Microsoft SDL Threat Modeling Michael Howard [email protected] Who Is This Guy? [email protected] Microsoft employee for 17 years Always in security Worked on the SDL since inception Overview Introduction Goals of Threat Modeling The approach Exercise
Learning resources Threat Modeling Basics Who? What? When? Why? How? Who Building a threat model Dev owns DFD (diagram) Test owns ID threats (analyze)
PM owns overall process Customers for threat models Your team Other feature, product teams Customers, via user education External QA resources like pen testers Security Advisors What Reason about, document and discuss security in a structured way Threat model & document
The product as a whole The security-relevant features The attack surfaces Assurance that threat modeling has been done well Why Threat Model Produce software thats secure by design Improve designs the same way weve improved code Because attackers think differently Creator blindness/new perspective The Approach In a Nutshell Vision Diagra m Identif
y Threat s Validat e Mitigat e STRIDE/Element: Vision Vision Diagra m Identif y Threat s Validat e Mitigat e
Vision Scenarios Where do you expect the product to be used? XBOX is different from Windows 7 xbox.com is different from XBOX Use cases/Use Stories Add security to scenarios, use cases Assurances/Guarantees Structured way to think about what are you telling customers about the products security? STRIDE/Element: Diagramming Diagra Vision
m Identif y Threat s Validat e Mitigat e How to Create Diagrams Go to the whiteboard Start with an overview which has: A few external interactors (some use actors) One or two processes
One or two data stores (maybe) Data flows to connect them Check your work Can you tell a story without edits? Does it match reality? Diagramming Use DFDs (Data Flow Diagrams) Include processes, data stores, data flows Include trust boundaries Diagrams per scenario may be helpful Update diagrams as product changes
Enumerate assumptions, dependencies Number everything (if manual) Diagram Elements - Examples External entity People Other systems Microsoft.com etc Process DLLs EXEs Components Services Web Services Assemblies etc Trust Boundary Process boundary File system Data Flow Function call
Network traffic Etc Data Store Database File Registry Shared Memory Queue/Stack etc Diagrams: Trust Boundaries Add trust boundaries that intersect data flows Points/surfaces where an attacker can interject Machine boundaries, privilege boundaries, integrity boundaries are examples of trust boundaries Threads in a native process are often inside a trust boundary, because they share the same privs, rights, identifiers and access Processes talking across a network always have a trust boundary Diagram Iteration
Iterate over processes, data stores, and see where they need to be broken down How to know it needs to be broken down? More detail is needed to explain security impact of the design Object crosses a trust boundary Words like sometimes and also indicate you have a combination of things that can be broken out Sometimes this datastore is used for Xprobably add a second datastore to the diagram Diagram layers Context Diagram Level 1 Diagram
High level; single feature / scenario Level 2 Diagram Very high-level; entire component / product / system Low level; detailed sub-components of features Level 3 Diagram More detailed Rare to need more layers, except in huge projects or when youre drawing more trust boundaries A Real Context Diagram (Castle) Castle Config Castle Service
Local User Feedback Join/Leave Castle Remote Castle A Real Level-0 DFD (Castle) Registry SSDP 8 7 Get version info Set version Query other info Castle info Cache Castle
info Read Castle info Local User 1 Manage Castle Feedback SSDP 10 Publish this Castle info Manage Castle Explorer (or rundll32) 2 Feedback Join, leave,
Set users props Castle Service 3 Query users props Set acct info Get acct info Get machine password Set psswd Shacct 4 Set acct info SAM LSA Get acct info
5 6 Remote Castle Service 9 STRIDE/Element: Identifying Threats Diagra m Vision Identif y Threat s Validat e Mitigat e
Understanding the threats Threat Property Definition Example Spoofing Authentication Impersonating something or someone else. Pretending to be any of billg, xbox.com or a system update Tampering Integrity Modifying data or code
Modifying a game config file on disk, or a packet as it traverses the network Repudiation Non-repudiation Claiming to have not performed an action I didnt cheat! Information Confidentiality Exposing information to someone not authorized to see it Reading key material from an app Denial of Service Availability Deny or degrade
service to users Crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole Elevation of Privilege Authorization Gain capabilities without proper authorization Allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP Disclosure Different threats affect each type of element Element External Entity S
T R I D E Process Data Store Dataflow ? Apply STRIDE Threats To Each Element For each thing on the diagram: Apply relevant parts of STRIDE
External Entity: SR Process: STRIDE Data Store, Data Flow: TID Data stores which are logs: TID+R Data flow inside a process: Dont worry about T,I or D Number things so you dont miss them A Real Level-0 DFD (Castle) TID Registry 7 Get version info TID Set version Query other info Castle info Cache Castle
info Read Castle info Local User 1 Manage Castle Feedback SSDP 10 SSDP 8 Publish this Castle info Manage Castle Explorer (or rundll32) 2
STRIDE Feedback Join, leave, TID Set users props Castle Service 3 Query users props TID Set acct info Get acct info Get machine password Remote Castle Service 9
STRIDE Set psswd Shacct 4 Set acct info LSA 6 Get acct info Etc SAM 5 Use the trust boundaries Trusted/high code reading from untrusted/low Validate everything for specific uses High code writing to low Make sure your errors dont give away too much
STRIDE/Element: Mitigating Diagra m Vision Identif y Threat s Validat e Mitigat e Mitigation is the point of threat modeling Mitigation:
Protect customers Design secure software Why bother if you: To address or alleviate a problem Create a great model Identify lots of threats Stop So find problems and fix them File bugs to track them Mitigate Address each threat Four ways to address threats:
