pattern recognition and applications lab threat modeling · 2021. 1. 5. · leverage the os full...
TRANSCRIPT
Pattern Recognitionand Applications Lab
Universityof Cagliari, Italy
Department of Electrical and Electronic
Engineering
THREAT MODELING
Giorgio Giacinto
Spring Semester 2019/2020
http://pralab.diee.unica.it 2
Books
http://pralab.diee.unica.it
Definition
[Application] Threat Modeling – a strategic process aimed at considering possible attack scenarios and vulnerabilities within a proposed or existing application environment for the purpose of clearly identifying risk and impact levels
Tony UcedaVelez and Marco M. Morana, Risk Centric Threat Modeling, 2015
Tony UcedaVélez is the CEO & Founder of VERSPRITE (Cybersecurity Consultants)
Marco Morana is the Head of Security Architecture at JPMorgan Chase & Co
3
http://pralab.diee.unica.it
Threat Scenarios• An application could become a target when an attack
provides a return on investment to the attacker
• Threat scenarios1. Capturing the application business context and
identifying the application assets2. Identifying the possible threat agents and their goals
• Generalization for all applications with similar functionalities and data assets stored and processed.
• Prioritization the security measures to mitigate the risk
4
http://pralab.diee.unica.it
Threats: Technical and Business ImpactsThreat Technical Impact Business Impact
Malware infected PC taking over online banking credentials
Loss of users’ authentication data allowing fraudsters to take over the account(impersonation)
Money loss due to fraudulent transactions by impersonating the logged user to move money to fraudulent accounts through third party accounts (money mules)
External threat agent exploiting application’s SQL injection vulnerabilities
Unauthorized access to users’ data includingconfidential and PII, trading secrets, and intellectual property.
Liabilities for loss of users’ PII, lawsuits for unlawful noncompliance, security incident recovery costs, and revenue loss
Denial of service attack against the application
Unavailability of web server due to exploit of application and network vulnerabilities and lack of redundancies to cope with traffic overloads
Revenue loss due to loss and/or disruption of service denying customer access to services and goods. Lawsuits from customers and businesses and recovery costs
5
http://pralab.diee.unica.it
Threat Agents• Characterizing threats is essential for analyzing risks
• Three factors– The type of a threat– The threat agent– The targets
• Threat Agents– Humans (hactivists, cyber-criminals, cyber-spies, etc.)– Tools
• Malware, key-loggers, spyware, etc.– Nonhuman
• Storms, earthquakes, tornados, etc.
6
http://pralab.diee.unica.it
Reasons to Threat Model• Find security bugs early
• Understand your security requirements
• Engineer and deliver better products
• Address issues other techniques won’t
7
http://pralab.diee.unica.it
Addressing each threat
8
Mitigating Threats Eliminating Threats
Transferring ThreatsAccepting the Risk
http://pralab.diee.unica.it
Software threat modeling
9
http://pralab.diee.unica.it
Security Development Lifecycle• Developed by Microsoft starting in 2002• Established as a mandatory policy in 2004 for Microsoft
products• Adopted worldwide by many software development teams
since its public release in 2008
10https://www.microsoft.com/en-us/securityengineering/sdl/
http://pralab.diee.unica.it
SDL Practices
11https://www.microsoft.com/en-us/securityengineering/sdl/practices
http://pralab.diee.unica.it
Threat Modeling: a four-step process
1. What are you building?
2. What can go wrong with it once it’s built?
3. What should you do about those things that can go wrong?
4. Did you do a decent job of analysis?
12
http://pralab.diee.unica.it
Model the system• Graphical sketches
• Identification of Trust Boundaries
13
http://pralab.diee.unica.it
What can go wrong?• STRIDE taxonomy (Microsoft)
– Spoofing
– Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege
14
http://pralab.diee.unica.it 15
STRIDETHREAT PROPERTY VIOLATED TYPICAL VICTIM
Spoofing AuthenticationProcessesExternal entitiesPeople
Tampering IntegrityProcessesData storesData flows
Repudiation Non-Repudiation Processes
Information Disclosure ConfidentialityProcessesData storesData flows
Denial of Service AvailabilityProcessesData storesData flows
Elevation of Privilege Authorization Processes
http://pralab.diee.unica.it
Addressing SpoofingTHREAT TARGET MITIGATION STRATEGY MITIGATION TECHNIQUE
Spoofing a person Identification and authentication
Username & password, or biometrics, tokens, etc.Issues: enrollment, expiration, etc.
