CSCE790 Computer Systems Security Threat Modeling
Transcript of CSCE790 Computer Systems Security Threat Modeling
![Page 1: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/1.jpg)
CSCE 790Computer Systems Security
Threat Modeling
Qiang Zeng, PhD
![Page 2: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/2.jpg)
Previous Class
• The CIA Triad as security objectives• Threat: potential• Attack: attempt• Compromise: success• Vulnerability: security flaw• Attack Vectors vs. Exploits vs. Payloads
CSCE 790 – Computer Systems Security 2
![Page 3: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/3.jpg)
Previous class…
CSCE 790 – Computer Systems Security 3
Attack Vector vs. Exploit vs. Payload
An attack vector is an attack delivery method;An exploit is some specially crafted code or input that takes advantage of vulnerabilities The payload in an exploit is to be used to achieve the attacker’s goal
An attack vector is to deliver an attack; an exploit is used to deliver the payload
![Page 4: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/4.jpg)
CSCE 790 – Computer Systems Security 4
Analogy: in an air attack mission, “delivering missiles through an F-35” is the “attack vector”, “the missile” is the “exploit”, and “the warhead in the missile” is the “payload”, “the fragile part of the fort” is the “vulnerability”
![Page 5: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/5.jpg)
Outline
• Attack Surface and Attack Surface Reduction• Threat model and Threat modeling– STRIDE model– Attack Tree
CSCE 790 – Computer Systems Security 5
![Page 6: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/6.jpg)
Attack Surface
• The attack surface of a system is a collection of components (e.g., network ports, programming interfaces, services) that can be reached and exploited by attackers– Keywords: reachable & exploitable
• From the perspective of social engineering, is an employee with access to sensitive information part of the attack surface?– Yes
CSCE 790 – Computer Systems Security 6
![Page 7: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/7.jpg)
Attack Surface Reduction
• One practice to improve security is to reduce the attack surface, called Surface Reduction
• Example: the attack surface of a server contains all the ports that are used to receive requests (due to various services running on the server). Now, if you use firewall to block all the requests except at port 80 (used by web service), then the attack surface is reduced to the port 80 only (even you accidentally run some other services)
CSCE 790 – Computer Systems Security 7
![Page 8: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/8.jpg)
Attack Surface Reduction
• Strategies of attack surface reduction are to – reduce entry points available to attackers– eliminate unneeded services running on a server– reduce the number of users that can access a system– …
CSCE 790 – Computer Systems Security 8
![Page 9: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/9.jpg)
Adversaries and Adversary Model
• An adversary is a malicious entity trying to circumvent the security measures– Synonyms for Attackers, threat agents
• An Adversary model is to describe who the adversaries are and their capabilities
• Consider the online system of the university library– The adversaries include both unauthorized users and
authorized users– Unauthorized users can request connecting to the service,
scan the ports of the web server, etc.– Authorized users can, in addition, submit SQL queries, etc.
CSCE 790 – Computer Systems Security 9
![Page 10: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/10.jpg)
Threat Model
• A threat model is a collection of threats to a specific system
• What is the threat model of the university grading system?– The instructor’s password may by leaked– The instructor’s computer may be remotely controlled– The sever for the grading system may be hacked– Disgruntled sysadmin may delete all the data– …
CSCE 790 – Computer Systems Security 10
![Page 11: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/11.jpg)
Threat Modeling
• Threat Modeling is a process of identifying (and prioritizing) threats to a system. It involves– Characterizing the system– Identifying the attack surface and adversary model– Identifying threats
CSCE 790 – Computer Systems Security 11
![Page 12: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/12.jpg)
Threat Modeling and Security Engineering
• Security engineering should be incorporated into the system design process as early as possible. It would be much more costly if security is later retrofitted into an existing system
• Threat modeling should be the first step taken for security engineering
CSCE 790 – Computer Systems Security 12
![Page 13: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/13.jpg)
Threat Modeling and Security Requirements
• Threat modeling helps define security requirements. But note that it is unlikely to mitigate all the threats. When defining the security requirements, it is important to distinguish threats that should be omitted and ones that we should address
• E.g., earthquakes in CA vs. earthquakes in PA
CSCE 790 – Computer Systems Security 13
![Page 14: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/14.jpg)
Microsoft’s STRIDE Model
• During threat modeling, you can consider the following categories
CSCE 790 – Computer Systems Security 14
![Page 15: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/15.jpg)
Example
CSCE 790 – Computer Systems Security 15
Identify example threats to the university online library system using the STRIDE model
Spoofing: an attacker may construct a fake website to collect the usernames and passwords of library users
Tampering: an attacker may tamer with the database
Repudiation: one may deny she/he has borrowed some book
Information disclosure: the list of books a client has borrowed can be leaked
Elevation-of-privilege: an adversary may compromise the library’s online service and obtain the sysadmin privileges
![Page 16: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/16.jpg)
Attack Trees
• An Attack Tree is a tree-structured graph showing how a system can be attacked– Root node is the goal of the adversary; in a complex
system, usually there are several goals, each needing a separate tree
– Child nodes are the ways or steps to achieve the parent node
CSCE 790 – Computer Systems Security 16
![Page 17: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/17.jpg)
How to construct an Attack Tree
1. Identify goals. Each goal needs a separate attack tree
2. Identify attacks against goals; repeat if necessary
3. Existing attack (sub-)trees can be plugged in as appropriate
CSCE 790 – Computer Systems Security 17
![Page 18: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/18.jpg)
Example: Assume the system is a safe, and the adversary’s goal is to open the safe
CSCE 790 – Computer Systems Security 18
![Page 19: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/19.jpg)
How to use the tree: Once a tree is created, different values can be assigned to the leaf nodes
CSCE 790 – Computer Systems Security 19
![Page 20: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/20.jpg)
How to use the tree: Then, these values can be propagated up the tree
CSCE 790 – Computer Systems Security 20
P
P
![Page 21: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/21.jpg)
You can specify values that represent other different meanings
CSCE 790 – Computer Systems Security 21
![Page 22: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/22.jpg)
You can specify values that represent other different meanings
CSCE 790 – Computer Systems Security 22
![Page 23: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/23.jpg)
You can specify values that represent other different meanings
CSCE 790 – Computer Systems Security 23
![Page 24: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/24.jpg)
Combining Node Values
• Each node can have several values• Can be used to make statements about attacks• For example:– Cheapest low-risk attack– Most likely non-intrusive attack– Best low-skilled attack
CSCE 790 – Computer Systems Security 24
![Page 25: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/25.jpg)
Cheapest attack requiring no special equipment
CSCE 790 – Computer Systems Security 25
![Page 26: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/26.jpg)
The tree changes when you apply countermeasures
CSCE 790 – Computer Systems Security 26
![Page 27: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/27.jpg)
Using the Attack Tree to evaluate whether a security measure is worthwhile
• The analyst can check the difference of the cost of an attack before and after a security measure is applied
CSCE 790 – Computer Systems Security 27
![Page 28: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/28.jpg)
Summary
• Attack surface reduction• Adversary model• Three Big Steps in Security engineering• Threat modeling– STRIDE– Attack trees
CSCE 790 – Computer Systems Security 28
![Page 29: CSCE790 Computer Systems Security Threat Modeling](https://reader031.fdocuments.in/reader031/viewer/2022013001/61ca1d052d4e475b1321ad6a/html5/thumbnails/29.jpg)
Writing Assignments
• What is the Attack Surface with regard to entering the FBI building illegally?
• Draw an Attack Tree representing the attack that tampers with the university library database
CSCE 790 – Computer Systems Security 29