security archeticture
ISOL 536 Security Architecture and Design
Threat Modeling Session 7a
“Defensive Tactics and Technologies”
Agenda
• For each STRIDE Threat:
– Defensive tactics and technologies
– Operations and development
• Reading: Chapter 8
STRIDE (Review) Threat Property
Violated Definition Example
Spoofing Authentication Impersonating something or someone
else.
Pretending to be any of Bill Gates, Paypal.com or
ntdll.dll
Tampering Integrity Modifying data or code Modifying a DLL on disk or DVD, or a packet as it traverses the network
Repudiation Non-repudiation Claiming to have not performed an action.
“I didn’t send that email,” “I didn’t modify that
file,” “I certainly didn’t visit that web site, dear!”
Information Disclosure
Confidentiality Exposing information
to someone not
authorized to see it
Allowing someone to read the Windows source
code; publishing a list of customers to a web
site.
Denial of Service Availability Deny or degrade service to users
Crashing Windows or a web site, sending a
packet and absorbing seconds of CPU time, or
routing packets into a black hole.
Elevation of Privilege Authorization Gain capabilities without proper
authorization
Allowing a remote Internet user to run
commands is the classic example, but going
from a limited user to admin is also EoP.
AUTHENTICATION: ADDRESSING SPOOFING
Understanding Authentication
• To prove or show (something, esp. a claim or an artistic work) to be true or genuine
• Applies to all sorts of things
– Programs or libraries on disk
– Remote machines
– People (a complex subject, covered later in the course)
Tactics for Authentication
• Local – Leverage the OS/program (database, web server, etc) – Defaults are not always secure
• Remote machines – Cryptographic methods (more reliable) – Consistency checking DNS, IP, route (less reliable)
• Hostname validation just isn’t enough
• Cryptographic key exchange – DNSSec, PKI, etc: All involve trust delegation – Manual: expensive, sometimes worthwhile for existing
business relationships
Developer Ways to Address Spoofing
• Leverage the OS
– Use full pathnames (what does open(“foo.txt”) find?)
– Make pathnames canonical
• Resolving links including ../ or symlinks
• Remove %20 or other encoding
– Check permissions
– Shared directories are usually troublesome
• Cryptographic identifiers & validation
Operational Ways to Address Spoofing
• Difficult to improve local (on-system) name resolution when the code is done
• Possible to use SSH or IPSec or other crypto tunneling to reduce spoofing issues over the network
Technologies for Addressing Spoofing
• Authenticating computers
– IPSec, DNSSec, SSH Host keys
– Kerberos
– Windows Domain authentication
– PKI with SSL/TLS
• Authenticating bits (files, messages, etc)
– Digital signatures
– Hashes (appropriately managed)
Technologies for Addressing Spoofing (2)
1. Something you know, like a password (Type I) 2. Something you have, like an access card (Type II) 3. Something you are (or are measured to be) (Type III)
– “Biometrics” – Fingerprints, vein patterns, photographs
4. Someone you know who can authenticate you • The first three are traditional, #4 is new • “Multi-factor authentication” usually means more than
one from the list – Some people call channels a factor – Many of them should threat model better
Understanding Integrity
• To interfere with (something) in order to cause damage or make unauthorized alterations
• Can apply to data wherever it is, including:
– Disk
– Network
– Memory
Tactics for Integrity
• System defenses – Permissions (operating system/program)
– Full paths
• Cryptographic defenses – Digital signatures
– Hashes/MACs
• Logging and audit – These do not prevent, but may deter
– Generally used as a fallback or defense in depth
Developer Ways to Address Integrity
• Use permissions as provided
• Cryptography is required over a network
• Implementing a permission system is hard
– Lots of mistakes have been made & documented
Operational Ways to Address Integrity
• Add additional protections – Tripwire-like systems on local machine
– Tunneling over network
• Tripwire: acting on alerts is key! – Don’t be these folks ->
• Good alert design is a pre-requisite – Too many alerts, people will be overwhelmed
– Too few, they’ll miss stuff
Technologies for Addressing Integrity
• Protect files with – Digital signatures – ACLs/permissions – Hashes – Windows Mandatory Integrity Control features – Unix immutability
• Protect network traffic with – SSL – SSH – IPSec – Digital signatures
Understanding Non-Repudiation
• Repudiation: To refuse to accept or be associated with; deny the truth or validity of some statement
• Non-repudiation are the tools & technologies to establish what happened — ideally to the satisfaction of everyone involved or impacted
• Bridges business & technical levels
• Repudiation can be a feature – “Off The Record”
Tactics for Non-Repudiation
• Fraud prevention
– Internal fraud such as embezzlement
– “Customer” fraud prevention
• Logs
– As much as you can, keep for as long as you can
• Cryptography
“Customer” Fraud Prevention
• Alice’s account is taken over & abused (or)
• Bob creates an account for fraud
• Must manage both
• Stable customers are good, predictable
• Technologies/services – Validation services
– Customer history sharing
– Multi-merchant data
– Purchase device tracking
Developer Ways to Address Repudiation
• Log business logic
– Eg “For this transaction, we saw that geolocate(ip) was ‘Seattle,’ which is typical for this account.”
