eop_card game images
TRANSCRIPT
-
7/29/2019 EoP_Card Game Images
1/95
Instruction
Elevation of Privilege InstructionsDraw a diagram of the system you want to threat model
before you deal the cards.
Deal the deck to 3-6 players. Play starts with the 3 of
Tampering. Play clockwise, and each player in turn follows
in the suit if they have a card in the suit. If they dont
have that suit, they can play another suit. The high card
played takes the trick, with Elevation of Privilege taking
precedence over the suit lead. Only Elevation of Privilege
(EoP) or the lead suit can take a trick.
To play a card, read the card, announce your threat and
record it. If the player cant link the threat to the system,
play proceeds.
Take few minutes between hands to think about threats.
Points:
1 for a threat on your card, +1 for taking the trick
Instructions 1
-
7/29/2019 EoP_Card Game Images
2/95
Instruction
Threats should be articulated clearly, testable, and
addressable. In the event that a threat leads to an
argument, the threat should resolve by asking the
question: Would we take an actionable bug, feature
request or design change for that? If the answer is yes,
it is a real threat. (This doesnt mean that threats outside
of that arent real, its simply a way to focus discussion onactionable threats.) Questions that start with Theres a
way should be read as Theres a wayand heres how
while questions that start with Your code should be read
The code were collectively creatingand heres how.
The deck contains a number of special cards: trumps andopen threats. EoP cards are trumps. They take the trick
even if they are lower value than the suit that was led. The
ace of each suit is an open threat card. When played, the
player must identify a threat not listed on another card.
When all the cards have been played, whoever has themost points wins.
Remember to have fun!
Elevation of Privilege Instructions
-
7/29/2019 EoP_Card Game Images
3/95
Instruction
Elevation of Privilege Variants
Instructions 2
Optional/variants:
You may pass cards after the third trick. This ishelpful if you have cards that you cant tie to
the system. Someone else may be able to.
Double the number of points, and give
one point for threats on other peoples cards.
Other players may riff on the threat and if they
do, they get one point per additional threat. Limit riffing to no more than 60 seconds.
Mark up the diagram with where the threat occurs.
Questions are listed on the threat cards to help
with the Aces.
Thanks to Laurie Williams for inspiration.
-
7/29/2019 EoP_Card Game Images
4/95
Instruction
2009 Microsoft Corporation. This work is licensed under the
Creative Commons Attribution 3.0 United States License. To view
the full content of this license, visit http://creativecommons.org/
licenses/by/3.0/us/or send a letter to Creative Commons, 171Second Street, Suite 300, San Francisco, California, 94105, USA.
-
7/29/2019 EoP_Card Game Images
5/95
-
7/29/2019 EoP_Card Game Images
6/95
Strategy
You need toselect a card
You have acard in the suit
that was
lead?
Do youhave any EoP
Cards?
Card with athread you can
apply?
no
Do youhave the high
card?
Play a low card,see if anyone else
has a threat
Play it so you cantake lead next hand
Play the threat thatyou can apply
yes
Must play in suit:all other arrows are advice
Choice: Play EoP or another card. For example, someone elsemay have played the Jack of EoP, and you only have a 9.
