1 OS II: Dependability & Trust
Threat Modeling & Security Metrics
Dependable Embedded Systems & SW Group, www.deeds.informatik.tu-darmstadt.de
Prof. Neeraj Suri, Abdelmajid Khelil, Daniel Germanus
Dept. of Computer Science, TU Darmstadt, Germany
2 Terminology
- Threat: the adversary's goals.
- Threat Profile: the collection of all threats of a system.
- Threat Model: a document that provides background information on a system, its threat profile, and an analysis of the current system against that threat profile. Threat modeling results in a living threat model.
- Vulnerability: a security flaw in the system.
- Risk: a characterization of the danger of a vulnerability or condition.
- Security Weakness: an insufficient mitigation of a threat (usually resulting in a vulnerability).
- Asset: an abstract or concrete resource that a system must protect from misuse by an adversary.
3 Motivation
- A threat model is a master plan for securing software systems.
- Assessing applications and technologies with respect to their attackability.
- Adopting the attacker's way of thinking.
- Minimizing the impact of a successful attack.
- Prioritizing the development of fixes for discovered weaknesses.
5 Threat Model Components
D. Germanus, A. Johansson, N. Suri, "Threat Modeling and Dynamic Profiling", book chapter in Annals of Emerging Research in Information Assurance, Security and Privacy Services, Elsevier Press, 2008.
16 Threat Modeling: Reaction Phase
- The previously generated lists and expert knowledge are required to distill potential threats.
- Threats are directed against assets, i.e., they put assets at risk.
- Threats reflect an attacker's intentions.
- Next: STRIDE & DREAD ratings, threat trees, ...
17 Reaction Phase: STRIDE
The STRIDE scheme is used to classify the expected impact of a threat. Acronym for:
- Spoofing: allows attackers to act as another user or component (vs. authentication)
- Tampering: illegal modification of data (vs. integrity)
- Repudiation: inability to trace operations back to a specific user (vs. non-repudiation)
- Information disclosure: gaining access to data in transit or in a data store (vs. confidentiality)
- DoS: denial of service attack (vs. availability)
- Elevation of privilege: illegal raising of access privileges (vs. authorization)
18 Reaction Phase: Threat Tree
- Threat trees help to understand the dependencies among a threat's partial requirements.
- The semantics of threat trees are similar to those of fault trees in fault tree analysis (FTA): the root node represents a threat, leaves represent entry points to be used for an attack, and inner nodes represent partial goals during an attack.
- By default, nodes on the same level are in an OR relationship, i.e., it is sufficient to fulfill one condition on level n to proceed to level n-1.
- Very important node attribute: whether the condition is mitigated or not.
19 Threat Tree Example
- Below: threat tree on information leakage of a precious document.
- The right subtree is mitigated (as leaves 2.1 and 2.2 are mitigated).
- The left subtree is unmitigated; potential entry point: condition 1.2.
20 Reaction Phase: DREAD
DREAD is used to classify each node in a threat tree. Acronym for:
- Damage potential: rates the affected assets and the expected impact
- Reproducibility: rates the effort needed to bring the attack about
- Exploitability: estimates the threat's value and an attacker's objectives
- Affected users: estimates the fraction of installations that are subject to the attack
- Discoverability: a measure of the likelihood of discovering the attack
Ratings are measured on a discrete scale that is kept small for simplicity in further assessments, e.g., 1: low, 2: medium, 3: high.
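The following Python sketch is an added example, not code from the slides or from the cited chapter. It encodes the threat tree of slides 18 and 19 (root = threat, inner nodes = partial goals, leaves = entry points, the per-node mitigated attribute, OR semantics by default), the STRIDE table of slide 17 and the 1..3 DREAD scale of slide 20, and replays the slide 19 example: leaves 2.1 and 2.2 mitigated, the left subtree still open through condition 1.2. The condition texts, the DREAD ratings, the AND gate (which fault trees and Schneier's attack trees also use) and the plain-sum DREAD score are assumptions that go beyond the slides.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# STRIDE category -> security property the threat works against (as on the slide).
STRIDE = {"Spoofing": "authentication", "Tampering": "integrity",
          "Repudiation": "non-repudiation", "Information disclosure": "confidentiality",
          "DoS": "availability", "Elevation of privilege": "authorization"}


@dataclass
class Dread:
    """DREAD ratings on the slide's discrete scale: 1 low, 2 medium, 3 high."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if value not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def score(self) -> int:
        """Plain sum of the five ratings (5..15); the weighting is an assumption."""
        return sum(vars(self).values())


@dataclass
class ThreatNode:
    ident: str
    text: str
    mitigated: bool = False       # the slide's "very important node attribute"
    gate: str = "OR"              # slide default is OR; AND is an added generalisation
    stride: Optional[str] = None  # STRIDE category of the threat, if classified
    dread: Optional[Dread] = None
    children: List["ThreatNode"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.gate not in ("OR", "AND"):
            raise ValueError(f"gate must be OR or AND, got {self.gate!r}")
        if self.stride is not None and self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")


def is_blocked(node: ThreatNode) -> bool:
    """An attacker cannot proceed through a node that is mitigated itself or whose gate
    cannot be satisfied: under OR every child must be blocked, under AND one suffices."""
    if node.mitigated:
        return True
    if not node.children:
        return False
    blocked = [is_blocked(child) for child in node.children]
    return all(blocked) if node.gate == "OR" else any(blocked)


def open_entry_points(node: ThreatNode) -> List[str]:
    """Unmitigated leaves still reachable from the root: the usable entry points."""
    if is_blocked(node):
        return []
    if not node.children:
        return [node.ident]
    return [leaf for child in node.children for leaf in open_entry_points(child)]


def prioritised_nodes(node: ThreatNode) -> List[Tuple[str, int]]:
    """(ident, DREAD score) of every reachable, rated node, highest score first."""
    if is_blocked(node):
        return []
    found = [(node.ident, node.dread.score())] if node.dread else []
    for child in node.children:
        found.extend(prioritised_nodes(child))
    return sorted(found, key=lambda pair: (-pair[1], pair[0]))


def slide_tree() -> ThreatNode:
    """Constructed reconstruction of the slide's example: leaves 2.1 and 2.2 mitigated,
    the left subtree still open through condition 1.2. Texts and ratings are assumed."""
    return ThreatNode("0", "Information leakage of a precious document",
                      stride="Information disclosure", dread=Dread(3, 2, 2, 3, 2), children=[
        ThreatNode("1", "Partial goal 1 (assumed)", children=[
            ThreatNode("1.1", "Condition 1.1 (assumed)", mitigated=True),
            ThreatNode("1.2", "Condition 1.2 (assumed)", dread=Dread(3, 3, 2, 3, 2))]),
        ThreatNode("2", "Partial goal 2 (assumed)", children=[
            ThreatNode("2.1", "Condition 2.1 (assumed)", mitigated=True),
            ThreatNode("2.2", "Condition 2.2 (assumed)", mitigated=True)])])
```

For the constructed tree, open_entry_points(slide_tree()) returns ['1.2'] and prioritised_nodes(slide_tree()) returns [('1.2', 13), ('0', 12)], i.e. the unmitigated condition ranks first for fixing. Changing node 1's gate to AND makes the mitigated sibling 1.1 block the whole partial goal, and the tree then reports no open entry point; that is why the mitigated attribute and the gate semantics must be recorded per node rather than per subtree.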
24 Attack Surface Measure
P. Manadhata and J. Wing, "An Attack Surface Metric", CMU-CS-05-155, July 2005.
P. Manadhata, J. Wing, M. Flynn, M. McQueen, "Measuring the Attack Surfaces of Two FTP Daemons", QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection, 2006.
30 Attack Surface Measure – FTP Daemons (2)
Damage potential estimation:
- Define an ordering in each resource class and assign numeric values.
- Table: numeric values assigned to the values of the attributes.
- Estimate a channel's damage potential in terms of the channel's protocol.
- Estimate a data item's damage potential in terms of the data item's type.
- Estimate a method's damage potential in terms of the method's privilege.
- Estimate the effort the attacker needs to spend to use a resource in an attack in terms of the resource's access rights.
31 Attack Surface Measure – FTP Daemons (3)
ProFTPD attack surface along the method (M), channel (C) and data (D) dimensions (figure on the original slide).
32 Attack Surface Measure – FTP Daemons (4)
ProFTPD attack surface:
Wu-FTPD attack surface:
- Wu-FTPD has a higher measure along the method dimension, as it has a larger number of methods running with root privilege and accessible with unauthenticated user access rights.
- ProFTPD has a higher measure along the data dimension, as it has a larger number of files accessible with world access rights.
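As an added example (not code from the slides or from Manadhata and Wing), the Python below carries out the estimation of slides 30 to 32: every resource gets a damage potential from its privilege, protocol or data type and an attacker effort from its access rights, each resource contributes the ratio damage potential / effort, and the ratios are summed per dimension to give the (method, channel, data) attack surface measure. The numeric orderings, the resource names and the two daemon profiles are constructed assumptions chosen to reproduce the pattern the slide describes (one profile larger on the method dimension, the other on the data dimension); they are not the values of the paper, ProFTPD or Wu-FTPD.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple

# Constructed orderings and numeric values. The slide says an ordering is defined in each
# resource class and numeric values are assigned, but lists none; these are assumptions.
PRIVILEGE = {"root": 5, "authenticated": 3, "unauthenticated": 1}   # method damage potential
PROTOCOL = {"TCP": 1, "TLS-over-TCP": 2}                             # channel damage potential
DATA_TYPE = {"file": 2, "config": 3}                                 # data item damage potential
ACCESS = {"unauthenticated": 1, "world": 1, "authenticated": 3, "root": 5}  # attacker effort


@dataclass(frozen=True)
class Resource:
    """One method (entry/exit point), channel or data item of the daemon."""
    name: str
    kind: str            # "method", "channel" or "data"
    attribute: str       # privilege, protocol or data type, depending on kind
    access_rights: str   # what the attacker needs in order to use the resource


def damage_potential(r: Resource) -> int:
    table = {"method": PRIVILEGE, "channel": PROTOCOL, "data": DATA_TYPE}[r.kind]
    return table[r.attribute]


def effort(r: Resource) -> int:
    return ACCESS[r.access_rights]


def der(r: Resource) -> Fraction:
    """Damage-potential/effort ratio: the resource's contribution to the measure."""
    return Fraction(damage_potential(r), effort(r))


def measure(resources: List[Resource]) -> Tuple[Fraction, Fraction, Fraction]:
    """Attack surface along the (method, channel, data) dimensions."""
    sums = {"method": Fraction(0), "channel": Fraction(0), "data": Fraction(0)}
    for r in resources:
        sums[r.kind] += der(r)
    return sums["method"], sums["channel"], sums["data"]


def compare(a: List[Resource], b: List[Resource]) -> Dict[str, str]:
    """Which profile is larger in each dimension. The measure is only partially
    ordered, so a profile can be larger in one dimension and smaller in another."""
    result: Dict[str, str] = {}
    for dim, ma, mb in zip(("method", "channel", "data"), measure(a), measure(b)):
        result[dim] = "A" if ma > mb else "B" if mb > ma else "equal"
    return result


def daemon_a() -> List[Resource]:
    """Constructed profile: several root-privileged methods reachable unauthenticated."""
    return [
        Resource("cmd_1", "method", "root", "unauthenticated"),
        Resource("cmd_2", "method", "root", "unauthenticated"),
        Resource("cmd_3", "method", "root", "unauthenticated"),
        Resource("cmd_4", "method", "authenticated", "authenticated"),
        Resource("control", "channel", "TCP", "unauthenticated"),
        Resource("motd", "data", "file", "world"),
        Resource("banner", "data", "file", "world"),
    ]


def daemon_b() -> List[Resource]:
    """Constructed profile: fewer privileged methods, more world-accessible files."""
    return [
        Resource("cmd_1", "method", "root", "unauthenticated"),
        Resource("cmd_2", "method", "authenticated", "authenticated"),
        Resource("cmd_3", "method", "authenticated", "authenticated"),
        Resource("control", "channel", "TCP", "unauthenticated"),
    ] + [Resource(f"file_{i}", "data", "file", "world") for i in range(5)]


if __name__ == "__main__":
    print("A:", measure(daemon_a()))                 # (16, 1, 4)
    print("B:", measure(daemon_b()))                 # (7, 1, 10)
    print(compare(daemon_a(), daemon_b()))           # method: A, channel: equal, data: B
```

With these constructed tables, profile A measures (16, 1, 4) and profile B (7, 1, 10): A is larger along the method dimension because three root methods usable without authentication contribute 5 each, while B is larger along the data dimension because of its five world-accessible files. Exact fractions are used so that a ratio such as a root method behind authenticated access (5/3) is not rounded away before the sums are compared.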
33 Other Comparisons of FTP Daemons
There are more vulnerability reports for Wu-FTPD 2.6.2 than for ProFTPD 1.2.10. From vulnerability databases:
34 Literature
- D. Germanus, A. Johansson, N. Suri, "Threat Modeling and Dynamic Profiling", in Annals of Emerging Research in Information Assurance, Security and Privacy Services, Elsevier Press, 2008.
- F. Swiderski and W. Snyder, "Threat Modeling", Microsoft Press, 2004.
- S. Lipner and M. Howard, "The Trustworthy Computing Security Development Lifecycle", http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp, Microsoft, 2005.
- P. Manadhata and J. Wing, "An Attack Surface Metric", CMU-CS-05-155, July 2005.
- P. Manadhata, J. Wing, M. Flynn, M. McQueen, "Measuring the Attack Surfaces of Two FTP Daemons", QoP '06: Proceedings of the 2nd ACM Workshop on Quality of Protection, 2006.
- B. Schneier, "Attack Trees: Modeling Security Threats", Dr. Dobb's Journal, Dec. 1999.
- Boström et al., "Extending XP Practices to Support Security Requirements Engineering", SESS '06: Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems, 2006.