Software Fault Tolerance (SWFT)
Threat Modeling
Prof. Neeraj Suri, Daniel Germanus, Abdelmajid Khelil
Dept. of Computer Science, TU Darmstadt, Germany
Dependable Embedded Systems & SW Group
Terminology
Threat: the adversary's goals.
Threat Profile: the collection of all threats of a system.
Threat Model: a document that provides background information on a system, its threat profile, and an analysis of the current system against that threat profile. Threat modeling results in a living threat model.
Vulnerability: a security flaw in the system.
Risk: a characterization of the danger of a vulnerability or condition.
Security Weakness: an insufficient mitigation of a threat (usually resulting in a vulnerability).
Asset: an abstract or concrete resource that a system must protect from misuse by an adversary.
Trust Level: a characterization of an external entity, often based on how it is authenticated and what privileges it has.
Motivation
The threat model is the master plan for securing a software system:
- Assess applications and technologies with respect to their attackability
- Acquire the attacker's way of thinking
- Minimize the impact of a successful attack
- Prioritize the development of fixes for discovered weaknesses
Threat Model Components
D. Germanus, A. Johansson, N. Suri, "Threat Modeling and Dynamic Profiling", book chapter in Annals of Emerging Research in Information Assurance, Security and Privacy Services, Elsevier Press, 2008.
Threat Modeling: Reaction Phase
The previously generated lists and expert knowledge are required to distill potential threats.
Threats are
- directed against assets,
- put assets at risk,
- reflect an attacker's intentions.
Next: STRIDE and DREAD ratings, threat trees, ...
Reaction Phase: STRIDE
The STRIDE scheme is used to classify the expected impact of a threat. Acronym for:
- Spoofing: allows an attacker to act as another user or component
- Tampering: illegal modification of data
- Repudiation: inability to trace operations back to a specific user
- Information disclosure: gaining access to data in transit or in a data store
- DoS: denial of service attack
- Elevation of privilege: illegitimate raising of access privileges
Reaction Phase: Threat Tree
Threat trees are helpful for understanding the dependencies among a threat's partial requirements. Their semantics are similar to those of fault trees in fault tree analysis (FTA):
- the root node represents a threat,
- leaves represent entry points that can be used for an attack,
- inner nodes represent partial goals during an attack.
By default, nodes on the same level are in an OR relationship, i.e., it is sufficient to fulfill one condition on level n to proceed to level n-1.
Very important node attribute: whether the condition is mitigated or not.
Threat Tree Example
[Figure: threat tree on information leakage of a precious document]
- The right subtree is mitigated (as leaves 2.1 and 2.2 are mitigated).
- The left subtree is unmitigated; potential entry point: condition 1.2.
Reaction Phase: DREAD
DREAD is used to classify each node in a threat tree. Acronym for:
- Damage potential: rates the affected assets and the expected impact
- Reproducibility: rates the effort needed to bring the attack about
- Exploitability: estimates the threat's value and an attacker's objectives
- Affected users: estimates the fraction of installations that are subject to the attack
- Discoverability: a measure of the likelihood of the attack being discovered
Ratings are measured on a discrete scale that, for simplicity in further assessments, is kept small, e.g., 1: low; 2: medium; 3: high.
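As an added example (not part of the slides), the threat-tree semantics and the DREAD scale above in Python: an OR node counts as mitigated only when all of its children are, an AND node when any child is, and the constructed tree reproduces the leakage example (leaves 2.1 and 2.2 mitigated, condition 1.2 left as the open entry point). The condition texts and the DREAD values are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Discrete DREAD scale from the slides: 1 low, 2 medium, 3 high.
DREAD_SCALE = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Node:
    """Threat-tree node: root = threat, inner = partial goal, leaf = entry point."""
    label: str
    children: List["Node"] = field(default_factory=list)
    gate: str = "OR"                # how children combine; OR is the slide default
    mitigated: bool = False         # set on leaves; derived for inner nodes
    dread: Optional[Tuple[int, int, int, int, int]] = None  # (D, R, E, A, D), each 1..3

    def is_mitigated(self) -> bool:
        if not self.children:
            return self.mitigated
        status = [c.is_mitigated() for c in self.children]
        # OR: one open child is enough for the attacker, so all must be closed.
        # AND: the attacker needs every child, so one closed child closes the node.
        return all(status) if self.gate == "OR" else any(status)

    def entry_points(self) -> List[str]:
        """Labels of leaves that still give an attacker a way into this node."""
        if not self.children:
            return [] if self.mitigated else [self.label]
        if self.is_mitigated():
            return []
        return [ep for c in self.children for ep in c.entry_points()]


def dread_score(node: Node) -> int:
    """Sum of the five DREAD ratings (5..15); used to rank unmitigated nodes."""
    if node.dread is None or len(node.dread) != 5 or any(v not in DREAD_SCALE for v in node.dread):
        raise ValueError(f"{node.label}: DREAD needs five ratings in {sorted(DREAD_SCALE)}")
    return sum(node.dread)


# Constructed tree mirroring the slide's leakage example; the condition texts are assumptions.
leak_tree = Node("information leakage of a precious document", children=[
    Node("1: obtain the document from the workstation", children=[
        Node("condition 1.1", mitigated=True),
        Node("condition 1.2", mitigated=False, dread=(3, 2, 2, 1, 2)),
    ]),
    Node("2: obtain the document in transit", children=[
        Node("condition 2.1", mitigated=True),
        Node("condition 2.2", mitigated=True),
    ]),
])
```

`leak_tree.entry_points()` lists the conditions that still need a mitigation, and `dread_score` on those nodes gives the order in which to fix them.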
Attack Surface Measure
P. Manadhata and J. Wing, "An Attack Surface Metric", CMU-CS, July 2005.
P. Manadhata, J. Wing, M. Flynn, M. McQueen, "Measuring the Attack Surfaces of Two FTP Daemons", QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection, 2006.
Literature
D. Germanus, A. Johansson, N. Suri, "Threat Modeling and Dynamic Profiling", in Annals of Emerging Research in Information Assurance, Security and Privacy Services, Elsevier Press, 2008.
F. Swiderski and W. Snyder, "Threat Modeling", Microsoft Press, 2004.
S. Lipner and M. Howard, "The Trustworthy Computing Security Development Lifecycle", Microsoft, 2005.
P. Manadhata and J. Wing, "An Attack Surface Metric", CMU-CS, July 2005.
P. Manadhata, J. Wing, M. Flynn, M. McQueen, "Measuring the Attack Surfaces of Two FTP Daemons", QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection, 2006.
B. Schneier, "Attack Trees: Modeling Security Threats", Dr. Dobb's Journal, Dec.
Boström et al., "Extending XP Practices to Support Security Requirements Engineering", SESS '06: Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems, 2006.