Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threats and Threat Modeling Murat Gökşin Bakır Microsoft Regional Director Yage Ltd.

Similar presentations


Presentation on theme: "Threats and Threat Modeling Murat Gökşin Bakır Microsoft Regional Director Yage Ltd."— Presentation transcript:

1 Threats and Threat Modeling Murat Gökşin Bakır Microsoft Regional Director Yage Ltd

2 Session Agenda Types of threats Threats against the application SQL injection Cross-site scripting Input tampering Session hijacking More Threat modeling

3 Types of Threats Spoofed packets, etc. Buffer overflows, illicit paths, etc. SQL injection, XSS, input tampering, etc. NetworkHostApplication Threats against the network Threats against the host Threats against the application

4 Threats Against the Network ThreatExamples Information gathering Port scanning Using trace routing to detect network topologies Using broadcast requests to enumerate subnet hosts Eavesdropping Using packet sniffers to steal passwords Denial of service (DoS) SYN floods ICMP echo request floods Malformed packets Spoofing Packets with spoofed source addresses i frame=true#c _004

5 Threats Against the Host ThreatExamples Arbitrary code execution Buffer overflows in ISAPI DLLs (e.g., MS01-033) Directory traversal attacks (MS00-078) File disclosure Malformed HTR requests (MS01-031) Virtualized UNC share vulnerability (MS00-019) Denial of service (DoS) Malformed SMTP requests (MS02-012) Malformed WebDAV requests (MS01-016) Malformed URLs (MS01-012) Brute-force file uploads Unauthorized access Resources with insufficiently restrictive ACLs Spoofing with stolen login credentials Exploitation of open ports and protocols Using NetBIOS and SMB to enumerate hosts Connecting remotely to SQL Server i frame=true#c _004

6 Threats Against the Application ThreatExamples SQL injection Including a DROP TABLE command in text typed into an input field Cross-site scripting Using malicious client-side script to steal cookies Hidden-field tampering Maliciously changing the value of a hidden field Eavesdropping Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Session hijacking Using a stolen session ID cookie to access someone else's session state Identity spoofing Using a stolen forms authentication cookie to pose as another user Information disclosure Allowing client to see a stack trace when an unhandled exception occurs frame=true#c _004 i

7 SQL Injection Exploits applications that use external input in database commands Input from fields Input from query strings The technique: Find a field or query string parameter used to generate SQL commands Submit input that modifies the commands Compromise, corrupt, and destroy data

8 How SQL Injection Works SELECT COUNT (*) FROM Users WHERE UserName=‘Jeff’ AND Password=‘imbatman’ SELECT COUNT (*) FROM Users WHERE UserName=‘’ or 1=1-- AND Password=‘’ Model Query Malicious Query "or 1=1" matches every record in the table "--" comments out the remainder of the query

9 SQL Injection

10 Cross-Site Scripting (XSS) Exploits applications that echo raw, unfiltered input to Web pages Input from fields Input from query strings The technique: Find a field or query string parameter whose value is echoed to the Web page Enter malicious script and get an unwary user to navigate to the infected page Steal cookies, deface and disable sites

11 How Cross-Site Scripting Works … Query string contains embedded JavaScript that redirects to attacker’s page and transmits cookies issued by Search.aspx in a query string URL of the site targeted by the attack

12 XSS – How it Works Hello, If Request.Form(“cookie”) <> “” Then data = Request.Form(“cookie”) ‘ Do whatever I want with the cookie End If Response.Redirect idForm.cookie.value=document.cookie; idForm.submit(); The Bad URL

13 Cross-Site Scripting

14 Cross-Site Scripting Attacks Based on Tags (2) idForm.cookie.value=document.cookie; idForm.submit(); > here

15 Hidden-Field Tampering HTTP is a stateless protocol No built-in way to persist data from one request to the next People are stateful beings Want data persisted between requests Shopping carts, user preferences, etc. Web developers sometimes use hidden fields to persist data between requests Hidden fields are not really hidden!

