02 threat modeling

Upload: faaizhussain

Post on 10-Apr-2018


TRANSCRIPT

  • 8/8/2019 02 Threat Modeling

    1/85

    Copyright Microsoft Corp. 2004

    Threat Modeling

    Dan Sellers, .Net Developer Specialist

    Microsoft Canada

  • 2/85 What is Threat Modeling?

    A process to understand and document security threats to a system that:

    Is methodical and complete.

    Will describe the system's threat profile.

    Allows the security of the system to be characterized.

    May find vulnerabilities.

  • 3/85 Key Concepts

    A Threat Model describes a system's threat profile.

    A threat is not a vulnerability.

    The point of a threat model is more than just finding vulnerabilities.

    A system is anything that exposes functionality to an end user, and can describe anything from a single feature to a web application and its supporting infrastructure.

  • 4/85 Threat Modeling Process

    Collect Background Information: Use Scenarios; Implementation Assumptions; External Dependencies; External Security Notes; Internal Security Notes

    Model the System: Entry Points; Assets; Trust Levels; Data Flow Diagrams / Process Models

    Determine Threats: Identify Threats; Analyze Threats / Determine Vulnerabilities


  • 6/85 Collect Background Information

    Background information bounds the threat modeling discussion.

    It gathers information about dependencies that are security-critical.

    It provides necessary information for people to understand the threat model.


  • 8/85 Identify Use Scenarios

    A use scenario explains how the system is intended or not intended to be used in deployment.

    Use scenarios help bound the threat modeling by describing the situations that were considered during the security design of the system.

    They can also explain situations where, if the system is deployed in an unsupported configuration, the security can be compromised.

    Use scenarios can be used as mitigation for threats to the system.

  • 9/85 Tool: Use Scenarios Table

    Use Scenarios

    ID  Description
    1   The Fabrikam Phone 1.0 will be connected to the public switched telephone network. The security of this network is beyond the control of the Phone 1.0.
    2   If the Phone 1.0 is installed in a location where untrusted users can access it, it should have local access control enabled.

  • 10/85 Use Scenarios: Relevance

    Who uses the information? Use scenarios are used by the threat modeling team to limit the scope of the analysis. Managers and development leads must sign off on the individual use scenarios for the Threat Model to be valid. Later, the security test team can use these scenarios when conducting a penetration test, either to verify their validity or prove that they are not consistent with actual deployment.

    How is the information collected? The information is best provided by the designer of the system being modeled. If the system is a component that other teams are using, those teams may have input as to how the component is being used.

    How is it used in the rest of the Threat Model? Use scenarios can limit the discussion by describing scenarios that will not be considered (in other words, that are outside of the safe use of the system). During threat analysis, use scenarios can be used as the mitigation for conditions (for example, a condition may only be true if the system is used in an unsupported or unsafe scenario). Use scenarios may also help identify additional assets. For example, if a system is expected to run at a certain elevated privilege level, execution rights at that privilege level are an asset.


  • 12/85 Identify External Dependencies

    External dependencies are requirements levied on systems outside of the system being modeled.

    They are dependencies on a certain behavior or specification compliance in an external system that, if broken, could cause threats in the system being modeled to manifest vulnerabilities.

    Often, these dependencies describe functions such as algorithm consistency across systems. For example, if two systems both normalize a string of text and take action based on the result, it is typically important that the normalized representation is the same across both systems.

  • 13/85 Tool: External Dependencies Table

    External Dependencies

    ID  Description
    1   The Fabrikam Phone 1.0 depends on the PSTN for providing power. There is a 2-day power cell in the Phone 1.0 that provides backup power should the power provided by the PSTN go down.

  • 14/85 External Dependencies: Relevance

    Who uses the information? External dependencies are primarily used by the threat modeling team to validate assumptions between systems being modeled. The act of identifying, documenting, and investigating external dependencies can ensure that disparate systems and groups do not result in inconsistencies leading to vulnerabilities.

    How is the information collected? The designers and implementers of the system should be able to identify external systems that it depends on. Further, they can characterize the functionality of the external system that is used, thus providing a list of dependencies.

    How is it used in the rest of the Threat Model? External dependencies result in action items that must be resolved with the target system's team before a Threat Model can be considered valid. They validate cross-system assumptions that, if incorrect, might otherwise result in vulnerabilities.


  • 16/85 Identify Implementation Assumptions

    It is good to start the Threat Modeling process before a system is implemented.

    Implementation Assumptions are used when some or all of the system is in the design phase, and dictate specifics about how features must be implemented for the system to remain secure.

    Implementation Assumptions should be validated on completion of the implementation, in addition to revising the Threat Model as a whole to reflect the implementation.

  • 17/85 Tool: Implementation Assumptions Table

    Implementation Assumptions

    ID  Description
    1   The voice-command dialing option has yet to be implemented. When this is added, it should not introduce a way to bypass current security features, such as long-distance call lockout.
    2   If encrypted communication is added, key exchange should be done according to industry-accepted standards.

  • 18/85 Implementation Assumptions: Relevance

    Who uses the information? The information is used by the implementer of the relevant feature in the system. It is essentially a coding guideline that the implementer must adhere to. Post-implementation, the Threat Model team should validate that the implementation assumption holds true. Implementation assumptions can also be validated in code reviews and during penetration testing.

    How is the information collected? When threats are being identified, they often include threats that are common globally or to the team responsible for the system. If the threat is best mitigated in implementation and not design, the team usually has a common method of mitigating that threat in code. Implementation assumptions are then simply notes for the coder that include this information.

    How is it used in the rest of the Threat Model? Implementation assumptions are invalidation points for the Threat Model if they do not remain true after the functionality is implemented. In addition, they are used as discussion points during the revising of a Threat Model if it is started during the design phase.


  • 20/85 Identify External Security Notes

    External Security Notes are the counterpart to external dependencies.

    They provide security-relevant information to users that interface with the system being modeled.

    This information can be in the form of warnings against potential misuse that, while not constituting a vulnerability in the system being modeled, may surface a vulnerability in another system if it is not used correctly.

    Or, the information can be in the form of guarantees that the system makes for users.

    As an example, it may contain the specification for how filenames are normalized internal to the system.

  • 21/85 Tool: External Security Notes Table

    External Security Notes

    ID  Description
    1   The Phone 1.0 has a remote administration interface that has a default numeric password. While the interface is disabled by default, the end user should ensure that the password is changed if the feature is enabled.
    2   If the end user wants to protect the speed dial list and whether the remote administration is enabled, he should enable local access control.

  • 22/85 External Security Notes: Relevance

    Who uses the information? The information is primarily consumed by users whose systems in turn depend upon this system. Those users can validate dependencies based on this information, or request explanation of functionality to be added.

    How is the information collected? During the threat model process, potential misuses of externally-supplied functionality are often identified. This information should be proactively included in the Threat Model. In addition, external dependencies on this system can force investigations that result in information in this table.

    How is it used in the rest of the Threat Model? External security notes are used as validation of external dependencies. In addition, they can sometimes be used as mitigation for threats. In this case, the threat is mitigated through end-user education rather than design or implementation changes.


  • 24/85 Identify Internal Security Notes

    Internal security notes are information that readers of the threat model should know to make the model more clear.

    They are often used to explain tradeoffs made in the design or implementation of the system that affect security.

    They should not be used as a replacement for threats and vulnerabilities.

  • 25/85 Tool: Internal Security Notes Table

    Internal Security Notes

    ID  Description
    1   Speed dial information, messages, and the outgoing message are all stored in volatile RAM. The combination of volatile RAM and a battery backup for the Phone 1.0 is cheaper to manufacture than to use non-volatile RAM. This means, however, that power loss to the Phone 1.0 can cause loss of information if the battery backup is depleted.

  • 26/85 Internal Security Notes: Relevance

    Who uses the information? Internal security notes are used by reviewers of the threat model to understand security tradeoffs that were made in the design or implementation of the system.

    How is the information collected? Internal security notes are usually collected when the system is being modeled or when threats are being investigated. Often internal security notes come about when a threat exists because of a particular design decision, but that design decision was made to satisfy other, non-security requirements.

    How is it used in the rest of the Threat Model? Internal security notes are used when the threat model is reviewed for completeness. They are also used when mitigation for vulnerabilities is discussed.


  • 28/85 Model the System

    Modeling the system is critical to determining threats.

    It helps the threat modeling team understand the adversary's view of the system.

    It helps the team understand the internal workings of the system, allowing them to identify design- and implementation-specific threats.


  • 30/85 Identify Entry Points

    Entry Points define the boundary of the system being modeled.

    They list all places where the system consumes data from, provides data to, or performs actions on behalf of external entities.

    Entry points are often obvious: exposed APIs, listening sockets, RPC servers, Web Services, etc. Note, however, that any place where the system interacts with external entities could be considered an entry point. For example, reading data from the file system is an entry point because the file system is likely not private to the system being modeled.

  • 31/85 Tool: Entry Points Table

    Entry Points

    ID 1  Name: Handset
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
          Description: The handset is used by the end user for voice communication. Voice dialing will also be implemented via this interface.

    ID 2  Name: Keypad
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
          Description: The keypad is used for dialing, entering local access passwords, and other administrative functions on the Phone 1.0.

    ID 3  Name: Telephone Line
          Trust Level: (5) Anonymous remote user
          Description: The telephone line is where the Phone 1.0 interfaces with the public switched telephone network.

    ID 4  Name: Alphanumeric Display
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
          Description: The alphanumeric display shows information, such as speed dial numbers, caller ID, administrative menus, etc.

    ID 5  Name: Audible Ringer
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
          Description: The ringer is an exit point used to alert the end user of incoming calls.

    ID 6  Name: Remote Administration
          Trust Level: (1) Administrator
          Description: Remote administration is a menu-driven interface that is accessed remotely over the PSTN. It is enabled when the answering machine feature of the Phone 1.0 is enabled, and is accessed by pressing 9 once the phone answers.

  • 32/85 Entry Points: Relevance

    Who uses the information? The entry points are primarily used internally to the threat modeling process as described below.

    How is the information collected? Both the designers and implementers of the system provide the list of entry points. Occasionally, additional entry points surface during the data flow modeling of the system.

    How is it used in the rest of the Threat Model? Entry points are used to prioritize the threat modeling discussion. They also provide the basis for discussion. For each entry point, the question must be answered: What functionality does the entry point expose? This information is used to decompose security-critical processing using data flow diagrams. Further, they are used to ensure a complete analysis. That is, a Threat Model can only be considered thorough if all entry points are identified and explored.


  • 34/85 Identify Assets

    Assets are those things, both concrete and abstract, that could be targets of an attack by an adversary.

    Because of the widely varied functionality of systems, protected resources can also be widely varied. For example, a concrete example might be corporate data stored in a database. A more abstract example might be network coherency in a peer to peer application.

    Assets should be nouns.

  • 35/85 Tool: Assets Table

    Assets

    ID 1  Name: Speed-dial list
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user
          Description: The speed dial list contains the names and numbers of often-used contacts.

    ID 2  Name: Caller ID
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user
          Description: Provides information about the incoming caller.

    ID 3  Name: Access to the PSTN
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user
          Description: The Phone 1.0 indirectly protects access to the PSTN.

    ID 4  Name: Long-distance calls
          Trust Level: (1) Administrator, (2) Long-distance user
          Description: The Phone 1.0 has optional lock-out for long distance calling so that only authorized users can make long distance calls.

    ID 5  Name: Phone configuration
          Trust Level: (1) Administrator
          Description: The administrative configuration for the Phone 1.0.

    ID 6  Name: Messages
          Trust Level: (1) Administrator, (2) Long-distance user, (3) Local call user
          Description: Messages left by callers when the Phone 1.0 has the answering machine feature enabled.

  • 36/85 Assets: Relevance

    Who uses the information? The Threat Modeling team uses the information when identifying threats. When analyzing security-critical processing, points where an asset is referenced should be scrutinized. The assets are, in essence, the targets of threats to the system. That is, a threat is what an attacker might try to do to or with an asset that would result in a violation of the system's expected security bounds.

    How is the information collected? Many assets are identified when discussing system functionality, use scenarios, and other background information. Questions to ask are: Does the system have access to any resources that an external entity would not normally have access to? What aspects of the system are critical to proper functionality?

    How is it used in the rest of the Threat Model? Assets are used during threat identification to identify an adversary's goals. Assuming that an adversary picks a protected resource as a target, what might he try to do to it?


  • 38/85 Identify Trust Levels

    Trust levels characterize either entry points or assets.

    In the case of entry points, they describe the external entity that can interface with the entry point.

    For assets, they should indicate what privilege level would normally be able to access the resource.

    The type of trust level is specific to the entry point or protected resource. For example, some trust levels may correspond to NT groups. Other trust levels may simply describe what is known about the external entity (remote anonymous user, in the case of a public web server).

  • 39/85 Identify Trust Levels

    Trust Levels that have more preconditions (such as requiring authentication) typically have a lower risk. The Trust Level table can be used to prioritize further discussion based on which categories pose the highest risk.

  • 40/85 Tool: Trust Levels Table

    Trust Levels

    ID  Name                    Description
    1   Administrator           The Phone 1.0 administrator has access to all features, and can bypass all security checks.
    2   Long-distance user      The Phone 1.0 can be configured to restrict long distance calling. The long-distance user is a phone user that is allowed to make long-distance calls.
    3   Local call user         The local call user can only place outgoing local calls.
    4   Denied user             The Phone 1.0 can be configured to not allow access to the phone without a password. The denied user is a user with no access.
    5   Anonymous remote user   The anonymous remote user represents any data or incoming calls over the PSTN.

  • 41/85 Trust Levels: Relevance

    Who uses the information? The Threat Modeling team uses trust levels to determine high-risk entry points and prioritize the discussion. The team can also use them when discussing assets. They are particularly relevant in elevation of privilege attacks.

    How is the information collected? The designers of the system should have this information readily available. It is simply an enumeration of who should and should not have access to an entry point or asset.

    How is it used in the rest of the Threat Model? Trust levels are used to prioritize discussion. They are also used when discussing mitigation and risk. For example, one could argue that a buffer overflow at an entry point that requires administrative-level privileges is not high risk because the administrator would not gain access to any assets that he or she does not already have access to. (Of course, this depends on the definition of administrator, and is system-specific.)
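    The prioritisation these slides describe, as an added example that is not part of the deck: the Phone 1.0 entry points, assets and trust levels from the tables above are encoded as data, entry points are ordered by their least-trusted caller, and each is paired with the assets that caller would not normally hold (the slide's admin-only buffer overflow comes out with an empty list). The `EntryPoint`/`Asset` names and the convention that a higher trust-level ID means fewer preconditions are assumptions.

```python
# Added example, not from the slides: the Fabrikam Phone 1.0 entry points,
# assets and trust levels from the tables above, plus the prioritisation the
# "Trust Levels: Relevance" slide describes.
# Assumption: a higher trust-level ID means fewer preconditions (the table
# runs from Administrator = 1 to Anonymous remote user = 5), so the highest
# ID that can reach an entry point is its least-trusted caller.
from dataclasses import dataclass

# Trust Levels table (slide 40).
TRUST_LEVELS = {
    1: "Administrator",
    2: "Long-distance user",
    3: "Local call user",
    4: "Denied user",
    5: "Anonymous remote user",
}


@dataclass(frozen=True)
class EntryPoint:
    id: int
    name: str
    trust_levels: frozenset  # trust-level IDs that can reach this entry point


@dataclass(frozen=True)
class Asset:
    id: int
    name: str
    trust_levels: frozenset  # trust-level IDs normally allowed to access it


LOCAL_USERS = frozenset({1, 2, 3, 4})

# Entry Points table (slide 31).
ENTRY_POINTS = [
    EntryPoint(1, "Handset", LOCAL_USERS),
    EntryPoint(2, "Keypad", LOCAL_USERS),
    EntryPoint(3, "Telephone Line", frozenset({5})),
    EntryPoint(4, "Alphanumeric Display", LOCAL_USERS),
    EntryPoint(5, "Audible Ringer", LOCAL_USERS),
    EntryPoint(6, "Remote Administration", frozenset({1})),
]

# Assets table (slide 35).
ASSETS = [
    Asset(1, "Speed-dial list", frozenset({1, 2, 3})),
    Asset(2, "Caller ID", frozenset({1, 2, 3})),
    Asset(3, "Access to the PSTN", frozenset({1, 2, 3})),
    Asset(4, "Long-distance calls", frozenset({1, 2})),
    Asset(5, "Phone configuration", frozenset({1})),
    Asset(6, "Messages", frozenset({1, 2, 3})),
]


def least_trusted(levels):
    """Trust-level ID with the fewest preconditions among those given."""
    return max(levels)


def prioritise_entry_points(entry_points=ENTRY_POINTS):
    """Entry points reachable by the least-trusted entity first; ties keep table order."""
    return sorted(entry_points, key=lambda ep: (-least_trusted(ep.trust_levels), ep.id))


def elevation_candidates(entry_point, assets=ASSETS):
    """Assets the least-trusted caller at this entry point is not normally allowed
    to access. A flaw here is an elevation-of-privilege concern; an empty list is
    the slide's admin-only case, where the caller already holds every asset."""
    caller = least_trusted(entry_point.trust_levels)
    return [a.name for a in assets if caller not in a.trust_levels]


def prioritised_report(entry_points=ENTRY_POINTS, assets=ASSETS):
    """One row per entry point, highest-risk first: who can reach it and which
    assets that caller would not otherwise have. This is the review order the
    slide suggests deriving from the Trust Level table."""
    rows = []
    for ep in prioritise_entry_points(entry_points):
        caller = least_trusted(ep.trust_levels)
        rows.append((ep.name, TRUST_LEVELS[caller], elevation_candidates(ep, assets)))
    return rows


if __name__ == "__main__":
    for name, caller, at_stake in prioritised_report():
        print(f"{name:22s} least-trusted caller: {caller:22s} assets at stake: {at_stake}")
```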


  • 8/8/2019 02 Threat Modeling

    43/85

    Copyright Microsoft Corp. 2004

Describe Processing on the Threat Path

The Threat Path is the processing that occurs based on the input to the enumerated entry points.

Follow processing from the component's entry point and determine what it does to the input data, or based on the input data.


Describe Processing on the Threat Path

While a threat path can simply be described based on a component's inputs, outputs, and processing based on the input, it can help to use a visual tool such as a Data Flow Diagram.

DFDs should start with both Context and Level 0 diagrams.

More detailed diagrams should be created to further describe security-critical processing.


Tool: Data Flow Diagram

DFD symbols:

A Process: Transforms or manipulates data.
Multiple Processes: Transforms or manipulates data.
A Data Store: A location that stores temporary or permanent data.
Boundary: A machine, physical, address space or trust boundary.
Data Flow: Depicts data flow from data stores, processes or interactors.
Interactor: Input to the system.

Diagram levels: Context, Level 0, Level 1, Level 2.

* Diagrams taken from Writing Secure Code, 2nd Edition


Tool: Data Flow Diagram

(Context diagram for the Phone 1.0.)

Process: 1 Fabrikam Phone 1.0
Interactors: Local User; PSTN
Data flows shown: Audible input via handset; Numeric keypad input; Visual display output; Ringer; Telephone conversation (three flows, between the Local User, the phone and the PSTN); DTMF input for admin interface; Admin menus/data


Tool: Data Flow Diagram

(Level 1 diagram of the Phone 1.0 administrative interface.)

Interactor: User via PSTN
Processes: 1.1 Enable password entering mode; 1.2 Read digit; 1.3 Check if buffer matches password; 1.4 Enable admin mode; 1.5 Administrative interface
Data store: Password ring buffer (stores 8 digits)
Boundaries: Interface enabled privilege boundary; Administrative privilege boundary
Data flows: User dials 9 after answering machine picks up; Password enter enable; User enters digit in password entering mode; Digit; Wait for next digit; 8-digit password; Successful completion; Admin enable; Menus, data; Selections, data


Data Flow Diagrams: Relevance

Who uses the information? DFDs can be used by security testers to get a better understanding of the system's functionality and implementation. The visual representation of the data flows allows the tester to create attack hypotheses.

How is the information collected? The designers and implementers of the system provide this information. It is often partially completed before any threat modeling meetings. During the meetings, however, the diagrams are usually expanded and more diagrams are created as the team analyzes the system.

How is it used in the rest of the Threat Model? The DFDs are used during threat identification as a way to direct threat hypotheses. They allow the threat modeling team to better understand the functionality exposed by the system, and what an attacker's goals might be.


Threat Modeling Process (overview diagram, repeated: Collect Background Information; Model the System; Determine Threats)

Determine Threats

Enumerating threats creates a threat profile for a system, describing all of the potential attacks that should be mitigated against.

Threats with valid attack paths are vulnerabilities.

The security of a system can be expressed in terms of threats with appropriate mitigation vs. total threats, taking into account the severity of the threats with insufficient mitigation (vulnerabilities).


Threat Modeling Process (overview diagram, repeated: Collect Background Information; Model the System; Determine Threats)

Enumerate Threats

Identifying threats, as the critical point in creating a usable threat model, is appropriately the most difficult step in the process.

The Threat Modeling team must take the information produced up to this point and create attack hypotheses.

The team should not limit themselves to known vulnerabilities; rather, they should consider threats regardless of known mitigation.

For a given entry point where a specific external entity interfaces with the system, what security-critical processing occurs, and what might a malicious external entity try to do to thwart that processing or otherwise use an asset outside of its expected use?


Enumerate Threats

It is important not to confuse threats with vulnerabilities. A threat is simply what an adversary might try to do to a protected resource in the system. A vulnerability is a specific way that a threat is exploitable based on an unmitigated attack path.

Threats become more specific as the process model becomes more specific.


Enumerate Threats

A key aspect to enumerating threats is understanding specifications (and whether or not they are adhered to). Protocol specifications, file format specifications, etc. can define the adversary's sandbox. While adversaries are often constrained by specifications, they can often create spec-valid data that causes corruption or other errors. As specifications become more complex, the corner cases that allow for spec-valid but malicious data increase.

Note that if the system includes a parser for a given specification, then the adversary will also try spec-invalid data to attack the parser itself.


Enumerate Threats

Threats can apply a verb to an asset (adversary does something to an asset):

Adversary captures [password data] using a sniffer.

Or, they can result in an asset:

Adversary supplies a path name that exceeds MAX_PATH, causing a buffer overflow that may result in the [ability to execute native code].

In either case, threats are verbs.


Using STRIDE

STRIDE is used to classify the effect of threats.

Spoofing. Spoofing allows an adversary to pose as another user, component, or other system that has an identity in the system being modeled.

Tampering. Tampering is the modification of data within the system to achieve a malicious goal.

Repudiation. Repudiation is the ability of an adversary to deny performing some malicious activity because the system does not have sufficient evidence to prove otherwise.

Information Disclosure. Information Disclosure is the exposure of protected data to a user that is not otherwise allowed access to that data.

Denial of Service. Denial of Service is when an adversary can prevent legitimate users from using the normal functionality of the system.

Elevation of Privilege. Elevation of Privilege is when an adversary assumes a Trust Level with different privileges.

* Some information taken from Writing Secure Code, 2nd Edition


Tool: Threats Table

Threats

Threat
ID: 1
Name: Adversary gains access to the remote administration interface resulting in access to the phone configuration.
Description: The Phone 1.0 has a remote administration interface that allows an authorized user to configure it via the PSTN. The interface is disabled by default, but can be enabled using the local keypad.
STRIDE Classification: Tampering; Information Disclosure; Denial of Service; Elevation of Privilege
Mitigated?: No
Known Mitigation: If the remote administration interface is enabled, the end user should change the default password.
Investigation Notes: (none)
Entry Points: (2) Keypad; (3) Telephone Line; (6) Remote Administration
Assets: (5) Phone configuration


Tool: Threats Table

Threats

Threat
ID: 2
Name: Adversary reads the speed dial list
Description: The speed dial list has sensitive information (names and telephone numbers).
STRIDE Classification: Information Disclosure
Mitigated?: No
Known Mitigation: Related Use Scenarios: (2) If the Phone 1.0 is installed in a location where
Investigation Notes: (none)
Entry Points: (2) Keypad; (4) Alphanumeric Display
Assets: (1) Speed-dial list


Tool: Threats Table

Threats

Threat
ID: 3
Name: Adversary makes a long distance call
Description: Access to long distance can be restricted. Often it is not desirable for arbitrary users to make long distance calls.
STRIDE Classification: Elevation of Privilege
Mitigated?: No
Known Mitigation: Related Use Scenarios: (2) If the Phone 1.0 is installed in a location where
Investigation Notes: (none)
Entry Points: (1) Handset; (2) Keypad
Assets: (4) Long distance calling


Update DFD for Threat Types

Each element in the DFD is susceptible to one or more threat types.

(DFD with elements 1.0 through 11.0, each annotated with the threat types that apply to it: three elements are marked STRIDE, six are marked TID and two are marked SR.)
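The annotation step above, as an added example that is not part of the original deck: it assigns threat types to each element of the slide 47 DFD and lists the hypotheses still missing from a threats table. The per-kind letters (processes STRIDE, data stores and data flows TID, interactors SR) and the boundary flags are assumptions made here, since the slide shows only the annotated diagram.

```python
"""STRIDE-per-element over a DFD, added here to illustrate slide 60.

Constructed example (not code from the slides): the threat letters per
element kind (processes: STRIDE, data stores and data flows: TID,
interactors: SR) and the boundary flags are assumptions.  The element list
is the Phone 1.0 administrative-interface DFD from slide 47.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Threat types each DFD element kind is susceptible to (assumed mapping).
THREATS_BY_KIND = {
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
    "interactor": "SR",
}


@dataclass(frozen=True)
class Element:
    ident: str
    name: str
    kind: str
    on_boundary: bool = False  # touches one of the two privilege boundaries


# Elements of the slide-47 DFD (boundary flags are assumptions).
PHONE_ADMIN_DFD = [
    Element("E1", "User via PSTN", "interactor"),
    Element("1.1", "Enable password entering mode", "process"),
    Element("1.2", "Read digit", "process"),
    Element("1.3", "Check if buffer matches password", "process"),
    Element("1.4", "Enable admin mode", "process", on_boundary=True),
    Element("1.5", "Administrative interface", "process", on_boundary=True),
    Element("DS1", "Password ring buffer (stores 8 digits)", "data_store"),
    Element("F1", "Digit", "data_flow"),
    Element("F2", "8-digit password", "data_flow"),
    Element("F3", "Admin enable", "data_flow", on_boundary=True),
    Element("F4", "Menus, data", "data_flow"),
]


def applicable_threats(element: Element) -> List[str]:
    """Threat types for one element, e.g. a data store -> T, I, D."""
    return [STRIDE_NAMES[letter] for letter in THREATS_BY_KIND[element.kind]]


def candidate_threats(elements: Iterable[Element]) -> List[Tuple[str, str]]:
    """Every (element id, threat type) hypothesis the team has to examine.
    Elements on a privilege boundary come first, because trust levels are
    used to prioritise the discussion (Trust Levels: Relevance slide)."""
    ordered = sorted(elements, key=lambda e: not e.on_boundary)  # stable sort
    return [(e.ident, t) for e in ordered for t in applicable_threats(e)]


def uncovered_elements(elements: Iterable[Element],
                       recorded: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Hypotheses with no Threats Table entry yet: a completeness check on the
    model.  `recorded` holds (element id, threat type) pairs already written up."""
    return [pair for pair in candidate_threats(elements) if pair not in recorded]


if __name__ == "__main__":
    done = {("1.5", "Elevation of Privilege"), ("DS1", "Information Disclosure")}
    for ident, threat in uncovered_elements(PHONE_ADMIN_DFD, done):
        print(f"{ident}: adversary attempts {threat}")
```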


Threats: Relevance

Who uses the information? Managers use threats to determine the security strengths of the system they are responsible for. Security testers use threats and their associated threat trees to test how resilient the system is to attacks. Further, threats can be used as a plan of attack for a penetration test.

How is the information collected? Persons responsible for the system's implementation and design are good sources. However, it is best to also include persons who did not work on the system during the threat modeling process. They are often able to think more critically about the system.

How is it used in the rest of the Threat Model? Threats are later analyzed to determine if there are any vulnerabilities associated with them. They provide the basis for determining the strengths and weaknesses of the system.


Threat Modeling Process (overview diagram, repeated: Collect Background Information; Model the System; Determine Threats)

Determine if Vulnerabilities Exist

A Threat that has no (or insufficient) mitigating factors results in a Vulnerability, that is, something an attacker can exploit.

For each Threat, determine if there are sufficient protections. Enumerate those that are Vulnerabilities.


Formulate Attacks

Using threat trees

Threat trees start with what an attacker might try to do to or with a protected resource (threat), and create a tree of conditions that must be met in order to obtain access to that protected resource.

Each condition can be translated to a test that can be performed programmatically or confirmed via code or design review. Conditions may or may not have mitigation, but do have DREAD ratings.

Access to one protected resource can facilitate access to others. Chaining threat trees can create more complex attacks (attack chaining).


Tool: Threat Trees

Threat Trees (also called Attack Trees: Bruce Schneier, Dr. Dobb's Journal, December 1999, "Modeling Security Threats") are used in Threat Modeling to analyze how a threat might be accomplished.

A threat tree is a hierarchical representation of conditions, with the root node being the threat.

An attack path is a route from a leaf condition to the root threat, inclusive of any "and" condition.

Threat Trees are used to determine valid attack paths for a threat. That is, any attack path that does not have a mitigating node is classified as a vulnerability.

In its most basic form, a Threat Tree consists of a single Threat, and multiple Mitigated Conditions and Unmitigated Conditions.

Tool: Threat Trees

(Threat tree diagram)

Tool: Threat Trees

In the previous Threat Tree, Mitigated Conditions are represented with white boxes, and Unmitigated Conditions are represented as orange boxes.

This example shows four possible attack paths, of which only one (the path 1.3.2 -> 1.3 -> 1) has no mitigating nodes and thus represents a valid attack or vulnerability.


Sample: Threat Mitigations

Threat #1 (I): Compromise password
    1.1 Access in-use password
        1.1.1 Sniff network
        1.1.2 Phishing attack
    1.2 Guess password
        1.2.1 Password is weak
        1.2.2 Brute force attack
    1.3 Access password in database
        1.3.1 Password is in cleartext
        1.3.2 Compromise database
            1.3.2.1 SQL injection attack
            1.3.2.2 Access database directly
                1.3.2.2.1 Port open
                1.3.2.2.2 Weak db account password(s)

Defenses shown against the leaf conditions (Application Defenses and Infrastructure Defenses rows): Encryption; Education; Store Salted Hash; Close ports to Internet; Enforce strong passwords; Enforce strong passwords; Programming Best Practice
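The attack-path rule of the Threat Trees slides, applied to the sample tree above, as an added example that is not code from the deck. The leaf-to-defence mapping is an assumption (the slide lists defences without drawing the links), 1.2.2 is deliberately left unmitigated so that one path survives, and 1.3.2.2 is modelled as an AND node, also an assumption.

```python
"""Threat-tree attack-path enumeration, added to illustrate the Formulate
Attacks and Tool: Threat Trees slides.

Constructed example, not code from the slides.  build_tree() reproduces the
"Compromise password" tree of the Sample: Threat Mitigations slide.  Which
defence mitigates which leaf is an assumption made here; 1.2.2 is left
unmitigated on purpose, and 1.3.2.2 is treated as an AND node (an open port
AND a weak account password are both needed), also an assumption.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional


@dataclass
class Node:
    ident: str
    label: str
    op: str = "OR"                    # "OR": any child suffices; "AND": all children needed
    mitigation: Optional[str] = None  # name of the mitigating defence, if any
    children: List["Node"] = field(default_factory=list)


def build_tree() -> Node:
    return Node("1", "Compromise password", children=[
        Node("1.1", "Access in-use password", children=[
            Node("1.1.1", "Sniff network", mitigation="Encryption"),
            Node("1.1.2", "Phishing attack", mitigation="Education"),
        ]),
        Node("1.2", "Guess password", children=[
            Node("1.2.1", "Password is weak", mitigation="Enforce strong passwords"),
            Node("1.2.2", "Brute force attack"),  # unmitigated (assumption)
        ]),
        Node("1.3", "Access password in database", children=[
            Node("1.3.1", "Password is in cleartext", mitigation="Store Salted Hash"),
            Node("1.3.2", "Compromise database", children=[
                Node("1.3.2.1", "SQL injection attack", mitigation="Programming Best Practice"),
                Node("1.3.2.2", "Access database directly", op="AND", children=[
                    Node("1.3.2.2.1", "Port open", mitigation="Close ports to Internet"),
                    Node("1.3.2.2.2", "Weak db account password(s)",
                         mitigation="Enforce strong passwords"),
                ]),
            ]),
        ]),
    ])


def attack_paths(node: Node) -> List[List[Node]]:
    """All attack paths ending at `node`, each listed leaf-first.
    OR: each child's paths are extended by this node.  AND: one path from
    every child is combined, since all of them must hold (an attack path is
    "inclusive of any and condition")."""
    if not node.children:
        return [[node]]
    if node.op == "OR":
        return [p + [node] for child in node.children for p in attack_paths(child)]
    combos = product(*(attack_paths(child) for child in node.children))
    return [[n for p in combo for n in p] + [node] for combo in combos]


def is_unmitigated(path: List[Node]) -> bool:
    """A path with no mitigating node anywhere on it is a vulnerability."""
    return all(n.mitigation is None for n in path)


def describe(path: List[Node]) -> str:
    return " -> ".join(n.ident for n in path)


def vulnerabilities(root: Node) -> List[str]:
    """Describe every attack path that is not blocked by a mitigating node."""
    return [describe(p) for p in attack_paths(root) if is_unmitigated(p)]


def mitigate(root: Node, ident: str, defence: str) -> bool:
    """Attach a defence to the node with the given id; False if no such node."""
    if root.ident == ident:
        root.mitigation = defence
        return True
    return any(mitigate(child, ident, defence) for child in root.children)


if __name__ == "__main__":
    tree = build_tree()
    print(f"{len(attack_paths(tree))} attack paths; vulnerable: {vulnerabilities(tree)}")
    mitigate(tree, "1.2.2", "Account lockout")  # constructed defence, not on the slide
    print(f"after mitigation: {vulnerabilities(tree)}")
```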


Using DREAD

DREAD is a method of characterizing the risk associated with a vulnerability. It is an acronym for the following categories, and is calculated as an average of values assigned to each of:

Damage Potential. Damage Potential ranks the extent of the damage that occurs if a vulnerability is exploited.

Reproducibility. Reproducibility ranks how often an attempt at exploiting a vulnerability works.

Exploitability. Exploitability assigns a number to the effort required to exploit the vulnerability, and also considers preconditions (such as whether the user must be authenticated).

Affected Users. Affected Users is a numeric value characterizing the ratio of installed instances of the system that would be affected if an exploit became widely available.

Discoverability. Discoverability is the likelihood that, if the vulnerability were to go unpatched, it would be found by external security researchers, hackers, etc.

* Some information taken from Writing Secure Code, 2nd Edition


Tool: Vulnerabilities Table

Vulnerabilities

Vulnerability
ID: 1
Name: A user gains access to the administration interface.
Description: If the default password is left unchanged, and the remote administration interface is enabled, then remote anonymous users can easily obtain access to the interface.
STRIDE Classification: Tampering; Information Disclosure; Denial of Service; Elevation of Privilege
DREAD Rating: 7.6 (D: 10, R: 10, E: 8, A: 2, D: 8)
Corresponding Threat: 1 (Adversary gains access to the remote administration interface resulting in access to the phone configuration.)


Tool: Vulnerabilities Table

Vulnerabilities

Vulnerability
ID: 2
Name: A user takes advantage of the password ring buffer
Description: If a user takes advantage of the fact that the password for the admin interface is a ring buffer, the attack could take significantly less than 10^8 attempts
STRIDE Classification: Tampering; Information Disclosure; Denial of Service; Elevation of Privilege
DREAD Rating: 3.8 (D: 10, R: 5, E: 1, A: 2, D: 1)
Corresponding Threat: 1 (Adversary gains access to the remote administration interface resulting in access to the phone configuration.)
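Why the ring buffer of the slide 47 DFD yields vulnerability #2, shown as an added example that is not code from the deck: the phone's real logic is not on the slides, so a ring-buffer checker and a mitigated fixed-window checker are constructed here, and the sample password, digit streams and lockout threshold are made up.

```python
"""Password ring buffer vs. fixed-window check for the Phone 1.0
administrative interface (DFD slide and Vulnerabilities Table entry #2).

Added example, not code from the slides: both checkers are constructed to
show why the ring buffer weakens the password and what a mitigated design
looks like.  The password, digit streams and lockout threshold are made up.
"""
import hmac
from collections import deque

PASSWORD_LEN = 8


class RingBufferChecker:
    """The DFD's design: each digit is pushed into an 8-digit ring buffer and
    the buffer is compared with the password after every push.  Once the
    buffer is full, every further digit tests a new 8-digit candidate, and a
    wrong digit is never counted as a failed attempt."""

    def __init__(self, password: str):
        self.password = password
        self.buffer = deque(maxlen=PASSWORD_LEN)
        self.comparisons = 0
        self.admin_enabled = False

    def digit(self, d: str) -> bool:
        self.buffer.append(d)
        if len(self.buffer) == PASSWORD_LEN:
            self.comparisons += 1
            if hmac.compare_digest("".join(self.buffer), self.password):
                self.admin_enabled = True
        return self.admin_enabled


class FixedWindowChecker:
    """Mitigated design (constructed): digits form an explicit 8-digit attempt
    that is compared once and then cleared, and repeated failures lock the
    interface, so each candidate costs a full attempt and attempts are bounded."""

    def __init__(self, password: str, max_failures: int = 3):
        self.password = password
        self.max_failures = max_failures
        self.attempt = []
        self.comparisons = 0
        self.failures = 0
        self.locked = False
        self.admin_enabled = False

    def digit(self, d: str) -> bool:
        if self.locked:
            return False
        self.attempt.append(d)
        if len(self.attempt) < PASSWORD_LEN:
            return self.admin_enabled
        self.comparisons += 1
        matched = hmac.compare_digest("".join(self.attempt), self.password)
        self.attempt.clear()
        if matched:
            self.admin_enabled = True
        else:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return self.admin_enabled


def feed(checker, stream: str):
    """Push every digit of `stream` through `checker` and return the checker."""
    for d in stream:
        checker.digit(d)
    return checker


def candidates_tested(checker_cls, stream: str, password: str = "24680135") -> int:
    """How many 8-digit candidates one stream of digits tests against the
    password under a given design (the default password is a made-up sample)."""
    return feed(checker_cls(password), stream).comparisons


if __name__ == "__main__":
    stream = "0123456789" * 4  # 40 digits, none of which form the sample password
    print("ring buffer:", candidates_tested(RingBufferChecker, stream))   # 33
    print("fixed window:", candidates_tested(FixedWindowChecker, stream))  # 3, then locked
```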


Applying Risk

(Diagram: a Threat at the root of a tree of Conditions. The DREAD categories are grouped into two axes: Damage potential and Affected Users form "Damage"; Reproducibility, Exploitability and Discoverability form "Chance".)
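The DREAD average from the Using DREAD slide and the Damage/Chance grouping above, computed for the two Vulnerabilities Table entries, as an added example that is not code from the deck. The 1 to 10 range check and the ranking helper are assumptions of this example.

```python
"""DREAD rating for the Vulnerabilities Table (Using DREAD, Tool:
Vulnerabilities Table and Applying Risk slides).

Added example, not code from the slides: the average-of-five formula is the
slides' own, the Damage/Chance grouping follows the Applying Risk diagram,
and the 1-10 range check and the ranking helper are constructed here.
"""
from dataclasses import dataclass, fields
from typing import Dict, List


@dataclass(frozen=True)
class Dread:
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for f in fields(self):
            value = getattr(self, f.name)
            if not 1 <= value <= 10:  # 1-10 scale is an assumption of this example
                raise ValueError(f"{f.name} must be between 1 and 10, got {value}")

    def rating(self) -> float:
        """Overall DREAD rating: the average of the five values."""
        return round(sum(getattr(self, f.name) for f in fields(self)) / 5, 1)

    def damage(self) -> float:
        """'Damage' axis of the Applying Risk slide: Damage Potential, Affected Users."""
        return round((self.damage_potential + self.affected_users) / 2, 1)

    def chance(self) -> float:
        """'Chance' axis: Reproducibility, Exploitability, Discoverability."""
        return round((self.reproducibility + self.exploitability + self.discoverability) / 3, 1)

    def label(self) -> str:
        """The notation used in the Vulnerabilities Table, e.g. '7.6 (D: 10, ...)'."""
        return (f"{self.rating()} (D: {self.damage_potential}, R: {self.reproducibility}, "
                f"E: {self.exploitability}, A: {self.affected_users}, D: {self.discoverability})")


# The two Vulnerabilities Table entries of the deck, keyed by their table ID.
PHONE_VULNERABILITIES: Dict[int, Dread] = {
    1: Dread(damage_potential=10, reproducibility=10, exploitability=8,
             affected_users=2, discoverability=8),
    2: Dread(damage_potential=10, reproducibility=5, exploitability=1,
             affected_users=2, discoverability=1),
}


def ranked(vulns: Dict[int, Dread]) -> List[int]:
    """Vulnerability IDs ordered from highest to lowest DREAD rating."""
    return sorted(vulns, key=lambda k: vulns[k].rating(), reverse=True)


if __name__ == "__main__":
    for vid in ranked(PHONE_VULNERABILITIES):
        d = PHONE_VULNERABILITIES[vid]
        print(f"#{vid}: {d.label()}  damage={d.damage()} chance={d.chance()}")
```

Both entries score the same on the Damage axis; the whole difference between 7.6 and 3.8 sits on the Chance axis.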


Vulnerabilities: Relevance

Who uses the information? Vulnerabilities are entered as bugs for the system. Designers and implementers must fix or mitigate these bugs. Security testers can use vulnerabilities to look for similar problems, or create regression tests.

How is the information collected? Vulnerabilities are collected by analyzing the enumerated threats, and determining which threats have insufficient mitigation. This can be done using threat trees or other techniques.

How is it used in the rest of the Threat Model? Vulnerabilities are an output of the threat modeling process.


Knowing when you are done

A complete model is one that explores all entry points.

The model should also consider external dependencies (i.e., are you dependent on file system normalization matching your internal normalization?).

Threat models should include participation and review by persons not familiar with the components.


Knowing when you are done

If the component is not yet implemented, an update to the threat model should be done post-implementation.

Finally, models are done when there are no more threats left that require further investigation. It does not depend on the number of vulnerabilities found.


Conclusion

Analyzing the security of an application is not simply about finding security bugs.

Methodologies for analyzing the security in an application are only recently appearing.

Threat Modeling takes into account all types of attacks against the system.

While this sounds like an extensive amount of work and that it would be easier to just look for vulnerabilities, such an approach would not only be incomplete, but would not be able to characterize the security strengths of a system.


Additional Resources

http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en


Questions?

Definitions

System: Anything that exposes functionality to an end user. It can describe anything from a single feature to a web application and its supporting infrastructure.

Entry Point: A location where an external entity interfaces with the component and component processing begins. Examples include any accessible API, or a socket endpoint.


Asset: Those things, both concrete and abstract, that could be targets of an attack by an adversary.

Trust Level: A classification for an external entity that interfaces to a component or supplies it with data. It describes the characteristics of that entity that are relevant to security processing, such as credentials and assumptions.


Threat Path: A data or processing flow that starts at an Entry Point. Threat Paths diagram the critical processing that an external entity can cause to execute. Threat Paths also contain security-specific information, such as process and trust boundaries.

Threat: What a malicious external entity bound to a specific Access Category might try to do to attack the processing along a threat path. A Threat does not constitute a Vulnerability.


Effect Classification: Categorization of the result of an adversary realizing a Threat. Example: STRIDE.

Vulnerability: A weakness in a system that can be exploited by an external entity. A Vulnerability exists when there is a Threat that goes unmitigated.


Attack Path: In a threat tree, an attack path is a path from a leaf condition to the root threat, inclusive of any and-ed conditions.

Threat Profile: An enumeration of all potential threats to a system, regardless of whether that system is vulnerable to them.
