Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Modeling Michael Howard Principal Security Program Manager

Similar presentations

Presentation on theme: "Threat Modeling Michael Howard Principal Security Program Manager"— Presentation transcript:

1 Threat Modeling Michael Howard Principal Security Program Manager
Microsoft Corp. Last Update: 8-Feb-2006

2 Who is this Guy? Microsoft employee for >15 years
Always in security Editor for IEEE Security & Privacy A pragmatist!

3 Overview of Course Why Model Threats? The Modeling process
DFD, Threat Types, Risk, Mitigations Exercise (yes, a short exercise!)

4 Where Threat Modeling Lives in the Security Development Lifecycle
Security Training Use Security Development Tools and Security Best Dev and Test Practices Create Security Docs and Tools For Product Security Push Prepare Security Response Plan Final Security Review Security Servicing and Response Execution Security Kickoff and Register with SWI Security Arch and Attack Surface Review Security Design Best Practices Pen Testing Threat Modeling Traditional Microsoft Software Product Development Lifecycle Tasks and Processes Testing and Verification Feature Lists Quality Guidelines Arch Docs Schedules Design Specifications Code Signing A Checkpoint Express Signoff RTM Product Support Service Packs/ QFEs Security Updates Functional Specifications Development of New Code Bug Fixes Design Implementation Verification Release Requirements Support and Servicing

5 To find security design flaws!
Why Threat Modeling? To find security design flaws!

6 The Process In a Nutshell
Vision Model Identify Threats Mitigate Validate

7 Vision Define Scenarios & Background Info
Define the most common and realistic use scenarios for the application Example from Windows Server 2003 and Internet Explorer “Think about an admin browsing the Internet from a Domain Controller” Example from Windows CE “The stolen device” Define your users

8 Model the Application with DFDs
A Data Flow Diagram (DFD) is a graphical representation of how data enters, leaves, and traverses your component It is not a Class Diagram or Flow Chart! Shows all data sources and destinations Shows all relevant processes that data goes through Good DFDs are critical to the process This point can’t be emphasised enough! Building DFDs == understanding the system Analysing DFDs == understanding the threats

9 Model the Application with DFDs
Most “whiteboard architectures” are DFD-like External Entity Complex-Process Process Data Store Dataflow Privilege Boundary

10 Privilege Boundaries Specific DFD addition to TMs
Boundary between DFD elements with different privilege levels Machine boundary (data from the other machine could be anonymous) Integrity boundary (Low  Medium trust) Process boundary (e.g.; User process  SYSTEM process) Kernel  User mode

11 Types of DFDs Context Diagram Level 0 Diagram Level 1 Diagram
Very high-level; entire component / product / system Level 0 Diagram High level; single feature / scenario Level 1 Diagram Low level; detailed sub-components of features Level n Diagram Even more detailed; unlikely to go beyond Level 2

12 A Real Context Diagram (Castle)

13 A Real Level-0 DFD (Castle)

14 DFD Element Threat Types
Each DFD element (Asset) is susceptible to certain kinds of threats Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

15 What is Repudiation? Something you probably won’t need to worry too much about! Usually involves policies (read: you’ll need a lawyer) Mitigate with Non-repudiation techniques Non-repudiation services generate evidence which will help a disinterested party that a specific subject performed a specific action Evidence of Origination, Submission & Receipt

16 Every Asset is Subject to Attack
How are each of these elements protected?

17 Determining Threats Prime Threat Secondary Threat
Based on DFD asset type Secondary Threat Based on threat trees Related issues

18 Prime Threats by Asset Type
S T R I D E External Entity Process Data Store Dataflow

19 Threat Trees A graphical representation of security-relevant pre-conditions in a system First outlined in Amoroso’s “Fundamentals of Computer Security Technology” Based on hardware fault trees There are many “threat tree patterns”

20 Threat Tree Pattern Example Spoofing
Primary Threat Each leaf is a secondary threat to be evaluated

21 A Special Note about Information Disclosure threats
All information disclosure threats are potential privacy issues. Raising the Risk. Is the data sensitive or PII?

22 Calculating Risk with Numbers
DREAD etc. Very subjective Often requires the analyst be a security expert On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key? Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?

