Rapid Threat Modeling
Akshay Aggarwal
IOActive Inc.
Akshay Aggarwal - Black Hat '05
Outline
• Introduction to Threat Modeling (TM 101)
– Objectives of TM
– Suggested process
– Rapid TM concepts
• Basic Concept Definitions
• Utilizing Software Development Lifecycle (SDLC) documents
• Case Study
– DFD
– Use Case
– Threat Visualization
– Attack Tree
Threat Modeling 101
• Allows systematic identification of systemic threats
• What that actually means:
– Maps out business risks
– Business threats are derived from business goals
– Gives holistic view of the security of a system
Objectives of Rapid TM
• Identify architecture and design flaws
• Understand and prioritize risk
• Evaluate effects of system changes
• Mount complex, multistage attacks
• Repeatable, verifiable and consistent model
• Reutilize data generated in Software Development Lifecycle
• High-level picture of system security
• Identify conflicts in policy, requirements and trust
Process
• Suggested process– Initial TM during design phase
– TM enhanced and fleshed out as technology decisions are taken
– Threats, risks and mitigations reviewed before implementation
– TM refined and verified during security review
– Repeated for next version
The Threat Model is a living document!!
Rapid TM
• Present a quick method to derive and represent threats
• Brief glimpse into ongoing automation of threat generation
• Attack libraries: speed up the process
Definitions
• Subject: An actor, usually a human, interacting with the system
• Object: An asset that is in the business rules
• Action: Something done by subject on object
• Rule: Conditions governing a valid action
• Threat: Inversion of any rule
Definitions
• Attack: A process realizing a vulnerability
• Attack Trees: Map technical implementation and technology choices to threats
• Mitigation: reason why a threat is not realized
• Weakness: reason a specific attack succeeds
• Vulnerability: an unmitigated path from the leaves of an attack tree to the threat
• Attack Library: The IP that speeds up the process by pre-populating known threats against documented technologies/scenarios
It isn’t a threat if it doesn’t affect business
Utilizing SDLC Documentation
• Requirements:
– Requirements documentation is essential
– Unambiguous requirements lead to unambiguous rules
– Examples of unambiguous rules:
  • Subject foo can create object bar
  • Subject X can update object Y if Subject X created object Y
• DFD
– Describe data flow between processes and data stores
• State Machines:
– Represent application state representing business logic
• Use Cases:
– Map state machines to DFD
– Tend to represent state in Use cases
Case Study: noFUD.org
• Creating noFUD.org ezine:
The editors of this information security magazine (noFUD.org) wish to rid the world of infosec related FUD (or at least die trying). They aim to:
– Attract top security researchers to submit articles
– Maintain tight editorial control to maintain quality
– Allow all Internet users to browse articles free of cost at all times
– Allow users to comment on articles
noFUD.org Rules
• Rules:
– Author can create Submitted Article
– Author can update own Submitted Article and old version is archived
– Editor can create/delete/update/publish any Submitted Article
– Editor can delete any Published Article
– Readers can read all Published Articles
– Readers can comment on all Published Articles
[Figure: Context Diagram for nofud.org. Process 1.0 Online Magazine System (Web Server/Database) with Author, Editor, Reader and Repository; labelled flows: Submission, Request, Response, Display.]
[Figure: Data Flow Diagram Level 1. Processes 1.1 Reader Interface, 1.2 Editor Interface and 1.3 Author Interface (Web Server/Database); Reader, Editor and Author; Submitted articles and Published Articles; labelled flows: Request, Response, Article, Submit Article, View Submitted Article, View Submission, Return Edited Submission, View Articles for Editing, Publish Article.]
[Figure: Use Case for Creating Published Articles. System containing Submitted Article and Published Article; actors Reader, Author and Editor; labelled actions <<Read>>, <<Create>>, <<Delete>>; annotation: State Change for submitted article.]
[Figure: noFUD.org Subject Object Matrix v1.0. Subjects: Reader, Author, Editor. Objects: Submitted Article, Published Article, Comments, Layout. Actions: CRDU. Action Color Key: Allow, Conditional Allow, Disallow. Acknowledgement: Brenda Larcom]
Threat: Reader creates/updates/deletes Published Article
Threat: Reader cannot read Published Articles
Threat: Author creates comment as other author
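The definition "Threat: Inversion of any rule" can be applied mechanically to the noFUD.org rules. The sketch below is an added example, not code from the talk or from Trike: it assumes that any cell the rules do not mention is Disallow, and that "publish" means creating a Published Article; all names in it are hypothetical.

```python
# Added example: build a subject/object matrix from the slide's rules and
# invert every cell into a threat statement.
from itertools import product

SUBJECTS = ["Reader", "Author", "Editor"]
OBJECTS = ["Submitted Article", "Published Article", "Comment"]
ACTIONS = {"C": "create", "R": "read", "U": "update", "D": "delete"}

# (subject, action, object) -> condition; None means unconditional allow.
# Transcribed from the noFUD.org rules; "publish" is modeled as creating a
# Published Article (assumption).
RULES = {
    ("Author", "C", "Submitted Article"): None,
    ("Author", "U", "Submitted Article"): "Author created the Submitted Article",
    ("Editor", "C", "Submitted Article"): None,
    ("Editor", "U", "Submitted Article"): None,
    ("Editor", "D", "Submitted Article"): None,
    ("Editor", "C", "Published Article"): None,
    ("Editor", "D", "Published Article"): None,
    ("Reader", "R", "Published Article"): None,
    ("Reader", "C", "Comment"): None,
}

def build_matrix(rules):
    """Return {(subject, object): {action: 'allow'|'conditional'|'disallow'}}."""
    matrix = {}
    for s, o in product(SUBJECTS, OBJECTS):
        cell = {}
        for a in ACTIONS:
            if (s, a, o) not in rules:
                cell[a] = "disallow"  # assumption: unspecified means denied
            else:
                cell[a] = "allow" if rules[(s, a, o)] is None else "conditional"
        matrix[(s, o)] = cell
    return matrix

def derive_threats(rules):
    """Invert each cell: a denied action succeeds, or a permitted one fails."""
    threats = []
    for (s, o), cell in build_matrix(rules).items():
        for a, state in cell.items():
            can = "can" if state == "disallow" else "cannot"
            threats.append(f"{s} {can} {ACTIONS[a]} {o}")
            if state == "conditional":  # the condition itself can be bypassed
                threats.append(f"{s} can {ACTIONS[a]} {o} when not: {rules[(s, a, o)]}")
    return threats

if __name__ == "__main__":
    for threat in derive_threats(RULES):
        print("Threat:", threat)
```

Cells the rules are silent on (for example Editor reading a Submitted Article) show up as threats here, which is a prompt to go back to the requirements and make the rule explicit.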
Updating noFUD.org
• Subscription service added for archives
• Google ads
• Change: Editor cannot publish his own article
• Consequence: Rules added/changed
• Examples:
– Subscription user can read archived articles
– Anonymous Reader should always view (read) ads
– Editor creates Published article if Editor not author of Published Article
[Figure: noFUD.org Subject Object Matrix v2.0. Subjects: Reader, Authenticated Reader, Author, Editor, Ad Generator. Objects: Submitted Article, Published Article, Comments, Layout, Archived Articles, Advertisements. Actions: CRDU. Action Color Key: Allow, Conditional Allow, Disallow.]
Exciting TM work
“Trike Methodology” by Paul Saitta, Brenda Larcom and Michael Eddington
– Threat Modeling methodology
– Partial automation of TM process
– Tool released soon (Hopefully!!)
http://www.hhhh.org/trike/papers/Trike_v1_Methodology_Document-draft.pdf
Conclusion
• Understand the process of developing Rapid TMs
• Reutilize SDLC elements
• Need for unambiguous requirements
• Subject Object Matrix for developing threats
• Visualization of threats
• Speed up the TM process by automated threat generation and Attack Libraries
Contact
Akshay Aggarwal