Threat modeling. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Transcription

1 Threat modeling Tuomas Aura T Information security technology Aalto University, autumn 2011

2 Threats Threat = something bad that can happen Given an system or product what are the threats against it? how serious are the threats i.e. what is the risk? 2

3 Threat modeling approaches Different angles to threat modeling: Checklists: what have we learned from the past? Engineering: what parts are there in the system and how could they be caused to fail? Attackers and their motivations: who would want to do something bad and why? Assets: where is the value in the system and how could it be lost? Defenses: what could still be done to prevent or mitigate attacks? 3

4 Basic security goals Consider first the well-known security goals: Confidentiality Integrity Availability Authentication Authorization Non-repudiation Which goals apply to the system? How could they be violated? 4

5 STRIDE STRIDE model used at Microsoft: Spoofing vs. authentication Tampering vs. integrity Repudiation vs. non-repudiation Information disclosure vs. confidentiality Denial of service vs. availability Elevation of privilege vs. authorization Idea: divide the system into components and analyze each component for these threats Note: security of components is necessary but not sufficient for the security of the system 5

6 STRIDE Model the system as a data flow diagram (DFD) Data flows: network connections, RPC Data stores: files, databases Processes: programs, services Interactors: users, clients, services etc. connected to the system Also mark the trust boundaries in the DFD Consider the following threats: Spoofing Tampering Repudiation Information disclosure Denial of service Data flow x x x Data store x x x Elevation of privilege Process x x x x x x Interactor x x 6

7 7

8 Threat trees [Microsoft] 8

9 Risk assessment Risk assessment is very subjective Risk = probability of attack damage in euros 0 < Risk < 1 Risk = low / medium / high Numerical risk values tend to be meaningless: What does risk level 0.4 mean in practice? Usually difficult to assess absolute risk but easier to prioritize threats Risk assessment models, e.g. DREAD Damage: how much does the attack cost to defender? Reproducibility: how reliable is the attack Exploitability: how much work to implement the attack? Affected users: how many people impacted? Discoverability: how likely are the attackers to discover the vulnerability? 9

10 Saltzer and Schroeder Saltzer and Schroeder design principles [CACM 1974]: Economy of mechanism: keep the design simple Fail-safe defaults: fail towards denying access Complete mediation: check authorization of every access request Open design: assume attacker knows the system internals Separation of privilege: require two separate keys or checks whenever possible Least privilege: give only the necessary access rights Least common mechanisms: ensure failures stay local Psychological acceptability: design security mechanism that are easy to use correctly Violations of these principles usually indicate vulnerabilities 10

11 Security pixie dust Security mechanism are often applied without particular reason Cryptography, especially encryption If there is no explanation why some security mechanism is used, ask questions: What threats does it protect against? What if we just remove it? Is there something simpler or more suitable for the purpose? 11

12 Case studies GPS-based road tolls Public transportation tickets Library card with bar code 12

13 GPS-based road toll: system 13

14 Data-flow diagram, STRIDE 14

15 Threats 1 15

16 Threats 2 16

17 What next? After identifying threats, we should assess the risk, prioritize the threats and choose countermeasures The process is iterative i.e. new analysis should be done after designing the system with countermeasures More detailed threat models can be done for each system component Threat analysis should be done during system design but can also be done on exisiting systems 17

18 Reading material Dieter Gollmann: Computer Security, 2nd ed., chapter Ross Anderson: Security Engineering, 2nd ed., chapter 25 Online resources: OWASP, Threat Risk Modeling, MSDN, Uncover Security Design Flaws Using The STRIDE Approach, MSDN, Improving Web Application Security: Threats and Countermeasures, Chapter

19 Exercises Analyze the threats in the following systems: Oodi student register, Noppa Remote read electric meter University card keys Traffic light priority control for public transportation Lyyra student card, (based on Sony FeliCa contactless ICC) Apply the STRIDE model or threat trees 19