Threat Modeling: Introduction
As more and more data and software move to the internet, security becomes crucial for software development. OWASP (Open Web Application Security Project) lists the top 10 security risks:
Injection
Broken Authentication and session management
Cross-site scripting
Insecure Direct Object Reference
Security Misconfiguration
Sensitive data exposure
Missing function level access control
Cross-site request forgery
Components with known vulnerabilities
Unvalidated requests and forwards
Security risks are everywhere and it is difficult to make secure software.
Threat modeling is a systematic way to ensure that your software is designed for security. This post briefly explains what threat modeling is.
Trust boundaries
Identifying trust boundaries is the first step; the trust boundaries are equivalent to the attack surface. Trust boundaries can be identified by:
Accounts
Network interfaces
Different physical computers
Virtual machines
Organizational boundaries
Almost anywhere you can argue for different privileges
STRIDE
‘STRIDE’ is a mnemonic for the threat types.
Spoofing: Pretending to be something or someone you’re not
Tampering: Modifying something you’re not supposed to modify. It can include packets on the wire (or wireless network), bits on disks or bits in memory.
Repudiation: Claiming you didn’t do something (regardless of whether you did or not).
Information disclosure: Exposing information to people who are not authorized to see it.
Denial of service: Attacks designed to prevent a system from providing service, including by crashing it, making it unusually slow, or filling all its storage.
Elevation of privilege: A program or user is technically able to do things that they are not supposed to do.
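The two steps above can be combined mechanically: find the data flows that cross a trust boundary, then list the STRIDE threat types to consider for each element involved. The following is an added example, not part of the original post; the element/threat chart is the STRIDE-per-element convention from Microsoft's SDL, and the sample model (names and zones) is constructed.

```python
from dataclasses import dataclass

# STRIDE-per-element chart as used in Microsoft SDL threat modeling
# (an addition here, not from the page). Data stores that hold logs
# additionally face Repudiation; that special case is omitted.
STRIDE_BY_KIND = {"external": "SR", "process": "STRIDE",
                  "datastore": "TID", "dataflow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone: account, host, VM, organisation, ...

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str

def crossing_flows(flows):
    """Flows whose endpoints sit in different trust zones."""
    return [f for f in flows if f.src.zone != f.dst.zone]

def enumerate_threats(flows):
    """Sorted (target, threat) pairs for each boundary-crossing flow and its endpoints."""
    found = set()
    for f in crossing_flows(flows):
        targets = [(f"{f.src.name} -> {f.dst.name} ({f.label})", "dataflow"),
                   (f.src.name, f.src.kind), (f.dst.name, f.dst.kind)]
        for target, kind in targets:
            found.update((target, NAMES[c]) for c in STRIDE_BY_KIND[kind])
    return sorted(found)

# Constructed sample model (hypothetical names and zones).
browser = Element("browser", "external", "internet")
web = Element("web app", "process", "dmz")
db = Element("orders db", "datastore", "internal")
worker = Element("report worker", "process", "internal")
FLOWS = [Flow(browser, web, "HTTPS request"),
         Flow(web, db, "SQL query"),
         Flow(worker, db, "SQL read")]   # same zone: no boundary crossed

if __name__ == "__main__":
    for target, threat in enumerate_threats(FLOWS):
        print(f"{target}: {threat}")
```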
Action strategies
For each threat, you can choose a different action strategy.
Mitigate threats: Doing things to make it harder to take advantage of a threat.
Eliminate threats: It is almost always achieved by eliminating features.
Transferring threats: It is about letting someone or something else handle the risk.
Accepting the risk: It is the final approach to addressing threats.
Authentication: Mitigating Spoofing
In general, only programs running at the same or lower level of trust are spoofable, and you should endeavor to trust only code running at a higher level of trust, such as in the OS.
Tactics for authentication
Without crypto: for example, verifying an IP address or DNS entry, which is unreliable.
Using crypto: validating an identity cannot be delegated entirely to machines. You can choose to delegate it to one of the many companies that assert they validate these things. For example: PKI (public key infrastructure); CA (certification authorities)
PKI is a cryptographic technique that enables entities to securely communicate on an insecure public network, and reliably verify the identity of an entity via digital signatures.
A PKI is an arrangement that binds public keys with respective identities of entities (like people and organizations). The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).
Authentication technologies
For computers (or accounts): IPSec, DNSSEC, SSH host keys, Kerberos authentication, HTTP Digest or Basic authentication, Windows authentication (NTLM), PKI systems, such as SSL or TLS with certificates
For bits (files, messages, etc): Digital signatures, hashes
For people:
Something you know, e.g. password;
Something you have, e.g. access card;
Something you are, e.g. biometrics, photographs;
Someone you know who can authenticate you
For maintaining authentication across connections, e.g. cookies
Developer ways to address spoofing: Within an operating system, you should aim to use full and canonical path names for libraries, pipes, and so on to help mitigate spoofing.
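One way to apply the full-and-canonical-path advice before loading a library or opening a pipe, as an added example that is not part of the original post. It assumes a POSIX system; the function name `resolve_trusted`, the permission policy and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

def resolve_trusted(path, trusted_dirs):
    """Return the canonical path if it is safe to load, else raise ValueError."""
    if not os.path.isabs(path):
        # A bare name is resolved through a search path the caller may not control.
        raise ValueError(f"not a full path: {path!r}")
    real = os.path.realpath(path)   # collapses '..' and follows symlinks
    roots = [os.path.realpath(d) for d in trusted_dirs]
    if not any(os.path.commonpath([real, r]) == r for r in roots):
        raise ValueError(f"{real!r} is outside the trusted directories")
    if os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"{real!r} is writable by group or others")
    return real

def demo():
    """Constructed layout: a trusted dir, an untrusted dir and a symlink between them."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "trusted")
        untrusted = os.path.join(root, "untrusted")
        os.mkdir(trusted)
        os.mkdir(untrusted)
        good = os.path.join(trusted, "libfoo.so")
        planted = os.path.join(untrusted, "libfoo.so")
        for p in (good, planted):
            with open(p, "wb") as fh:
                fh.write(b"\0")
            os.chmod(p, 0o644)
        link = os.path.join(trusted, "libbar.so")
        os.symlink(planted, link)   # looks trusted, resolves elsewhere
        cases = {"full path": good,
                 "symlink": link,
                 "dot-dot": os.path.join(trusted, "..", "untrusted", "libfoo.so"),
                 "bare name": "libfoo.so"}
        accepted = {}
        for label, candidate in cases.items():
            try:
                resolve_trusted(candidate, [trusted])
                accepted[label] = True
            except ValueError:
                accepted[label] = False
        return accepted

if __name__ == "__main__":
    print(demo())
```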
Integrity: Mitigating Tampering
Tactics
Relying on system defenses such as permissions
Use cryptographic mechanisms
Use of logging technology and audit activities as a deterrent
If you are implementing a permission system, you should ensure that there’s a single permission kernel, also called a reference monitor.
The most important element of assuring integrity is about process, not technology.
Technology
For protecting files: ACL or permission, Digital signature, Hashes, Windows Mandatory Integrity Control (MIC) feature, Unix immutable bits
For protecting network traffic: SSL, SSH, IPSec, Digital signature
Non-Repudiation: Mitigating Repudiation
Repudiation is a somewhat different threat because it bridges into the business realm, where addressing it has four elements:
Preventing fraudulent transactions
Taking note of contested issues
Investigating them
Responding to them
Non-Repudiation Technologies
Logging, log analysis tools, Secured log storage, Digital signature, Secure time stamps, Trusted third parties, Hash trees, tools for preventing fraud
Confidentiality: Mitigating Information Disclosure
Information disclosure can happen at rest (in storage) or in motion (over a network)
Tactics
Within the confines of a system, you can use ACL
Outside the confines, you must use cryptography
Technologies
Protecting files: ACL/Permissions, Encryption, Appropriate key management
Protecting network data: Encryption, Appropriate key management
Protecting communication headers or the fact of communication: Mix network, Onion routing, Steganography
Availability: Mitigating Denial of Service
Technologies
ACL, Filters, Quotas (rate limiting, thresholding, throttling), High-availability design, Extra bandwidth (rate limiting, throttling), Cloud services
Authorization: Mitigating Elevation of Privilege
Technologies
ACL, Group or role membership, Role based access control, Claims-based access control, Windows privileges, Unix sudo, Chroot, AppArmor or other Unix sandboxes, The ‘MOICE’ Windows Sandbox pattern, Input validation for a defined purpose