16 How HF Tampering Works Page contains this… Postback data should contain this… price="$10,000" Instead it contains this… price="$1" type="hidden" prevents the field from being seen on the page but not in View Source

17 Session Hijacking Web applications use sessions to store state Sessions are private to individual users Sessions can be compromised Threat Risk Factor Theft and replay of session ID cookies High* Links to sites that use cookieless session state Medium* Predictable session IDs Low* Remote connection to state server service Medium Remote connection to state server database Medium Eavesdropping on state server connection Medium * Shorter session time-outs mitigate the risk by reducing the attack window

18 Identity Spoofing Threat Risk Factor Theft of Windows authentication credentials High Theft of forms authentication credentials High Theft and replay of authentication cookies Medium* Dictionary attacks and password guessing High Security depends on authentication If authentication can be compromised, security goes out the window Authentication can be compromised * Depends on the time-out values assigned to authentication cookies

19 Information Disclosure Which is the better error message?

20 Information Disclosure

21 Threat Modeling Structured approach to identifying, quantifying, and addressing threats Essential part of development process Just like specing and designing Just like coding and testing One technique presented here There are others (e.g., OCTAVE) i

22 The Threat Modeling Process Identify assets Document architecture Decompose application Identify threats Document threats Rate threats

23 Identifying Assets What is it that you want to protect? Private data (e.g., customer list) Proprietary data (e.g., intellectual property) Potentially injurious data (e.g., credit card numbers, decryption keys) These also count as "assets" Integrity of back-end databases Integrity of the Web pages (no defacement) Integrity of other machines on the network Availability of the application 1 1

24 Documenting Architecture Define what the app does and how it's used Users view pages with catalog items Users perform searches for catalog items Users add items to shopping carts Users check out Diagram the application Show subsystems Show data flow List assets 2 2

25 Example Bob Alice Bill Asset #4 Asset #1Asset #2Asset #3 Asset #5Asset #6 IISASP.NET Web Server Login State Main Database Server Firewall

26 Decomposing the App Refine the architecture diagram Show authentication mechanisms Show authorization mechanisms Show technologies (e.g., DPAPI) Diagram trust boundaries Identify entry points Begin to think like an attacker Where are my vulnerabilities? What am I going to do about them? 3 3

27 Example Bob Alice Bill IISASP.NET Web Server Database Server Trust Forms AuthenticationURL Authorization DPAPIWindows Authentication Firewall Login State Main

28 Identifying Threats Method #1: Threat lists Start with laundry list of possible threats Identify the threats that apply to your app Method #2: STRIDE Categorized list of threat types Identify threats by type/category Optionally draw threat trees Root nodes represent attacker's goals Trees help identify threat conditions 4 4

29 STRIDE S S T T R R I I D D Tampering Repudiation Information disclosure Denial of service Can an attacker gain access using a false identity? Can an attacker modify data as it flows through the application? If an attacker denies an exploit, can you prove him or her wrong? Can an attacker gain access to private or potentially injurious data? Can an attacker crash or reduce the availiability of the system? E E Elevation of privilege Can an attacker assume the identity of a privileged user? Spoofing

30 Threat Trees Theft of Auth Cookies Theft of Auth Cookies Obtain auth cookie to spoof identity Unencrypted Connection Unencrypted Connection Cookies travel over unencrypted HTTP Eavesdropping Attacker uses sniffer to monitor HTTP traffic Cross-Site Scripting Cross-Site Scripting Attacker possesses means and knowledge XSS Vulnerability XSS Vulnerability Application is vulnerable to XSS attacks OR AND

31 Documenting Threats Theft of Auth Cookies by Eavesdropping on Connection Threat target Connections between browsers and Web server Risk Attack techniques Attacker uses sniffer to monitor traffic Countermeasures Use SSL/TLS to encrypt traffic Document threats using a template Theft of Auth Cookies via Cross-Site Scripting Threat target Vulnerable application code Risk Attack techniques Attacker sends with malicious link to users Countermeasures Validate input; HTML-encode output 5 5

32 Rating Threats Simple model DREAD model Greater granularization of threat potential Rates (prioritizes) each threat on scale of 1-15 Developed and widely used by Microsoft Risk = Probability * Damage Potential 1-10 Scale 1 = Least probable 10 = Most probable 1-10 Scale 1 = Least probable 10 = Most probable 1-10 Scale 1 = Least damage 10 = Most damage 1-10 Scale 1 = Least damage 10 = Most damage 6 6

33 DREAD D D R R E E A A D D Reproducibility Exploitability Affected users Discoverability What are the consequences of a successful exploit? Would an exploit work every time or only under certain circumstances? How skilled must an attacker be to exploit the vulnerability? How many users would be affected by a successful exploit? How likely is it that an attacker will know the vulnerability exists? Damage potential

