Threat Modeling / Security Testing

Presented by: Tarun Banga
Sr. Manager Quality Engineering, Adobe
Quality Leader (India)
Adobe Systems India Pvt. Ltd.

Agenda
- Security Principles
- Why Security Testing
- Security Testing Fundamentals
- Different Stages of Security Testing
- Threat Modeling
- Security Testing
- Security Code Review
- Summary
- Q/A?

Tarun Banga, Adobe

Security Principles
If you do not perform security testing for your application, someone else not working for your company will.
- The defender must defend all points; the attacker can choose the weakest point
- The defender can defend only against known attacks; the attackers can probe for unknown vulnerabilities
- The defender must be constantly vigilant; the attackers can strike at will
- The defender must play by the rules; the attackers can play dirty

Why Security Testing?
- Security, like performance, affects ALL users of a product
- It's transparent until something goes wrong
- ALL applications are security sensitive, to some degree
- They are a potential attack vector against the user's computer (and data)
- Interconnected applications and interconnected computers can be attacked
- Lots of script kiddies
- Competitors' sales force will whisper to your potential customers
- Security vulnerabilities are expensive to fix

Before We Begin
Before we start, it is important that you understand the following basic terminology:
- Asset. A resource of value, such as the data in a database or on the file system. A system resource.
- Threat. A potential occurrence, malicious or otherwise, that might damage or compromise your assets.
- Vulnerability. A weakness in some aspect or feature of a system that makes a threat possible. Vulnerabilities might exist at the network, host, or application levels.
- Attack (or exploit). An action taken by someone or something that harms an asset. This could be someone following through on a threat or exploiting a vulnerability.
- Countermeasure. A safeguard that addresses a threat and mitigates risk.
- System. A group of related components.
- Process. Anything that transforms or manipulates data.

Security Testing Fundamentals
- Security testing is generally negative testing
  - Standard QA testing (functional testing) ensures that the application does everything it is supposed to do.
  - Security testing ensures that the application does not do anything it is not supposed to do.
- White Box vs. Black Box Testing
  - White Box is usually a more efficient way of finding everything that a black box test can find
  - Black Box is usually closer to what an actual attacker would do and may be quicker
  - Tools exist for both of these types of testing.
  - Both of these types of testing have value.

Stages of Security Testing
Security testing can be done at the following levels:
- Network Security
- Host Security
- Application Security
We are discussing Application Security:
- Threat Modeling (Design Stage)
- Security Testing (Testing Stage)
- Security Code Review (Coding Stage)

Threat Modeling
Threat modeling is a process of understanding and evaluating threats in a system by analyzing its assets and how data is passed around.
We will cover:
- Goals, responsibilities
- Threat modeling process
- DFD, attack/threat trees
- Identify, document, rate & prioritize threats
- How to mitigate threats

Goals of Threat Modeling
- Ship a more complete and secure product
- Help the team better understand:
  - how the system really works
  - how the system really interacts with other systems
- Validate designs
- Find bugs
- Create a record of security-related design & coding decisions
- Help systems that build on top of your system better understand their dependency
- Help testers drive a well-designed security test plan

Output

Identify the Assets
Identify the assets that you need to protect. This could range from confidential data, such as your customer or orders database, to your Web pages or Web site availability.

Architecture Overview

Application Decomposition
Break down your application to create a security profile:
- Identify trust boundaries.
- Identify data flow.
- Identify entry points.
- Identify privileged code.
- Document the security profile.

Identify Threats
Apply the S.T.R.I.D.E. threat categorizing technique to the threat targets in your system:
- Spoofing: allowing an adversary to pose as another user, component, or other system that has an identity in the system being modeled.
- Tampering: modifying data within the system to achieve a malicious goal.
- Repudiation: denying having performed some malicious activity, because the system does not have sufficient evidence to prove otherwise.
- Information Disclosure: exposing protected data to a user that is otherwise not allowed to access that data.
- Denial of Service: preventing legitimate users from using the normal functionality of the system.
- Elevation of Privilege: using illegitimate ways to access a system with higher privileges than assigned.

Rate and Prioritize Threats
Use DREAD to calculate a threat's risk (each of these is on a scale of 1-10):
- Damage Potential: damage if a vulnerability is exploited
  1 (no damage) - 10 (allowing the attacker to circumvent all security restrictions and do virtually anything)
- Reproducibility: how easy it is to get a potential threat to work (for a threat to become an exploit)
  1 (can't make it happen) - 10 (happens every time)
- Exploitability: ranks the effort and expertise required to exploit the vulnerability
  1 (requires massive resources and time) - 10 (novice programmer can mount the attack from his home PC)
- Affected Users: percentage of users impacted by an exploit
  1 (0-10% of users) - 10 (91-100% of users)
- Discoverability: likelihood it would be found by external security researchers, hackers, etc.
  1 = (?) - 10 (come on, you know someone will find it!)

Risk = (D + R + E + A + D) / 5
- Low values, 0-3: not very risky; should have a mitigation
- Medium values, 4-6: team judgment call
- High values, 7-10: very risky; should be totally mitigated

Document Threats (Threat Modeling)
- Document the threats identified by entering the data into the threat model (title, target, type, risk, threat tree, bug number)
- Associate a bug with each threat.
- Threat trees help identify failure modes and give a better understanding of how a threat might become an attack.

Attack/Threat Trees
- An attack/threat tree is a representation of conditions, with the root node being the threat.
- It is used to determine valid attack paths, which are in fact vulnerabilities.
- The root node is a high-level goal. Example: Gain access to the user profile store
- Child nodes show paths to that goal.
- Child nodes that both need to be true for the parent to be true are ANDed using a line connecting them.
- The tree should be broken down such that a tester can easily understand what to test to verify a leaf node.

Example Threat Tree
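
The tree rules above (root goal, child paths, ANDed children) expressed as code that lists every minimal set of leaf conditions a tester must verify. This is an added example, not the figure from the original slides; only the root goal comes from the presentation, and all child nodes are constructed for illustration.

```python
from itertools import product

# Constructed tree: only the root goal comes from the slide; every child
# node is an illustrative assumption. Node = (kind, label, children).
TREE = ("OR", "Gain access to the user profile store", [
    ("AND", "Log in as a legitimate user", [
        ("LEAF", "Credentials are obtainable", []),
        ("LEAF", "No second factor is required", []),
    ]),
    ("LEAF", "Profile store backup is world-readable", []),
    ("AND", "Query the store directly", [
        ("LEAF", "Database port reachable from outside", []),
        ("LEAF", "Service account password is a default", []),
    ]),
])


def attack_paths(node):
    """Return the minimal sets of leaf conditions that make `node` true."""
    kind, label, children = node
    if kind == "LEAF":
        return [frozenset([label])]
    per_child = [attack_paths(child) for child in children]
    if kind == "OR":    # any one child is enough
        paths = {p for child in per_child for p in child}
    else:               # AND: one path from every child, merged together
        paths = {frozenset().union(*combo) for combo in product(*per_child)}
    # Drop any path that is a superset of another: it adds no new test case.
    minimal = [p for p in paths if not any(q < p for q in paths)]
    return sorted(minimal, key=sorted)


def open_paths(node, mitigated):
    """Paths still valid once the leaves in `mitigated` are fixed and tested."""
    return [p for p in attack_paths(node) if not p & set(mitigated)]


if __name__ == "__main__":
    for path in attack_paths(TREE):
        print("test case:", " AND ".join(sorted(path)))
    fixed = {"No second factor is required"}
    print("paths still open after mitigation:", len(open_paths(TREE, fixed)))
```

Each printed path is one security test case; a threat is only closed when `open_paths` returns an empty list for the mitigations that have actually been tested.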

Mitigate Threats
Response options:
- Do nothing: at least turn the feature off by default
- Warn the user, who decides whether or not to use the feature
  - Warnings, documentation, log the warnings, audit events
- Remove the feature
- Fix it
If the product is changed to mitigate a threat, that change should be included in the threat model:
- The mitigation might pose a security risk
- Mitigations need to be tested

When is a Threat Model done?
- All entry points are explored
- All external dependencies are listed and the risks are understood
- Threat models are reviewed by people not familiar with the components.
- Every part of the system is fully implemented.
- Every implementation assumption is verified and moved to one of the following sections: External Dependencies, Security Notes for Client Systems, Internal Security Notes
- All the threats have been listed, analyzed and entered as bugs.

Security Testing
A major step of security testing is covered in threat modeling.
- Buffer overflow
- Bad parameter
- Leak testing
- Access control
- Spoofing identity
- Security boundary
- Denial of service
- Named object permissions
- Inject mutated data: SQL injection, function injection, EOF, newline character injected for logs, etc.
- On-wire attacks
Different tools can be used for different types of testing.

Common Web Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- Cookie issues
- Session issues
- Authentication and authorization issues
- Directory traversal
- Information leakage
- Cross-Site Request Forgery (XSRF/CSRF)

Cross-Site Scripting (XSS)
- An attack on input and output validation on the website.
- Special characters are submitted into the web application and returned within the HTML response.
- Special characters can include: double-quote, single-quote, less-than, greater-than, ampersand, space and more
  http://ha.ckers.org/xss.html
- If you can inject a special character without it being escaped, then you have probably found a cross-site scripting vulnerability
- Two types of cross-site scripting:
  - Persistent
  - Temporary

Bypassing Filters
- One way to try and stop cross-site scripting is to remove/block certain strings used during an XSS exploit, like script
- Different encodings can bypass a simple filter like this: script is blocked. But what about sc ri ipt?
- Filters need to be validated: they need to stop every encoding of an attack
- Good reference for filter evasion: http://ha.ckers.org/xss.html
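
The two checks from the slides above (does a special character come back unescaped, and does a string filter hold for every encoding) as a small test harness run against a blocklist filter and against output escaping. This is an added example, not code from the presentation; both render functions, the marker string and the encoded variants are constructed for illustration.

```python
import html
from urllib.parse import unquote

SPECIALS = ['"', "'", "<", ">", "&"]   # characters named on the slide


def blocklist_render(raw):
    """Weak: blocks the literal string, then decodes and echoes into HTML."""
    if "script" in raw:
        return "<p>blocked</p>"
    return "<p>Hello " + unquote(raw) + "</p>"


def escaped_render(raw):
    """Hardened: decode first, then HTML-escape at the point of output."""
    return "<p>Hello " + html.escape(unquote(raw), quote=True) + "</p>"


def reflected_unescaped(render, marker="zq9"):
    """Return the special characters that come back unescaped in the page."""
    found = []
    for ch in SPECIALS:
        probe = marker + ch + marker
        if probe in render(probe):
            found.append(ch)
    return found


def blocklist_holds(render, word="script"):
    """Check a string filter against constructed encodings of the same word."""
    variants = {
        "literal": word,
        "percent-encoded": "%73" + word[1:],   # %73 is the letter s
        "upper-case": word.upper(),
    }
    return {name: word not in render(value).lower()
            for name, value in variants.items()}


if __name__ == "__main__":
    print("blocklist reflects:", reflected_unescaped(blocklist_render))
    print("escaping reflects: ", reflected_unescaped(escaped_render))
    print("blocklist holds:   ", blocklist_holds(blocklist_render))
```

The blocklist stops only the literal spelling, while escaping at output leaves no special character intact regardless of how the input was encoded.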

SQL Injection
What does SQL injection consist of?
- A form accepts username and password from the user
- The username and password are passed into the following SQL statement:
    select * from customers where username = '$username' and password = '$password';
- A malicious attacker sends the following values to the form:
    username = admin
    password = '%20or%201=1;--
- These values are put into the SQL statement:
    select * from customers where username = 'admin' and password = '' or 1=1;--';
- This results in the SQL query being interpreted as:
    Select all users from customers where the username is admin and (the password is NULL or true);

Cookie, Authentication and Authorization Issues
- Is the HTTPOnly flag set? (where appropriate)
- Is the Secure flag set? (where appropriate)
- Does the cookie contain sensitive information encoded in plain text or in an easily reversible manner?
  - Try Base64 decoding it, for example, and see if you can see something you shouldn't
Authentication and Authorization Issues
- Passwords: length/strength
- Password reset: expiration, single use, no passwords sent in plain text!
- Brute forcing: lockouts and delays
- Bypassing authorization: do all pages do checks?
- Masquerading as another user: modifying username or user ID in a request. Can you access another user's or admin information?
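
The statement from the SQL Injection slide above, run once as concatenated text and once with bound parameters, using the slide's own form values. This is an added example, not code from the presentation; the in-memory SQLite database and the two customer rows are constructed, and plain-text passwords appear only because the slide's query compares them that way.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table shaped like the slide's."""
    db = sqlite3.connect(":memory:")
    db.execute("create table customers (username text, password text)")
    db.executemany("insert into customers values (?, ?)",
                   [("admin", "s3cret-admin"), ("alice", "alice-pw")])
    return db


def login_concatenated(db, username, password):
    """The slide's statement, built by string concatenation (vulnerable)."""
    sql = ("select * from customers where username = '" + username +
           "' and password = '" + password + "';")
    return sql, db.execute(sql).fetchall()


def login_parameterized(db, username, password):
    """Same query with bound parameters: input stays data, never SQL text."""
    sql = "select * from customers where username = ? and password = ?;"
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Values from the slide, with %20 decoded to a space.
    user, pw = "admin", "' or 1=1;--"
    sql, rows = login_concatenated(db, user, pw)
    print("statement sent:", sql)
    print("concatenated  ->", len(rows), "row(s) returned")
    print("parameterized ->", len(login_parameterized(db, user, pw)), "row(s) returned")
```

A security test case for this form asserts the parameterized behaviour: the injected value must return no rows, and only the real password may return one.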

Directory Traversal
- Try this anywhere you can supply a file name or path name!
- The canonical string to try is ../../../../ etc.
- Example from our Tech Summit talk:
  http://www.adobe.com/shockwave/download/download.cgi?p1_prod_version=../../../../../../../../..//usr/local/apache/conf/ssl.key/www.adobe.com.key%00
- Note the extra %00 NULL terminator that is used/needed!
- Don't forget to try encoding: ..\ might be blocked, but is %2e%2e%2f?

Information Leakage: Helping the Attacker
- This is a less severe issue in general, but also one that is consistently found and reported by 3rd-party audits
- The idea is that any information about the server or application can help the attacker in their understanding and aid their attacks
- Common information leakages:
  - Server version
  - File paths / locations (if you can upload content, this is more serious)
  - Detailed error messages, particularly stack traces
  - Error messages
  - Hidden fields
  - Comments & privacy
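
A server-side check for the cases the Directory Traversal slide above lists: `../` sequences, the `%00` terminator, backslashes, and percent-encoded forms such as `%2e%2e%2f`. This is an added example, not code from the presentation; the download root, the function name and the sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/downloads"   # assumed download root (hypothetical)


def resolve_download(user_value, base_dir=BASE_DIR):
    """Return the absolute path to serve, or None if the request is rejected."""
    # Decode repeatedly so %2e%2e%2f and double-encoded forms are checked
    # in the shape the file system would finally see.
    decoded = user_value
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None               # still changing after 3 rounds: reject
    if "\x00" in decoded:         # the %00 terminator from the slide
        return None
    decoded = decoded.replace("\\", "/")   # treat ..\ like ../
    candidate = posixpath.normpath(
        posixpath.join(base_dir, decoded.lstrip("/")))
    # After normalisation the path must still sit strictly below base_dir.
    if candidate == base_dir:
        return None
    if posixpath.commonpath([candidate, base_dir]) != base_dir:
        return None
    return candidate              # symlinks would additionally need realpath


if __name__ == "__main__":
    # Constructed sample requests.
    for value in ["docs/manual.pdf",
                  "../../../../conf/server.key",
                  "%2e%2e%2f%2e%2e%2fconf/server.key",
                  "..\\..\\conf\\server.key",
                  "manual.pdf%00.key"]:
        print(repr(value), "->", resolve_download(value))
```

The check is made on the decoded, normalised path rather than on the raw string, so it does not depend on recognising each encoding separately.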

Tools
- The best tool for web application testing is your browser!
- Tests for many vulnerabilities like XSS can easily be conducted manually via the browser
- The view source option can help you understand how an application works and give you insight into what values are passed in posts
- Cookies can be viewed
- Firefox in particular has a wide array of plugins designed for web testing, including:
  - FireBug: web debugger
  - Cookie editors: Add and Edit Cookies
  - Header modification: LiveHTTPHeaders
  - GET <-> POST modification

Tools
- AppScan is a commercial product that scans web applications for vulnerabilities. It can scan content automatically or process new content that is explored manually
- Web proxy tool Charles: Charles intercepts requests made by your browser and the responses to them and logs them. It logs both the structure of the site and the sequence of requests/responses. It lets you modify and replay requests. If your application uses AMF calls, Charles even decodes these, including parameters
- There are other web proxy tools also, notably OWASP's WebScarab
- There are many, many open source and free web security testing tools out there. Try everything! Pick your favorites (Eatmem, Eat Hard disk, Netthrottle etc.)

Security Code Review
- Seems to be much the same as an ordinary code review
- We can follow a multiple-pass approach
- Target the low-hanging fruit first
  - i.e. use of dangerous APIs, strncpy instead of strcpy, use of TCHAR, integer overflow & underflow, checking returns
- Perform extra review of pointer code
- Never trust data

Overall Summary
- Do threat modeling
- File TM-related bugs and close them once they are fixed
- Security test plan and test cases
- Execute security-related test cases; file & close security-related bugs
- Use different tools
- Security code review

References & Resources
- Writing Secure Code, 2nd Edition: MS Press.
- Their web site is at OWASP.org
  - They are constantly adding new content and projects
  - Their mission is to advance the state of web security for everyone
  - In particular, the OWASP Testing Guide is an exhaustive reference on different web security issues and how to test for them

Q&A
Please email to tarunbanga@rocketmail.com (Preferred)
tbanga@adobe.com