yes
yes
no
Play a low card ina suit where you
have few cards
ust p ay n su t:a ot er arrows are a v ce
no
-
7/29/2019 EoP_Card Game Images
7/95
elevation of privilege
-
7/29/2019 EoP_Card Game Images
8/95
SpoongAn attacker could squat on therandom port or socket that the
server normally uses
2
-
7/29/2019 EoP_Card Game Images
9/95
SpoongAn attacker could try onecredential after another and
theres nothing to slow themdown (online or ofine)
3
-
7/29/2019 EoP_Card Game Images
10/95
SpoongAn attacker can anonymouslyconnect, because we expect
authentication to be done ata higher level
4
-
7/29/2019 EoP_Card Game Images
11/95
SpoongAn attacker can confuse a clientbecause there are too many
ways to identify a server
5
-
7/29/2019 EoP_Card Game Images
12/95
SpoongAn attacker can spoof a serverbecause identiers arent stored
on the client and checked forconsistency on re-connection(that is, theres no keypersistence)
6
-
7/29/2019 EoP_Card Game Images
13/95
SpoongAn attacker can connectto a server or peer over a
link that isnt authenticated(and encrypted)
7
-
7/29/2019 EoP_Card Game Images
14/95
SpoongAn attacker could stealcredentials stored on the
server and reuse them(for example, a key is storedin a world readable le)
8
-
7/29/2019 EoP_Card Game Images
15/95
SpoongAn attacker who gets apassword can reuse it
(Use stronger authenticators)
9
-
7/29/2019 EoP_Card Game Images
16/95
SpoongAn attacker can choose to useweaker or no authentication
10
-
7/29/2019 EoP_Card Game Images
17/95
SpoongAn attacker could stealcredentials stored on the
client and reuse them
J
-
7/29/2019 EoP_Card Game Images
18/95
SpoongAn attacker could go after theway credentials are updated
or recovered (account recoverydoesnt require disclosing theold password)
Q
-
7/29/2019 EoP_Card Game Images
19/95
SpoongYour system ships with a defaultadmin password, and doesnt
force a change
K
-
7/29/2019 EoP_Card Game Images
20/95
SpoongYouve invented a newSpoong attack
A
-
7/29/2019 EoP_Card Game Images
21/95
TamperingAn attacker can take advantageof your custom key exchange or
integrity control which you builtinstead of using standard crypto
3
-
7/29/2019 EoP_Card Game Images
22/95
TamperingYour code makes accesscontrol decisions all over
the place, rather than witha security kernel
4
-
7/29/2019 EoP_Card Game Images
23/95
TamperingAn attacker can replay datawithout detection because your
code doesnt provide timestampsor sequence numbers
5
-
7/29/2019 EoP_Card Game Images
24/95
TamperingAn attacker can write to a datastore your code relies on
6
-
7/29/2019 EoP_Card Game Images
25/95
TamperingAn attacker can bypasspermissions because you
dont make names canonicalbefore checking accesspermissions
7
-
7/29/2019 EoP_Card Game Images
26/95
TamperingAn attacker can manipulatedata because theres no
integrity protection fordata on the network
8
-
7/29/2019 EoP_Card Game Images
27/95
TamperingAn attacker can provide orcontrol state information
9
-
7/29/2019 EoP_Card Game Images
28/95
Tampering10 An attacker can alterinformation in a data store
because it has weak ACLs orincludes a group which isequivalent to everyone(all Live ID holders)
-
7/29/2019 EoP_Card Game Images
29/95
TamperingAn attacker can write to someresource because permissions
are granted to the world orthere are no ACLs
J
-
7/29/2019 EoP_Card Game Images
30/95
TamperingAn attacker can changeparameters over a trust boundary
and after validation (for example,important parameters in ahidden eld in HTML, or passinga pointer to critical memory)
Q
-
7/29/2019 EoP_Card Game Images
31/95
01
00100101
0010
TamperingAn attacker can load codeinside your process via an
extension point
K
-
7/29/2019 EoP_Card Game Images
