ISOL 536 Security Architecture and Design
Threat Modeling, Session 3: “What Can Go Wrong?”

Agenda
• STRIDE (in depth!)
• Reading: Chapter 3

Approach
• “What can go wrong” & “what to do about it” are often (and reasonably) tied together in practice
• This course splits them because they are distinct questions & skills
• Slide diagram – Security mavens: STRIDE, Trees, Libraries; Experts in other areas: STRIDE

STRIDE Agenda
• Recap: A mnemonic for finding threats
• Details as examples
• Variants

STRIDE (review)

| Threat | Property Violated | Definition | Example |
|---|---|---|---|
| Spoofing | Authentication | Impersonating something or someone else. | Pretending to be any of Bill Gates, Paypal.com or ntdll.dll |
| Tampering | Integrity | Modifying data or code | Modifying a DLL on disk or DVD, or a packet as it traverses the network |
| Repudiation | Non-repudiation | Claiming to have not performed an action. | “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!” |
| Information Disclosure | Confidentiality | Exposing information to someone not authorized to see it | Allowing someone to read the Windows source code; publishing a list of customers to a web site. |
| Denial of Service | Availability | Deny or degrade service to users | Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole. |
| Elevation of Privilege | Authorization | Gain capabilities without proper authorization | Allowing a remote Internet user to run commands is the classic example, but going from a limited user to admin is also EoP. |
Spoofing
(Photo by Lego Envy, http://www.eurobricks.com/forum/index.php?showtopic=64532)

Spoofing On the Local Machine

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Spoofing a process | Creates a file before the real process | Then your process relies on it |
| | Abuses names | Create a version of “sudo” and alter PATH |
| Spoofing a filename | Creates a file in the local directory | Library, executable or config file |
| | Creates a link, changes it | Also called ‘race condition’ or TOCTOU |
| | Creates many files in a target directory | Code can easily create all possible /tmp/foo.random |

Spoofing Over a Network

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Spoofing a machine | ARP spoofing | |
| | IP spoofing | |
| | DNS spoofing | |
| | DNS compromise | Can be at the TLD, registrar or DNS server |
| | IP redirection | |
| Spoofing a person | Take over account | “Stranded in London” |
| | Set the display name | |
| Spoofing a role | Declares themselves to be that role | Sometimes opening a special account, setting up a domain/website, other “verifiers” |

Tampering
(Photo: http://pinlac.com/LegoDSTractorBeam.html)

Tampering with a File

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Modifying a file… | … which you own and you rely on | |
| | … which they own and you rely on | |
| Modifying a file on a server… | … you own | |
| | … they own (or take over) | |
| | Modifies links or redirects | Redirects are super common on the web, and often rot away |

Tampering with Memory

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Modifying code | Changes your code to suit themselves | Hard to defend against if the attacker is running code inside the trust boundaries |
| Modifying data they’ve supplied | Supplies data to a pass-by-reference API, then changes it | Works because of TOCTOU issues |
| | Supplies data into a shared memory segment, then changes it | |

Tampering with a Network

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Redirects the flow of data to their machine | Uses an attack at some network layer to redirect traffic | Pakistan/YouTube |
| Modifies data flowing over the network | | Easier (and more fun) with wireless networks |
| | Uses network tampering to improve spoofing attacks | |

Repudiation
(Photo by Seb H, http://www.flickr.com/photos/88048956@N04/8531040850/)

Repudiation

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Repudiating an action | Claims to have not clicked | Maybe they did, maybe they didn’t, maybe they’re honestly confused |
| | Claims to not have received | 1. Electronic or physical. 2. Receipt is strange; does a client downloading email mean you’ve seen it? Did a network proxy prefetch images? Was a package left on a porch? |
| | Claims to be a fraud victim | Uses someone else’s account |

Repudiation Attacks on Logs

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| | Discovers there are no logs | |
| | Modifies data flowing over the network | |
| | Puts data in the logs to confuse you | |

Information Disclosure
(Photo by Simon Liu, http://www.flickr.com/photos/simocs/6999508124/)

Information Disclosure (and impact)

Information Disclosure (Processes)

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Extracts user data | Exploits bugs like SQL injection to read db tables | Can find this by looking at data stores, but here the issue is the process returning data it shouldn’t |
| | Reads error messages | |
| Extracts machine secrets | Reads error messages | Cannot connect to database ‘foo’ as user ‘sql’ with password ‘&IO*(^&’ |
| | Exploits bugs | “Heartbleed” |

Information Disclosure (Data Stores)

| Sub-category | What the Attacker Does |
|---|---|
| Permissions | Take advantage of missing or inappropriate ACLs |
| | Take advantage of bad database permissions |
| | Find files protected by obscurity |
| Security | Find crypto keys on disk or in memory |
| | Get data from logs/temp files |
| | Get data from swap files |
| | See interesting information in filenames/directory names |
| Network | See data traversing a network |
| Misc | Obtain device, boot in new OS |

Information Disclosure (Data Flow)

| Sub-category | What the Attacker Does |
|---|---|
| Network | Read data on a network |
| | Redirects traffic to enable reading data on the network |
| Metadata | Learns secrets by analyzing traffic |
| | Learns who talks to whom by watching the DNS |
| | Learns who talks to whom by analyzing social network information |

Denial of Service
(Model by Nathan Sawaya, http://brickartist.com/gallery/han-solo-in-carbonite/)

Denial of Service

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| Against a process | Absorb memory (RAM or disk) | |
| | Absorb CPU | |
| | Uses a process as an amplifier | |
| Against business logic | “Too many login attempts” | |
| Against a data store | Fills the data store | |
| | Makes enough requests to slow the system | |
| Against a data flow | Consumes network resources | Can be temporary or persistent |

Elevation of Privilege
(Photo: http://www.flickr.com/photos/prodiffusion/)

Elevation of Privilege (“EoP”)

| Threat Example | What the Attacker Does | Notes/Examples |
|---|---|---|
| EoP against process via corruption | Sends inputs the code doesn’t handle properly | Very common, usually high impact |
| | Gains read/write access to memory | Writing memory is more obviously bad |
| EoP via misused authorization checks | | |
| EoP via buggy authorization checks | | Centralizing checking makes consistency and correctness easier |
| EoP via data tampering | Modify bits on disk | |

STRIDE Variants
• Ways to focus on likely threats
  – STRIDE per element
  – STRIDE per interaction
• Elevation of Privilege game
  – Training, structure and execution
• DESIST
  – Dispute
  – Elevation of Privilege
  – Spoofing
  – Information Disclosure
  – Service Denial
  – Tampering

STRIDE per Element

| | Spoofing | Tamper. | Rep. | Info.Disc. | DoS | EoP |
|---|---|---|---|---|---|---|
| Process | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data Store | | ✓ | ✓ | ✓ | ✓ | |
| Dataflow | | ✓ | | ✓ | ✓ | |
| External Entity | ✓ | | ✓ | | | |

This is Microsoft’s chart; it may not be the issues you need to worry about (privacy)

Next up …
• Attack trees (chapter 4)
• Attack libraries (chapter 5)
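The “Spoofing a filename” rows (a file or link planted at a name your process will use later, the TOCTOU race, pre-creating every possible /tmp/foo.random) all exploit the same coding habit: opening a predictable path with a plain open() call. The example below is added here and is not part of the slides or the book; it contrasts that habit with a create-only open (O_CREAT|O_EXCL|O_NOFOLLOW) and with a library-chosen random name, in a scratch directory with a constructed planted file and planted link. The function names and the scenario are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def insecure_write(path: str, data: bytes) -> None:
    """The pattern the slide warns about: a predictable name opened with
    plain open(), which reuses whatever already sits at that name and
    follows a link planted there."""
    with open(path, "wb") as f:
        f.write(data)


def hardened_create(path: str, data: bytes) -> None:
    """Create-only open. O_EXCL makes creation atomic and fails with EEXIST
    if anything (file or link) already has this name; O_NOFOLLOW refuses to
    follow a symlink in the final component; mode 0o600 keeps it private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def unpredictable_create(directory: str, data: bytes) -> str:
    """Let the library choose a random name and create it atomically, so an
    attacker cannot pre-create 'all possible /tmp/foo.random' in advance."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="foo.")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo_race(directory: Optional[str] = None) -> dict:
    """Constructed scenario: something has already been planted at the
    predictable name before our code runs. Reports what each writer did."""
    if directory is None:
        directory = tempfile.mkdtemp()
    results = {}

    # Case 1: a plain file planted at the predictable name.
    planted = Path(directory, "foo.tmp")
    planted.write_bytes(b"planted")
    insecure_write(str(planted), b"ours")
    results["insecure_overwrote_planted"] = planted.read_bytes() == b"ours"
    try:
        hardened_create(str(planted), b"ours")
        results["hardened_refused"] = False
    except FileExistsError:
        results["hardened_refused"] = True

    # Case 2: a link planted at the predictable name, pointing at a file we
    # never meant to touch (the link-swap / TOCTOU row of the slide).
    victim = Path(directory, "victim.conf")
    victim.write_bytes(b"original")
    link = Path(directory, "foo2.tmp")
    try:
        os.symlink(victim, link)
        results["symlink_supported"] = True
    except (OSError, NotImplementedError):
        results["symlink_supported"] = False
    if results["symlink_supported"]:
        insecure_write(str(link), b"clobbered")
        results["insecure_followed_link"] = victim.read_bytes() == b"clobbered"
        try:
            hardened_create(str(link), b"ours")
            results["hardened_refused_link"] = False
        except FileExistsError:  # O_EXCL reports EEXIST for a link too
            results["hardened_refused_link"] = True

    # Case 3: random name, atomic create, private mode.
    rnd = unpredictable_create(directory, b"ours")
    results["random_name_private"] = (
        os.path.basename(rnd).startswith("foo.")
        and (os.name != "posix" or (os.stat(rnd).st_mode & 0o777) == 0o600)
    )
    return results


if __name__ == "__main__":
    for key, value in demo_race().items():
        print(f"{key}: {value}")
```

The point to take from the three cases: the fix is not a check before the open (that is exactly the window the race uses) but an open that refuses to succeed unless it created the file itself, combined with a name the attacker cannot guess.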
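The EoP table’s note that “centralizing checking makes consistency and correctness easier” is easiest to see side by side. The example below is added here and is not code from the slides or the book: it models a tiny file service under a constructed role policy, once with an authorization check written into each handler (one of which forgot it, the “buggy authorization check” row) and once with a single dispatcher that decides before any handler runs. The actions, roles and function names are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # constructed roles: "user" or "admin"


# One policy table (constructed): which roles may perform which action.
POLICY: Dict[str, Set[str]] = {
    "read_file": {"user", "admin"},
    "write_file": {"user", "admin"},
    "delete_file": {"admin"},
}


def is_allowed(principal: Principal, action: str) -> bool:
    """Default deny: an action missing from the table is never allowed."""
    return principal.role in POLICY.get(action, set())


# --- Scattered design: every handler must remember to call is_allowed(). ---

def scattered_read(p: Principal, path: str) -> str:
    if not is_allowed(p, "read_file"):
        raise PermissionError(f"{p.name} may not read_file")
    return f"read {path}"


def scattered_delete(p: Principal, path: str) -> str:
    # The check was forgotten here, so any caller can delete: the
    # "EoP via buggy authorization checks" row of the slide.
    return f"deleted {path}"


# --- Centralized design: handlers contain no authorization logic at all. ---

def _read(p: Principal, path: str) -> str:
    return f"read {path}"


def _write(p: Principal, path: str) -> str:
    return f"wrote {path}"


def _delete(p: Principal, path: str) -> str:
    return f"deleted {path}"


HANDLERS: Dict[str, Callable[[Principal, str], str]] = {
    "read_file": _read,
    "write_file": _write,
    "delete_file": _delete,
}

# Every decision is recorded, which also serves the repudiation slides.
DECISION_LOG: List[Tuple[str, str, bool]] = []


def dispatch(principal: Principal, action: str, path: str) -> str:
    """The one place where authorization happens. Handlers are only
    reachable through here, so a check cannot be forgotten per handler."""
    allowed = action in HANDLERS and is_allowed(principal, action)
    DECISION_LOG.append((principal.name, action, allowed))
    if not allowed:
        raise PermissionError(f"{principal.name} ({principal.role}) may not {action}")
    return HANDLERS[action](principal, path)


def compare(principal: Principal, path: str) -> Dict[str, bool]:
    """Run a delete through both designs; report whether each refused it."""
    out = {}
    try:
        scattered_delete(principal, path)
        out["scattered_refused"] = False
    except PermissionError:
        out["scattered_refused"] = True
    try:
        dispatch(principal, "delete_file", path)
        out["central_refused"] = False
    except PermissionError:
        out["central_refused"] = True
    return out


if __name__ == "__main__":
    print(compare(Principal("alice", "user"), "report.txt"))
    print(compare(Principal("root", "admin"), "report.txt"))
```

With the scattered design the security of the system is the conjunction of every handler author remembering the same check; with the dispatcher there is one check to review, one policy table to audit, and one log of decisions.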
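The STRIDE-per-element chart is a lookup that is applied to every element of a data flow diagram, and doing that by hand is where elements get skipped. The example below is added here and is not from the slides or the book: it encodes Microsoft’s chart as shown on the slide, applies it to a constructed four-element DFD for a web application, and emits a numbered “what can go wrong” worksheet ready for the “what to do about it” column. The element names, the kind identifiers and the worksheet format are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List

# The six STRIDE categories, keyed by letter, as in the review table.
STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Microsoft's STRIDE-per-element chart from the slide: which categories
# apply to which kind of DFD element.
PER_ELEMENT: Dict[str, str] = {
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
    "external_entity": "SR",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of PER_ELEMENT's keys


def threats_for(element: Element) -> List[str]:
    """Return the STRIDE categories the chart marks for one DFD element.
    Unknown kinds are an error rather than silently threat-free."""
    try:
        letters = PER_ELEMENT[element.kind]
    except KeyError:
        raise ValueError(f"unknown element kind {element.kind!r}") from None
    return [STRIDE[c] for c in letters]


def enumerate_model(elements: List[Element]) -> Dict[str, List[str]]:
    """One entry per element, listing the threats to go looking for."""
    return {e.name: threats_for(e) for e in elements}


def worksheet(elements: List[Element]) -> List[str]:
    """Flatten the model into numbered threat lines, one per
    (element, category) pair, so nothing in the chart is skipped."""
    rows: List[str] = []
    for e in elements:
        for t in threats_for(e):
            kind = e.kind.replace("_", " ")
            rows.append(f"T{len(rows) + 1:03d}: {t} against {kind} '{e.name}'")
    return rows


# Constructed four-element DFD for a web application.
SAMPLE_MODEL: List[Element] = [
    Element("Browser", "external_entity"),
    Element("HTTP request", "data_flow"),
    Element("Web app", "process"),
    Element("User DB", "data_store"),
]


if __name__ == "__main__":
    for line in worksheet(SAMPLE_MODEL):
        print(line)
```

The worksheet deliberately produces a row for every marked cell, including ones that turn out not to apply; the slide’s caveat that “it may not be the issues you need to worry about” is handled by striking rows out with a reason, not by leaving cells unexamined.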