
Security 2

Lecture 2 – Threat Modeling

Academie voor Technologie en Innovatie

SDLC software security best practice

Threat Modeling

Threat Modeling

What is it?

• Reason about, document and discuss security in a structured way
• Security by design
• Focus on architecture/design-driven threat modeling
• Based on data flow diagrams (DFDs)

Vision

[Threat modeling cycle diagram: Vision → Diagram → Identify threats → Mitigate → Validate; Vision highlighted]

Diagram

[Threat modeling cycle diagram: Vision → Diagram → Identify threats → Mitigate → Validate; Diagram highlighted]

DFD notation

• Agent (also called: terminator, external entity): data destination or data source, outside the system
• Data flow
• Data store
• Process: transforms or manipulates data
• Boundary (machine / address space / trust boundary): the threat modeling addition to standard DFDs

Identify threats

Security goals/properties:
CIA (confidentiality, integrity, availability) + authentication + non-repudiation + authorization

Microsoft:
• STRIDE
• Card game Elevation of Privilege
• Threat Modeling Tool

STRIDE

Framework and mnemonic designed to help people developing software identify the types of attacks that software tends to experience.

• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

STRIDE threats → Security goals

Threat                  Most related security goal
Spoofing                Authentication
Tampering               Integrity
Repudiation             Non-repudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization

STRIDE threats → Security goals: definitions and examples

Spoofing (Authentication): impersonating something or someone else. Example: pretending to be any of billg, xbox.com or a system update.

Tampering (Integrity): modifying data or code. Example: modifying a game config file on disk, or a packet as it traverses the network.

Repudiation (Non-repudiation): claiming to have not performed an action. Example: "I didn't cheat!"

Information Disclosure (Confidentiality): exposing information to someone not authorized to see it. Example: reading key material from an app.

Denial of Service (Availability): deny or degrade service to users. Example: crashing the web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.

Elevation of Privilege (Authorization): gain capabilities without proper authorization. Example: allowing a remote internet user to run commands is the classic example, but running kernel code from lower trust levels is also EoP.

DFD elements and STRIDE

                 S   T   R   I   D   E
External Entity  x       x
Process          x   x   x   x   x   x
Data Store           x  (x)  x   x        (R only when the store is a log)
Dataflow             x       x   x

STRIDE analysis of DFDs

• For each element on the diagram, apply the relevant parts of STRIDE:
  o External Entity: S, R
  o Process: S, T, R, I, D, E
  o Data Store, Data Flow: T, I, D
    - Data stores that are logs: T, I, D + R
  o Data flow inside a process: don't worry about T, I or D
• Number things so you don't miss them
• Manual execution = error-prone
  o Let's automate this!
  o But don't forget you have a brain!

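As an added example (not from the slides and not the Microsoft tool's code), the recipe above written out in Python: a DFD is a list of elements, the STRIDE-per-element table decides which letters apply, every threat gets a number, a flow with both ends in the same process is skipped, and every threat records whether its element touches a trust boundary (endpoints in different `boundary` values), which is the minimum set the Validate slide asks for. The student-portal DFD, the element names and the `boundary`/`is_log` attributes are constructed assumptions, not the Osiris case.

```python
"""STRIDE-per-element over a small DFD, following the analysis recipe on the slides."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element table from the slides: which letters apply to which element type.
APPLICABLE = {Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE",
              Kind.STORE: "TID", Kind.FLOW: "TID"}


@dataclass
class Element:
    name: str
    kind: Kind
    boundary: str = "internal"      # trust boundary the element lives in (assumed attribute)
    is_log: bool = False            # log data stores also get Repudiation
    src: Optional[str] = None       # endpoints, data flows only
    dst: Optional[str] = None


@dataclass
class Threat:
    id: str                 # numbered so nothing is missed
    element: str
    category: str           # one STRIDE letter
    crosses_boundary: bool  # element touches a trust boundary


def stride_per_element(elements: List[Element]) -> List[Threat]:
    by_name: Dict[str, Element] = {e.name: e for e in elements}
    flows = [e for e in elements if e.kind is Kind.FLOW]

    def crosses(f: Element) -> bool:
        return by_name[f.src].boundary != by_name[f.dst].boundary

    # A node touches a trust boundary if any flow attached to it crosses one.
    touches = {e.name: any(crosses(f) for f in flows if e.name in (f.src, f.dst))
               for e in elements if e.kind is not Kind.FLOW}

    threats: List[Threat] = []
    for e in elements:
        if e.kind is Kind.FLOW:
            # Flow inside a single process: the slides say don't worry about T, I, D.
            if e.src == e.dst and by_name[e.src].kind is Kind.PROCESS:
                continue
            on_boundary = crosses(e)
        else:
            on_boundary = touches[e.name]
        letters = APPLICABLE[e.kind] + ("R" if e.kind is Kind.STORE and e.is_log else "")
        for letter in letters:
            threats.append(Threat(f"T{len(threats) + 1:02d}", e.name, letter, on_boundary))
    return threats


def minimum_set(threats: List[Threat]) -> List[Threat]:
    """Validate-step minimum: STRIDE per element that touches a trust boundary."""
    return [t for t in threats if t.crosses_boundary]


def unmitigated(threats: List[Threat], register: Dict[str, str]) -> List[Threat]:
    """Threats with no mitigation or accept-risk justification recorded against their id."""
    return [t for t in threats if t.id not in register]


# Constructed stand-in DFD of a student portal (assumption; not the Osiris case).
PORTAL_DFD = [
    Element("Student", Kind.EXTERNAL, boundary="internet"),
    Element("Portal", Kind.PROCESS, boundary="dmz"),
    Element("GradeDB", Kind.STORE, boundary="backend"),
    Element("AuditLog", Kind.STORE, boundary="dmz", is_log=True),
    Element("login", Kind.FLOW, src="Student", dst="Portal"),
    Element("grade page", Kind.FLOW, src="Portal", dst="Student"),
    Element("grade query", Kind.FLOW, src="Portal", dst="GradeDB"),
    Element("query result", Kind.FLOW, src="GradeDB", dst="Portal"),
    Element("audit write", Kind.FLOW, src="Portal", dst="AuditLog"),
    Element("cache refresh", Kind.FLOW, src="Portal", dst="Portal"),  # inside one process
]

if __name__ == "__main__":
    found = stride_per_element(PORTAL_DFD)
    for t in found:
        flag = "*" if t.crosses_boundary else " "
        print(f"{t.id} {flag} {t.element:13} {STRIDE[t.category]}")
    print(len(found), "threats,", len(minimum_set(found)), "on a trust boundary")
```

The asterisk marks the threats the Validate slide calls the minimum; the AuditLog store and the audit write flow sit inside the same boundary as the Portal, so they are enumerated but not starred. The tool does the same enumeration; the brain is still needed to decide, per threat, which mitigation applies or why the risk is accepted, which is what `unmitigated` checks for.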
Threat modeling tooling

• Microsoft Threat Modeling Tool
  o Supports architecture/design-driven threat modeling
  o Creation of DFDs
  o Automatic STRIDE analysis of all DFD elements
  o Add mitigation information (justification) per threat
• Alternative: OWASP Threat Dragon

Microsoft Threat Modeling Tool

• Let's use it
• Osiris case

Mitigate

• Address the threats:
  o Apply standard mitigations
  o Invent new mitigations (riskier!)
  o Accept the vulnerability in the design

Standard mitigations
Mitigation sources: cheatsheetseries.owasp.org, Microsoft Threat Modeling Tool

Spoofing (Authentication)
  To authenticate principals:
  • Basic & Digest authentication (only over TLS)
  • LiveID authentication
  • Cookie authentication
  • Windows authentication (NTLM)
  • Kerberos authentication
  • PKI systems such as SSL/TLS and certificates
  • IPSec
  • Digitally signed packets
  To authenticate code or data:
  • Digital signatures
  • Message authentication codes
  • Hashes (only when the hash value itself reaches the verifier over a channel the attacker cannot modify)

Tampering (Integrity)
  • Windows Mandatory Integrity Controls
  • ACLs
  • Digital signatures
  • Message authentication codes

Repudiation (Non-repudiation)
  • Strong authentication
  • Secure logging and auditing
  • Digital signatures
  • Secure time stamps
  • Trusted third parties

Information Disclosure (Confidentiality)
  • Encryption
  • ACLs

Denial of Service (Availability)
  • ACLs
  • Filtering
  • Quotas
  • Authorization
  • High availability designs

Elevation of Privilege (Authorization)
  • ACLs
  • Group or role membership
  • Privilege ownership
  • Permissions
  • Input validation

Note: not complete; just examples.

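Added example, not from the slides: one concrete form of the "secure logging and auditing" and "message authentication codes" mitigations above, aimed at the T and R threats the analysis slide assigns to log data stores. Each log line carries an HMAC over its record and the previous line's tag, so an edited, reordered or deleted entry breaks the chain, and the latest tag (the head) is handed to a verifier so that truncating the file is caught too. The key, the event records and the head handoff are constructed assumptions.

```python
"""Tamper-evident audit log: a keyed hash chain over the log lines."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # tag "before" the first entry


def _tag(key: bytes, prev_tag: str, record: str) -> str:
    # Chaining prev_tag into the MAC makes the log tamper-evident across
    # entries (order and presence), not just per entry.
    return hmac.new(key, f"{prev_tag}\n{record}".encode(), hashlib.sha256).hexdigest()


def append(log: List[str], key: bytes, event: Dict) -> str:
    """Append an event; returns the new head tag (to be kept off the log host)."""
    prev = log[-1].rpartition(" ")[2] if log else GENESIS
    record = json.dumps(event, sort_keys=True, separators=(",", ":"))
    tag = _tag(key, prev, record)
    log.append(f"{record} {tag}")
    return tag


def verify(log: List[str], key: bytes, head: Optional[str] = None) -> Optional[int]:
    """Index of the first line that fails, len(log) when the chain is shorter
    than the expected head (truncation), or None when the log is intact."""
    prev = GENESIS
    for i, line in enumerate(log):
        record, sep, tag = line.rpartition(" ")
        expected = _tag(key, prev, record)
        # compare_digest: constant-time comparison, so the tag check itself leaks nothing.
        if not sep or not hmac.compare_digest(expected.encode(), tag.encode()):
            return i
        prev = tag
    if head is not None and not hmac.compare_digest(prev.encode(), head.encode()):
        return len(log)
    return None


if __name__ == "__main__":
    # Constructed sample; assumption: the key is shared with the verifier only.
    key = b"demo-key-keep-off-the-log-host"
    log: List[str] = []
    append(log, key, {"user": "s123", "action": "view grade", "course": "SEC2"})
    append(log, key, {"user": "s123", "action": "change grade", "course": "SEC2", "to": 9})
    head = append(log, key, {"user": "lecturer", "action": "approve", "course": "SEC2"})
    print("intact:", verify(log, key, head))                # None
    forged = list(log)
    forged[1] = forged[1].replace('"to":9', '"to":10')
    print("edited line:", verify(forged, key, head))        # 1
    print("truncated:", verify(log[:2], key, head))         # 2
```

What this does and does not cover: it stops anyone without the key from altering, reordering or dropping entries unnoticed (Tampering), and it ties each entry to its predecessor so an actor cannot later claim an entry was inserted after the fact (part of Repudiation). It does not stop the log writer itself, which holds the key, from rewriting its own history; for that the slide's other options apply, such as digital signatures with a key the writer does not control, secure time stamps, or a trusted third party that receives each head tag.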
Validate

• Does the diagram match the final code?
• Minimum: STRIDE per element that touches a trust boundary
• Create tests
• …

Elevation of Privilege

• Serious game
• Let's play!
• Case = Osiris

Portfolio

Assignment 1 – see Brightspace