Spoofing a “file” on disk
Leverage the OS Full Paths, ACL, etc.
Cryptographic Authenticators Digital signatures or authenticators
Spoofing a network address Cryptographic DNSSEC, HTTPS/SSL, IPSec
Spoofing a program in memory Leverage the OS Application identifiers
enforced by OSs
16
http://pralab.diee.unica.it
Addressing Tampering
17
THREAT TARGET MITIGATION STRATEGY MITIGATION TECHNIQUE
Tampering with a fileOperating Systems ACLs
Cryptographic Digital signatures, Keyed MAC
Racing to create a file (tampering the operating system)
Using a directory that’s protected from arbitrary user tampering
ACLs, Private Directory Structures, Randomizing file names, etc.
Tampering with a network packet
Cryptographic HTTPS/SSL, IPSec
Anti-pattern Network isolation
http://pralab.diee.unica.it
Addressing Repudiation
18
THREAT TARGET MITIGATION STRATEGY MITIGATION TECHNIQUE
No logs (you can’t prove anything)
Maintaining a Log Log all the security relevant information
Logs come under attack Log protection Send over the network, ACL
Logs as a channel for attack Tightly specified logs
Early documentation of log design in the development process
http://pralab.diee.unica.it
Addressing Information Disclosure
19
THREAT TARGET MITIGATION STRATEGY MITIGATION TECHNIQUE
Network monitoring Encryption HTTPS/SSL, IPSec
Directory or filename Leverage the OS ACLs
File contents
Leverage the OS ACLs
Cryptography File encryption, Diskencryption
API information disclosure Design Design control
Pass by reference or value
http://pralab.diee.unica.it
Addressing Denial of Service
20
THREAT TARGET MITIGATION STRATEGY MITIGATION TECHNIQUE
Network flooding Look for exhaustible resources
Elastic resourcesEnsure that attack resources consumption is as high as or higher than yours
Network ACLs
Program resources
Careful design Elastic resource management, proof of work
Avoid multipliers
Look for places where attackers can multiply CPU consumption on your end with minimal effort on their end
System resources Leverage the OS OS settings
http://pralab.diee.unica.it
Addressing Elevation of Privilege
21
THREAT TARGET MITIGATION STRATEGY MITIGATION TECHNIQUE
Data/code confusionTools and Architectures that separate data and code
Prepared statements or stored procedures in SQLLate validation that data is what the next function expects
Control flow / memory corruption
Use a type-safe language
Type-safe languages protect against entire classes of attack
Leverage the OS for memory protection Provided by most modern OS
Sandboxing
AppArmor in LinuxAppContainer in WindowsSandboxlib in Mac OSCreate a new account for each app
Command injectionattacks Be careful Input validation
Don’t sanitize. Log and throw away
http://pralab.diee.unica.it
Validation of the threat model• Checking the model– Completeness– Accurateness– Coverage of all the security decisions– Representativeness of the diagram
• Updating the diagram– Focus on data flow, rather than on control flow– Change vague arguments such as “sometimes”, “also”, by
considering all the cases– Don’t have data sinks: show who uses it– Show the process that moves data from one data store to
another
22
http://pralab.diee.unica.it
Structured approaches to threat modeling
23
http://pralab.diee.unica.it
Three Focus Areas
24
Assets, Attackers, SoftwareExample of a data flow diagram of the Acme/SQL database
http://pralab.diee.unica.it
• Things Attackers Want– User passwords– SSN, identifiers– Credit card numbers– Confidential business data
• Things You Want to Protect– Reputation– Goodwill– Unused assets
• Stepping Stones– Everything that can be used
to attack other assets
25
Focusing on assets
http://pralab.diee.unica.it
• Need a list of types of attackers– Different motivations, skills, background and perspective
• Humanizing the attacker bears the risk of ending up with “no one would ever do that”
Risk based Threat Modelingfocuses on assets and on attackers
for prioritizing threat mitigation tasks
Security-Centric Threat Modelingavoids enumerating
and focuses on the technical analysis
Focusing on attackers
26
