eop_card game images

7/29/2019 EoP_Card Game Images

1/95

Instruction

Elevation of Privilege InstructionsDraw a diagram of the system you want to threat model

before you deal the cards.

Deal the deck to 3-6 players. Play starts with the 3 of

Tampering. Play clockwise, and each player in turn follows

in the suit if they have a card in the suit. If they dont

have that suit, they can play another suit. The high card

played takes the trick, with Elevation of Privilege taking

precedence over the suit lead. Only Elevation of Privilege

(EoP) or the lead suit can take a trick.

To play a card, read the card, announce your threat and

record it. If the player cant link the threat to the system,

play proceeds.

Take few minutes between hands to think about threats.

Points:

1 for a threat on your card, +1 for taking the trick

Instructions 1


2/95

Instruction

Threats should be articulated clearly, testable, and

addressable. In the event that a threat leads to an

argument, the threat should resolve by asking the

question: Would we take an actionable bug, feature

request or design change for that? If the answer is yes,

it is a real threat. (This doesnt mean that threats outside

of that arent real, its simply a way to focus discussion onactionable threats.) Questions that start with Theres a

way should be read as Theres a wayand heres how

while questions that start with Your code should be read

The code were collectively creatingand heres how.

The deck contains a number of special cards: trumps andopen threats. EoP cards are trumps. They take the trick

even if they are lower value than the suit that was led. The

ace of each suit is an open threat card. When played, the

player must identify a threat not listed on another card.

When all the cards have been played, whoever has themost points wins.

Remember to have fun!

Elevation of Privilege Instructions


3/95

Instruction

Elevation of Privilege Variants

Instructions 2

Optional/variants:

You may pass cards after the third trick. This ishelpful if you have cards that you cant tie to

the system. Someone else may be able to.

Double the number of points, and give

one point for threats on other peoples cards.

Other players may riff on the threat and if they

do, they get one point per additional threat. Limit riffing to no more than 60 seconds.

Mark up the diagram with where the threat occurs.

Questions are listed on the threat cards to help

with the Aces.

Thanks to Laurie Williams for inspiration.


4/95

Instruction

2009 Microsoft Corporation. This work is licensed under the

Creative Commons Attribution 3.0 United States License. To view

the full content of this license, visit http://creativecommons.org/

licenses/by/3.0/us/or send a letter to Creative Commons, 171Second Street, Suite 300, San Francisco, California, 94105, USA.


5/95


6/95

Strategy

You need toselect a card

You have acard in the suit

that was

lead?

Do youhave any EoP

Cards?

Card with athread you can

apply?

no

Do youhave the high

card?

Play a low card,see if anyone else

has a threat

Play it so you cantake lead next hand

Play the threat thatyou can apply

yes

Must play in suit:all other arrows are advice

Choice: Play EoP or another card. For example, someone elsemay have played the Jack of EoP, and you only have a 9.

yes

yes

no

Play a low card ina suit where you

have few cards

ust p ay n su t:a ot er arrows are a v ce

no


7/95

elevation of privilege


8/95

SpoongAn attacker could squat on therandom port or socket that the

server normally uses

2


9/95

SpoongAn attacker could try onecredential after another and

theres nothing to slow themdown (online or ofine)

3


10/95

SpoongAn attacker can anonymouslyconnect, because we expect

authentication to be done ata higher level

4


11/95

SpoongAn attacker can confuse a clientbecause there are too many

ways to identify a server

5


12/95

SpoongAn attacker can spoof a serverbecause identiers arent stored

on the client and checked forconsistency on re-connection(that is, theres no keypersistence)

6


13/95

SpoongAn attacker can connectto a server or peer over a

link that isnt authenticated(and encrypted)

7


14/95

SpoongAn attacker could stealcredentials stored on the

server and reuse them(for example, a key is storedin a world readable le)

8


15/95

SpoongAn attacker who gets apassword can reuse it

(Use stronger authenticators)