34 DREAD, Cont. High (3) Medium (2) Low (1) Damage potential Attacker can retrieve extremely sensitive data and corrupt or destroy data Attacker can retrieve sensitive data but do little else Attacker can only retrieve data that has little or no potential for harm Reproduc- ability Works every time; does not require a timing window Timing-dependent; works only within a time window Rarely works Exploitabilty Bart Simpson could do it Attacker must be somewhat knowledgeable and skilled Attacker must be VERY knowledgeable and skilled Affected users Most or all users Some users Few if any users Discoverabilty Attacker can easily discover the vulnerability Attacker might discover the vulnerability Attacker will have to dig to discover the vulnerability

35 ExampleThreatDREADSum Auth cookie theft (eavesdropping) Auth cookie theft (XSS) Potential for damage is high (spoofed identities, etc.) Cookie can be stolen any time, but is only useful until expired Anybody can run a packet sniffer; XSS attacks require moderate skill All users could be affected, but in reality most won't click malicious links Easy to discover: just type a block into a field Prioritized Risks Prioritized Risks

36 Additional Resources Sanctum AppScan Developer Edition (DE) Automated unit testing tool that enables rapid development of Secure, Quality Web applications Integrates directly into Visual Studio.NET Integrates directly into Visual Studio.NET Real-time scanning of potential vulnerabilities Real-time scanning of potential vulnerabilities Comprehensive defect analysis of any ASP.NET site Comprehensive defect analysis of any ASP.NET site For more product information For a free product trial For a free product trial

37 Microsoft Developer Network Patterns and Practices Guides

38 SafeApps™SafeApps™ Secure Code Assurance (SCA) engine Replaces a manual security code expert code reviewer in a box. Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors. Detects programming errors that lead to viruses and worms Prioritizes risk of each error from severe error to warning. Optimizes programmer’s time. Guides the programmer to fix the source of error. Most programmers don’t know how to fix security errors. Target user Developer, QA Engineer, Security Engineer Development teams that use SafeApps can drastically reduce the number of vulnerabilities in their software. Secure Code Assurance (SCA) engine Replaces a manual security code expert code reviewer in a box. Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors. Detects programming errors that lead to viruses and worms Prioritizes risk of each error from severe error to warning. Optimizes programmer’s time. Guides the programmer to fix the source of error. Most programmers don’t know how to fix security errors. Target user Developer, QA Engineer, Security Engineer Development teams that use SafeApps can drastically reduce the number of vulnerabilities in their software.

39 Resources/Next Steps NGSCB is part of the Longhorn SDK Ask your hardware and software vendors what NGSCB-enabled components they will provide Visit our site and read the white papers and specs Send questions to our Q&A alias Sign up for updates Subscribe to the NGSCB information newsletter for ongoing updates. Send blank to: NGSCB is part of the Longhorn SDK Ask your hardware and software vendors what NGSCB-enabled components they will provide Visit our site and read the white papers and specs Send questions to our Q&A alias Sign up for updates Subscribe to the NGSCB information newsletter for ongoing updates. Send blank to:

40 ASP.NET Whidbey Book Now available for PDC bits 13 Chapters, 470 Pages Topics Covered Introduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Confuguration & Administration and more. Now available for PDC bits 13 Chapters, 470 Pages Topics Covered Introduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Confuguration & Administration and more. Purchase and review at:

41 FxCop

42 Integer Arithmetic Vulns Once rare, now common Sun RPC xdr_array (http://www.securityfocus.com/bid/5356) OpenSSH authentication (http://www.securityfocus.com/bid/5093) Apache Chunked Encoding (http://www.securityfocus.com/bid/5033) Microsoft JScript (http://www.microsoft.com/technet/security/bulletin/MS asp) FreeBSD socket and system calls (http://www.securityfocus.com/bid/5493) Snort TCP Packet Reassembly (http://www.securityfocus.com/bid/7178) Microsoft MIDI Decoder (http://www.microsoft.com/technet/security/bulletin/MS asp) OpenSSL ASN.1 Parsing (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN ) Once rare, now common Sun RPC xdr_array (http://www.securityfocus.com/bid/5356) OpenSSH authentication (http://www.securityfocus.com/bid/5093) Apache Chunked Encoding (http://www.securityfocus.com/bid/5033) Microsoft JScript (http://www.microsoft.com/technet/security/bulletin/MS asp) FreeBSD socket and system calls (http://www.securityfocus.com/bid/5493) Snort TCP Packet Reassembly (http://www.securityfocus.com/bid/7178) Microsoft MIDI Decoder (http://www.microsoft.com/technet/security/bulletin/MS asp) OpenSSL ASN.1 Parsing (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN )

43 © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


Download ppt "Threats and Threat Modeling Murat Gökşin Bakır Microsoft Regional Director Yage Ltd."

Similar presentations


Ads by Google