Spoofing a role | Declares themselves to be that role | Sometimes opening a special account, setting up a domain/website, other "verifiers" |
Tampering
http://pinlac.com/LegoDSTractorBeam.html
Tampering with a File

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Modifying a file… | … which you own and you rely on | |
| | … which they own and you rely on | |
| Modifying a file on a server… | … you own | |
| | … they own (or take over) | |
| Modifies links or redirects | | Redirects are super-common on the web, and often rot away |
Tampering with Memory

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Modifying code | Changes your code to suit themselves | Hard to defend against if the attacker is running code inside the trust boundaries |
| Modifying data they've supplied | Supplies data to a pass-by-reference API, then changes it | Works because of TOCTOU issues |
| | Supplies data into a shared memory segment, then changes it | |
Tampering with a Network

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Redirects the flow of data to their machine | Uses an attack at some network layer to redirect traffic | Pakistan/YouTube |
| Modifies data flowing over the network | | Easier (and more fun) with wireless networks |
| Uses network tampering to improve spoofing attacks | | |
Repudiation
By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/
Repudiation

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Repudiating an action | Claims to have not clicked | Maybe they did, maybe they didn't, maybe they're honestly confused |
| | Claims to not have received | 1. Electronic or physical. 2. Receipt is strange; does a client downloading email mean you've seen it? Did a network proxy pre-fetch images? Was a package left on a porch? |
| | Claims to be a fraud victim | |
| | Uses someone else's account | |
Repudiation Attacks on Logs

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| | Discovers there are no logs | |
| | Modifies data flowing over the network | |
| | Puts data in the logs to confuse you | |
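Every row in the logs table is easier to argue about when the log itself can be shown to be intact. The example below is added here and is not code from the slides: it chains each entry to the previous one with a keyed MAC, so an edited or removed entry breaks the chain at a known index, and it shows the one case a bare chain misses (entries cut off the tail), which needs the latest MAC anchored somewhere the log writer cannot alter. The key, the audit records and the user names are constructed.

```python
import copy
import hashlib
import hmac
import json

# Added example (not from the slides): a keyed hash chain over log entries so that
# an edited or deleted entry is detectable. Key, records and names are constructed.

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"   # real deployments: a key the log writer cannot later read

def _mac(key, prev_mac, record):
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append(log, record, key=DEMO_KEY):
    """Append `record` to `log` (a list), chaining it to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": _mac(key, prev, record)})
    return log

def verify(log, key=DEMO_KEY, anchor=None):
    """Return the index of the first broken entry, or None if the chain is intact.

    `anchor` is the last MAC as recorded somewhere the attacker cannot change
    (printed, mailed, stored on another host). Without it, cutting entries off
    the tail leaves a shorter chain that still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["record"])):
            return i
        prev = entry["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(log)          # tail missing (or extra entries) relative to the anchor
    return None

def demo():
    log = []
    for rec in [                  # constructed audit records
        {"user": "alice", "action": "login", "object": "-"},
        {"user": "alice", "action": "delete", "object": "invoice-42"},
        {"user": "bob", "action": "read", "object": "invoice-42"},
    ]:
        append(log, rec)
    anchor = log[-1]["mac"]
    results = {"intact": verify(log, anchor=anchor)}
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "read"      # "I didn't delete that file"
    results["edited_entry_at"] = verify(edited)
    removed = copy.deepcopy(log)
    del removed[1]                              # the delete entry vanishes
    results["removed_entry_at"] = verify(removed)
    truncated = log[:-1]                        # last entry cut off
    results["truncated_without_anchor"] = verify(truncated)
    results["truncated_with_anchor"] = verify(truncated, anchor=anchor)
    return results
```

The chain answers "was this log changed?" but not "was this log complete?"; the anchor (or a periodic signed checkpoint) is what turns a truncated tail into a detected event. The "there are no logs" row is the degenerate case: nothing here helps if the events were never written.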
Information Disclosure
Photo by Simon Liu http://www.flickr.com/photos/simocs/6999508124/
Information Disclosure (and impact)
Information Disclosure (Processes)

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Extracts user data | Exploits bugs like SQL injection to read db tables | Can find this by looking to data stores, but here the issue is the process returning data it shouldn't |
| | Reads error messages | |
| Extracts machine secrets | Reads error messages | Cannot connect to database 'foo' as user 'sql' with password '&IO*(^&' |
| | Exploits bugs | "Heartbleed" |
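The "reads error messages" rows are the cheapest disclosure to fix: the process returns the driver's own text, credentials included, to whoever sent the request. The example below is added here and is not code from the slides; it keeps the full exception server-side and hands the caller only a generic message and a reference id for support to look up. The `ClientError` class, the `handle_request` helper and the failing-connect stand-in are constructed; the connection-error text is the slide's own example.

```python
import logging
import uuid

# Added example (not from the slides): keep internal failure detail in the
# server-side log and hand the client only a generic message plus a reference id.

log = logging.getLogger("app")

class ClientError(Exception):
    """An error whose text we wrote for the caller and may safely return."""

def handle_request(op):
    """Run op() and return (status, body); body never carries internal detail."""
    try:
        return 200, {"result": op()}
    except ClientError as e:
        return 400, {"error": str(e)}
    except Exception:
        ref = uuid.uuid4().hex
        log.exception("request failed ref=%s", ref)   # full traceback stays server-side
        return 500, {"error": "internal error", "ref": ref}

def failing_db_connect():
    # Constructed stand-in for a database driver error; the text is the slide's example.
    raise RuntimeError("Cannot connect to database 'foo' as user 'sql' with password '&IO*(^&'")

def bad_input():
    raise ClientError("invoice id must be numeric")

def demo():
    status, body = handle_request(failing_db_connect)
    leaked = "password" in str(body) or "&IO*(^&" in str(body)
    return {
        "db_status": status,
        "db_leaks_secret": leaked,
        "db_has_ref": "ref" in body,
        "client_error": handle_request(bad_input),
        "success": handle_request(lambda: 7),
    }
```

The split into two exception classes is the design point: only text the application authored for the caller is ever echoed back, and everything else is treated as unknown and therefore secret. The same discipline belongs in debug pages and stack traces that frameworks enable by default.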
Information Disclosure (Data Stores)

| Sub-category | What the Attacker Does |
|---|---|
| Permissions | Take advantage of missing or inappropriate ACLs |
| | Take advantage of bad database permissions |
| | Find files protected by obscurity |
| Security | Find crypto keys on disk or in memory |
| | Get data from logs/temp files |
| | Get data from swap files |
| | See interesting information in filenames/directory names |
| Network | See data traversing a network |
| Misc | Obtain device, boot in new OS |
Information Disclosure (Data Flow)

| Sub-category | What the Attacker Does |
|---|---|
| Network | Read data on a network |
| | Redirects traffic to enable reading data on the network |
| Metadata | Learns secrets by analyzing traffic |
| | Learns who talks to whom by watching the DNS |
| | Learns who talks to whom by analyzing social network information |
Denial of Service
Model by Nathan Sawaya http://brickartist.com/gallery/han-solo-in-carbonite/
Denial of Service

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Against a process | Absorb memory (RAM or disk) | |
| | Absorb CPU | |
| | Uses a process as an amplifier | |
| Against business logic | "Too many login attempts" | |
| Against a data store | Fills the data store | |
| | Makes enough requests to slow the system | |
| Against a data flow | Consumes network resources | Can be temporary or persistent |
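The "too many login attempts" row is denial of service through the application's own protective logic: if five wrong passwords lock an account, anyone who knows a username can keep its owner out. The example below is added here and is not code from the slides; it runs the same failed-login sequence under two policies, a per-account lockout and a throttle keyed on (account, source), and shows which one still lets the real user in. The `FailureThrottle` class, the policy names, the user name and the addresses are constructed.

```python
# Added example (not from the slides). Compares two failed-login policies under the
# "too many login attempts" threat: locking the account after N failures lets anyone
# who knows a username deny that user service; throttling per (account, source)
# keeps the slowdown local to whoever is failing. Names and addresses are constructed.

class FailureThrottle:
    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = {}            # key -> list of failure timestamps

    def _recent(self, key, now):
        kept = [t for t in self.failures.get(key, []) if now - t < self.window]
        self.failures[key] = kept     # expire old failures so the throttle is temporary
        return kept

    def allowed(self, key, now):
        return len(self._recent(key, now)) < self.max_failures

    def record(self, key, now, success):
        if success:
            self.failures.pop(key, None)
        else:
            self._recent(key, now).append(now)

def attempt(policy, throttle, user, source, password_ok, now):
    """Return 'ok', 'denied' (bad password) or 'throttled' (too many recent failures)."""
    key = user if policy == "lock-account" else (user, source)
    if not throttle.allowed(key, now):
        return "throttled"
    throttle.record(key, now, password_ok)
    return "ok" if password_ok else "denied"

def demo():
    """Five failures for 'alice' from one address, then alice logs in correctly from her own."""
    outcome = {}
    for policy in ("lock-account", "per-source"):
        t = FailureThrottle()
        for i in range(5):
            attempt(policy, t, "alice", "198.51.100.7", False, now=i)
        outcome[policy] = attempt(policy, t, "alice", "192.0.2.10", True, now=10)
    # The lockout is not permanent either: after the window, alice gets back in.
    t = FailureThrottle()
    for i in range(5):
        attempt("lock-account", t, "alice", "198.51.100.7", False, now=i)
    outcome["lock-account-after-window"] = attempt("lock-account", t, "alice", "192.0.2.10", True, now=400)
    outcome["wrong-password"] = attempt("per-source", FailureThrottle(), "alice", "192.0.2.10", False, now=0)
    return outcome
```

Keying on the source alone is not a complete answer (a slow, widely distributed guess spreads under the per-source limit), so this is usually paired with a per-account slowdown or step-up challenge; the design goal shown here is narrower: a control meant to protect the account should not hand an unauthenticated party a way to disable it.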
Elevation of Privilege
http://www.flickr.com/photos/prodiffusion/
Elevation of Privilege ("EoP")

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| EoP against process via corruption | Sends inputs the code doesn't handle properly | Very common, usually high impact |
| | Gains read/write access to memory | Writing memory more obviously bad |
| EoP via misused authorization checks | | |
| EoP via buggy authorization checks | | Centralizing checking makes consistency, correctness easier |
| EoP via data tampering | Modify bits on disk | |
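The note on the buggy-authorization row, that centralizing the check makes consistency and correctness easier, is concrete enough to show. The example below is added here and is not code from the slides: one policy table, one `authorize` function, a decorator that binds the check to each handler so it cannot be left out of the body, and an audit that lists any handler that never went through it. The permission names, roles, handlers and principals are constructed.

```python
from functools import wraps

# Added example (not from the slides): one policy table and one check function that
# every handler goes through, plus an audit that lists handlers which skipped it.
# Permission names, roles and handlers are constructed.

POLICY = {
    "invoice:read":   {"user", "admin"},
    "invoice:delete": {"admin"},
}

class Forbidden(Exception):
    pass

def authorize(principal, permission):
    """The single place authorization is decided; an unknown permission denies."""
    if principal.get("role") not in POLICY.get(permission, set()):
        raise Forbidden("%s lacks %s" % (principal.get("name"), permission))

def requires(permission):
    """Attach the check to a handler so it cannot be forgotten in the body."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            authorize(principal, permission)
            return fn(principal, *args, **kwargs)
        wrapper.required_permission = permission
        return wrapper
    return decorate

@requires("invoice:read")
def read_invoice(principal, invoice_id):
    return "invoice %s" % invoice_id

@requires("invoice:delete")
def delete_invoice(principal, invoice_id):
    return "deleted %s" % invoice_id

def export_invoices(principal):
    # Constructed "buggy" handler: the author meant to add a check and did not.
    return "all invoices"

def unprotected_handlers(handlers):
    """Audit: names of handlers that were never wrapped by requires()."""
    return sorted(h.__name__ for h in handlers if not hasattr(h, "required_permission"))

def demo():
    limited = {"name": "mallory", "role": "user"}
    admin = {"name": "root", "role": "admin"}
    out = {"user_reads": read_invoice(limited, 42),
           "admin_deletes": delete_invoice(admin, 42)}
    try:
        delete_invoice(limited, 42)
        out["user_delete_blocked"] = False
    except Forbidden:
        out["user_delete_blocked"] = True
    out["missing_checks"] = unprotected_handlers([read_invoice, delete_invoice, export_invoices])
    return out
```

Two properties fall out of the centralization: a permission that is misspelled or never added to the table denies rather than allows, and the audit can be run in a test so a new handler without a check fails the build instead of shipping.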
STRIDE Variants
• Ways to focus on likely threats
  – STRIDE per element
  – STRIDE per interaction
• Elevation of Privilege game
  – Training, structure and execution
• DESIST
  – Dispute
  – Elevation of Privilege
  – Spoofing
  – Information Disclosure
  – Service Denial
  – Tampering
STRIDE per Element

| | Spoofing | Tamper. | Rep. | Info. Disc. | DoS | EoP |
|---|---|---|---|---|---|---|
| Process | X | X | X | X | X | X |
| Data Store | | X | X | X | X | |
| Dataflow | | X | | X | X | |
| External Entity | X | | X | | | |

This is Microsoft's chart; it may not be the issues you need to worry about (privacy)
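STRIDE per element is mechanical enough to run as code: walk the diagram, and for each element emit the categories its kind is marked for. The example below is added here and is not code from the slides; it encodes Microsoft's chart as data (the marks are the published chart, which the extracted slide did not preserve), enumerates candidate threats for a constructed three-tier diagram, and leaves the table editable for the case the slide warns about, where the standard marks are not the issues you need (privacy, for instance). The `SAMPLE_DFD`, `threats_for` and `enumerate_dfd` names are constructed.

```python
# Added example (not from the slides): the STRIDE-per-element chart as data, plus
# a small enumerator that lists candidate threats for each element of a DFD.
# The per-element marks are Microsoft's published chart; the sample DFD is constructed.

THREAT_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

PER_ELEMENT = {                 # edit this table when the standard marks do not fit
    "external entity": "SR",
    "process":         "STRIDE",
    "data flow":       "TID",
    "data store":      "TRID",
}

def threats_for(kind):
    """STRIDE categories that apply to one element kind, as full names, in STRIDE order."""
    return [THREAT_NAMES[c] for c in PER_ELEMENT[kind]]

def enumerate_dfd(elements):
    """elements: list of (name, kind). Returns (element name, threat) pairs to triage."""
    return [(name, threat) for name, kind in elements for threat in threats_for(kind)]

SAMPLE_DFD = [                  # constructed three-tier diagram
    ("browser", "external entity"),
    ("browser -> web app", "data flow"),
    ("web app", "process"),
    ("web app -> orders db", "data flow"),
    ("orders db", "data store"),
]

def demo():
    return enumerate_dfd(SAMPLE_DFD)

if __name__ == "__main__":
    for name, threat in demo():
        print("%-22s %s" % (name, threat))
```

The output is a worklist, not a finding: each pair is a prompt ("how would the browser be spoofed to the web app?") that the tables earlier in this session help answer. Dropping or adding a letter in `PER_ELEMENT` is how a team records that, for its own system, the chart's defaults are wrong.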
Next up …
• Attack trees (chapter 4)
• Attack libraries (chapter 5)