9


16/95

SpoongAn attacker can choose to useweaker or no authentication

10


17/95

SpoongAn attacker could stealcredentials stored on the

client and reuse them

J


18/95

SpoongAn attacker could go after theway credentials are updated

or recovered (account recoverydoesnt require disclosing theold password)

Q


19/95

SpoongYour system ships with a defaultadmin password, and doesnt

force a change

K


20/95

SpoongYouve invented a newSpoong attack

A


21/95

TamperingAn attacker can take advantageof your custom key exchange or

integrity control which you builtinstead of using standard crypto

3


22/95

TamperingYour code makes accesscontrol decisions all over

the place, rather than witha security kernel

4


23/95

TamperingAn attacker can replay datawithout detection because your

code doesnt provide timestampsor sequence numbers

5


24/95

TamperingAn attacker can write to a datastore your code relies on

6


25/95

TamperingAn attacker can bypasspermissions because you

dont make names canonicalbefore checking accesspermissions

7


26/95

TamperingAn attacker can manipulatedata because theres no

integrity protection fordata on the network

8


27/95

TamperingAn attacker can provide orcontrol state information

9


28/95

Tampering10 An attacker can alterinformation in a data store

because it has weak ACLs orincludes a group which isequivalent to everyone(all Live ID holders)


29/95

TamperingAn attacker can write to someresource because permissions

are granted to the world orthere are no ACLs

J


30/95

TamperingAn attacker can changeparameters over a trust boundary

and after validation (for example,important parameters in ahidden eld in HTML, or passinga pointer to critical memory)

Q


31/95

01

00100101

0010

TamperingAn attacker can load codeinside your process via an

extension point

K


32/95

TamperingYouve invented a newTampering attack

A


33/95

RepudiationAn attacker can pass datathrough the log to attack a

log reader, and theres nodocumentation of what sortsof validation are done

2


34/95

RepudiationA low privilege attacker canread interesting security

information in the logs

3


35/95

RepudiationAn attacker can alter digitalsignatures because the digital

signature system youreimplementing is weak, oruses MACs where it shoulduse a signature

4


36/95

RepudiationAn attacker can alter logmessages on a network

because they lack strongintegrity controls

5


37/95

RepudiationAn attacker can create a logentry without a timestamp

(or no log entry is timestamped)

6


38/95

RepudiationAn attacker can make the logswrap around and lose data

7


39/95

RepudiationAn attacker can make alog lose or confuse

security information

8


40/95

RepudiationAn attacker can use a sharedkey to authenticate as different

principals, confusing theinformation in the logs

9


41/95

RepudiationAn attacker can getarbitrary data into logs from

unauthenticated (or weaklyauthenticated) outsiderswithout validation

10


42/95

RepudiationAn attacker can edit logs andtheres no way to tell (perhaps

because theres no heartbeatoption for the logging system)

J


43/95

RepudiationAn attacker can say I didntdo that, and youd have no

way to prove them wrong

Q


44/95

logs = 0

RepudiationThe system has no logsK


45/95

RepudiationYouve invented a newRepudiation attack

A


46/95

InformationDisclosureAn attacker can brute-forcele encryption because theres

no defense in place (exampledefense: password stretching)

2


47/95

InformationDisclosureAn attacker can see errormessages with security

sensitive content

3


48/95

InformationDisclosureAn attacker can read contentbecause messages (say, an

email or HTTP cookie) arentencrypted even if the channelis encrypted

4


49/95

InformationDisclosureAn attacker may be able to reada document or data because

its encrypted with anon-standard algorithm

5


50/95

InformationDisclosureAn attacker can read databecause its hidden or occluded

(for undo or change tracking)and the user might forgetthat its there

6


51/95

InformationDisclosureAn attacker can act as a manin the middle because you

dont authenticate endpointsof a network connection

7


52/95

InformationDisclosureAn attacker can accessinformation through a

search indexer, logger,or other such mechanism

8


53/95

InformationDisclosureAn attacker can read sensitiveinformation in a le with

bad ACLs

9


54/95

InformationDisclosureAn attacker can read informationin les with no ACLs

10


55/95

Found it!

