
Microsoft Confidential. © Microsoft Corp. 2005 Threat Modeling Michael Howard Principal Security Program Manager Microsoft Corp.


1 Threat Modeling
Michael Howard, Principal Security Program Manager, Microsoft Corp.
Last Update: 8-Feb-2006

2 Who is this Guy?
- Microsoft employee for >15 years
- Always in security
- Editor for IEEE Security & Privacy
- A pragmatist!

3 Overview of Course
- Why Model Threats?
- The Modeling process: DFD, Threat Types, Risk, Mitigations
- Exercise (yes, a short exercise!)

4 Where Threat Modeling Lives in the Security Development Lifecycle

5 Why Threat Modeling?
- To find security design flaws!

6 The Process In a Nutshell
- Vision -> Model -> Identify Threats -> Mitigate -> Validate

7 Vision: Define Scenarios & Background Info
- Define the most common and realistic use scenarios for the application
- Example from Windows Server 2003 and Internet Explorer: "Think about an admin browsing the Internet from a Domain Controller"
- Example from Windows CE: "The stolen device"
- Define your users

8 Model the Application with DFDs
- A Data Flow Diagram (DFD) is a graphical representation of how data enters, leaves, and traverses your component
- It is not a Class Diagram or Flow Chart!
- Shows all data sources and destinations
- Shows all relevant processes that data goes through
- Good DFDs are critical to the process. This point can't be emphasised enough!
- Building DFDs == understanding the system
- Analysing DFDs == understanding the threats

9 Model the Application with DFDs
- Most "whiteboard architectures" are DFD-like
- DFD symbols: External Entity, Process, Complex Process, Data Store, Dataflow, Privilege Boundary

10 Privilege Boundaries
- Specific DFD addition to TMs
- Boundary between DFD elements with different privilege levels
- Machine boundary (data from the other machine could be anonymous)
- Integrity boundary (Low -> Medium trust)
- Process boundary (e.g. User process -> SYSTEM process)
- Kernel -> User mode

11 Types of DFDs
- Context Diagram: very high-level; entire component / product / system
- Level 0 Diagram: high level; single feature / scenario
- Level 1 Diagram: low level; detailed sub-components of features
- Level n Diagram: even more detailed; unlikely to go beyond Level 2

12 A Real Context Diagram (Castle)

13 A Real Level-0 DFD (Castle)

14 DFD Element Threat Types
- Each DFD element (Asset) is susceptible to certain kinds of threats:
  Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

15 What is Repudiation?
- Something you probably won't need to worry too much about!
- Usually involves policies (read: you'll need a lawyer)
- Mitigate with non-repudiation techniques
- Non-repudiation services generate evidence which will help convince a disinterested party that a specific subject performed a specific action
- Evidence of Origination, Submission & Receipt

16 Every Asset is Subject to Attack
- How are each of these elements protected?

17 Determining Threats
- Prime Threat: based on DFD asset type
- Secondary Threat: based on threat trees
- Related issues

18 Prime Threats by Asset Type
  Asset            | S | T | R | I | D | E
  External Entity  | x |   | x |   |   |
  Process          | x | x | x | x | x | x
  Data Store       |   | x |(x)| x | x |
  Dataflow         |   | x |   | x | x |
  (x) = possibly (slide 32: "TID and possibly R")

19 Threat Trees
- A graphical representation of security-relevant pre-conditions in a system
- First outlined in Amoroso's "Fundamentals of Computer Security Technology"
- Based on hardware fault trees
- There are many "threat tree patterns"

20 Threat Tree Pattern Example
- Spoofing primary threat
- Each leaf is a secondary threat to be evaluated

21 A Special Note about Information Disclosure threats
- All information disclosure threats are potential privacy issues, raising the risk
- Is the data sensitive or PII?

22 Calculating Risk with Numbers
- DREAD etc.
- Very subjective
- Often requires the analyst be a security expert
- On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
- Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as "Won't Fix"?

23 Calculating Risk with Heuristics
- Simple rules of thumb
- Derived from the MSRC bulletin rankings

24 Security Risk Rankings (Examples)
- Critical: run malicious code; most 'E' vulns
- Important: denial of service against a server, and now it's dead
- Moderate: server DoS that stops once the attack stops
- Low: DoS against a client

25 Mitigating Threats
Options:
- Leave as-is
- Remove from product
- Remedy with technology countermeasure
- Warn user

26 Mitigation Techniques

27 An Example: Castle

28 Assumptions and Scenarios
- Home environment only, non-domain, 10 machines max
- Abby is the user
- Relying on the OS for most security technology

29 Castle Level-0 DFD

30 Castle DFD Elements
- External Entities (SR): 1

31 Castle DFD Elements
- Processes (STRIDE): 2, 3, 4 & 8

32 Castle DFD Elements
- Data Stores (TID and possibly R): 5, 6 & 7

33 Castle DFD Elements
- Data Flows (TID): [1 -> 2, 2 -> 1], [2 -> 3, 3 -> 2], etc.

34 Spoofing "The other end"
- Threat: Spoofing Remote Castle Service
- Example: "I'm castle, honest!"
- Mitigation: ??

35 Tamper with 'Bits' on disk
- Threat: Tampering with Castle Service
- Example: Replace bits on disk with rogue
- Mitigation: Good ACL, Signature

36 Denial of Service against Castle
- Threat: Castle no longer responds
- Example: Flood RPC endpoint
- Mitigation: Require authn

37 Priv Elev against Castle
- Threat: Bug in design/code leads to EoP
- Example: No need, you will have bugs!
- Mitigation: Run in lower priv/drop privs

38 Info Disc of data flow Castle-Castle
- Threat: View sensitive data on network
- Example: Use network sniffer
- Mitigation: RPC with encryption

39 Exercise: Threat Modeling and Mitigation
- Objective: Identifying, Categorizing and Mitigating Threats
- Refer to Exercise handout
- Work in pairs
- Estimated time to complete: 10 mins

40 Exercise: Identify all the DFD assets
- External Entities: Admin (1.0)
- Processes: iNTegrity Host (3.0), iNTegrity Admin Console (2.0)
- Data Stores: Registry (7.0), File System (6.0), Config Data (4.0), Integrity Files (5.0)
- Data Flows: 7.0 -> 3.0, 6.0 -> > 2.0, 2.0 -> > 2.0, 2.0 -> > > 2.0, 2.0 -> 5.0

41 Exercise: Identify all threat types per asset
- P (STRIDE): 3.0 and 2.0
- E (SR): 1
- DF (TID): 7.0->3.0, 6.0->3.0, , , , 4.0->2.0
- DS (TID): 7.0, 6.0, 4.0, 5.0
- DS (R): 5.0
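The asset-type table of slide 18, the per-element lists of the Castle slides (30-33) and the exercise answer on slide 41 are all one lookup applied to a DFD, so it is worth seeing that lookup run mechanically. The script below is an added example, not code from the original deck: it encodes the mapping (External Entity: S,R; Process: S,T,R,I,D,E; Data Store: T,I,D plus R for a store that holds evidence; Data Flow: T,I,D), loads the exercise's iNTegrity elements with only the data flows that survive legibly in this transcript, loads the Castle Level-0 element numbers, and flags data flows whose endpoints sit in different privilege zones (slide 10). The Castle element names, every `zone` value and the `evidence` flag (modelling slide 32's "possibly R") are assumptions made for illustration.

```python
"""Prime STRIDE threats per DFD asset type (added example, not from the deck).

The mapping (External Entity: S,R; Process: S,T,R,I,D,E; Data Store: T,I,D
plus R for a store that holds evidence; Data Flow: T,I,D) and the two sample
DFDs come from the slides.  Castle element names and every trust-zone value
are assumptions made for illustration.
"""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Prime threats by asset type (slide 18, slides 30-33).
PRIME = {"external_entity": "SR", "process": "STRIDE",
         "data_store": "TID", "data_flow": "TID"}


@dataclass(frozen=True)
class Element:
    ident: str
    name: str
    kind: str
    zone: str = "local"      # assumed privilege/trust zone (slide 10)
    evidence: bool = False   # store that must answer "who did what?" -> adds R


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def prime_letters(elem):
    """STRIDE letters that apply to a non-flow element."""
    letters = PRIME[elem.kind]
    if elem.kind == "data_store" and elem.evidence:
        letters += "R"            # slide 32: "TID and possibly R"
    return letters


def enumerate_threats(elements, flows):
    """Map every asset id to (STRIDE letters, crosses_privilege_boundary)."""
    result = {e.ident: (prime_letters(e), False) for e in elements.values()}
    for f in flows:
        crosses = elements[f.src].zone != elements[f.dst].zone
        result[f"{f.src}->{f.dst}"] = (PRIME["data_flow"], crosses)
    return result


def report(elements, flows):
    """Human-readable lines, one per asset, with the threat names spelled out."""
    lines = []
    for asset, (letters, crosses) in enumerate_threats(elements, flows).items():
        name = elements[asset].name if asset in elements else "data flow"
        names = ", ".join(STRIDE[c] for c in letters)
        flag = "  [crosses privilege boundary]" if crosses else ""
        lines.append(f"{asset:9} {name:24} {names}{flag}")
    return lines


# Exercise DFD (slides 40-41); only the data flows legible in the transcript.
INTEGRITY = {
    "1.0": Element("1.0", "Admin", "external_entity", zone="admin"),
    "2.0": Element("2.0", "iNTegrity Admin Console", "process", zone="admin"),
    "3.0": Element("3.0", "iNTegrity Host", "process", zone="system"),
    "4.0": Element("4.0", "Config Data", "data_store", zone="admin"),
    "5.0": Element("5.0", "Integrity Files", "data_store", zone="admin",
                   evidence=True),
    "6.0": Element("6.0", "File System", "data_store", zone="system"),
    "7.0": Element("7.0", "Registry", "data_store", zone="system"),
}
INTEGRITY_FLOWS = [Flow("7.0", "3.0"), Flow("6.0", "3.0"),
                   Flow("4.0", "2.0"), Flow("2.0", "5.0")]

# Castle Level-0 DFD (slides 30-33); entity 1 is assumed to be the remote machine.
CASTLE = {"1": Element("1", "Remote Castle", "external_entity", zone="remote")}
CASTLE.update({str(i): Element(str(i), f"Castle process {i}", "process")
               for i in (2, 3, 4, 8)})
CASTLE.update({str(i): Element(str(i), f"Castle store {i}", "data_store")
               for i in (5, 6, 7)})
CASTLE_FLOWS = [Flow("1", "2"), Flow("2", "1"), Flow("2", "3"), Flow("3", "2")]

if __name__ == "__main__":
    for title, els, fls in (("iNTegrity", INTEGRITY, INTEGRITY_FLOWS),
                            ("Castle", CASTLE, CASTLE_FLOWS)):
        print(f"== {title} ==")
        print("\n".join(report(els, fls)))
```

Run as a script it prints one line per asset for both DFDs. For the exercise it reproduces slide 41 (2.0 and 3.0 get STRIDE, 1.0 gets SR, the stores get TID and 5.0 additionally R); for Castle the 1 -> 2 and 2 -> 1 flows are flagged as crossing the machine boundary, which is exactly why slide 38's "view sensitive data on network" threat attaches to the Castle-Castle flow and not to the local ones.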

42 Exercise: Threat Modeling and Mitigation
- Identify three threats, one for a data flow, one for a data store and one for a process
[DFD with the STRIDE letters per element]

43 Exercise: Threat Modeling and Mitigation
- Identify first order mitigations for each threat
[DFD with the STRIDE letters per element]
- Server auth: SSL/TLS
- Encryption: SSL/TLS
- Integrity: ACL, Signature, MAC
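One concrete form of the "Integrity: MAC" mitigation listed above, set against slide 35's "replace bits on disk with rogue" threat, as an added example that is not part of the deck: a keyed tag is stored beside the file and verified before the bits are trusted. The key, the file contents and the tamper step are constructed for illustration. It assumes the verifier's key is held where the tamperer cannot read it, which is the ACL half of slide 35's "Good ACL, Signature"; without that, a MAC degrades to the unkeyed checksum the example contrasts it with.

```python
"""Integrity of bits on disk with a MAC (added example, not from the deck).

Illustrates the exercise's "Integrity: MAC" mitigation against the Castle
"replace bits on disk" tampering threat.  Key, file contents and the tamper
step are constructed; the assumption is that the verifier's key sits under
an ACL the tamperer cannot read.
"""
import hashlib
import hmac
import os
import tempfile


def make_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag over the file bytes; only a key holder can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison: do not leak the first mismatching byte.
    return hmac.compare_digest(make_tag(key, data), tag)


def write_protected(path: str, key: bytes, data: bytes) -> None:
    """Write the file and its MAC side by side."""
    with open(path, "wb") as f:
        f.write(data)
    with open(path + ".mac", "wb") as f:
        f.write(make_tag(key, data))


def load_verified(path: str, key: bytes) -> bytes:
    """Return the bytes only if the stored MAC verifies, otherwise raise."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".mac", "rb") as f:
        tag = f.read()
    if not verify_tag(key, data, tag):
        raise ValueError(f"{path}: integrity check failed")
    return data


def checksum_only_ok(path: str) -> bool:
    """Weak variant for contrast: an unkeyed hash stored beside the file."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".sha256", "rb") as f:
        stored = f.read()
    return hmac.compare_digest(hashlib.sha256(data).digest(), stored)


def demo() -> dict:
    """Constructed scenario: genuine file, then the bits are replaced on disk."""
    key = os.urandom(32)                      # held by the verifier only
    genuine, rogue = b"genuine castle service bits", b"rogue bits"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "castle.bin")
        write_protected(path, key, genuine)
        genuine_ok = load_verified(path, key) == genuine

        # Someone with write access to the directory (but not the key) replaces
        # the file and recomputes the unkeyed checksum; the MAC cannot be redone.
        with open(path, "wb") as f:
            f.write(rogue)
        with open(path + ".sha256", "wb") as f:
            f.write(hashlib.sha256(rogue).digest())
        try:
            load_verified(path, key)
            mac_detected = False
        except ValueError:
            mac_detected = True
        checksum_fooled = checksum_only_ok(path)
    return {"genuine_ok": genuine_ok, "mac_detected": mac_detected,
            "checksum_fooled": checksum_fooled}


if __name__ == "__main__":
    print(demo())
```

The point of the `checksum_only_ok` contrast is the one the slide's pairing of ACL with signature/MAC makes: a hash that the writer of the bits can recompute adds nothing against tampering, so the integrity value lives in whichever secret (MAC key or signing key) the tamperer is denied by the ACL. A signature differs from the MAC only in that the verifier needs no secret at all, which is what lets it be checked on every machine the bits are copied to.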

44 Questions?

45 Resources
- Technical Communities, Webcasts, Blogs, Chats & User Groups
- Microsoft Learning and Certification
- Microsoft Developer Network (MSDN) & TechNet
- Trial Software and Virtual Labs
- New, as a pilot for 2007, the Breakout sessions will be available post event, in the TechEd Video Library, via the My Event page of the website
- MSDN Library, Knowledge Base, Forums, MSDN Magazine, User Groups, Newsgroups, E-learning, Product Evaluations, Videos, Webcasts, V-labs, Blogs, MVPs, Certification, Chats
- Visit MSDN in the ATE Pavilion and get a FREE 180-day trial of MS Visual Studio Team System!

46 Complete your evaluation on the My Event pages of the website at the CommNet or the Feedback Terminals to win!

47 © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

