Real World Application Threat Modelling By Example

Slides from Ollie Whitehouse's Workshop at 44CON 2013

Published in: Technology

Comments
  • @MartijnBrinkers the goal was not to focus on DJIGZO specifically but more to use it as an example virtual appliance. When delivering this presentation I talked about the fact that the product should be the focus, as it was one of the first virtual appliances that would run on VMWare that we could find via Google, and thus it was used.
  • Interesting. The DJIGZO gateway is open source, so I'm not sure what the goal is of this 'Threat Modeling' since all the information is available from the source code. Anyway, there are some inaccuracies; for example, a PDF is generated by the system, no PDF is used from an outsider, so the part about 'corrupt pdf' is incorrect. This 'threat analysis' is in my view only a summation of some internals and not really addressing any threats.

  1. Real World Application Threat Modelling By Example – 44Con 2013
  2. Agenda
     • Threat modelling 101
     • Our goals
     • Doing it
  3. Threat modelling 101 – Why threat model?
     • Help with risk analysis (defensive)
     • Help with efficient effort investment (offensive)
  4. Threat modelling 101
     • Attacker centric, aka attack trees
     • Software, system, design or architecture centric
     • Asset centric, aka traditional risk analysis
  5. Threat modelling 101
  6. Our goals
     • Assess a virtual appliance with zero initial knowledge
     • Map its attack surface
     • Develop a threat model
  7. Our goals – another perspective
  8. Target: Djigzo Email Encryption Gateway – http://www.djigzo.com/gateway.html
  9. Steps?
  10. Steps
      • Enumeration / Discovery
      • Dataflow
      • Threat model
  11. Phase 1 – Enumeration
  12. Step #0 – Tools
      • Notepad / VIM / whatever
      • Mind mapper (FreeMind etc.)
      • Diagram drawer (Visio etc.)
      • OS-specific tooling (enumeration / debug)
  13. Step #1 – Get shell
      • Possible approaches
        – Mount virtual disk image
        – Live CD – add a user
        – Single user mode
      • Allowed functionality
        – Default username and password
  14. Step #2 – Get root
      • Possible approaches
        – Mount virtual disk image
        – Live CD – add a user
        – Single user mode
      • Product configuration issue
        – They allow a shell
        – They made a mistake / overlooked something
  15. Step #3 – Enumerate?
  16. Step #3 – Enumerate
      • Product functionality
      • Technologies in use
      • Processes
      • Listening ports
      • Process to port mappings
      • Users processes are running as
      • Mooch around the interfaces (*scientific)
      • Dig into the database (if there is one)
  17. Step #3 – Enumerate – Product functionality
      Source: administration / installation manual
      • Console administration interface
      • Web administration interface
      • Email gateway
      • Email encryption solution
  18. Step #3 – Enumerate – Technology
      • Linux
      • Postfix
      • Java
      • Apache Tomcat 6
      • Spring (web framework)
      • Apache James (mail)
      • Tanuki Software Wrapper (allows Java to run as a daemon)
      • Jetty web server (SOAP interface)
      • Postgres
  19. Step #3 – Enumerate – Processes
  20. Step #3 – Enumerate – Listening Ports
  21. Step #3 – Enumerate – Processes to ports
  22. Step #3 – Enumerate – Listening Ports
      Port   Process   Description                  Verified how
      22     SSHD      SSH daemon                   No need
      25     Master    Postfix mail transfer agent  No need / experience
      8080   Java      Tomcat                       /etc/tomcat6/server.xml
      8443   Java      Tomcat                       /etc/tomcat6/server.xml
  23. Step #3 – Enumerate – Listening Ports
      Port   Process   Description / Function                          Verified how
      5400   Java      RMI for JMX                                     /etc/djigzo/spring/services.xml
      5432   Postgres  Database server                                 Obvious from the process name
      8005   Java      Tomcat shutdown port                            Internet knowledge
      9000   Java      SOAP interface                                  /etc/djigzo/djigzo.properties
      10025  Java      Mail content filter port                        /etc/djigzo/james/config.xml, /etc/james/smtp_server.xml, /etc/postfix/main.cf
      10026  Master    Postfix mail transfer agent – mail reinjection  /etc/djigzo/james/config.xml, /etc/postfix/main.cf
      15012  Java      Wrapper                                         /etc/djigzo/djigzo.wrapper.conf
      58490  Java      Unknown
  24. Step #3 – Enumerate – Listening Ports
  25. Step #3 – Enumerate – Listening Ports
  26. Step #3 – Enumerate – Listening Ports
  27. Step #3 – Enumerate – What's missing?
  28. Step #3 – Enumerate – Processes
  29. Step #3 – Enumerate – Open Handles: ls /proc/[pid]/fd
  30. Step #3 – Enumerate – Missing Process
  31. Step #3 – Enumerate – Missing Process
  32. Step #3 – Enumerate – Missing Process
  33. Step #3 – Enumerate – Mooch
  34. Step #3 – Enumerate – Mooch
  35. Step #3 – Enumerate – Mooch
  36. Step #3 – Enumerate – Firewall Rules
  37. Step #3 – Enumerate – Database
  38. Step #3 – Enumerate – Other Tools
      Tool          Purpose
      checksec.sh   Operating system and binary defence in depth
      find          File system permissions, SUID binaries etc.
      tcpdump       Sniff the loopback adapter for database, SOAP and other IPC traffic
      lsof          List open files for a particular process or path
      strace        System call trace – see which system calls a process makes
      ltrace        Library call trace – see which library calls a process makes
      unzip         Extract JAR and WAR files containing the Java classes
      JD-GUI        Java decompiler for the Java classes
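The enumeration steps above (listening ports, process-to-port mapping, the user each process runs as, and ls /proc/[pid]/fd for open handles) can be driven from one script once you have root. The script below is an added example, not code from the workshop or from the Djigzo product: it parses /proc/net/tcp directly, so it works on a stripped-down appliance that ships neither netstat nor ss, and it resolves each listening socket's inode to its owning process by walking /proc/<pid>/fd. The sample /proc/net/tcp contents, including the ports, uids and inode numbers, are constructed for illustration; the live path assumes a Linux /proc with /proc/<pid>/comm available, and IPv6 listeners (in /proc/net/tcp6) would need the same treatment.

```shell
#!/bin/sh
# Added example: enumerate listening TCP sockets and map them to the
# processes (and uids) that own them, using only /proc. Works where
# netstat/ss are absent. IPv4 only; repeat on /proc/net/tcp6 for IPv6.

# Constructed sample of /proc/net/tcp (not captured from the appliance).
# Columns: sl local_address rem_address st ... uid timeout inode ...
# Addresses are hex, IP little-endian; st 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   107        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0A000002:0016 0A000001:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 12349 2 0000000000000000 20 4 30 10 -1'

# Read /proc/net/tcp-format text on stdin; print "port bind_addr uid inode"
# for every socket in LISTEN state. Hex decoding is done in awk so the
# script does not depend on gawk's strtonum or on printf accepting 0x.
listening_sockets() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    # /proc stores the IPv4 address as a little-endian 32-bit hex word.
    function hex2ip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":")
        print hex2dec(a[2]), hex2ip(a[1]), $8, $10
    }'
}

# Map a socket inode to the processes holding it by walking /proc/<pid>/fd,
# i.e. the "ls /proc/[pid]/fd" step. Needs root to see other users' processes.
socket_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s(%s) ' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

# Live report for this host: port, bind address, uid and owning process(es).
# A 127.0.0.1 bind (as in the constructed 5432 row) is only reachable after
# a foothold on the box or through another local service, which changes
# where that interface sits in the dataflow and threat model.
report_listeners() {
    listening_sockets < /proc/net/tcp | while read -r port addr uid inode; do
        printf '%-6s %-15s uid=%-5s %s\n' "$port" "$addr" "$uid" "$(socket_owner "$inode")"
    done
}

# Only touch the real /proc when asked, so the parser can also run over a
# saved copy of /proc/net/tcp (or the constructed sample above).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    report_listeners
else
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_sockets
fi
```

Run it as root with RUN_LIVE=1 on the appliance to get the same port / process / uid table as slides 22 and 23, with the bind address added; the "Verified how" column still has to be filled in by hand from the configuration files, which is the part that turns a port list into a model.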
  39. Summary so far
      • We have a shell and file system access
      • We have root on the appliance
      • We know the technologies
      • We know product functionality
      • We know roughly how it is built
      • We know what speaks to what
      • We have mooched around the interfaces
      • We have had a quick look at the database
  40. Phase 2 – Dataflow
  41. Step #0 – Dataflow – High-level
  42. Step #1 – Dataflow – With Boundaries
  43. What's still missing?
  44. What's still missing
      • High-level: logging, platform defences etc.
      • Low-level: detailed functional flows, e.g. authentication, actions, commands, mail transiting
  45. Phase 3 – Threat Model based on High-Level
  46. Threats: The Microsoft Way
  47. Threats?
  48. Threats: Web Interface
  49. Threats: Admin Console
  50. Threats: Daemon
  51. Threats: Mail Transfer Agent
  52. So what's next? We now 'test', 'assess' and/or ask the architects / developers what has been considered and what mitigations are present
  53. How do we summarize?
      Threat:         Malformed PDF document
      Impact / Risk:  Memory corruption leading to arbitrary code execution in the main daemon or wrapper process
      Mitigation:     Written in Java
      Residual Risk:  Denial of Service
  54. Phase 4 – Going Deeper
  55. Going deeper
      • Rip into the database
      • Application passwords stored in clear-text
      • File system contents
      • SOAP interface credentials in clear-text
      • Certificates are dynamically generated
      == a more complete real world threat model
  56. Going deeper
      • Grab the Tomcat configurations
      • Work out the filter chains
      • See which URLs don't need authentication
      • Chain URLs back to Java classes
      • Grab the JAR and WAR files containing the classes
      • Disassemble
      • Review code
      == a more complete real world threat model
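One way to carry out the first four of these steps against a Tomcat webapp, as an added example rather than anything from the workshop or the Djigzo code base: pull the url-pattern to servlet-class mapping out of WEB-INF/web.xml, and pull the Spring Security intercept-url rules out of the application's security XML to see which patterns admit unauthenticated callers. The XML samples, the class name com.example.CertificateServlet, the URL patterns and the suggested file names inside the WAR are constructed for illustration, and the awk parsing assumes each element sits on its own line, which is how these files are normally laid out; for anything less regular, run xmllint --xpath over the extracted file instead.

```shell
#!/bin/sh
# Added example: map URLs to Java classes and find unauthenticated URL
# patterns from a Tomcat webapp's XML configuration. Typical use on a WAR
# (file names inside the WAR are assumptions; list WEB-INF first):
#   unzip -p app.war WEB-INF/web.xml | servlet_classes
#   unzip -p app.war WEB-INF/applicationContext-security.xml | unauthenticated_rules

# Constructed web.xml fragment (not from the product).
SAMPLE_WEB_XML='<web-app>
  <servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ca</servlet-name>
    <servlet-class>com.example.CertificateServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ca</servlet-name>
    <url-pattern>/ca/*</url-pattern>
  </servlet-mapping>
</web-app>'

# Constructed Spring Security fragment (not from the product).
SAMPLE_SECURITY_XML='<beans:beans xmlns="http://www.springframework.org/schema/security">
  <http auto-config="true">
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/css/**" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
  </http>
</beans:beans>'

# web.xml on stdin -> "url-pattern<TAB>servlet-class", one line per mapping.
# <servlet> definitions are collected into class_of[] and mappings are
# printed at END, so the order of the two kinds of block does not matter.
servlet_classes() {
    awk '
    function text(s) { gsub(/^[ \t]*<[^>]*>|<\/[^>]*>[ \t]*$/, "", s); return s }
    /<servlet-name>/      { name = text($0) }
    /<servlet-class>/     { cls  = text($0) }
    /<url-pattern>/       { url  = text($0) }
    /<\/servlet>/         { class_of[name] = cls }
    /<\/servlet-mapping>/ { n++; urls[n] = url; owner[n] = name }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", urls[i], class_of[owner[i]] }'
}

# Spring Security XML on stdin -> "pattern<TAB>access" per intercept-url,
# in file order (the first matching rule wins, so order is part of the model).
intercept_rules() {
    awk '/<intercept-url/ {
        pat = "(none)"; acc = "(none)"
        if (match($0, /pattern="[^"]*"/)) pat = substr($0, RSTART + 9, RLENGTH - 10)
        if (match($0, /access="[^"]*"/))  acc = substr($0, RSTART + 8, RLENGTH - 9)
        printf "%s\t%s\n", pat, acc
    }'
}

# Keep only rules whose access expression admits unauthenticated callers.
# A rule with no access attribute is flagged too: it needs a closer look.
unauthenticated_rules() {
    intercept_rules | awk -F '\t' '$2 == "permitAll" || $2 == "IS_AUTHENTICATED_ANONYMOUSLY" || $2 == "(none)"'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_WEB_XML"      | servlet_classes
printf '%s\n' "$SAMPLE_SECURITY_XML" | unauthenticated_rules
```

Each unauthenticated pattern then gets chained through the servlet table to a class, and that class (after unzip and JD-GUI) is where the code review on the next two bullets starts; the same two-step lookup applies to the SOAP interface on Jetty if it is wired through its own web.xml.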
  57. Conclusions for now…
  58. The ideal process
  59. Challenges
      • Development may not have the deep threat / mitigation knowledge
        – Brainstorming with a security person helps here
      • Organisations underestimate the effort, size and complexity required to do threat modelling right
  60. Conclusions
      • Threat modelling requires a good understanding of security risks
      • Developing a good threat model takes a lot of time / effort and resource
      • Enumeration of technologies and interfaces is key
      • Think about possible attacks and how they are mitigated
      • Verify threats either statically or dynamically
      … this presentation was only the beginning
  61. Thanks! Questions? Ollie Whitehouse, ollie.whitehouse@nccgroup.com
      UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London
      North American Offices: San Francisco, Atlanta, New York, Seattle
      Australian Offices: Sydney
      European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)
