Day O’ Security

advertisement
Day O’ Security
An Introduction to the Microsoft
Security Development Lifecycle
Day 1:
Threat Modelling - CIA and STRIDE
A Threat Modelling Conversation
http://msdn.microsoft.com/en-us/magazine/dd727503.aspx
The Thespians
Paige: a young, bright software developer.
Michael: a simple security guy at Microsoft.
Scene I
A small hallway between two sets of cubicles, supposedly designed to enhance agile software
development and communication.
Paige: Hey, grumps. I need your help building some software.
Michael: So?
Paige: Seriously, I want your help building this system I'm working on.
Michael: You mean you're going to design something, build it, pretend to test it, and then ask me
to find the security vulnerabilities?
Paige: Don't be so grumpy. No, I want your help up front.
Pause: Michael wipes his hand down his face and forces a smile.
http://mycodehere.blogspot.com
http://mycodehere.blogspot.com/2009/08/securityglossary.html
Some Definitions
• Asset - any valuable resource, e.g. database data, file
system data, system resource.
• Threat - any potential occurrence (malicious or
inadvertent) that could harm or impede an asset.
• Vulnerability - any weakness which makes possible a threat
to an asset.
• Exploit - the implementation of a threat against a
vulnerability (previously synonymous with Attack).
• Attack - application of an exploit; any action designed to
harm an asset.
• Mitigation - any strategy, technique or circumstance that
reduces the threat posed by a vulnerability.
• Spam - cooked meat, nice in sandwiches.
C.I.A.
• C is for Intecrity
Data cannot be modified undetectably.
• I is for Availability
Data must be available when needed.
• A is for Confidentiality
Data cannot be disclosed to unauthorized
individuals / systems.
I.A.C.
• I is for Integrity
Data cannot be modified undetectably.
• A is for Availability
Data must be available when needed.
• C is for Confidentiality
Data cannot be disclosed to unauthorized
individuals / systems.
Security Development Lifecycle (SDL)
• Trustworthy Computing – Directive issued by
Bill Gates, January 2002.
• Encapsulated “S3+C”:
Security (and privacy) by design;
Security (and privacy) by default;
Security (and privacy) in deployment;
Communications.
• Set of policies, processes, tools, resources.
• Example tool: SDL Process Template for VSTS.
So Just What’s So Good about the
SDL Process Template for VSTS?
• Installs SDL requirements as work items.
• Includes SDL-based check-in policies.
• Customizes security bugs and queries.
• Includes extensive SDL how-to and guidance
documentation.
• Generates auditable Final Security Review report
• Accommodates third-party tool integration, e.g.
the SDL Threat Modeling Tool.
• Includes project plans and security risk assessment
templates.
SDL Mandatory Security Activities in a
Traditional (or should that be Legacy)
Software Development Lifecycle
A New Process: SDL + Agile
• SDL predates Agile
• Adaptation involves
identifying three
requirement
categories:
1. One-Time
2. Every-Sprint
3. Bucket
Optimizing Secure Software
Development
Four levels of business maturity
The Classic Saltzer and Schroeder
Design Principles
• Open design: Assume the attackers have the sources and
the specs.
• Fail-safe defaults: Fail closed; no single point of failure.
• Least privilege: No more privileges than what is needed.
• Economy of mechanism: Keep it simple, stupid.
• Separation of privileges: Don’t permit an operation based
on a single condition.
• Total mediation: Check everything, every time.
• Least common mechanism: Beware of shared resources.
• Psychological acceptability: Will they use it?
Security Properties
• Confidentiality: Data is only available to the people
intended to access it.
• Integrity: Data and system resources are only changed
in appropriate ways by appropriate people.
• Availability: Systems are ready when needed and
perform acceptably.
• Authentication: The identity of users is established (or
you’re willing to accept anonymous users).
• Authorization: Users are explicitly allowed or denied
access to resources.
• Non-repudiation: Users can’t perform an action and
later deny performing it.
Threat Types - S.T.R.I.D.E.
•
•
•
•
•
•
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Elevation of Privilege (EoP)
Card Game
Examples
• http://mycodehere.blogspot.com/2011/01/el
evation-of-privilege-revisited.html
Spoofing
• Spoofing describes any threat allowing an
attacker to:
Pretend to be someone or something else.
• Threat against: Authentication.