32/95
TamperingYouve invented a newTampering attack
A
-
7/29/2019 EoP_Card Game Images
33/95
RepudiationAn attacker can pass datathrough the log to attack a
log reader, and theres nodocumentation of what sortsof validation are done
2
-
7/29/2019 EoP_Card Game Images
34/95
RepudiationA low privilege attacker canread interesting security
information in the logs
3
-
7/29/2019 EoP_Card Game Images
35/95
RepudiationAn attacker can alter digitalsignatures because the digital
signature system youreimplementing is weak, oruses MACs where it shoulduse a signature
4
-
7/29/2019 EoP_Card Game Images
36/95
RepudiationAn attacker can alter logmessages on a network
because they lack strongintegrity controls
5
-
7/29/2019 EoP_Card Game Images
37/95
RepudiationAn attacker can create a logentry without a timestamp
(or no log entry is timestamped)
6
-
7/29/2019 EoP_Card Game Images
38/95
RepudiationAn attacker can make the logswrap around and lose data
7
-
7/29/2019 EoP_Card Game Images
39/95
RepudiationAn attacker can make alog lose or confuse
security information
8
-
7/29/2019 EoP_Card Game Images
40/95
RepudiationAn attacker can use a sharedkey to authenticate as different
principals, confusing theinformation in the logs
9
-
7/29/2019 EoP_Card Game Images
41/95
RepudiationAn attacker can getarbitrary data into logs from
unauthenticated (or weaklyauthenticated) outsiderswithout validation
10
-
7/29/2019 EoP_Card Game Images
42/95
RepudiationAn attacker can edit logs andtheres no way to tell (perhaps
because theres no heartbeatoption for the logging system)
J
-
7/29/2019 EoP_Card Game Images
43/95
RepudiationAn attacker can say I didntdo that, and youd have no
way to prove them wrong
Q
-
7/29/2019 EoP_Card Game Images
44/95
logs = 0
RepudiationThe system has no logsK
-
7/29/2019 EoP_Card Game Images
45/95
RepudiationYouve invented a newRepudiation attack
A
-
7/29/2019 EoP_Card Game Images
46/95
InformationDisclosureAn attacker can brute-forcele encryption because theres
no defense in place (exampledefense: password stretching)
2
-
7/29/2019 EoP_Card Game Images
47/95
InformationDisclosureAn attacker can see errormessages with security
sensitive content
3
-
7/29/2019 EoP_Card Game Images
48/95
InformationDisclosureAn attacker can read contentbecause messages (say, an
email or HTTP cookie) arentencrypted even if the channelis encrypted
4
-
7/29/2019 EoP_Card Game Images
49/95
InformationDisclosureAn attacker may be able to reada document or data because
its encrypted with anon-standard algorithm
5
-
7/29/2019 EoP_Card Game Images
50/95
InformationDisclosureAn attacker can read databecause its hidden or occluded
(for undo or change tracking)and the user might forgetthat its there
6
-
7/29/2019 EoP_Card Game Images
51/95
InformationDisclosureAn attacker can act as a manin the middle because you
dont authenticate endpointsof a network connection
7
-
7/29/2019 EoP_Card Game Images
52/95
InformationDisclosureAn attacker can accessinformation through a
search indexer, logger,or other such mechanism
8
-
7/29/2019 EoP_Card Game Images
53/95
InformationDisclosureAn attacker can read sensitiveinformation in a le with
bad ACLs
9
-
7/29/2019 EoP_Card Game Images
54/95
InformationDisclosureAn attacker can read informationin les with no ACLs
10
-
7/29/2019 EoP_Card Game Images
55/95
Found it!
InformationDisclosureAn attacker can discover thexed key being used to encrypt
J
-
7/29/2019 EoP_Card Game Images
56/95
Dont tell anyone, but...
InformationDisclosureAn attacker can read theentire channel because the
channel (say, HTTP or SMTP)isnt encrypted
Q
-
7/29/2019 EoP_Card Game Images
57/95
What!*#@!No cryptography was used?