http://pralab.diee.unica.it
Focusing on software• Security-centric approach to threat modeling
• Based on software models described by diagrams
– Data flow diagrams
– UML
– Swin Lane Diagrams
– State diagrams
• Based on the definition of Trust Boundaries
27
http://pralab.diee.unica.it
Finding Threats
28
http://pralab.diee.unica.it
Spoofing ThreatsTHREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Spoofing a process on the same machine
Creates a file before the real process
Renaming / linking Creating a Trojan “su” and altering the path
Renaming Naming your process “sshd”
Spoofing a file
Creates a file in the local directory
A library, executable or config file
Creates a link and changes it
The change should happen between the link being checked and the link being accessed
Creates many files in the expected directory
e.g., automatic creation of 10,000 files in the /tmpdirectory to fill all the available space
29
http://pralab.diee.unica.it
Spoofing Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Spoofing a machine
ARP spoofing
IP spoofing
DNS spoofing Forward or reverse
DNS compromise Compromise TLD, registrar or DNS operator
IP redirection At the switch or router level
Spoofing a personSets e-mail display name
Take over a real account
Spoofing a role Declares themselves to be that role
Sometimes opening a special account with a relevant name
30
http://pralab.diee.unica.it
Tampering ThreatsTHREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Tampering with a file
Modifies a file they own and on which you rely
Modify a file you own
Modifies a file on a file server that you own
Modifies a file on their file server
Effective when you include files from remote domains
Modifies links or redirects
Tampering with memory
Modifies your code
Hard to defend against once the attacker is
running code as the same user
Modifies data they’ve supplied to your API
Pass by values, not by reference when crossing a
trust boundary
31
http://pralab.diee.unica.it
Tampering Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Tampering with a network
Redirects the flow of data to their machine Often stage 1 of tampering
Modifies data flowing over the network
Even easier when the network is wireless (e.g., WiFi, 3G, etc.)
Enhance spoofing attacks
32
http://pralab.diee.unica.it
Repudiation Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Repudiating an action
Claims to have not clicked
Claims to have not received How reliable are receipts of delivery / download?
Claims to have been a fraud victim
Uses someone else’s account
Uses someone else’s payment instrument without
authorization
Attacking the logs
Notices you have no logs
Puts attacks in the logs to confuse logs, log-reading code,
or persons reading the log
33
http://pralab.diee.unica.it
Information Disclosure Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Information disclosureagainst a process
Extracts secrets from error messages
Reads the error messages from username/passwords to entire database tables
Extracts machine secretes from error cases
Can make defense against memory corruption such as ASLR far less useful
Extracts business/personal secrets from error cases
34
http://pralab.diee.unica.it
Information Disclosure Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Information disclosureagainst data stores
Takes advantage of inappropriate or missing ACLs
Takes advantage of bad database permissions
Finds file protected by obscurity
Finds crypto keys on disk (or in memory)
Sees interesting information in filenames
Reads files as they traverse the network
Gets data from logs or temp files
Gets data from swap or other temp storage
Extracts data by obtaining device, changing OS
35
http://pralab.diee.unica.it
Information Disclosure Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Information disclosureagainst a data flow
Reads data on the network
Redirects traffic to enable reading data on the network
Learns secretes by analyzing traffic
Learns who’s talking to whom by watching the DNS
Learns who’s talking to whom by social network infodisclosure
36