InformationDisclosureAn attacker can discover thexed key being used to encrypt

J


56/95

Dont tell anyone, but...

InformationDisclosureAn attacker can read theentire channel because the

channel (say, HTTP or SMTP)isnt encrypted

Q


57/95

What!*#@!No cryptography was used?

InformationDisclosureAn attacker can read networkinformation because theres

no cryptography used

K


58/95

InformationDisclosureYouve invented a newInformation Disclosure attack

A


59/95

Denial ofServiceAn attacker can make yourauthentication system unusable

or unavailable

2


60/95

Denial ofServiceAn attacker can make a clientunavailable or unusable but

the problem goes away whenthe attacker stops

3


61/95

Denial ofServiceAn attacker can make a serverunavailable or unusable but

the problem goes away whenthe attacker stops

4


62/95

Denial ofServiceAn attacker can make a clientunavailable or unusable

without ever authenticatingbut the problem goes awaywhen the attacker stops

5


63/95

Denial ofServiceAn attacker can make a serverunavailable or unusable

without ever authenticatingbut the problem goes awaywhen the attacker stops

6


64/95

Denial ofServiceAn attacker can make a clientunavailable or unusable and

the problem persists afterthe attacker goes away

7


65/95

Denial ofServiceAn attacker can make a serverunavailable or unusable and

the problem persists afterthe attacker goes away

8


66/95

Denial ofServiceAn attacker can make a clientunavailable or unusable

without ever authenticatingand the problem persists afterthe attacker goes away

9


67/95

Denial ofServiceAn attacker can make a serverunavailable or unusable without

ever authenticating and theproblem persists after theattacker goes away

10


68/95

Denial ofServiceAn attacker can cause thelogging subsystem to

stop working

J


69/95

Denial ofServiceAn attacker can amplify a Denialof Service attack through this

component with amplicationon the order of 10:1

Q


70/95

Denial ofServiceAn attacker can amplify a Denialof Service attack through this

component with amplicationon the order of 100:1

K


71/95

Denial ofServiceYouve invented a newDenial of Service attack

A


72/95

Elevationof PrivilegeAn attacker can forcedata through different

validation paths whichgive different results

5


73/95

Elevationof PrivilegeAn attacker could takeadvantage of .NET permissions

you ask for, but dont use

6


74/95

Elevationof PrivilegeAn attacker can provide apointer across a trust boundary,

rather than data which canbe validated

7


75/95

Elevationof PrivilegeAn attacker can enter data thatis checked while still under their

control and used later on theother side of a trust boundary

8


76/95

Elevationof PrivilegeTheres no reasonable wayfor a caller to gure out what

validation of tainted data youperform before passing itto them

9


77/95

Elevationof PrivilegeTheres no reasonable way for acaller to gure out what security

assumptions you make

10


78/95

Elevationof PrivilegeAn attacker can reect input backto a user, like cross site scripting

J


79/95

Elevationof PrivilegeYou include user-generatedcontent within your page,

possibly including the content ofrandom URLs

Q


80/95

Elevationof PrivilegeAn attacker can inject acommand that the system will

run at a higher privilege level

K


81/95

Elevationof PrivilegeYouve invented a newElevation of Privilege attack

A


82/95

Spoofng2. An attacker could squat on the random port or socket

that the server normally uses

3. An attacker could try one credential after anotherand theres nothing to slow them down (online or ofine)

4. An attacker can anonymously connect because weexpect authentication to be done at a higher level

5. An attacker can confuse a client because there aretoo many ways to identify a server

6. An attacker can spoof a server because identiersarent stored on the client and checked for consistency onre-connection (that is, theres no key persistence)