InformationDisclosureAn attacker can read networkinformation because theres
no cryptography used
K
-
7/29/2019 EoP_Card Game Images
58/95
InformationDisclosureYouve invented a newInformation Disclosure attack
A
-
7/29/2019 EoP_Card Game Images
59/95
Denial ofServiceAn attacker can make yourauthentication system unusable
or unavailable
2
-
7/29/2019 EoP_Card Game Images
60/95
Denial ofServiceAn attacker can make a clientunavailable or unusable but
the problem goes away whenthe attacker stops
3
-
7/29/2019 EoP_Card Game Images
61/95
Denial ofServiceAn attacker can make a serverunavailable or unusable but
the problem goes away whenthe attacker stops
4
-
7/29/2019 EoP_Card Game Images
62/95
Denial ofServiceAn attacker can make a clientunavailable or unusable
without ever authenticatingbut the problem goes awaywhen the attacker stops
5
-
7/29/2019 EoP_Card Game Images
63/95
Denial ofServiceAn attacker can make a serverunavailable or unusable
without ever authenticatingbut the problem goes awaywhen the attacker stops
6
-
7/29/2019 EoP_Card Game Images
64/95
Denial ofServiceAn attacker can make a clientunavailable or unusable and
the problem persists afterthe attacker goes away
7
-
7/29/2019 EoP_Card Game Images
65/95
Denial ofServiceAn attacker can make a serverunavailable or unusable and
the problem persists afterthe attacker goes away
8
-
7/29/2019 EoP_Card Game Images
66/95
Denial ofServiceAn attacker can make a clientunavailable or unusable
without ever authenticatingand the problem persists afterthe attacker goes away
9
-
7/29/2019 EoP_Card Game Images
67/95
Denial ofServiceAn attacker can make a serverunavailable or unusable without
ever authenticating and theproblem persists after theattacker goes away
10
-
7/29/2019 EoP_Card Game Images
68/95
Denial ofServiceAn attacker can cause thelogging subsystem to
stop working
J
-
7/29/2019 EoP_Card Game Images
69/95
Denial ofServiceAn attacker can amplify a Denialof Service attack through this
component with amplicationon the order of 10:1
Q
-
7/29/2019 EoP_Card Game Images
70/95
Denial ofServiceAn attacker can amplify a Denialof Service attack through this
component with amplicationon the order of 100:1
K
-
7/29/2019 EoP_Card Game Images
71/95
Denial ofServiceYouve invented a newDenial of Service attack
A
-
7/29/2019 EoP_Card Game Images
72/95
Elevationof PrivilegeAn attacker can forcedata through different
validation paths whichgive different results
5
-
7/29/2019 EoP_Card Game Images
73/95
Elevationof PrivilegeAn attacker could takeadvantage of .NET permissions
you ask for, but dont use
6
-
7/29/2019 EoP_Card Game Images
74/95
Elevationof PrivilegeAn attacker can provide apointer across a trust boundary,
rather than data which canbe validated
7
-
7/29/2019 EoP_Card Game Images
75/95
Elevationof PrivilegeAn attacker can enter data thatis checked while still under their
control and used later on theother side of a trust boundary
8
-
7/29/2019 EoP_Card Game Images
76/95
Elevationof PrivilegeTheres no reasonable wayfor a caller to gure out what
validation of tainted data youperform before passing itto them
9
-
7/29/2019 EoP_Card Game Images
77/95
Elevationof PrivilegeTheres no reasonable way for acaller to gure out what security
assumptions you make
10
-
7/29/2019 EoP_Card Game Images
78/95
Elevationof PrivilegeAn attacker can reect input backto a user, like cross site scripting
J
-
7/29/2019 EoP_Card Game Images
79/95
Elevationof PrivilegeYou include user-generatedcontent within your page,
possibly including the content ofrandom URLs
Q
-
7/29/2019 EoP_Card Game Images
80/95
Elevationof PrivilegeAn attacker can inject acommand that the system will
run at a higher privilege level
K
-
7/29/2019 EoP_Card Game Images
81/95
Elevationof PrivilegeYouve invented a newElevation of Privilege attack
A
-
7/29/2019 EoP_Card Game Images
82/95
Spoofng2. An attacker could squat on the random port or socket
that the server normally uses
3. An attacker could try one credential after anotherand theres nothing to slow them down (online or ofine)
4. An attacker can anonymously connect because weexpect authentication to be done at a higher level
5. An attacker can confuse a client because there aretoo many ways to identify a server
6. An attacker can spoof a server because identiersarent stored on the client and checked for consistency onre-connection (that is, theres no key persistence)
7. An attacker can connect to a server or peer over a linkthat isnt authenticated (and encrypted)
8. An attacker could steal credentials stored on theserver and reuse them (for example, a key is stored in aworld readable le)
9. An attacker who gets a password can reuse it (Use
stronger authenticators)
10. An attacker can choose to use weaker or noauthentication
continued on back
Spoofn
-
7/29/2019 EoP_Card Game Images
83/95
J. An attacker could steal credentials stored on the client
and reuse them
Q. An attacker could go after the way credentials areupdated or recovered (account recovery doesnt requiredisclosing the old password)
K. Your system ships with a default admin password,and doesnt force a change
A. Youve invented a new Spoong attack
Spoofng cont.