Redesign to eliminate Apply standard mitigations Invent new mitigations Riskier Accept vulnerability in design Address each threat! Standard Mitigations Spoofing Authentication
To authenticate principals: Basic & Digest authentication LiveID authentication Cookie authentication Windows authentication (NTLM) Kerberos authentication PKI systems such as SSL/TLS and certificates IPSec Digitally signed packets To authenticate code or data: Digital signatures Message authentication codes Hashes Tampering Integrity
Windows Mandatory Integrity Controls ACLs Digital signatures Message Authentication Codes Repudiation Non Repudiation Strong Authentication Secure logging and auditing Digital Signatures Secure time stamps Trusted third parties Information Disclosure Confidentiality
Encryption ACLS Denial of Service Availability ACLs Filtering Quotas Authorization High availability designs Elevation of Privilege Authorization
ACLs Group or role membership Privilege ownership Permissions Input validation Inventing Mitigations is Hard Mitigations are an area of expertise like networking, databases, or cryptography Amateurs make mistakes, so do pros Mitigation failures will appear to work Until an expert looks at them
We hope that expert will work for us When you need to invent mitigations, get expert help We will try to talk you off the ledge STRIDE/Element: Validating Vision Model Identif y Threat s Validat e Mitigat e Validating Threat Models Validate the whole TM
Does diagram match final code? Are threats enumerated? Minimum: STRIDE per element that touches a trust boundary Has Test reviewed the model? Is each threat mitigated? Created appropriate test plans Tester approach often finds issues with TM, or details Are mitigations done right Did you check these before FSR? Shipping will be more predictable
Validate Quality of Threats & Mitigations Threats Describe the attack Describe the context Describe the impact Mitigations: Associate with a threat Describe the mitigation(s) File a bug Fuzzing is a test tactic, not a mitigation Validate Information Captured
Dependencies What other code are you using? What security functions are in that other code? Are you sure? Assumptions Things you note as you build the threat model HTTP.sys will protect us against SQL Injection LPC will protect us from malformed messages CryptGenRandom will give us crypto-strong randomness Effective Threat Modeling Meetings
Start with a DFD walkthrough Identify most interesting elements Assets (if you identify any) Entry points/trust boundaries Walk through STRIDE against those Threats that cross elements/recur Consider library, redesigns PAUSE FOR QUESTIONS BEFORE EXERCISE Exercise Handout Work in teams to:
Identify all diagram elements Identify threat types to each element Identify at least 3 threats Identify first order mitigations Extra credit: improve the diagram Identify all Elements: 16 Elements 7 Registry 7.0 8 9 6 Raw Registry Data
Raw FS Data File System 6.0 and 2 trust boundaries, which dont have threats against them 3 iNTegrity Host Software 3.0 10 Commands 11 Resource Integrity Data 2 Read
5 Admin 1.0 1 Identify threat types to each element Threats Elements Administrator Admin console (2) , Host SW (3) Config data (4), Integrity data (5), Filesystem data (6), registry (7) 8. raw reg data 9. raw filesystem data 10. commands 11. resource integrity data 12. read settings 13. read .... 16 Identify Threats!
Specific Understand threat and impact Identify 1st order mitigations END EXERCISE Call to Action Threat model your work! Start early Track changes Work with your Security Advisors! Talk to your dependencies about security assumptions Learn more
http://blogs.msdn.com/sdl Learning Resources MSDN Magazine Lots more SDL: Training and Resources Uncover Security Design Flaws Using the STRIDE Approach http://msdn.microsoft.com/msdnmag/issues/06/11/ThreatModeling/ default.aspx http://msdn.microsoft.com/en-us/magazine/cc700352.aspx Getting Started with the SDL TM Too http://msdn.microsoft.com/en-us/magazine/2009.01.securitybriefs.as px
http://msdn.microsoft.com/en-us/security/cc448120.aspx Books: lots of info which drove evolution of better processes
Derivative of ?? ??? ??=??????. In other words, keep the exponent the same and multiply by the derivative of the exponent. This is a process called differentiation by substitution. (though it may not be necessary for all problems) Remember: ?...
In this context, I would like to create a set of new business opportunities for the xxxx market segment. I expect this sector to undergo some serious change in the future, reflecting changes in xxxx. ... Shift the mean quality...
carleton.ca/edc. Key Take-Away. Know the resources available . Take preventative measures . Communicate/consult with relevant parties. Know when to take action quickly, & when to take action more slowly . Check your assumptions, keep an open mind, and try to...
time line. questions . how to respond. point of contact. PROPOSAL DEVELOPMENT & REVIEW (PART I) OVERVIEW OF RFP REQUIREMENTS. Common Federal RFP Sections. Part I. Section B: Supplies/Services & Prices/Costs. Section C: Descriptions, Specifications, Scope of Work.
Criticisms of Polity IV. On the plus side, the Polity IV measure is rich in historical detail, the coding rules are transparent, and the amount of raw information that goes into a country's score is impressive.
Epic Conventions- rules that epics follow. In Media Res- An epic begins in the middle of the action to grab our attention. Episodes- The whole epic is told in separate stories or episodes. The Odyssey . has 24. Two-Part Division-
Reading Incentive Programs ... Accelerated Reader Book Adventure Book It Great Books Read Across America Read to Succeed Scholastic Reading Counts Reading Incentive Programs What does this this this topic have to do with our school? ... can check students'...
Largest slum in Kenya. 60% of the people that live in Nairobi live in slums. Between 800,000 and 1 million people live in Kibera. 255 ha (around the size of 255 football pitches) Extremely high population density . 1 meter...
Ready to download the document? Go ahead and hit continue!