Security for Developers Threat Modeling and the Security Development Lifecycle Steven Borg & Richard Hundhausen Accentient, Inc.

Mar 31, 2015

Transcript
Page 1: Security for Developers Threat Modeling and the Security Development Lifecycle Steven Borg & Richard Hundhausen Accentient, Inc.
Page 2: Security for Developers: Threat Modeling and the Security Development Lifecycle

Steven Borg & Richard Hundhausen
Accentient, Inc.

Page 3: Agenda

- Costs of Lax Security
- Common Threats
- Secure Coding Design Principles
- Threat Modeling
- Wrap Up

Page 4: Cost of Security Threats

(Bar chart of reported losses by category.)

- Financial fraud: $7.7 million
- Abuse of wireless networks: $10.2 million
- Insider abuse of Net access: $10.6 million
- Theft of proprietary information: $11.5 million
- Denial of service: $26.1 million
- Viruses: $55.1 million

The remaining categories on the chart are Web site defacement, misuse of public Web applications, telecom fraud, sabotage, unauthorized access, laptop theft and system penetration; their bars carry the values $0.9 million, $0.9 million, $1 million, $2.7 million, $4 million, $4.3 million and $6.7 million (the pairing of these values with their categories is not recoverable from the chart text).

Page 5: Why Security?

Percentages of companies who participated in the 2002 Computer Crime and Security Survey (http://www.gocsi.com/press/20020407.html):

- 90% reported security breaches in the last 12 months
- 80% acknowledged financial losses as a result
- 74% identified their Internet connection as a frequent source of attacks
- 34% reported intrusions to authorities

Page 6: How Does This Happen?

Common software vulnerabilities: percentages of apps that have "serious design flaws" in the indicated areas

- Session management: 79%
- Parameter manipulation: 73%
- Access control: 64%
- Cryptographic algorithms: 61%
- Handling of sensitive data: 41%
- Administrative controls: 36%
- Input validation: 32%

Page 7: Your Dilemma

- Principle #1: The defender must defend all points; the attacker can choose the weakest point.
- Principle #2: The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities.
- Principle #3: The defender must be constantly vigilant; the attacker can strike at will.
- Principle #4: The defender must play by the rules; the attacker can play dirty.

Page 8: Trustworthy Computing

Security
- Resilient to attack
- Protects confidentiality, integrity, availability and data

Privacy
- Individuals control personal data
- Products and online services adhere to fair information principles

Reliability / Availability
- Dependable
- Available when needed
- Performs at expected levels

Business Integrity
- Vendors provide quality products
- Product support is appropriate

Page 9: SD3 + Communications

Security
- Secure by Design
  - Writing Secure Code (publishing of the book by the same name)
  - Designing secure products
- Secure by Default
  - Reduce attack surface area
  - Unused features off by default
  - Principle of least privilege
- Secure in Deployment
  - Patch management and installation
  - Protect, detect, defend, recover, manage
  - Process: how-to's, architecture guides

Communications
- Clear security commitment
- Full member of the security community
- Microsoft Security Response Center

Page 10: Call to Action

- Secure software requires knowledgeable and dedicated IT personnel
  - Software isn't secure if the network is not
  - Administration is the bedrock of security
- Secure software also requires knowledgeable and dedicated developers
  - Proper administration is meaningless if the code you write isn't secure
  - Most developers today don't know they're writing insecure code

Page 11: Agenda

- Costs of Lax Security
- Common Threats
- Secure Coding Design Principles
- Threat Modeling
- Wrap Up

Page 12: Types of Threats

- Threats against the network: spoofed packets, etc.
- Threats against the host: buffer overflows, illicit paths, etc.
- Threats against the application: SQL injection, XSS, input tampering, etc.

Page 13: Network Threats

Threat: examples
- Information gathering: port scanning; trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts
- Eavesdropping: using packet sniffers to steal passwords
- Denial of service (DoS): SYN floods; ICMP echo request floods; malformed packets
- Spoofing: packets with spoofed source addresses

Page 14: Defending the Network

- Harden firewalls
  - Stay current with patches and updates
  - Block unused ports and protocols
  - Use filtering to reject illicit requests
- Harden routers and switches
  - Stay current with patches and updates
  - Use ingress/egress filtering to reject spoofed packets
  - Screen ICMP traffic from the internal network
  - Screen directed broadcast requests from the internal network
  - Reject trace routing requests
- Encrypt sensitive communications

Page 15: Host Threats

Threat: examples
- Arbitrary code execution: buffer overflows in ISAPI DLLs (e.g., MS01-033); directory traversal attacks (MS00-078)
- File disclosure: malformed HTR requests (MS01-031); virtualized UNC share vulnerability (MS00-019)
- Denial of service (DoS): malformed SMTP requests (MS02-012); malformed WebDAV requests (MS01-016); malformed URLs (MS01-012); brute-force file uploads
- Unauthorized access: resources with insufficiently restrictive ACLs; spoofing with stolen login credentials
- Exploitation of open ports and protocols: using NetBIOS and SMB to enumerate hosts; connecting remotely to SQL Server

Page 16: Defending the Host

- Stay current with service packs and updates
- Harden IIS with IISLockdown and URLScan
- Harden the Web server's TCP/IP stack
- Run ASP.NET using the principle of least privilege
- ACL resources to prevent unauthorized access
- Disable unused shares and services
- Move the Web root to a drive other than C:

Page 17: Defending the Host

- Disable unused shares and services
  - Delete nonessential shares and restrict access to others
  - Disable nonessential services and protocols (e.g., SMB and NetBIOS)
  - Remove or secure Remote Data Services (RDS)
- Harden user accounts
  - Disable the Guest account
  - Use strong passwords on all accounts
  - Rename the administrator account
  - Disallow null sessions (anonymous logons)
  - Restrict remote logons to only those who need it
- Be aggressive about logging and auditing
  - Log failed logon attempts
  - Log failed actions anywhere in the system
  - Secure IIS log files with NTFS permissions
  - Audit access to Metabase.bin

Page 18: Application Threats

Threat: examples
- SQL injection: including a DROP TABLE command in text typed into an input field
- Cross-site scripting: using malicious client-side script to steal cookies
- Hidden-field tampering: maliciously changing the value of a hidden field
- Eavesdropping: using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
- Session hijacking: using a stolen session ID cookie to access someone else's session state
- Identity spoofing: using a stolen forms authentication cookie to pose as another user
- Information disclosure: allowing the client to see a stack trace when an unhandled exception occurs

Page 19: Defending the Application

- Never trust user input (validate!)
- Access databases securely
- Store secrets securely
- Avoid vulnerabilities in forms authentication
- Secure ASP.NET session state
- Anticipate errors and handle them appropriately
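The SQL injection threat from page 18 (a DROP TABLE command typed into an input field) and the "access databases securely" item above, worked through as an added example. This is not code from the deck: the deck targets ASP.NET and SQL Server, while this uses Python's sqlite3 so it runs offline. The products and reviews tables, the sample rows and the hostile comment text are all constructed for the demonstration, and executescript stands in for a database driver that accepts batched statements (sqlite3's execute() refuses more than one statement, which is a property of that driver, not a general defence).

```python
"""String-built SQL beside its parameterized form (added example, sqlite3 in-memory)."""
from __future__ import annotations
import sqlite3

SAMPLE_ROWS = [("widget", 9.99), ("gadget", 19.99)]  # constructed sample catalog
# Constructed input modelled on the slide's example: closes the quoted value, appends a
# second statement, and comments out the rest of the original statement.
HOSTILE_COMMENT = "great'); DROP TABLE products; --"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a catalog table and a reviews table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE reviews (product TEXT, body TEXT)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def add_review_unsafe(conn: sqlite3.Connection, product: str, body: str) -> None:
    """Vulnerable form: the user's text is spliced into the statement, so a quote in the
    text ends the value and whatever follows is executed as SQL. executescript runs every
    statement in the string, as a driver that accepts batched SQL would."""
    conn.executescript(
        f"INSERT INTO reviews (product, body) VALUES ('{product}', '{body}');"
    )


def add_review_safe(conn: sqlite3.Connection, product: str, body: str) -> None:
    """Hardened form: placeholders; the driver passes the text as a value, never as SQL."""
    conn.execute("INSERT INTO reviews (product, body) VALUES (?, ?)", (product, body))


def reviews_for(conn: sqlite3.Connection, product: str) -> list[str]:
    return [body for (body,) in conn.execute(
        "SELECT body FROM reviews WHERE product = ?", (product,)
    )]


def demo() -> dict:
    """Run both forms against fresh databases and report what survived."""
    unsafe = make_db()
    add_review_unsafe(unsafe, "widget", HOSTILE_COMMENT)
    safe = make_db()
    add_review_safe(safe, "widget", HOSTILE_COMMENT)
    return {
        "products_table_after_unsafe": table_exists(unsafe, "products"),
        "products_table_after_safe": table_exists(safe, "products"),
        "stored_body_after_safe": reviews_for(safe, "widget"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The parameterized version stores the hostile text verbatim as a review body and the catalog table is untouched; the string-built version loses the table. Note that input validation (page 45) is a separate layer: a review body legitimately contains quotes and punctuation, so the fix here is the placeholder, not a filter.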

Page 20: Agenda

- Costs of Lax Security
- Common Threats
- Secure Coding Design Principles
- Threat Modeling
- Wrap Up

Page 21: Understand the Threats

- Need to understand threats to build secure applications
- Modeling finds different flaws than code reviews and testing
  - Design flaws vs. implementation flaws
- Modeling finds flaws that might otherwise be found by attackers

Page 22: Designing Secure Code

- Defense in depth
- Secure by design
  - Security features != secure features
- Do not depend on security through obscurity
- Least privilege
- Secure by default
- Fail to a secure mode
- Learn from past mistakes

Page 23: Agenda

- Costs of Lax Security
- Common Threats
- Secure Coding Design Principles
- Threat Modeling
- Wrap Up

Page 24: Threat Modeling

- Structured approach to identifying, quantifying, and addressing threats
- Essential part of the development process
  - Just like specing and designing
  - Just like coding and testing
- One technique presented here
  - There are others (e.g., OCTAVE)

Page 25: The Threat Modeling Process

1. Identify assets
2. Document architecture
3. Decompose application
4. Identify threats
5. Document threats
6. Rate threats

Page 26: Identifying Assets (step 1)

What is it that you want to protect?
- Private data (e.g., customer list)
- Proprietary data (e.g., intellectual property)
- Potentially injurious data (e.g., credit card numbers, decryption keys)

These also count as "assets":
- Integrity of back-end databases
- Integrity of the Web pages (no defacement)
- Integrity of other machines on the network
- Availability of the application

Page 27: Documenting Architecture (step 2)

- Define what the app does and how it's used
  - Users view pages with catalog items
  - Users perform searches for catalog items
  - Users add items to shopping carts
  - Users check out
- Diagram the application
  - Show subsystems
  - Show data flow
  - List assets

Page 28: Example

(Architecture diagram.) The diagram shows the users Bob, Alice and Bill, two firewalls, a Web Server running IIS and ASP.NET with Login, State and Main components, a Database Server, and assets #1 through #6 marked on the diagram.

Page 29: Decomposing the App (step 3)

- Refine the architecture diagram
  - Show authentication mechanisms
  - Show authorization mechanisms
  - Show technologies (e.g., DPAPI)
  - Diagram trust boundaries
  - Identify entry points
- Begin to think like an attacker
  - Where are my vulnerabilities?
  - What am I going to do about them?

Page 30: Example

(Refined architecture diagram.) The same diagram as page 28 (Bob, Alice and Bill; two firewalls; Web Server with IIS, ASP.NET and the Login, State and Main components; Database Server), now annotated with the mechanisms and technologies in use: Forms Authentication, URL Authorization, DPAPI and Windows Authentication, plus a trust boundary.

Page 31: Identifying Threats (step 4)

- Method #1: Threat lists
  - Start with a laundry list of possible threats
  - Identify the threats that apply to your app
- Method #2: STRIDE
  - Categorized list of threat types
  - Identify threats by type/category
- Optionally draw threat trees
  - Root nodes represent the attacker's goals
  - Trees help identify threat conditions

Page 32: STRIDE

- S: Spoofing. Can an attacker gain access using a false identity?
- T: Tampering. Can an attacker modify data as it flows through the application?
- R: Repudiation. If an attacker denies an exploit, can you prove him or her wrong?
- I: Information disclosure. Can an attacker gain access to private or potentially injurious data?
- D: Denial of service. Can an attacker crash or reduce the availability of the system?
- E: Elevation of privilege. Can an attacker assume the identity of a privileged user?

Page 33: Threat Trees

Theft of auth cookies: obtain auth cookie to spoof identity (root goal; the two subthreats below are combined with OR)
- Subthreat: eavesdropping on the connection (conditions combined with AND)
  - Unencrypted connection: cookies travel over unencrypted HTTP
  - Eavesdropping: attacker uses sniffer to monitor HTTP traffic
- Subthreat: cross-site scripting (conditions combined with AND)
  - XSS vulnerability: application is vulnerable to XSS attacks
  - Cross-site scripting: attacker possesses means and knowledge

Page 34: Documenting Threats (step 5)

Document threats using a template.

Theft of Auth Cookies by Eavesdropping on Connection
- Threat target: connections between browsers and Web server
- Risk: (not yet rated)
- Attack techniques: attacker uses sniffer to monitor traffic
- Countermeasures: use SSL/TLS to encrypt traffic

Theft of Auth Cookies via Cross-Site Scripting
- Threat target: vulnerable application code
- Risk: (not yet rated)
- Attack techniques: attacker sends e-mail with malicious link to users
- Countermeasures: validate input; HTML-encode output

Page 35: Rating Threats (step 6)

Simple model
- Risk = Probability * Damage Potential
- Probability on a 1-10 scale: 1 = least probable, 10 = most probable
- Damage potential on a 1-10 scale: 1 = least damage, 10 = most damage

DREAD model
- Greater granularization of threat potential
- Rates (prioritizes) each threat on a scale of 1-15
- Developed and widely used by Microsoft

Page 36: DREAD

- D: Damage potential. What are the consequences of a successful exploit?
- R: Reproducibility. Would an exploit work every time or only under certain circumstances?
- E: Exploitability. How skilled must an attacker be to exploit the vulnerability?
- A: Affected users. How many users would be affected by a successful exploit?
- D: Discoverability. How likely is it that an attacker will know the vulnerability exists?

Page 37: DREAD, Cont.

Damage potential
- High (3): attacker can retrieve extremely sensitive data and corrupt or destroy data
- Medium (2): attacker can retrieve sensitive data but do little else
- Low (1): attacker can only retrieve data that has little or no potential for harm

Reproducibility
- High (3): works every time; does not require a timing window
- Medium (2): timing-dependent; works only within a time window
- Low (1): rarely works

Exploitability
- High (3): Bart Simpson could do it
- Medium (2): attacker must be somewhat knowledgeable and skilled
- Low (1): attacker must be VERY knowledgeable and skilled

Affected users
- High (3): most or all users
- Medium (2): some users
- Low (1): few if any users

Discoverability
- High (3): attacker can easily discover the vulnerability
- Medium (2): attacker might discover the vulnerability
- Low (1): attacker will have to dig to discover the vulnerability

Page 38: Example

Prioritized risks (D, R, E, A, D, Sum):
- Auth cookie theft (eavesdropping): 3, 2, 3, 2, 3 = 13
- Auth cookie theft (XSS): 3, 2, 2, 2, 3 = 12

Notes on the scores:
- Damage potential: high (spoofed identities, etc.)
- Reproducibility: the cookie can be stolen any time, but is only useful until it expires
- Exploitability: anybody can run a packet sniffer; XSS attacks require moderate skill
- Affected users: all users could be affected, but in reality most won't click malicious links
- Discoverability: easy to discover: just type a <script> block into a field
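The simple model from page 35 (Risk = Probability * Damage Potential) and the DREAD scoring on this page, carried through in code as an added example rather than anything from the deck. DreadScore, simple_risk and prioritize are names chosen here; the per-category scores and the two threats are the ones on the slide. The example also checks the bounds the slide states for each scale, which the table itself leaves implicit.

```python
"""DREAD and simple-model threat rating (added example, not from the deck)."""
from __future__ import annotations
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 3, 2, 1  # per-category scores from the "DREAD, Cont." table


@dataclass(frozen=True)
class DreadScore:
    """One threat's five DREAD scores, each High (3), Medium (2) or Low (1)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if value not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def total(self) -> int:
        """The DREAD sum: five categories scored 1-3 give a value between 5 and 15
        (the slide describes the scale as 1-15)."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability)


def simple_risk(probability: int, damage: int) -> int:
    """Simple model: Risk = Probability * Damage Potential, both on a 1-10 scale."""
    for value in (probability, damage):
        if not 1 <= value <= 10:
            raise ValueError("probability and damage potential must be between 1 and 10")
    return probability * damage


def prioritize(threats: dict[str, DreadScore]) -> list[tuple[str, int]]:
    """(threat, DREAD sum) pairs, highest first; sorted() is stable, so ties keep input order."""
    return sorted(((name, score.total()) for name, score in threats.items()),
                  key=lambda pair: pair[1], reverse=True)


# Scores as given in the slide's example (D, R, E, A, D)
THREATS = {
    "Auth cookie theft (eavesdropping)": DreadScore(HIGH, MEDIUM, HIGH, MEDIUM, HIGH),
    "Auth cookie theft (XSS)": DreadScore(HIGH, MEDIUM, MEDIUM, MEDIUM, HIGH),
}

if __name__ == "__main__":
    for name, total in prioritize(THREATS):
        print(f"{total:2d}  {name}")
```

The ordering that comes out (eavesdropping at 13 ahead of XSS at 12) is the prioritized-risk list from the slide; with more threats in the dictionary the same call yields the backlog order.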

Page 39: Sample Threat Tree

(Diagram of a sample threat tree for "1.2.1 Parse Request".) Key: each threat (goal) node is tagged with its STRIDE category; threats and subthreats carry a DREAD rating; the leaf nodes are conditions.

Page 40: Pruning Threat Trees

(Diagram.) A threat (goal) with subthreats and conditions beneath it; a subtree whose condition is marked "Mitigated" is pruned from the tree.
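The cookie-theft tree from page 33 and the pruning shown on this page, as an added example that is not part of the deck. Node, reachable, prune and mitigate are names chosen here; the tree shape and the condition text follow the page 33 slide. It goes a little beyond the slide in that prune works on any AND/OR tree, not only the two-branch example: an AND subthreat falls away as soon as one of its conditions is mitigated, and the root goal is gone once every OR branch is.

```python
"""Threat tree evaluation and pruning (added example, not from the deck)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    """A threat-tree node: a goal or subthreat (AND/OR of children) or a leaf condition."""
    name: str
    op: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: list[Node] = field(default_factory=list)
    mitigated: bool = False          # set on a condition once a countermeasure removes it

    def reachable(self) -> bool:
        """True if an attacker can still reach this node given the current mitigations."""
        if self.op == "LEAF":
            return not self.mitigated
        results = [child.reachable() for child in self.children]
        return all(results) if self.op == "AND" else any(results)

    def prune(self) -> Node | None:
        """Copy of the tree without unreachable subtrees; None if the whole tree is mitigated."""
        if not self.reachable():
            return None
        kept = [p for p in (child.prune() for child in self.children) if p is not None]
        return Node(self.name, self.op, kept, self.mitigated)


def leaves(node: Node) -> list[str]:
    """Names of the conditions under a node, left to right."""
    if node.op == "LEAF":
        return [node.name]
    return [name for child in node.children for name in leaves(child)]


def find(node: Node, name: str) -> Node:
    """Locate a node by name; KeyError if it is not in the tree."""
    if node.name == name:
        return node
    for child in node.children:
        try:
            return find(child, name)
        except KeyError:
            continue
    raise KeyError(name)


def build_cookie_theft_tree() -> Node:
    """The page 33 tree: root goal OR (unencrypted AND sniffer, XSS bug AND capable attacker)."""
    return Node("Theft of auth cookies", "OR", [
        Node("Eavesdropping on connection", "AND", [
            Node("Cookies travel over unencrypted HTTP"),
            Node("Attacker uses sniffer to monitor HTTP traffic"),
        ]),
        Node("Cross-site scripting", "AND", [
            Node("Application is vulnerable to XSS attacks"),
            Node("Attacker possesses means and knowledge"),
        ]),
    ])


def mitigate(tree: Node, *condition_names: str) -> Node | None:
    """Mark the named conditions as mitigated (e.g. after deploying SSL/TLS) and prune."""
    for name in condition_names:
        find(tree, name).mitigated = True
    return tree.prune()


if __name__ == "__main__":
    remaining = mitigate(build_cookie_theft_tree(), "Cookies travel over unencrypted HTTP")
    print("after SSL/TLS:", leaves(remaining) if remaining else "goal fully mitigated")
```

Applying the page 34 countermeasure for the first subthreat (SSL/TLS) prunes the eavesdropping branch but leaves the XSS branch, so the goal is still reachable; applying both countermeasures prunes the root as well, which is what "Mitigated" on the slide records.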

Page 41: Ongoing Threat Modeling

- Threat modeling is a design activity
- Start early
- Update the model regularly
  - New features
  - New threats
  - New ways of attacking systems

Page 42: Microsoft Threat Modeling Tool

- Allows users to create threat model documents
- Organizes relevant data points
  - Entry points
  - Assets
  - Trust levels
  - Data flow diagrams
  - Threats
  - Threat trees
  - Other vulnerabilities
- Supports XML, HTML and MHT

Page 43: Microsoft Threat Modeling Tool

Page 44: Agenda

- Costs of Lax Security
- Common Threats
- Secure Coding Design Principles
- Threat Modeling
- Wrap Up

Page 45: Common Defects: Trusting User Input

- Do not trust user input
- Validate, validate, validate
- Look for correct data, reject all else

"All input is evil, until proven otherwise"
Michael Howard, Microsoft Corporation
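The "look for correct data, reject all else" rule on this page and the "validate input; HTML-encode output" countermeasure from page 34, as an added example that is not from the deck (Python rather than the deck's ASP.NET). PATTERNS, validate_form and render_greeting are names chosen here, and the two sample form submissions are constructed. The validation side is an allow-list: each field has a description of what correct data looks like and anything else is rejected outright rather than cleaned up; the output side encodes whatever reaches the page regardless of what validation did, which is the defence-in-depth point of listing both on page 34.

```python
"""Allow-list validation at an input choke point plus HTML encoding on output (added example)."""
from __future__ import annotations
import html
import re

# Allow-list patterns: say what correct data looks like; everything else is rejected.
# fullmatch() is used because "$" would also accept a value with a trailing newline.
PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "zip_code": re.compile(r"\d{5}(-\d{4})?"),
    "quantity": re.compile(r"[1-9]\d{0,2}"),   # 1 to 999, no leading zeros
}


class ValidationError(ValueError):
    """Raised for any field that does not match its allow-list pattern."""


def validate(field: str, value: object) -> str:
    """Accept only values that fully match the field's pattern; reject all else."""
    pattern = PATTERNS.get(field)
    if pattern is None:
        # An unknown field has no definition of "correct", so it is rejected too.
        raise ValidationError(f"no validation rule for field {field!r}")
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise ValidationError(f"rejected value for field {field!r}")
    return value


def validate_form(form: dict[str, object]) -> dict[str, str]:
    """Choke point: every submitted field passes through validate() or the whole form fails."""
    return {name: validate(name, value) for name, value in form.items()}


def render_greeting(display_name: str) -> str:
    """Output encoding: the value is escaped at the point it enters HTML, so it can only
    ever be text, never markup or script, whatever validation did upstream."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# Constructed sample submissions
GOOD_FORM = {"username": "alice_01", "zip_code": "98052", "quantity": "3"}
BAD_FORM = {"username": "<script>alert(1)</script>", "zip_code": "98052", "quantity": "3"}

if __name__ == "__main__":
    print(validate_form(GOOD_FORM))
    try:
        validate_form(BAD_FORM)
    except ValidationError as err:
        print("rejected:", err)
    print(render_greeting(BAD_FORM["username"]))
```

The bad submission never reaches storage, and even if a display name were stored through some other path, render_greeting turns the angle brackets into entities so the browser shows them as text.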

Page 46: Rant

- Do not provide users with security warnings they must accept to get their job done!!!
- Users are way too Pavlovian!

Page 47: "Don't trust anybody. Even the people you do trust, don't trust 'em" (Fahrenheit 9/11)

- Create trust boundaries
- Create input choke points
  - Authentication
  - Validation
  - Authorisation?
- Trust nothing and no one!

Page 48: Information Disclosure

Which is the better error message?

Page 49: Some Things Can't Be Avoided

Page 50: Writing Secure Code, Second Edition

http://www.microsoft.com/MSPress/books/5957.asp

Page 51: Resources

- Steve's Blog: http://blog.accentient.com
- Rich's Blog: http://blog.hundhausen.com
- MS Security: http://www.microsoft.com/security
- Threat Modeling: http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
- Security Wiki / Book: https://www.threatsandcountermeasures.com/wiki/default.aspx

Page 52: Your Feedback is Important!

Please fill out a survey for this session on CommNet.

Page 53: © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.