
Threat Modeling for Hostile Client Systems


Presentation Transcript


  1. Threat Modeling for Hostile Client Systems
  Avni Rambhia

  2. Outline
  • Goals of threat modeling
  • Quick overview of generic threat modeling
  • Quirks of a hostile user system
  • Threat modeling for hostile user systems
  • Interactive threat model for PKI signature verification
  • Summary
  • Questions and discussion

  3. What is threat modeling?
  • Discover and document threats to a system or application
    • Threat = the system is compromised in a certain way
      • e.g. a fake transaction is created
  • Determine the severity of each threat
    • Severity = a measure of the danger if the threat were successfully executed
      • e.g. a 20,000 dollar car is shipped to a different address
  • Determine vulnerabilities or mitigations for each threat path
    • Threat path = the way in which the threat is executed
      • e.g. the session number can be guessed and a fake cookie created

  4. Conventional Threat Modeling
  • Create a threat model
    • APIs or entry points (trusted/untrusted)
    • Data flows
    • Assets
  • Determine the severity of each threat
  • Decompose the application to discover vulnerabilities
  • Document external dependencies and assumptions

  5. PKI-based Authentication System (quick and dirty overview)
  Message flow between REQUESTER and VERIFIER:
  1. Verifier → Requester: random challenge = n
  2. Requester → Verifier: certificate + signed n
  3. Verifier: verify certificate
  4. Verifier: verify signed n
  5. Verifier → Requester: authentication success or failure

  6. Conventional Threat Modeling (threats annotated on the REQUESTER/VERIFIER flow)
  Verifier → Requester: random challenge = n
    • Repeated or predictable n
    • Man in the middle (MIM) on the challenge/response exchange
  Requester → Verifier: certificate + signed n
    • Integer overflow, buffer overflow (in the verifier's message handling)
  Verifier: verify certificate
  Verifier: verify signed n
    • Private key discovered using known plaintext
  Verifier → Requester: authentication success or failure
    • Man in the middle (MIM) on the result

  7. Hostile User Threat Modeling
  • What is the hostile user scenario?
    • The administrator of the system has a reason to attack the system in order to subvert it
      • e.g. a virus running in the kernel or with admin privilege
      • e.g. the user of a multimedia management system
  • More effective to threat model based on
    • Assumptions
    • Assets

  8. Some assumptions in the PKI Verifier
  • The root public key used to verify the certificate is correct
  • The local time used to check certificate expiry is correct
  • Cryptography functions correctly perform operations and correctly report results
  • Authentication does not succeed unless the certificate and signature are correctly verified

  9. Some assets in the Verifier
  • Challenge
  • Random number generator
  • Certificate verification
  • Root public key (certificate chain)
  • System clock
  • Cryptography routines (signature verification)

  10. Hostile Threat Modeling - Verifier (threats annotated on the VERIFIER's steps)
  Random challenge = n
    • Replace random number generator
    • Change code to not call the random number function
  Certificate + signed n
    • Bypass verification routines
  Verify certificate
    • Tamper clock
    • Replace public key!
    • Replace hash calculation function
  Verify signed n
    • Replace hash calculation function
    • Tamper the (hash == hash) condition to if (1)
  Success or failure

  11. You have the threats. What next?
  • Determine the severity/risk of each threat
    • Relative to the security requirements of the system (penny sale auditing vs. NSA auditing)
  • DREAD (conventional)
    • Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability
  • FACE (for hostile user systems)
    • Feasibility, Asset value, Collateral Damage, Execution Difficulty
  • In general, don't count planned ("will-do") mitigations when calculating risk.

  12. Mitigating Risk
  • For all threats with unacceptable risk, determine mitigations
  • Some mitigations for hostile user systems:
    • Obfuscation/fragilization
    • Integrity verification
    • In-lining critical functions
    • Server-based security
    • Stack checking
    • Privileged execution (more useful for safety against viruses)
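Slide 12's "integrity verification" applied to the assumptions of slide 8 and the verifier-side threats of slide 10, as an added Go example that is not from the deck or its author. SelfCheck is a constructed routine a verifier would run before any authentication: a known-answer test on the hash routine (against a replaced hash function), a digest comparison of the loaded root public key against a value compiled into the binary (against a replaced public key), a plausibility check of the clock against the build time (against a rolled-back clock), and a positive plus negative known-answer test of signature verification (against a verification routine patched to always succeed). The FIPS 180 SHA-256("abc") vector is real; rootKey, expectedRootDigest, buildTime and the sample values in main are constructed. As the deck's own summary says, an attacker with admin privilege can patch these checks out too, so they raise execution difficulty rather than remove the threat; server-based security is the mitigation that does not run on the hostile machine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Known answer for SHA-256("abc") from the FIPS 180 test vectors.
const sha256ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

// SelfCheck tests each assumption of slide 8 in process. rootKey is the root public
// key the verifier loaded, expectedRootDigest is the SHA-256 of the genuine root key
// compiled into the binary, buildTime is when the binary was built, and now is the
// current system clock. All four are supplied by the caller (constructed inputs).
func SelfCheck(rootKey []byte, expectedRootDigest [32]byte, buildTime, now time.Time) error {
	// 1. Hash routine known-answer test: a replaced hash function fails here,
	//    and every later check relies on SHA-256 being genuine, so it goes first.
	if d := sha256.Sum256([]byte("abc")); hex.EncodeToString(d[:]) != sha256ABC {
		return errors.New("hash function does not match known answer")
	}
	// 2. Root-of-trust integrity: the loaded root key must hash to the value
	//    embedded at build time (a swapped public key is detected here).
	if sha256.Sum256(rootKey) != expectedRootDigest {
		return errors.New("root public key differs from the embedded digest")
	}
	// 3. Clock plausibility: a clock earlier than the build time has been rolled
	//    back, which would otherwise let an expired certificate pass the date check.
	if now.Before(buildTime) {
		return errors.New("system clock is earlier than the build time")
	}
	// 4. Positive and negative known-answer tests for signature verification: the
	//    routine must accept a genuine signature and reject a corrupted one, which
	//    catches a verifier whose (hash == hash) branch was turned into if (1).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte("verifier self-test"))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig) {
		return errors.New("signature verification rejects a valid signature")
	}
	bad := append([]byte(nil), sig...)
	bad[len(bad)-1] ^= 0x01 // corrupt one bit of s in the DER signature
	if ecdsa.VerifyASN1(&key.PublicKey, digest[:], bad) {
		return errors.New("signature verification accepts a corrupted signature")
	}
	return nil
}

func main() {
	root := []byte("constructed root public key bytes") // stands in for real key DER
	embedded := sha256.Sum256(root)                      // what the build would compile in
	build := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("genuine:", SelfCheck(root, embedded, build, build.Add(time.Hour)))
	fmt.Println("swapped root:", SelfCheck([]byte("other key"), embedded, build, build.Add(time.Hour)))
	fmt.Println("clock rolled back:", SelfCheck(root, embedded, build, build.Add(-time.Hour)))
}
```

Each check maps to one asset on slide 9 (cryptography routines, root public key, system clock, signature verification); the random number generator is the asset this routine cannot test meaningfully in process, which is one reason the deck ranks "breach of crypto algorithms" as the least of the worries.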

  13. Summary
  • Hostile user threat modeling has a much larger threat surface than conventional threat modeling
  • Asset- and assumption-based investigation is the best approach for hostile user systems
  • Systems needing resistance to hostile users have unique mitigation needs
  • Breach of crypto algorithms is the least of your worries for such systems

  14. Key Takeaway
  • Design of hostile user systems is challenging. Whenever you design a system, identify all portions which must be resistant against hostile users, and ensure that your design can achieve the requisite level of security.

  15. Resources/Contact
  • Avni Rambhia, Principal, Security Matters
    • www.avnirambhia.com
    • avni@avnirambhia.com
  • Conventional threat modeling resources
    • Writing Secure Code, Second Edition, Mike Howard, Dave LeBlanc (MS Press)
    • Threat Modeling, Frank Swiderski, Window Snyder (MS Press)

  16. Questions/Discussion