7. An attacker can connect to a server or peer over a linkthat isnt authenticated (and encrypted)

8. An attacker could steal credentials stored on theserver and reuse them (for example, a key is stored in aworld readable le)

9. An attacker who gets a password can reuse it (Use

stronger authenticators)

10. An attacker can choose to use weaker or noauthentication

continued on back

Spoofn


83/95

J. An attacker could steal credentials stored on the client

and reuse them

Q. An attacker could go after the way credentials areupdated or recovered (account recovery doesnt requiredisclosing the old password)

K. Your system ships with a default admin password,and doesnt force a change

A. Youve invented a new Spoong attack

Spoofng cont.

Spoofn


84/95

Tamperin

Tampering3. An attacker can take advantage of your custom key

exchange or integrity control which you built insteadof using standard crypto

4. Your code makes access control decisions all over theplace, rather than with a security kernel

5. An attacker can replay data without detectionbecause your code doesnt provide timestamps orsequence numbers

6. An attacker can write to a data store your coderelies on

7. An attacker can bypass permissions because youdont make names canonical before checking access

permissions

8. An attacker can manipulate data because theresno integrity protection for data on the network

9. An attacker can provide or control state information

10. An attacker can alter information in a data store

because it has weak ACLs or includes a group which isequivalent to everyone (all LIve ID holders)

J. An attacker can write to some resource becausepermissions are granted to the world or there are no ACLs

continued on back


85/95

Tampering cont.Q. An attacker can change parameters over a trust

boundary and after validation (for example, importantparameters in a hidden feld in HTML, or passing apointer to critical memory)

K. An attacker can load code inside your process via anextension point

A. Youve invented a new Tampering attack

Tamperin


86/95

Repudiation

Repudiatio

2. An attacker can pass data through the log to attack a

log reader, and theres no documentation of what sortsof validation are done

3. A low privilege attacker can read interesting securityinformation in the logs

4. An attacker can alter digital signatures because thedigital signature system youre implementing is weak, or

uses MACs where it should use a signature

5. An attacker can alter log messages on a networkbecause they lack strong integrity controls

6. An attacker can create a log entry without a time-stamp (or no log entry is timestamped)

7. An attacker can make the logs wrap around and losedata

8. An attacker can make a log lose or confusesecurity information

9. An attacker can use a shared key to authenticate as

different principals, confusing the information in the logs

10. An attacker can get arbitrary data into logs fromunauthenticated (or weakly authenticated) outsiderswithout validation

continued on back


87/95

Repudiation cont.

Repudiatio

10. An attacker can get arbitrary data into logs from

unauthenticated (or weakly authenticated) outsiderswithout validation

J. An attacker can edit logs and theres no way to tell(perhaps because theres no heartbeat option for thelogging system)

Q. An attacker can say I didnt do that, and youd have

no way to prove them wrong

K. The system has no logs

A. Youve invented a new Repudiation attack


88/95

Information Disclosure2. Anattackercanbrute-forceleencryptionbecause

theresnodefenseinplace(exampledefense:passwordstretching)

3. Anattackercanseeerrormessageswithsecurity-sensitivecontent

4. Anattackercanreadcontentbecausemessages(say,anemailorHTTPcookie)arentencryptedevenifthechannelisencrypted

5. Anattackermaybeabletoreadadocumentordatabecauseitsencryptedwithanon-standardalgorithm

6. Anattackercanreaddatabecauseitshiddenoroccluded(forundoorchangetracking)andtheusermight

forgetthatitsthere

7. Anattackercanactasamaninthemiddlebecauseyoudontauthenticateendpointsofanetworkconnection

8. Anattackercanaccessinformationthroughasearchindexer,logger,orothersuchmechanism

9. AnattackercanreadsensitiveinformationinalewithbadACLs

10.AnattackercanreadinformationinleswithnoACLs

continuedonback

Information Disclosur


89/95

J. Anattackercandiscoverthexedkeybeingused

toencrypt

Q. Anattackercanreadtheentirechannelbecausethechannel(say,HTTPorSMTP)isntencrypted

K. Anattackercanreadnetworkinformationbecausetheresnocryptographyused

A. YouveinventedanewInformationDisclosureattack

Information Disclosure cont.

