1 Software Fault Tolerance (SWFT) Threat Modeling. Dependable Embedded Systems & SW Group, www.deeds.informatik.tu-darmstadt.de. Prof. Neeraj Suri, Daniel Germanus, Abdelmajid Khelil, Dept. of Computer Science, TU Darmstadt, Germany
2 Terminology
Threat: the adversary's goals.
Threat Profile: the collection of all threats of a system.
Threat Model: a document that provides background information on a system, its threat profile, and an analysis of the current system against that threat profile. Threat modeling results in a living threat model.
Vulnerability: a security flaw in the system.
Risk: a characterization of the danger of a vulnerability or condition.
Security Weakness: an insufficient mitigation of a threat (usually resulting in a vulnerability).
Asset: an abstract or concrete resource that a system must protect from misuse by an adversary.
Trust Level: a characterization of an external entity, often based on how it is authenticated and what privileges it has.
3 Motivation
A threat model is a master plan for securing software systems.
Assess applications and technologies with respect to their attackability.
Acquire the attacker's way of thinking.
Minimize the impact of a successful attack.
Prioritize the development of fixes for discovered weaknesses.
5 Threat Model Components D. Germanus, A. Johansson, N. Suri “Threat Modeling and Dynamic Profiling”, Book chapter in Annals of Emerging Research in Information Assurance, Security and Privacy Services, Elsevier Press, 2008.
15 Threat Modeling: Reaction Phase
The previously generated lists and expert knowledge are required to distill potential threats.
Threats are directed against assets, put assets at risk, and reflect an attacker's intentions.
Next: STRIDE & DREAD ratings, threat trees ...
16 Reaction Phase: STRIDE
The STRIDE scheme is used to classify the expected impact of a threat. Acronym for:
Spoofing – allows attackers to act as another user or component
Tampering – illegal modification of data
Repudiation – inability to trace operations back to a specific user
Information disclosure – gaining access to data in transit or in a data store
DoS – denial of service attack
Elevation of privilege – illegal raising of access privileges
17 Reaction Phase: Threat Tree
Threat trees help to understand the dependencies among a threat's partial requirements.
The semantics of threat trees are similar to those of fault trees in fault tree analysis (FTA): the root node represents a threat, leaves represent the entry points usable for an attack, and inner nodes represent partial goals during an attack.
By default, nodes on the same level are in an OR relationship, i.e., it is sufficient to fulfill one condition on level n to proceed to level n-1.
A very important node attribute: whether the condition is mitigated or not.
18 Threat Tree Example
Below: threat tree for information leakage of a precious document.
The right subtree is mitigated (as leaves 2.1 and 2.2 are mitigated).
The left subtree is unmitigated; potential entry point: condition 1.2.
19 Reaction Phase: DREAD
DREAD is used to classify each node in a threat tree. Acronym for:
Damage potential – rates the affected assets and the expected impact
Reproducibility – rates the effort to bring the attack about
Exploitability – estimates the threat's value and an attacker's objectives
Affected users – estimates the fraction of installations that are subject to the attack
Discoverability – a measure of the likelihood of discovering the attack
Ratings are measured on a discrete scale which, for simplicity in further assessments, is kept small, e.g., 1: low; 2: medium; 3: high.
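The threat-tree semantics of slides 17 and 18 and the DREAD rating of slide 19 can be combined into a small evaluator. The following is an added example, not code from the slides or the DEEDS group: the tree, its labels and its DREAD ratings are constructed to mirror the slide-18 example (right subtree mitigated via leaves 2.1 and 2.2, left subtree open through condition 1.2).

```python
from dataclasses import dataclass, field

# DREAD ratings on the slide's discrete scale: 1 = low, 2 = medium, 3 = high.
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")

@dataclass
class Node:
    """Threat-tree node: root = threat, inner node = partial goal, leaf = entry point."""
    name: str
    relation: str = "OR"        # OR is the default relation among a node's children
    mitigated: bool = False     # leaf attribute: is this condition mitigated?
    dread: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

    def is_mitigated(self) -> bool:
        # OR: one unmitigated child suffices for the attacker, so the node is
        # mitigated only if every child is. AND: mitigating any one child blocks it.
        if not self.children:
            return self.mitigated
        results = [c.is_mitigated() for c in self.children]
        return all(results) if self.relation == "OR" else any(results)

    def dread_score(self) -> int:
        # Sum of the five ratings: 5 (all low) .. 15 (all high).
        return sum(self.dread.get(f, 0) for f in DREAD_FIELDS)

def open_entry_points(node: Node) -> list:
    """Unmitigated leaves reachable via unmitigated ancestors, highest DREAD first."""
    if node.is_mitigated():
        return []
    if not node.children:
        return [node]
    leaves = [leaf for c in node.children for leaf in open_entry_points(c)]
    return sorted(leaves, key=Node.dread_score, reverse=True)

def rate(d, r, e, a, s):
    return dict(zip(DREAD_FIELDS, (d, r, e, a, s)))

# Constructed tree mirroring the slide's example: right subtree mitigated (leaves
# 2.1, 2.2), left subtree open through condition 1.2. Labels/ratings are hypothetical.
TREE = Node("leak of a precious document", children=[
    Node("1 obtain stored copy", children=[
        Node("1.1 read primary store", mitigated=True, dread=rate(3, 2, 2, 3, 2)),
        Node("1.2 read backup copy", dread=rate(3, 2, 2, 3, 1)),
    ]),
    Node("2 intercept in transit", children=[
        Node("2.1 read unprotected channel", mitigated=True, dread=rate(3, 3, 2, 2, 2)),
        Node("2.2 read relay buffer", mitigated=True, dread=rate(2, 1, 1, 1, 1)),
    ]),
])
```

`open_entry_points(TREE)` returns only leaf 1.2, the slide's open entry point, ordered by DREAD score so that the fix list of slide 3 can be prioritized.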
31 Attack Surface Measure
P. Manadhata and J. Wing, "An Attack Surface Metric", CMU-CS , July
P. Manadhata, J. Wing, M. Flynn, M. McQueen, "Measuring the Attack Surfaces of Two FTP Daemons", QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection, 2006.
40 Microsoft Threat Modeling Tool
Download: familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en
42 Literature
D. Germanus, A. Johansson, N. Suri, "Threat Modeling and Dynamic Profiling", in Annals of Emerging Research in Information Assurance, Security and Privacy Services, Elsevier Press, 2008.
F. Swiderski and W. Snyder, "Threat Modeling", Microsoft Press.
S. Lipner and M. Howard, "The Trustworthy Computing Security Development Lifecycle", us/dnsecure/html/sdl.asp, Microsoft.
P. Manadhata and J. Wing, "An Attack Surface Metric", CMU-CS , July
P. Manadhata, J. Wing, M. Flynn, M. McQueen, "Measuring the Attack Surfaces of Two FTP Daemons", QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection, 2006.
B. Schneier, "Attack Trees: Modeling Security Threats", Dr. Dobb's Journal, Dec
Boström et al., "Extending XP Practices to Support Security Requirements Engineering", SESS '06: Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems, 2006.