• Cryptographic digital signatures
– Most useful today between business partners, not consumer-usable
Operational Ways to Address Repudiation
• Operations get stuck investigating
– Table-top exercises may expose issues that the logs don’t exist
• Scaling
– Logs may end up in diverse places
– Dedicated people
– Specialized tooling
Technologies for Addressing Repudiation
• Logs
– Logging
– Log analysis tools
– Secured log storage
• Digital signatures
• Secure time stamps
• Trusted third parties
Understanding Confidentiality
• To ensure that information is only disclosed to authorized parties
• Secrets in data – Yours: financial results, new product plans
– Entrusted to you: private data
– Complex rules: Who can see that Facebook post?
• Secrets also exist in metadata – “Layoff letter for Alice.docx”, “Janlayoff/alice.docx”
– Calls to an STD clinic (repeatedly?!)
Tactics for Confidentiality
• On a system
– ACLs/permissions
– Cryptography
• Between systems
– Cryptography
• To hide the existence of information
– Steganography
Developer Ways to Address Confidentiality
• Permissions/ACLs
• Cryptography
– Data (file on disk, email message)
– Container (volume encryption, email connections)
– Requires proper key management
• (Don’t write your own!)
– Remember: Encryption doesn’t provide authentication or integrity
Operational Ways to Address Confidentiality
• Add permissions/ACLs
• Volume encryption
– Protects if the machine is stolen and powered down
– Doesn’t protect against an attacker who breaks in
• Network encryption (SSH, SSL, IPSec)
Technologies for Confidentiality
• Protecting files – ACLs/Permissions – Encryption – Appropriate key management
• Protecting network data – Encryption – Appropriate key management
• Communication headers/act of communication – Mix networks – Onion routing – Steganography
Understanding Availability
• Being able to meet a defined or implied SLA
• Attacks can absorb any resource
– Disk, network, CPU
• Attacks can be transient or require intervention
– Network flooding stops when attacker does
– Fork bomb (eg: while(1) {fork();}) might need reboot
– Full disk might require human intervention
Tactics for Availability
• Have enough resources to serve requests
• Proof of work
– … “Proves Not to Work”
– Bitcoin uses high cost proofs
• Proof of communication
Developer Ways to Address Availability
• Avoid fixed-size buffers
– For example, 5 half-open TCP connections
• Consider
– Resources you consume per request
– How many requests you’ll serve
– Clever attacks that balloon resource use
– Recovery
Operational Ways to Address Availability
• Quotas
• Elastic cloud systems to add more resources
Technologies for Addressing DoS
• ACLs
• Filters
• Quotas (rate limits, thresholding, throttling)
• High availability design
• Extra bandwidth
• Cloud services
Understanding Authorization
• Elevation of Privilege is one class of authorization bypass
– The only one covered here
– Authorization systems are their own sub-field
Tactics for Authorization
• Limit the attack surface
– For example, small number of setuid programs
– Use sandboxes for network-exposed code
– Don’t run as root/admin
– Be aware that there’s often elevation paths for semi-privileged accounts
• Comprehensible, manageable permissions systems
Developer Ways to Address Authorization
• Limit the attack surface
• Carefully define purpose & validation rules for inbound data
• Define what you’ll accept, not what you reject
• Reject bad input, don’t try to sanitize
Operational Ways to Address Authorization
• Defense in depth
• Run each target as its own unique limited user
– Unix “nobody” account ended up quite privileged
• Sandboxes
Technologies for Addressing Authorization
• ACLs
• Groups or role membership
• Role based access controls
• Windows privileges (runas)/Unix sudo
• Chroot, apparmor, other unix sandboxes
• MOICE Windows sandbox
• Input validation for defined purposes
Recap
• STRIDE
– The threat
– Tactics for managing it
– Developer tactics
– Operational tactics
– Technologies for addressing
• Phew! That’s a lot to know!
– It will be on the final exam.