http://pralab.diee.unica.it
Denial of Service Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Denial of service against a process
Absorbs memory (RAM or disk)
Absorbs CPU
Uses process as an amplifier
Denial of service against a data store
Fills data store up
Makes enough requests to slow down the system
Denial of serviceagainst a data flow Consumes network resources
37
http://pralab.diee.unica.it
Elevation of Privilege Threats
THREAT EXAMPLES WHAT THE ATTACKER DOES NOTES
Elevation of privilege against a process by corrupting the process
Sends inputs that the codedoesn’t handle properly
These errors are very common, and have high impact
Gains access to read or write memory inappropriately
Reading memory can enable further attacks
Elevation through missed authorization checks
Elevation through buggy authorization checks
Centralizing such checks make bugs easier to manage
Elevation through data tampering
Modifies bits on disk to do things other than what the authorized user intends
38
http://pralab.diee.unica.it
Attack Trees
39
http://pralab.diee.unica.it
Benefits of modeling with attack trees
Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes
(Bruce Schneier, 1999)
40
http://pralab.diee.unica.it
Example of an attack tree
41
https://www.schneier.com/cryptography/archives/1999/12/attack_trees.html
http://pralab.diee.unica.it 42
Example of an attack tree: Repudiationagainst a Process
http://pralab.diee.unica.it
Example of an attack tree - SSL
43
mind map representation
http://pralab.diee.unica.it
Mitigating Threats
44
http://pralab.diee.unica.it
Tactics and Technologies• Authentication -> Mitigating Spoofing– Tactics: cryptographic keys, PKI, CAs– Technologies: IPSec, SSH, Kerberos, hashes, etc.
• Integrity -> Mitigating Tampering– Tactics: permissions, cryptographic mechanisms, logs– Technologies: ACLs, digital signatures, hashes, etc.
• Non-Repudiation -> Mitigating Repudiation– Tactics: fraud prevention, logs and cryptography– Technologies: log analysis tools, digital signatures, etc.
45
http://pralab.diee.unica.it
Tactics and Technologies• Confidentiality-> Mitigating Information Disclosure– Tactics: ACLs, cryptography– Technologies: ACLs, encryption, key management, etc.
• Availability -> Mitigating Denial of Service– Tactics: proof of work, ensure the attacker can receive data– Technologies: filters, quotas, cloud services, etc.
• Authorization -> Mitigating Elevation of Privilege– Tactics: limiting the use of privileged accounts, sandboxing,
defense layers, etc.– Technologies: ACLs, RBAC, chroot, etc.
46
http://pralab.diee.unica.it
Risk-based approach to Application threat modeling
47
http://pralab.diee.unica.it
The DREAD model• Damage Potential– How extensive is the damage (impact) upon a vulnerability
becoming successfully exploited?
• Reproducibility– How easy is it for this type of attack to be reproduced?
• Exploitability– How easy is it for a known vulnerability to be exploited?
• Affected Users– Impact on a user base
• Discoverability– How easily a vulnerability is detected
48
http://pralab.diee.unica.it
Risk rating using DREAD• For each element of the DREAD model a qualitative
assessment of risk is performed by assigning one out of three values– HIGH or 3– MEDIUM or 2– LOW or 1
49
THREAT D R E A D Total Rating
Attacker obtain authentication credentials by monitoring the network 3 3 2 2 2 12 High
SQL commands injected into application 3 3 3 3 2 14 High
http://pralab.diee.unica.it
Example of a Threat Rating TableThreat HIGH (3) MEDIUM (2) LOW (1)
D Damage Potential
The attacker can subvert the security system; get full trust authorization; run as administrator; upload content.
Leaking sensitive information
Leaking trivial information
R Reproducibility
The attack can be reproduced every time and does not require a timing window.
The attack can be reproduced, but only with a timing window and a particular race situation.
The attack is very difficult to reproduce, even with knowledge of the security hole
E ExploitabilityA novice programmer could make the attack in a short time frame.
