Threat Modeling - Writing Secure Code

Threat Modeling
an introduction toSecurity Principals and Patterns in Application Architectural Design
Caleb Jenkins
Software Ninja | Architecthttp://DevelopingUX.com

Threat

+
Threat
Attack

or is your world more like this?

Agenda
Threat Analysis
Basic Security Concepts
Security Code Review
Summary / Q&A

T.J. Maxx theft believed largest hack ever
TJX cos. put number to loss Wednesday, acknowledges it could still go up
By Mark Jewell
Associated Press
March 30, 2007
BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.
Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.

T.J. Maxx theft believed largest hack ever
TJX cos. put number to loss Wednesday, acknowledges it could still go up
By Mark Jewell
Associated Press
March 30, 2007
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.

Assets are the things an attacker wants to take from you
Threats are the ways in which the attacker will try to get at your assets
Mitigations are the ways you block the attacker from getting the assets
Vulnerabilities are unmitigated threats
Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built

Assets are more than money…
Reputation & Customer Confidence
Confidential Data
Processor, Storage, Bandwidth
Availability
Performance

Threat Analysis
Secure software starts with understanding the threats
Threats are not vulnerabilities
Threats live forever
How will attackers attempt to compromise the system?
Asset
Mitigation
Threat
Vulnerability

Security User Stories
Describes something the bad guy wants to do (a threat)
Short and to the point
Written by the user in non-technical language
As an attacker
I want to <attack>
So that <crime>
By <method>

Security User Stories
As an attacker
I want to obtain credentials
So that I can plunder bank accounts
By tricking users into logging into my bogus site with a Phishing mail

Security Objectives
What do you not want to happen?
Confidentiality
“I do not want unauthorized users to gain access to confidential information”
Integrity
“I do not want unauthorized users to tamper with data”
Availability
“I do not want the system to be unavailable because of an attack”
Agree on security objectives up front
Helps to scope and focus your security efforts

Agenda
Threat Analysis
Summary / Q&A

Reduce Attack Surface
Defense In Depth
Least Privilege
Fail to Secure Mode

Attack Surface
The “Attack Surface” is the sum of the ways in which an attacker can get at you
Smaller Attack Surface is better

Attack Surface
Which one has the
Smaller attack surface?

Attack Surface
Hint: No way to know… what’s on the other side?

Understand Your Attack Surface
Networking protocols that are enabled by default
Network Endpoints
Code that auto-starts or will execute when accessed
Examples: Services, daemons, ISAPI filters and applications, SOAP services, and Web roots
Reusable components
ActiveX controls, COM objects, and .NET Framework assemblies, especially those marked with the AllowParticallyTrustedCallersAttribute)
Process identities for all the code you run
User accounts installed

Reducing Attack Surface
TCP/UDP
TCP/UDP
TCP/UDP
Service: Autostart SYSTEM

TCP/UDP
TCP/UDP
TCP/UDP
Turn off less-used ports

TCP/UDP
TCP only
Turn off UDP connections

TCP only
Restrict requests
to subnet/IP range

TCP only
Authenticate connections

TCP only
Service: Manual NetService
Lower privilege
Turn feature off

TCP only
Service: Manual NetService
Everyone (Full Control)
Admin (Full Control)
Everyone (Read)
Service (RW)
Harden ACLs on
data store

Defense In Depth
Least Privilege
Fail to Secure Mode

Defense In Depth
Don’t count on one line of defense for everything
What if the attacker penetrates that defense?
Contain the damage
Example – Nuclear Plants

“
Multiple redundant safety systems. Nuclear plants are designed according to a "defense in depth" philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection.
- Nuclear Energy Institute
“

System Failures can be Bad

Defense in Depth (MS03-007)Windows Server 2003 Unaffected
Microsoft Security Bulletin MS03-007
Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Originally posted: March 17, 2003
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Critical
Affected Software:
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
Not Affected Software:
Microsoft Windows Server 2003

The underlying DLL (NTDLL.DLL) not vulnerable
Code made more conservative during Security Push
Affected Software:

IIS 6.0 not running by default on Windows Server 2003
Even if it was vulnerable
Affected Software:

IIS 6.0 doesn’t have WebDAV enabled by default
Even if it was running
Affected Software:

Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)
Even if it did have WebDAV enabled
Affected Software:

Even if the buffer was large enough
Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Affected Software:

Even if the buffer was large enough
Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Even if it there was an exploitable buffer overrun
Would have occurred in w3wp.exe which is now running as ‘network service’
Affected Software:

Defense In Depth
Least Privilege
Fail to Secure Mode

Least Privilege
A defense in depth measure
Code should run with only the permissions it requires
Attackers can only do whatever the code was already allowed to do
Recommendations
Use least privilege accounts
Use code access security
Write Apps that non-admins can actually use

Fail To Secure Mode
Function Authenticate(UserID As String, Password As String)
Dim Authenticated As Boolean = True
Try
Dim conn As New SqlConnection(connString)
conn.Open()
Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …”)
Dim count As Integer
count = cmd.ExecuteScalar()
Authenticated = (count = 1)
Catch ex As Exception
MessageBox.Show("Error logging in " + ex.Message)
End Try
Return Authenticated
End Function

Fail To Secure Mode
Try
conn.Open()
End Try
End Function
Authenticated As Boolean = True
Danger!!
Assumes Success

Fail To Secure Mode
Try
conn.Open()
End Try
End Function
Authenticated As Boolean = True
Danger!!
Assumes Success
Authenticated flag may still be true here