• Example: “Phishing”
Tampering
• Tampering describes any threat allowing an
attacker to:
Alter or destroy data, where this would
normally be disallowed by the application.
• Threat against: Integrity.
• Tampering attacks can be directed against
static data files or network packets.
Repudiation
• Repudiation describes any threat allowing an
attacker to:
Perform an action, then deny that they ever
did it.
• Threat against: Non-repudiation.
• Mitigation example: secure log file with time
stamps.
Information Disclosure
• Information Disclosure describes any threat
allowing an attacker to:
Expose information to someone not
authorised to see it.
• Threat against: Confidentiality.
• Can occur with static data files as well as
network packets.
Denial of Service
• Denial of Service describes any threat allowing
an attacker to:
Degrade or deny service to users.
• Threat against: Availability.
• Examples: crash or flood your server.
Elevation of Privilege
• Elevation of Privilege describes any threat
allowing an attacker to:
Gain privileges they would not normally have.
• Threat against: Authorization.
• Example: buffer overflow in an app running as
SYSTEM - lets attacker run arbitrary code at a
very high privilege level.
• Mitigation: principle of least privilege.
http://google-gruyere.appspot.com/
Auntie Beeb's Virus
Your Password Sucks
Threat Modelling
• http://msdn.microsoft.com/enus/magazine/cc163519.aspx
• Threat modelling is an integral part of the
Security Development Lifecycle.
• Start with a Data Flow Diagram.
Data Flow Diagram Symbols
•
•
•
•
•
•
Data flow: One way arrow
Data store: Two parallel horizontal lines
Process: Circle
Multi-process: Two concentric circles
Interactors: Rectangle
Trust boundary: Dotted line
Threats Affecting Elements
Element
Data Flows
Data Stores
Spoofing
Tampering
*
*
Repudiation
Information
Disclosure
Denial of
Service
Elevation of
Privilege
*
*
*
*
Processes
*
*
*
*
*
*
Interactors
*
*
Analyzer Database
•
•
•
•
•
•
•
•
•
•
Let's say you need a system to collect the accounting files from your sales force,
compute sales data on your database server, and produce weekly reports.
We'll call the system the Analyzer Database.
The goal is fairly simple: getting files from a set of systems and performing some
analysis of the files on a centralized server.
There are many obvious potential threats to this system, and many of them come
from the implicit security requirements of the problem statement.
The collection process alone raises a number of questions.
Collecting information means moving it from one place to another.
How are you going to secure it in transit?
You'll be manipulating accounting files, which by their very nature are sensitive
and often subject to legal requirements.
And you'll need to identify a specific group of people—the sales force.
How will you know them?
An Initial DFD for the
Analyzer Database
General Rules for a DFD
• First, be careful of magic data sources or sinks:
data isn't created out of thin air.
• Second, beware of psychokinesis as a data
transport.
• Third, collapse similar elements within a single
trust boundary into a single element for
modelling purposes.
• Fourth, be careful when modelling details on
either side of a trust boundary.
A Better DFD
Analyzing Data Flows
Element
Data Flows
Data Stores
Spoofing
Tampering
*
*
Repudiation
Information
Disclosure
Denial of
Service
Elevation of
Privilege
*
*
*
*
Processes
*
*
*
*
*
*
Interactors
*
*
Analyzing Data Stores
Element
Data Flows
Data Stores
Spoofing
Tampering
*
*
Repudiation
Information
Disclosure
Denial of
Service
Elevation of
Privilege
*
*
*
*
Processes
*
*
*
*
*
*
Interactors
*
*
Analyzing Processes
Element
Data Flows
Data Stores
Spoofing
Tampering
*
*
Repudiation
Information
Disclosure
Denial of
Service
Elevation of
Privilege
*
*
*
*
Processes
*
*
*
*
*
*
Interactors
*
*
Mitigations
• Mitigate a threat with a strong, wellunderstood solution.
• Example: strong cryptography against
Information Disclosure threats.
• Q1: can the technology be used to mitigate
the threat?
• Q2: would it actually be used in the given
scenario?
Attack Patterns
• The manifestation of one or more threats in
the context of some specific technology.
• Example: strcpy in C may let an attacker input
long strings to corrupt program memory,
allowing arbitrary code execution.
• Same vulnerability may be used in other ways.
Download