A skilled programmer could make the attack, then repeat the steps.
The attack requires an extremely skilled person and in-depth knowledge every time to exploit
50
http://pralab.diee.unica.it
Example of a Threat Rating Table
THREAT HIGH (3) MEDIUM (2) LOW (1)
A Affected UsersAll users, default configuration, key customers
Some users, non-default configuration
Very small percentage of users, obscure feature; affects anonymous users
D Discoverability
Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable
The vulnerabilityis a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use.
The bug is obscure and it is unlikely that users will work out damage potential
51
http://pralab.diee.unica.it
Application threat modeling
52
http://pralab.diee.unica.it
PASTAProcess for Attack Simulation and Threat Analysis
• Identify business objectives• Identify security & compliance requirements• Technical / Business impact analysis
Define Objectives
• Enumerate Software Components• Dependencies: Network / Software (COTS) / Services• Data flow diagramming• Third Party Infrastructures (cloud, SaaS, ASP Models)
Define Technical Scope
• Use cases / Abuse (misuse) cases / Define app entry points• Actions / Assets / Services / Roles / Data sources• Data Flow Diagramming (DFDs) / Trust Boundaries
Application Decomposition
53
http://pralab.diee.unica.it
PASTAProcess for Attack Simulation and Threat Analysis
• Probabilistic Attack Scenarios• Regression analysis on security events• Threat Intelligence correlation & analytics
Threat Analysis
• Vulnerability database (CVE)• Identifying vulnerability & abuse case tree nodes• Design flaws & weaknesses• Scoring (CVSS / CWSS)
Vulnerability & weaknesses mapping
• Attack Tree Development / Attack Library Management• Attack node mapping to Vulnerability nodes• Exploit to vulnerability match making
Attack Modeling
• Qualify & Quantify Business Impact• Residual Risk Analysis• ID risk mitigation strategies / Develop countermeasures
Risk and Impact Analysis
54
http://pralab.diee.unica.it
User stories, Misuse cases, and Countermeasures
55
User
Application / Server
Enter username and password
User Authentication
Show Generic Error Message
Validate Password Minimum Length and
Complexity
Lock Account After N Failed Login Attempts
includes
includes
includes
includes
Malicious User
Brute Force Authentication
Harvest / Guess Valid User Accounts
Dictionary Attack
includes
includesmitigates
threatens
mitigates
mitigates
mitigates
Additional examples can be found at http://www.se.rit.edu/~se555/Misuse%20Cases.pdf
http://pralab.diee.unica.it
DFD with Risk Analysis
56
http://pralab.diee.unica.it
Threat Modelling in Practice
57
http://pralab.diee.unica.it 58
Requirements-Threats-Mitigations
Requirements
Threats Mitigations
Impossible to mitigate implies non-requirement
Compliance
Threats help identify requirements
Real threats violate requirements
http://pralab.diee.unica.it
• Allow listing the concrete threats out of the abstractterms used in STRIDE
– CAPEC (MITRE)Common Attack Pattern Enumeration and ClassificationV3.2 (September 2019 - 517 attack patterns)
– ATT&CK (MITRE)knowledge base of adversary tactics and techniques based on real-world observations
– OWASP Cheat Sheet Seriesa concise collection of high value information on specific web application security topics
59
Attack Libraries
http://pralab.diee.unica.it 60
Threat Modeling a software product
http://pralab.diee.unica.it 61
Threat Modeling an internal network
http://pralab.diee.unica.it 62
Threat Modeling a One Time Token Authentication Systems
http://pralab.diee.unica.it
Threat Modeling Tools
63
http://pralab.diee.unica.it
Software tools• Microsoft SDL Threat Modeling Tool
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling– Available for free from Microsoft (latest release: 2020)
• OWASP Threat Dragon (open source – web application)https://threatdragon.org/
• ThreatModeler (commercial)https://threatmodeler.com– A defense-oriented tool– It uses a set of attack libraries
64