Spoofn
-
7/29/2019 EoP_Card Game Images
84/95
Tamperin
Tampering3. An attacker can take advantage of your custom key
exchange or integrity control which you built insteadof using standard crypto
4. Your code makes access control decisions all over theplace, rather than with a security kernel
5. An attacker can replay data without detectionbecause your code doesnt provide timestamps orsequence numbers
6. An attacker can write to a data store your coderelies on
7. An attacker can bypass permissions because youdont make names canonical before checking access
permissions
8. An attacker can manipulate data because theresno integrity protection for data on the network
9. An attacker can provide or control state information
10. An attacker can alter information in a data store
because it has weak ACLs or includes a group which isequivalent to everyone (all LIve ID holders)
J. An attacker can write to some resource becausepermissions are granted to the world or there are no ACLs
continued on back
-
7/29/2019 EoP_Card Game Images
85/95
Tampering cont.Q. An attacker can change parameters over a trust
boundary and after validation (for example, importantparameters in a hidden feld in HTML, or passing apointer to critical memory)
K. An attacker can load code inside your process via anextension point
A. Youve invented a new Tampering attack
Tamperin
-
7/29/2019 EoP_Card Game Images
86/95
Repudiation
Repudiatio
2. An attacker can pass data through the log to attack a
log reader, and theres no documentation of what sortsof validation are done
3. A low privilege attacker can read interesting securityinformation in the logs
4. An attacker can alter digital signatures because thedigital signature system youre implementing is weak, or
uses MACs where it should use a signature
5. An attacker can alter log messages on a networkbecause they lack strong integrity controls
6. An attacker can create a log entry without a time-stamp (or no log entry is timestamped)
7. An attacker can make the logs wrap around and losedata
8. An attacker can make a log lose or confusesecurity information
9. An attacker can use a shared key to authenticate as
different principals, confusing the information in the logs
10. An attacker can get arbitrary data into logs fromunauthenticated (or weakly authenticated) outsiderswithout validation
continued on back
-
7/29/2019 EoP_Card Game Images
87/95
Repudiation cont.
Repudiatio
10. An attacker can get arbitrary data into logs from
unauthenticated (or weakly authenticated) outsiderswithout validation
J. An attacker can edit logs and theres no way to tell(perhaps because theres no heartbeat option for thelogging system)
Q. An attacker can say I didnt do that, and youd have
no way to prove them wrong
K. The system has no logs
A. Youve invented a new Repudiation attack
-
7/29/2019 EoP_Card Game Images
88/95
Information Disclosure2. Anattackercanbrute-forceleencryptionbecause
theresnodefenseinplace(exampledefense:passwordstretching)
3. Anattackercanseeerrormessageswithsecurity-sensitivecontent
4. Anattackercanreadcontentbecausemessages(say,anemailorHTTPcookie)arentencryptedevenifthechannelisencrypted
5. Anattackermaybeabletoreadadocumentordatabecauseitsencryptedwithanon-standardalgorithm
6. Anattackercanreaddatabecauseitshiddenoroccluded(forundoorchangetracking)andtheusermight
forgetthatitsthere
7. Anattackercanactasamaninthemiddlebecauseyoudontauthenticateendpointsofanetworkconnection
8. Anattackercanaccessinformationthroughasearchindexer,logger,orothersuchmechanism
9. AnattackercanreadsensitiveinformationinalewithbadACLs
10.AnattackercanreadinformationinleswithnoACLs
continuedonback
Information Disclosur
-
7/29/2019 EoP_Card Game Images
89/95
J. Anattackercandiscoverthexedkeybeingused
toencrypt
Q. Anattackercanreadtheentirechannelbecausethechannel(say,HTTPorSMTP)isntencrypted
K. Anattackercanreadnetworkinformationbecausetheresnocryptographyused
A. YouveinventedanewInformationDisclosureattack
Information Disclosure cont.
