Real World Application Threat Modelling
By Example
44Con 2013
Agenda
Threat modelling 101
Our goals
Doing it
Threat modelling 101
Why threat model?
Help with risk analysis (defensive)
Help with efficient effort investment (offensive)
Threat modelling 101
Attacker centric aka attack trees
Software, system, design or architecture centric
Asset centric aka traditional risk analysis
Our goals
Assess a virtual appliance with zero initial knowledge
Map its attack surface
Develop a threat model
Our goals – another perspective
Target
Djigzo Email Encryption Gateway
http://www.djigzo.com/gateway.html
Steps?
Steps
Enumeration / Discovery
Dataflow
Threat model
Phase 1 - Enumeration
Step #0 – Tools
Notepad / VIM / Whatever
Mind Mapper (FreeMind etc.)
Diagram Drawer (Visio etc.)
OS specific tooling (enumeration / debug)
Step #1 – Get shell
• Possible approaches
  • Mount virtual disk image
  • Live CD – add a user
  • Single user mode
  • Allowed functionality
    • Default username and password
Step #2 – Get root
• Possible approaches
  • Mount virtual disk image
  • Live CD – add a user
  • Single user mode
  • Product configuration issue
    • They allow a shell
    • They made a mistake / overlooked
Step #3 – Enumerate?
Step #3 – Enumerate
• Product functionality
• Technologies in use
• Processes
• Listening ports
• Process to port mappings
• Users processes are running as
• Mooch around the interfaces (*scientific)
• Dig into the database (if there is one)
Step #3 – Enumerate – Product functionality
Source: Administration / Installation manual
• Console administration interface
• Web administration interface
• Email gateway
• Email encryption solution
Step #3 – Enumerate – Technology
• Linux
• Postfix
• Java
• Apache Tomcat 6
• Spring (web framework)
• Apache James (mail)
• Tanuki Software Wrapper (allows Java to run as a daemon)
• Jetty web server (SOAP interface)
• Postgres
Step #3 – Enumerate – Processes
Step #3 – Enumerate – Listening Ports
Step #3 – Enumerate – Processes to ports
Step #3 – Enumerate – Listening Ports
| Port | Process | Description | Verified how |
| --- | --- | --- | --- |
| 22 | SSHD | SSH daemon | No need |
| 25 | Master | Postfix mail transfer agent | No need / experience |
| 8080 | Java | Tomcat | /etc/tomcat6/server.xml |
| 8443 | Java | Tomcat | /etc/tomcat6/server.xml |
Step #3 – Enumerate – Listening Ports
| Port | Process | Description / Function | Verified how |
| --- | --- | --- | --- |
| 5400 | Java | RMI for JMX | /etc/djigzo/spring/services.xml |
| 5432 | Postgres | Database server | Obvious from the process name |
| 8005 | Java | Tomcat shutdown port | Internet knowledge |
| 9000 | Java | SOAP interface | /etc/djigzo/djigzo.properties |
| 10025 | Java | Mail content filter port | /etc/djigzo/james/config.xml; /etc/james/smtp_server.xml; /etc/postfix/main.cf |
| 10026 | Master | Postfix mail transfer agent – mail reinjection | /etc/djigzo/james/config.xml; /etc/postfix/main.cf |
| 15012 | Java | Wrapper | /etc/djigzo/djigzo.wrapper.conf |
| 58490 | Java | Unknown | |
Step #3 – Enumerate – Listening Ports
Step #3 – Enumerate – What’s missing?
Step #3 – Enumerate – Processes
Step #3 – Enumerate – Open Handles
ls /proc/[pid]/fd
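As an added example (not part of the talk, nor Djigzo's own tooling), the script below rebuilds the port / process / user table from procfs alone, combining the listening-port, process-to-port and open-handle steps above. It assumes a Linux procfs; the /proc/net/tcp rows it ships with are constructed, not captured from the appliance.

```shell
#!/bin/sh
# Added example, not from the talk: rebuild the port -> process -> user table
# of Step #3 from procfs alone. Listening TCP sockets come from /proc/net/tcp
# (state 0A = LISTEN); each socket inode is then matched to a process by
# scanning /proc/[pid]/fd, which is the "Open Handles" technique above.
# Assumes a Linux procfs; the sample table below is constructed, not captured.

# "0100007F:1F90" (little-endian hex IPv4, hex port) -> "127.0.0.1:8080"
proc_addr_to_host_port() {
    hexip=${1%%:*}
    hexport=${1##*:}
    b1=${hexip%??????}            # first byte pair
    rest=${hexip#??}
    b2=${rest%????}
    rest=${rest#??}
    b3=${rest%??}
    b4=${rest#??}
    printf '%d.%d.%d.%d:%d' \
        "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$hexport))"
}

# Find the pid holding socket inode $1 by reading every /proc/[pid]/fd.
# Prints nothing (and still succeeds) when no readable process owns it.
pid_for_inode() {
    for d in /proc/[0-9]*; do
        if ls -l "$d/fd" 2>/dev/null | grep -q "socket:\[$1\]"; then
            echo "${d#/proc/}"
            return 0
        fi
    done
    return 0
}

# Print one tab-separated line per listening socket:
#   local address, uid the socket belongs to, pid, process name
list_listeners() {
    tcp_table=${1:-/proc/net/tcp}
    # column 4 is the socket state, 8 the owning uid, 10 the inode
    awk 'NR > 1 && $4 == "0A" { print $2, $8, $10 }' "$tcp_table" |
    while read -r addr uid inode; do
        pid=$(pid_for_inode "$inode")
        if [ -n "$pid" ]; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo unknown)
        else
            pid='?'
            comm='unknown'   # the talk's port 58490 row ends up like this
        fi
        printf '%s\t%s\t%s\t%s\n' "$(proc_addr_to_host_port "$addr")" \
            "$uid" "$pid" "$comm"
    done
}

# Constructed /proc/net/tcp sample: sshd on 22, a Java service on 8080
# (uid 106), plus one established connection that must be filtered out.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 999999001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 999999002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000   106        0 999999003 1 0000000000000000 20 4 30 10 -1
EOF
}

# Run against the sample table; pass the real /proc/net/tcp on an appliance.
demo() {
    tmp=$(mktemp)
    sample_proc_net_tcp > "$tmp"
    list_listeners "$tmp"
    rm -f "$tmp"
}

demo
```

On a real appliance, `list_listeners /proc/net/tcp` (and `/proc/net/tcp6` for IPv6) yields the Port / Process / uid columns directly; the "Verified how" column still has to be filled by reading the configuration files by hand.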
Step #3 – Enumerate – Missing Process
Step #3 – Enumerate – Mooch
Step #3 – Enumerate – Firewall Rules
Step #3 – Enumerate – Database
Step #3 – Enumerate – Other Tools
| Tool | Purpose |
| --- | --- |
| checksec.sh | Operating system and binary defence in depth |
| find | File system permissions, SUID binaries etc. |
| tcpdump | Sniff loopback adapter for database, SOAP and other IPC traffic |
| lsof | List open files for a particular process or path |
| strace | System call trace – see which system calls are being made by a process |
| ltrace | Library call trace – see which library calls are being made by a process |
| unzip | For extracting JAR and WAR files containing the Java classes |
| JD-GUI | Java decompiler for the Java classes |
Summary so far
We have a shell and file system access
We have root on the appliance
We know the technologies
We know product functionality
We know roughly how it is built
We know what speaks to what
We have mooched around the interfaces
We have had a quick look at the database
Phase 2 – Dataflow
Step #0 – Dataflow - High-level
Step #1 – Dataflow – With Boundaries
What’s still missing?
What’s still missing
High-level: Logging, Platform defences etc.
Low-level: Detailed functional flows, e.g. authentication, actions, commands, mail transiting
Phase 3 – Threat Model based on High-Level
Threats: The Microsoft Way
Threats?
Threats: Web Interface
Threats: Admin Console
Threats: Daemon
Threats: Mail Transfer Agent
So what’s next?
We now ‘test’, ‘assess’ and/or ask the architects / developers what has been considered and which mitigations are present
How do we summarize?
| Threat | Impact / Risk | Mitigation | Residual Risk |
| --- | --- | --- | --- |
| Malformed document | Memory corruption leading to arbitrary code execution in the main daemon or wrapper process | Written in Java | Denial of Service |
Phase 4 – Going Deeper
Going deeper
• Rip into database
• Application passwords stored in clear-text
• File system contents
• SOAP interface credentials in clear-text
• Certificates are dynamically generated
== a more complete real world threat model
Going deeper
• Grab the Tomcat configurations
• Work out the filter chains
• See which URLs don’t need authentication
• Chain URLs back to Java classes
• Grab the JAR and WAR files containing the classes
• Disassemble
• Review code
== a more complete real world threat model
Conclusions for now…
The ideal process
Challenges
• Development may not have the deep threat / mitigation knowledge
• Brainstorming with a security person helps here
• Organisations underestimate the effort, size and complexity required to do threat modelling right
Conclusions
• Threat modelling requires good understanding of security risks
• Developing a good threat model takes a lot of time / effort and resource
• Enumeration of technologies and interfaces is key
• Think about possible attacks and how they are mitigated
• Verify threats either statically or dynamically
… this presentation was only the beginning
Thanks! Questions?
Ollie Whitehouse