Agenda
Threat Analysis
Summary / Q&A

Try
Dim conn As SqlConnection = Nothing
Dim results As New DataSet()
conn = New SqlConnection("data source=localhost;" _
+ "user id=sa;password=password;" + _
"Initial Catalog=SqlInjectionDemo")
conn.Open()
sqlString = "SELECT HasShipped" + _
" FROM Shipment WHERE ID='" + ID + "'"
cmd = New SqlCommand(sqlString, conn)
Dim adapter As New SqlDataAdapter(cmd)
adapter.Fill(results)
Catch se As SqlException
Dim status As String
status = sqlString + " failed"
For Each err As SqlError In se.Errors
status = status + err.Message
Next
MesssageBox.Show(status)
End Try

Try
conn.Open()
Next
End Try
Never connect as SA
Don’t Embed Secrets
user id=sa
password=password
Unencrypted & Weak Password

Try
conn.Open()
Next
End Try
Never connect as SA
user id=sa
password=password
WHERE ID='" + ID + "'"
Don’t Concatenate arguments

Try
conn.Open()
Next
End Try
Never connect as SA
user id=sa
password=password
WHERE ID='" + ID + "'"
Don’t Concatenate arguments
Don’t reveal everything to an attacker
For Each err As SqlError

Why not connect as SA?
Violates the principle of least privilege
Threat: Code is subject to attacker elevating privilege
Mitigation Recommendation
Defense in depth
Action: Run SQL as Network Service rather than Local System
Reduce surface area: eliminate privileges on everything except for the required stored procedures
Action: Create stored procedures
Least privilege: run as a lesser privileged user when connecting to database
Action: Fix the connection string

Why not embed secrets?
Violates the principle of avoiding security by obscurity
Threat: Secrets are easily discovered
Don’t Store Secrets
Tip: Use Windows Authentication
Encrypt secrets
For .NET 1.1 consider Enterprise Library
For .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData
For SQL Server 2005 use EncryptByKey / DecryptByKey

Storing Secrets
Hackers use search engines to locate secrets
Search engines will find anything you have hidden

Storing Secrets
MySQL Data Dumps
Config Files on *nix systems

Fix Connection String
Not good
Much Better

Never create your own encryption

Why not use easy passwords?
Because they are easily broken by brute force attacks
Threat: Attacker guesses or brute forces password to access secrets
Mitigation:
Enforce a strong password policy
Enable password policy enforcement on SQL Server
Uses Windows Server 2003 policy

Brute Force Dictionary Attacks

Password Policy
SQL Server 2005 Management Studio Tool Shown

Why not concatenate arguments?
Violates the principle of All Input Is Evil (Until Proven Otherwise)
Threat: Code is subject to luring attacks via SQL Injection
Use parameters with SQL
Create stored procedures and grant access only to the stored procedure
Consider Table-Valued Functions in SQL 2005
Disable unneeded SQL Server Features

Using Parameters and Sprocs

Reduce SQL Surface Area

Reduce SQL Surface Area
If you don’t connect in a sysadmin role the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account which may have reduced privilege

Evil Input Attack - Hotmail
October 2001 an XSS vulnerability which allowed an attacker to steal a user's Microsoft .NET Passport session cookies.
Exploit for this vulnerability consisted of sending a malicious email to a Hotmail user, which contained malformed HTML.
The script filtering code in Hotmail's site failed to remove the broken HTML and Internet Explorer's parsing algorithm happily interpreted the malicious code.

Security Fix: Validate Input
Constrain
Look for valid data and reject everything else
Set Max Length to 5
Use Regular Expressions to permit only what you want
Integer expression: “^[0-9]{0,5}$”
Reject
Reject things you know are bad
Sanitize
Use SQL Parameters
HTMLEncode output

discussion: White Listing vs Black Listing Input
“Look for valid data and reject everything else”
SQL Example: string.Replace(“delete”, “”)

“deldeleteete”

“deldeleteete”
“deldeleteete”

“deldeleteete”
“deldeleteete”
“delete”

demo: SQL Injection
Sanitizing User Input
Select Count(*) From Users
Where User Name = ‘’ OR
1+1=2; -- ‘ and password = ‘’

demo: SQL Injection

Discussion: XSS

Why not reveal all exceptions?
Most users won’t understand the details anyway
Threat: Code is subject to information disclosure threats
Map low level error messages to meaningful messages for your users
Never disclose secrets in error messages

Meaningful Error Messages
What this error really means…
No SmartCard inserted in card reader

observe: Security Architectureis a moving target.

review

Threat Model Checklist
No design is complete without a threat model!
Capture your work in a threat model document
Investigate threats
Track and prioritize vulnerabilities through to mitigation and testing
Take advantage of security guidance http://msdn.microsoft.com/securityguidance
vuln
threat
asset

Architects Must
Understand security terminology and best practices
Pay attention to what is happening in the industry
Instill security thinking throughout the application lifecycle
Ensure that the team has an up to date threat model
Ensure that the team has operational procedures that will ensure ongoing security

exercise: Use the Threat Analysis & Modeling Tool

Resources
Patterns & Practices Security Guidance
http://msdn.microsoft.com/securityguidance
http://del.icio.us/calebjenkins/SecurityTools

Thank you
DevelopingUX.com

http://developingux.com	135
http://www.slideshare.net	2
http://www.linkedin.com	1

Threat Modeling - Writing Secure Code

by Caleb Jenkins

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 138

Statistics