Assignment - Threat Modeling

ISOL536 Security Architecture

and Design Threat Modeling

Week 1

Agenda

• About this course • About threat modeling

About this course About this course

About threat modeling

Threat Modeling in Depth

• 8 weeks • 8 weeks of deep material • 8 Lectures • 5 Quizzes (Drop lowest grade) • 2 Exams (Mid-term and Final)

• Text: Threat Modeling: Designing for Security (Wiley, 2014)

Course Description

• This course discusses useful models used to address potential threats in software systems and how to apply such models in developing secure software and systems. Areas of study focus on threat modeling strategies, including finding threats, addressing threats, and threat modeling technologies.

Major Instructional Areas

• Understanding threat modeling • Strategies for finding threats • Techniques for managing threats • Validating threat handling activities • Understanding environment-specific threats

Course Objectives

• Explain threat modeling and its importance to secure architecture. • Explore strategies for threat modeling. • Understand how techniques, such as STRIDE, are useful in finding

threats. • Find threats using attack trees. • Identify threats with attack libraries. • Explore privacy tools. • Show how to process and manage threats. • Employ defensive tactics and technologies.

Course Objectives

• Consider key tradeoffs when addressing threats. • Validate that threats are addressed. • Survey common threat modeling tools. • Develop a repository of requirements. • Examine web and cloud threats. • Understand user accounts and identity. • Explore how human factors and usability affect threat

modeling.

SCANS Objectives

• SCANS is an acronym for Secretary’s Commission on Achieving Necessary Skills. The committee, appointed by the National Secretary of Labor in 1990, created a list of skills and competencies that continue to be a valuable resource for individuals developing their careers in a high- tech job market. For more information on the SCANS objectives, visit The U.S. Department of Labor Employment andTraining Administration: www.doleta.gov.

Required and Recommended Resources

• Required Resources • Shostack, Adam. Threat Modeling: Designing for Security,

Indianapolis, IN: Wiley, 2014

• Recommended Resources • Please use the following author’s names, book/article titles, Web

sites, and/or keywords to search for supplementary information to augment your learning in this subject.

• Tony UcedaVelez and Marco M. Morana. Rick CentricThreat Modeling: Process for Attack Simulation andThreat Analysis

Information Search

• Use the following keywords to search for additional online resources that may be used for supporting your work on the course assignments:

• Threat modeling, Security architecture, STRIDE, Countermeasure, Attack tree, Computer security, Information security, Threat, Vulnerability, Software security assurance

Tentative Course Outline

Tentative Course Outline

Tentative Course Outline

Tentative Course Outline

Evaluation Criteria

Grade Conversion

Class Participation

• Students are expected to: • Be fully prepared for each class session by studying the assigned

reading material and preparation of the material assigned.

• Participate in group discussions, assignments, and panel discussions.

• Complete specific assignments when due and in a professional manner.

• Take exams when specified on the attached course schedule.

Academic Integrity • At a Christian liberal arts University committed to the pursuit of truth and

understanding, any act of academic dishonesty is especially distressing and cannot be tolerated. In general, academic dishonesty involves the abuse and misuse of information or people to gain an undeserved academic advantage or evaluation.The common forms of academic dishonesty include:

• cheating - using deception in the taking of tests or the preparation of written work, using unauthorized materials, copying another person’s work with or without consent, or assisting another in such activities

• lying—falsifying, fabricating, or forging information in either written, spoken, or video presentations

• plagiarism—using the published writings, data, interpretations, or ideas of another without proper documentation

• Episodes of academic dishonesty are reported to theVice President for Academic Affairs. The potential penalty for academic dishonesty includes a failing grade on a particular assignment, a failing grade for the entire course, or charges against the student with the appropriate disciplinary body.

Students with Disabilities

• Students who may have a disability meriting an academic accommodation should contact Dr. Tom Fish in LIB 21 to ensure that their needs are properly evaluated and that documentation is on file. Any accommodations for disabilities must be re-certified each semester by the Academic Affairs Office before course adjustments are made by individual instructors.

Student Responsibilities

• Students are expected to login several times per week to participate in class discussions.

• Students are expected to find out if any changes have been made in the class or assignment schedule.

• Students are expected to be self-motivating in an online, asynchronous course.

Schedule & Grading

• Due date/time: Sunday 11:59 PM • NOTTHE FINAL EXAM

• Quizzes 10% • Mid-term exam 10% • Final exam 10% • Discussions 30% • Homework Assignments 40%

Administrative Notes

• Read the course syllabus • Check your email and course announcements • Be proactive • Check course announcements • Read the text (don’t just fake it) • Apply the material to what you already know

About threat modeling About this course

About threat modeling

Wouldn’t it be better to find security issues

before you write or deploy a line of code?

So how can you do that?

How DoYou Find Security Issues?

Ways to Find Security Issues

• Static analysis of code • Fuzzing or other dynamic testing • Pen test/red team • Wait for bug reports after release

Ways to Find Security Issues (2)

• Threat modeling! • Think about security issues early • Understand your requirements better • Don’t write bugs into the code • And the subject of this lesson

So…how do you threat model?

Definitions

• What is a threat? • How is it different from a

• vulnerability, • risk, • or just a problem?

