Presentation on theme: "Threat Modeling Michael Howard Principal Security Program Manager"— Presentation transcript:
1. Threat Modeling
Michael Howard
Principal Security Program Manager
Microsoft Corp.
Last Update: 8-Feb-2006

2. Who is this Guy?
- Microsoft employee for >15 years
- Always in security
- Editor for IEEE Security & Privacy
- A pragmatist!

3. Overview of Course
- Why Model Threats?
- The Modeling process
  - DFD, Threat Types, Risk, Mitigations
- Exercise (yes, a short exercise!)

4. Where Threat Modeling Lives in the Security Development Lifecycle
[Diagram: SDL security tasks overlaid on the traditional Microsoft software product development lifecycle]
- Lifecycle phases: Requirements, Design, Implementation, Verification, Release, Support and Servicing
- SDL tasks: Security Training; Use Security Development Tools and Security Best Dev and Test Practices; Create Security Docs and Tools For Product; Security Push; Prepare Security Response Plan; Final Security Review; Security Servicing and Response Execution; Security Kickoff and Register with SWI; Security Arch and Attack Surface Review; Security Design Best Practices; Pen Testing; Threat Modeling
- Traditional Microsoft Software Product Development Lifecycle Tasks and Processes: Testing and Verification; Feature Lists, Quality Guidelines, Arch Docs, Schedules; Design Specifications; Code Signing A Checkpoint Express Signoff; RTM; Product Support, Service Packs/QFEs, Security Updates; Functional Specifications; Development of New Code; Bug Fixes

6. The Process In a Nutshell
- Vision
- Model
- Identify Threats
- Mitigate
- Validate

7. Vision
- Define Scenarios & Background Info
  - Define the most common and realistic use scenarios for the application
  - Example from Windows Server 2003 and Internet Explorer: “Think about an admin browsing the Internet from a Domain Controller”
  - Example from Windows CE: “The stolen device”
  - Define your users

8. Model the Application with DFDs
- A Data Flow Diagram (DFD) is a graphical representation of how data enters, leaves, and traverses your component
  - It is not a Class Diagram or Flow Chart!
  - Shows all data sources and destinations
  - Shows all relevant processes that data goes through
- Good DFDs are critical to the process
  - This point can’t be emphasised enough!
  - Building DFDs == understanding the system
  - Analysing DFDs == understanding the threats

9. Model the Application with DFDs
- Most “whiteboard architectures” are DFD-like
- [Diagram legend: External Entity, Complex-Process, Process, Data Store, Dataflow, Privilege Boundary]

10. Privilege Boundaries
- Specific DFD addition to TMs
- Boundary between DFD elements with different privilege levels
  - Machine boundary (data from the other machine could be anonymous)
  - Integrity boundary (Low / Medium trust)
  - Process boundary (e.g., User process / SYSTEM process)
  - Kernel / User mode

11. Types of DFDs
- Context Diagram
  - Very high-level; entire component / product / system
- Level 0 Diagram
  - High level; single feature / scenario
- Level 1 Diagram
  - Low level; detailed sub-components of features
- Level n Diagram
  - Even more detailed; unlikely to go beyond Level 2

14. DFD Element Threat Types
- Each DFD element (Asset) is susceptible to certain kinds of threats
  - Spoofing
  - Tampering
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege

15. What is Repudiation?
- Something you probably won’t need to worry too much about!
- Usually involves policies (read: you’ll need a lawyer)
- Mitigate with Non-repudiation techniques
  - Non-repudiation services generate evidence which will help convince a disinterested party that a specific subject performed a specific action
  - Evidence of Origination, Submission & Receipt

16. Every Asset is Subject to Attack
- How are each of these elements protected?

17. Determining Threats
- Prime Threat
  - Based on DFD asset type
- Secondary Threat
  - Based on threat trees
- Related issues

18. Prime Threats by Asset Type
[Table: columns S, T, R, I, D, E; rows External Entity, Process, Data Store, Dataflow]

19. Threat Trees
- A graphical representation of security-relevant pre-conditions in a system
- First outlined in Amoroso’s “Fundamentals of Computer Security Technology”
- Based on hardware fault trees
- There are many “threat tree patterns”

20. Threat Tree Pattern Example
- Spoofing
- Primary Threat
- Each leaf is a secondary threat to be evaluated

21. A Special Note about Information Disclosure threats
- All information disclosure threats are potential privacy issues. Raising the Risk.
- Is the data sensitive or PII?

22. Calculating Risk with Numbers
- DREAD etc.
- Very subjective
- Often requires the analyst be a security expert
  - On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
- Where do you draw the line?
  - Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?

23. Calculating Risk with Heuristics
- Simple rules of thumb
- Derived from the MSRC bulletin rankings

24. Security Risk Rankings (Examples)
- Critical
  - Run malicious code
  - Most ‘E’ vulns
- Important
  - Denial of service against a server
  - And now it’s dead
- Moderate
  - Server DoS that stops once attack stops
- Low
  - DoS against a client

25. Mitigating Threats
- Options:
  - Leave as-is
  - Remove from product
  - Remedy with technology countermeasure
  - Warn user

26. Mitigation Techniques
Threat: Mitigation Feature
- Spoofing: Authentication
- Tampering: Integrity
- Repudiation: Non-repudiation
- Information Disclosure: Confidentiality
- Denial of Service: Availability
- Elevation of Privilege: Authorization
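
The "Prime Threats by Asset Type" and "Mitigation Techniques" slides combine into a mechanical first pass over a DFD. The sketch below is an added example, not code from the presentation: it enumerates prime threats per element, pairs each with its mitigation feature, and flags dataflows whose endpoints sit at different privilege levels. The per-element mapping is the commonly published STRIDE-per-element chart (an assumption here), and the element names and privilege labels are constructed.

```python
from dataclasses import dataclass

# Threat -> mitigation feature, as listed on the "Mitigation Techniques" slide.
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# Assumption: the commonly published STRIDE-per-element chart, not taken from the slide.
PRIME_THREATS = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "dataflow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # a key of PRIME_THREATS
    privilege: str = ""  # privilege level of the element (unused for dataflows)
    src: str = ""        # dataflows only: source element name
    dst: str = ""        # dataflows only: destination element name

def enumerate_threats(elements):
    """Return rows of (element, threat, mitigation feature, crosses_boundary)."""
    by_name = {e.name: e for e in elements}
    rows = []
    for e in elements:
        # A dataflow crosses a privilege boundary when its endpoints differ in privilege.
        crosses = (e.kind == "dataflow"
                   and by_name[e.src].privilege != by_name[e.dst].privilege)
        for letter in PRIME_THREATS[e.kind]:
            threat, mitigation = STRIDE[letter]
            rows.append((e.name, threat, mitigation, crosses))
    return rows

# Constructed sample DFD (hypothetical names and privilege labels).
SAMPLE_DFD = [
    Element("Remote user", "external_entity", privilege="anonymous"),
    Element("Web service", "process", privilege="service"),
    Element("Audit log", "data_store", privilege="service"),
    Element("Request", "dataflow", src="Remote user", dst="Web service"),
    Element("Log write", "dataflow", src="Web service", dst="Audit log"),
]

if __name__ == "__main__":
    for name, threat, mitigation, crosses in enumerate_threats(SAMPLE_DFD):
        flag = "  [crosses privilege boundary]" if crosses else ""
        print(f"{name:12} {threat:24} -> {mitigation}{flag}")
```

Each row is only a prompt for analysis: the secondary threats still come from walking the threat tree for that prime threat.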