23 Calculating Risk with Heuristics
Simple rules of thumb Derived from the MSRC bulletin rankings

24 Security Risk Rankings (Examples)
Critical Run malicious code Most ‘E’ vulns Important Denial of service against a server And now it’s dead Moderate Server DoS that stops once attack stops Low DoS against a client

25 Mitigating Threats Options: Leave as-is Remove from product
Remedy with technology countermeasure Warn user

26 Mitigation Techniques
Threat Mitigation Feature Spoofing Authentication Tampering Integrity Repudiation Nonrepudiaton Information Disclosure Confidentiality Denial of Service Availability Elevation of Privilege Authorization

27 An Example: Castle

28 Assumptions and Scenarios
Home environment only, non-domain, 10 machines max Abby is the user Relying on the OS for most security technology

29 Castle Level-0 DFD

30 Castle DFD Elements External Entities (SR)

31 Castle DFD Elements Processes (STRIDE)
2, 3, 4 & 8

32 Castle DFD Elements Data Stores (TID and possibly R)
5, 6 & 7

33 Castle DFD Elements Data Flows (TID)
[12, 21] [23, 32] etc

34 Spoofing “The other end”
Threat Spoofing Remote Castle Service Example “I’m castle, honest!” Mitigation ??

35 Tamper with ‘Bits’ on disk
Threat Tampering with Castle Service Example Replace bits on disk with rogue Mitigation Good ACL, Signature

36 Denial of Service against Castle
Threat Castle no longer responds Example Flood RPC endpoint Mitigation Require authn

37 Priv Elev against Castle
Threat Bug in design/code leads to EoP Example No need, you will have bugs! Mitigation Run in lower priv/drop privs

38 Info Disc of data flow Castle-Castle
Threat View sensitive data on network Example Use network sniffer Mitigation RPC with encryption

39 Exercise: Threat Modeling and Mitigation
Objective: Identifying, Categorizing and Mitigating Threats Refer to Exercise handout Work in pairs Estimated time to complete: 10 mins

40 Exercise: Identify all the DFD assets
External Entities Admin (1.0) Processes iNTegrity Host (3.0) iNTegrity Admin Console (2.0) Data Stores Registry (7.0) File System (6.0) Config Data (4.0) Integrity Files (5.0) Data Flows 7.0 -> 3.0, 6.0 -> 3.0 3.0 -> 2.0, 2.0 -> 3.0 1.0 -> 2.0, 2.0 -> 1.0 4.0 -> 2.0 5.0 -> 2.0, 2.0 -> 5.0

41 Exercise: Identify all threat types per asset
P (STRIDE): 3.0 and 2.0 E (SR): 1 DF (TID): 7.0->3.0, 6.0->3.0, 3.0<->2.0, 1.0<->2.0, 5.0<->2.0, 4.0->2.0 DS (TID): 7.0, 6.0, 4.0, 5.0 DS (R): 5.0

42 Exercise: Threat Modeling and Mitigation
Identify three threats, one for a data flow, one for a data store and one for a process STRIDE TID TRID

43 Exercise: Threat Modeling and Mitigation
Identify first order mitigations for each threat TRID STRIDE TID Server auth: SSL/TLS Encryption: SSL/TLS Integrity: ACL, Signature, MAC

44 Questions?

45 Resources Technical Communities, Webcasts, Blogs, Chats & User Groups Microsoft Learning and Certification Microsoft Developer Network (MSDN) & TechNet Trial Software and Virtual Labs New, as a pilot for 2007, the Breakout sessions will be available post event, in the TechEd Video Library, via the My Event page of the website learn support connect subscribe MSDN Library Knowledge Base Forums MSDN Magazine User Groups Newsgroups E-learning Product Evaluations Videos Webcasts V-labs Blogs MVPs Certification Chats Visit MSDN in the ATE Pavilion and get a FREE 180-day trial of MS Visual Studio Team System!

46 Complete your evaluation on the My Event pages of the website at the CommNet or the Feedback Terminals to win! All attendees who submit a session feedback form within 12 hours after the session ends will have the chance to win the very latest HTC 'Touch' smartphone complete with Windows Mobile® 6 Professional

47 © 2007 Microsoft Corporation. All rights reserved
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Download ppt "Threat Modeling Michael Howard Principal Security Program Manager"

Similar presentations

Ads by Google