• What is a model?

So…how do you threat model?

What are the problems associated with the

“Think like an Attacker” mentality?

Think Like an Attacker?

• Like thinking like a professional chef! • Even if you cook well, are you the chef at a popular restaurant?

• Thinking like an attacker – or focusing on them is risky • What do they know? What will they do? • If you get these wrong, your threat modeling will go astray

• So don’t start from attackers!

What are the problems associated with starting from

assets as an approach to threat

modeling?

What do you learn by making an asset list?

Focus on Assets?

• Assets: valuable things – the business cares! • But what’s an asset?

• Something an attacker wants? • Something you want to protect? • A stepping stone?

Engineering Real Technology

• Need an engineering approach • Predictable • Reliable • Scalable to a large product

• Can’t be dependent on one brilliant person

Focus on What You’re Building!

• Ideally, you understand it • Concrete and testable?

“HowToThreat Model”

How to Threat Model

• What are you building? • What can go wrong? • What are you going to do about it? • Check your work on 1-3 • The course will teach you practical skills for each of these

What Are You Building?

• Create a model of the software/system/technology • A model abstracts away the details so you can look at the

whole

• Diagraming is a key approach • Mathematical models of software are rare in commercial

environments

What Are You Building?

• Whiteboard diagrams are a great way to start • Software models for threat modeling usually focus on

data flows and boundaries

• DFDs, “swim lanes”, state machines can all help (next slides)

What Are Some Modeling Methods?

• Whiteboard diagrams • Brainstorming • Structured (“formal”) diagrams

• Data flow diagrams • Swim lanes • State machines

• Mathematical representations of code

Trust Boundaries

• Sometimes left implicit in development

• • Effective threat modeling requires making boundaries explicit

A trust boundary is everywhere two (or more) principals interact • Principals are UIDs (unix)/SIDs (Windows) etc. • Apps on mobile platforms • (Two or more)

• Need to be enforced in some way • Best to rely on the OS • Sometimes not possible (e.g., building a database)

Trust Boundaries

• All interesting boundaries are semi-permeable • Air gaps • Firewalls • Require policy mechanisms (which are hard)

• Formal methods help build boundaries • Isolation • Type safety • Policy languages • Reference monitors/kernels

DFD (Data Flow Diagram) • Developed in the early 70s, and still useful

• Simple: easy to learn, sketch • Threats often follow data

• Abstracts programs into: • Processes: your code • Data stores: files, databases, shared memory • Data flows: connect processes to other elements • External entities: everything but your code & data Includes people &

cloud software

• Trust boundaries (now made explicit)

Data Flow Diagram (Example)

Swim Lane Diagrams

• Show two or more entities communicating, each “in a lane”

• Useful for network communication • Lanes have implicit boundaries between

them

State Machines • Helpful for considering what changes security state

• For example, unauthenticated to authenticated • User to root/admin

• Rarely shows boundaries

How to Threat Model (Summary)

• What are you building? • What can go wrong? • What are you going to do about it? • Check your work on 1-3

What Can Go Wrong?

• Fun to brainstorm • Mnemonics, trees, or libraries of threats can all help

structure thinking

• Structure helps get you towards completeness and predictability

What Can Go Wrong?

• STRIDE is a mnemonic • Spoofing • Tampering • Repudiation • Information Disclosure • Denial of Service • Elevation of Privilege

• Easy, right?

Spoofing

By Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532

Spoofing

Tampering

http://pinlac.om/LegoDSTractorBeam.html

Tampering

Repudiation

By Seb H http://www.flickr.com/photos/88048956@N04/8531040850/

Repudiation

Information DisclosureInformation Disclosure

Denial of Service

Model by Nathan Sawaya http://brickartist.com/gallery/han-solo-in-carbonite/

Denial of Service

Elevation of Privilege

http://www.flickr.com/photos/prodif sion/

Elevation of Privilege

STRIDE

Threat Property Violated

Definition Example

Spoofing Authentication Impersonating something or someone else.

Pretending to be any of Bill Gates, Paypal.com or ntdll.dll

Tampering Integrity Modifying data or code Modifying a DLL on disk or DVD, or a packet as it traverses the network

Repudiation Non-repudiation Claiming to have not performed an action.

“I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”

Information Disclosure

Confidentiality Exposing information to someone not authorized to see it

Allowing someone to read the Windows source code; publishing a list of customers to a web site.

Denial of Service Availability Deny or degrade service to users

Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.

Elevation of Privilege Authorization Gain capabilities without proper authorization

Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

Using STRIDE

• Consider how each STRIDE threat could impact each part of the model • “How could a clever attacker spoof this part of the

system?...tamper with?… etc.”

• Easier with aids • Elevation of Privilege game • Attack trees (see Threat Modeling: Designing for Security, Appendix B) • Experience

What Can Go Wrong?

• Track issues as you find them • “attacker could pretend to be a client & connect”

• Track assumptions • “I think that connection is always over SSL”

• Both lists are inputs to “what are you going to do about it?”

Recap

• What are you building? • Diagrams of various sorts • Trust boundaries

• What can go wrong? • STRIDE

What’s next?

• For next week • Read chapters 3, 4, and 5