Threat Modeling
James Walden
Topics
1. Threat Generation.
2. Data Flow Diagrams.
3. Attack Trees.
4. Risk Modeling.
5. Threat Modeling Exercise.
Requirements
Actors: People (roles) who interact with the system.
Assets: Specific pieces of data an attacker wants.
Actions: What Actors do to Assets. Ex: Create, Read, Update, Delete.
Trike [7]: Actors
Trike [7]: Actor-Asset-Action Matrix
Rules
Rules apply to each Action and limit the circumstances in which the Action can occur. A rule is a Boolean tree of conditionals.
Actors are represented as a rule: "User is in Role".
Trike [7]: Part of Rules Tree
Threat Generation
Use the Actor-Asset-Action matrix. Two types of threats are derived from the Rules:
Denial of Service: Actor prevented from performing allowed Action.
Elevation of Privilege: Actor performs an action which is prohibited by matrix.
Data Flow Diagrams
Visual model of system data flow.
Rectangles: External actors. Circles: Processes. Double Lines: Data stores. Lines: Data flows. Dotted Lines: Trust boundaries.
Hierarchical decomposition: decompose until no single process crosses a trust boundary.
Trike [3] Example: Data Flow Context Diagram
[Diagram: external actors Anonymous, User and Administrator interacting with the Blog system.]
Trike [3] Example: Data Flow Diagram Level 0
[Diagram: external actors Anonymous, User and Administrator; process Web Server (Apache 2.0.54 on OpenBSD 3.7 with mod_lisp and CMUCL); data stores Database (PostgreSQL 8.0.3 on OpenBSD 3.7), Logs (flat text file on OpenBSD 3.7) and Local Filesystem; data flows HTTP/HTTPS over public internet with form logins, and ODBC over SSL on switched 100bT with user/pass login; trust boundaries Firewall and Machine Boundary.]
Trike [3] Example: Data Flow Diagram Level 1
[Diagram: external actors Anonymous, User and Administrator; processes Content viewer, Account Creation, Login, Admin and Content Creation; data stores User Database and Logs; data flows marked SSL Only; trust boundaries Firewall and Machine Boundary; process privileges annotated as Module with log & account creation privs, Module with password hash access, Module with DB write access, and Module with log & DB admin privs.]
Attack Trees
Root node is a threat. Subnodes are attacks that realize the threat. Attacks may be re-used in other trees.
Hierarchical decomposition: decompose until it can be determined whether the risk is acceptable or not.
Trike [7] Attack Tree Example
Attack Graph
Encompasses all attacks against the system: a set of interlinked attack trees.
Auto-generation: produces a high-level attack skeleton.
Attack libraries: many sub-trees re-appear, attached to tagged technologies in the DFD.
Security expertise is needed to complete the full tree.
Risk Modeling
1. Business assigns values ($) to Assets.
2. Rate Actions on each Asset on a 1-5 relative scale, with 5 being worst. Ranked twice: once for denial, once for elevation.
3. Assign each Actor a risk level 1-5.
Risk = Value of Asset * Action risk.
Trike [7] Threat Risk Grid
Threat Modeling Process
1. Preparation: develop requirements, DFDs.
2. Brainstorming: brainstorm possible threats.
3. Drafting.
4. Review.
5. Verification: QA team develops tests.
6. Closure.
Exercise: Online news site.
Actors: Authors, Editors, Readers.
Data Stores: Database (articles, comments, users), Logs.
Processes: Web server.
Exercise: Rules
Authors can submit Articles for publish.
Editors can publish Articles.
Editors can C, R, U, D Articles, Comments.
Readers can read Articles, Comments.
Readers can C, R, U, D their own Comments to Articles.
Anonymous can create Reader accounts.
Editors can C, R, U, D accounts.
Exercise: Deliverables
Actor-Asset-Action Matrix. Rules Tree. DFDs. Attack Tree. Risk Model.
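As an added worked example (not part of the original slides or the Trike tool), the following script encodes the exercise's rules as a Trike-style Actor-Asset-Action matrix, generates the denial and elevation threats the Threat Generation slide describes, and scores them with the Risk = Value of Asset * Action risk formula from the Risk Modeling slide. The dollar values, 1-5 ratings and rule labels ("owner", "reader role only") are constructed assumptions for illustration.

```python
"""Trike-style threat generation and risk scoring for the online news site
exercise (added example). Matrix cells follow the exercise rules; the dollar
values and 1-5 ratings are constructed sample figures, not from the slides."""
from collections import namedtuple
ACTIONS = ("C", "R", "U", "D")
ACTORS = ("Anonymous", "Reader", "Author", "Editor")
ASSETS = ("Article", "Comment", "Account")
# Actor-Asset-Action matrix: each allowed cell maps to the rule permitting it
# ("always" = unconditional, otherwise the condition from the rules tree).
MATRIX = {
    ("Editor", "Article"): dict.fromkeys(ACTIONS, "always"),
    ("Editor", "Comment"): dict.fromkeys(ACTIONS, "always"),
    ("Editor", "Account"): dict.fromkeys(ACTIONS, "always"),
    ("Author", "Article"): {"C": "always"},  # submit for publish
    ("Reader", "Article"): {"R": "always"},
    ("Reader", "Comment"): {"C": "always", "R": "always",
                            "U": "owner", "D": "owner"},
    ("Anonymous", "Account"): {"C": "reader role only"},
}
Threat = namedtuple("Threat", "kind actor asset action")  # kind: denial|elevation

def allowed(actor, asset, action):
    """Return the permitting rule, or None if the matrix prohibits the cell."""
    return MATRIX.get((actor, asset), {}).get(action)

def generate_threats():
    """Allowed cell -> denial-of-service threat (actor blocked from an allowed
    action); prohibited cell -> elevation-of-privilege threat."""
    return [Threat("denial" if allowed(actor, asset, act) else "elevation",
                   actor, asset, act)
            for actor in ACTORS for asset in ASSETS for act in ACTIONS]

# Constructed sample figures: asset values in dollars and 1-5 action ratings,
# rated separately for denial and elevation (5 = worst).
ASSET_VALUE = {"Article": 5000, "Comment": 500, "Account": 20000}
ACTION_RATING = {"denial": {"C": 2, "R": 4, "U": 2, "D": 3},
                 "elevation": {"C": 3, "R": 2, "U": 4, "D": 5}}

def risk(threat):
    """Risk = value of asset * action risk, the slides' formula."""
    return ASSET_VALUE[threat.asset] * ACTION_RATING[threat.kind][threat.action]

def risk_grid():
    """Threats ordered from highest to lowest risk, as a threat risk grid."""
    return sorted(generate_threats(), key=risk, reverse=True)

if __name__ == "__main__":
    for t in risk_grid()[:5]:
        print(f"{risk(t):>6}  {t.kind:<9} {t.actor:<9} {t.action} {t.asset}")
```

Running the script prints the five highest-risk cells; with these sample figures, prohibited deletion of Accounts ranks first.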
References
1. Ben Hickman, "Application Security and Threat Modeling," http://cpd.ogi.edu/seminars04/hickmanthreatmodeling.pdf, 2004.
2. Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
3. Paul Saitta, Brenda Larcom, and Michael Eddington, “Trike v.1 Methodology Document [draft],” http://dymaxion.org/trike/, 2005.
4. Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004.
5. Peter Torr, “Demystifying the Threat-Modeling Process,” IEEE Security & Privacy, Oct/Nov 2005.
6. Peter Torr, “Guerilla Threat Modeling,” http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx, 2005.
7. Trike Threat Modeling Tool, http://www.octotrike.org/, 2005.