Information Disclosur


90/95

Denial of Servic

Denial of Service2. An attacker can make your authentication system

unusable or unavailable

3. An attacker can make a client unavailable or unusablebut the problem goes away when the attacker stops(client, authenticated, temporary)

4. An attacker can make a server unavailable or unusablebut the problem goes away when the attacker stops(server, authenticated, temporary)

5. An attacker can make a client unavailable or unusablewithout ever authenticating but the problem goes awaywhen the attacker stops (client, anonymous, temporary)

6. An attacker can make a server unavailable or unusable

without ever authenticating but the problem goes awaywhen the attacker stops (server, anonymous, temporary)

7. An attacker can make a client unavailable or unusableand the problem persists after the attacker goes away(client, authenticated, persistent)

8. An attacker can make a server unavailable or unusableand the problem persists after the attacker goes away(server, authenticated, persistent)

9. An attacker can make a client unavailable or unusablewithout ever authenticating and the problem persists afterthe attacker goes away (client, anonymous, persistent)

continued on back


91/95

Denial of Service cont.10. An attacker can make a server unavailable or

unusable without ever authenticating and theproblem persists after the attacker goes away (server,anonymous, persistent)

J. An attacker can cause the logging subsystem to stopworking

Q. An attacker can amplify a Denial of Service attack

through this component with amplifcation on the orderof 10:1

K. An attacker can amplify a Denial of Service attackthrough this component with amplifcation on the orderof 100:1

A. Youve invented a new Denial of Service attack

Denial of Servic


92/95

Elevation of Privilege (EoP)5. An attacker can force data through different

validation paths which give different results

6. An attacker could take advantage of .NET permissionsyou ask for, but dont use

7. An attacker can provide a pointer across a trustboundary, rather than data which can be validated

8. An attacker can enter data that is checked while stillunder their control and used later on the other side of atrust boundary

9. Theresnoreasonablewayforacallertogureoutwhat validation of tainted data you perform beforepassing it to them

10.Theresnoreasonablewayforacallertogureout what security assumptions you make

J. Anattackercanreectinputbacktoauser,likecross site scripting

Q. You include user-generated content within your page,

possibly including the content of random URLs

K. An attacker can inject a command that the system willrun at a higher privilege level

A. Youve invented a new Elevation of Privilege attack

Elevation of Privileg


93/95

Elevation of Privileg


94/95

Abou

Threat ModelingAboutElevation of Privilege is designed to be the easiest way to

start looking at your design from a security perspective.

Its one way to threat model, intended to be picked up

and used by any development group. Because it uses the

STRIDE threats, it gives you a framework for thinking, and

specic actionable examples of those threats.

STRIDE stands for:

Spoong Impersonating something or someone else.

Tampering Modifying data or code

Repudiation Claiming to have not performed an action

Information Disclosure Exposing information to

someone not authorized to see it

Denial of Service Deny or degrade service to usersElevation of Privilege Gain capabilities without proper

authorization

At www.microsoft.com/security/sdl/eop we have resources

for you including videos, score sheets and tips and tricks

for playing.


95/95

SDLElevation of Privilege is a fun and easy way to get started

understanding the security of your systems by threat

modeling. As you discover and correct design-level security

problems, its worth thinking about the other ways

security issues can creep into your code. Microsoft has a

large collection of free resources available to help you get

started with the Security Development Lifecycle (SDL).

To learn more about threat modeling and the Microsoft

Security Development Lifecycle, visit our website at

microsoft.com/sdl/

eop_card game images

Documents