Information Disclosur
-
7/29/2019 EoP_Card Game Images
90/95
Denial of Servic
Denial of Service2. An attacker can make your authentication system
unusable or unavailable
3. An attacker can make a client unavailable or unusablebut the problem goes away when the attacker stops(client, authenticated, temporary)
4. An attacker can make a server unavailable or unusablebut the problem goes away when the attacker stops(server, authenticated, temporary)
5. An attacker can make a client unavailable or unusablewithout ever authenticating but the problem goes awaywhen the attacker stops (client, anonymous, temporary)
6. An attacker can make a server unavailable or unusable
without ever authenticating but the problem goes awaywhen the attacker stops (server, anonymous, temporary)
7. An attacker can make a client unavailable or unusableand the problem persists after the attacker goes away(client, authenticated, persistent)
8. An attacker can make a server unavailable or unusableand the problem persists after the attacker goes away(server, authenticated, persistent)
9. An attacker can make a client unavailable or unusablewithout ever authenticating and the problem persists afterthe attacker goes away (client, anonymous, persistent)
continued on back
-
7/29/2019 EoP_Card Game Images
91/95
Denial of Service cont.10. An attacker can make a server unavailable or
unusable without ever authenticating and theproblem persists after the attacker goes away (server,anonymous, persistent)
J. An attacker can cause the logging subsystem to stopworking
Q. An attacker can amplify a Denial of Service attack
through this component with amplifcation on the orderof 10:1
K. An attacker can amplify a Denial of Service attackthrough this component with amplifcation on the orderof 100:1
A. Youve invented a new Denial of Service attack
Denial of Servic
-
7/29/2019 EoP_Card Game Images
92/95
Elevation of Privilege (EoP)5. An attacker can force data through different
validation paths which give different results
6. An attacker could take advantage of .NET permissionsyou ask for, but dont use
7. An attacker can provide a pointer across a trustboundary, rather than data which can be validated
8. An attacker can enter data that is checked while stillunder their control and used later on the other side of atrust boundary
9. Theresnoreasonablewayforacallertogureoutwhat validation of tainted data you perform beforepassing it to them
10.Theresnoreasonablewayforacallertogureout what security assumptions you make
J. Anattackercanreectinputbacktoauser,likecross site scripting
Q. You include user-generated content within your page,
possibly including the content of random URLs
K. An attacker can inject a command that the system willrun at a higher privilege level
A. Youve invented a new Elevation of Privilege attack
Elevation of Privileg
-
7/29/2019 EoP_Card Game Images
93/95
Elevation of Privileg
-
7/29/2019 EoP_Card Game Images
94/95
Abou
Threat ModelingAboutElevation of Privilege is designed to be the easiest way to
start looking at your design from a security perspective.
Its one way to threat model, intended to be picked up
and used by any development group. Because it uses the
STRIDE threats, it gives you a framework for thinking, and
specic actionable examples of those threats.
STRIDE stands for:
Spoong Impersonating something or someone else.
Tampering Modifying data or code
Repudiation Claiming to have not performed an action
Information Disclosure Exposing information to
someone not authorized to see it
Denial of Service Deny or degrade service to usersElevation of Privilege Gain capabilities without proper
authorization
At www.microsoft.com/security/sdl/eop we have resources
for you including videos, score sheets and tips and tricks
for playing.
-
7/29/2019 EoP_Card Game Images
95/95
SDLElevation of Privilege is a fun and easy way to get started
understanding the security of your systems by threat
modeling. As you discover and correct design-level security
problems, its worth thinking about the other ways
security issues can creep into your code. Microsoft has a
large collection of free resources available to help you get
started with the Security Development Lifecycle (SDL).
To learn more about threat modeling and the Microsoft
Security Development Lifecycle, visit our website at
microsoft.com/sdl/