13. Data Flow Diagram (Example)
Appendix E ■ Case Studies 513
Web Clients
SQL Clients
Front End(s)
External Entity
Key:
Process Data Store
DB Admin
Data Management Logs
Log analysis
Acme SQL Account
DB Cluster
DBA (human)
DB
Users
(human)
Database
data flow
Trust
Boundary
16. State Machines
• Helpful for considering what changes
security state
– For example, unauthenLcated to
authenLcated
– User to root/admin
• Rarely shows boundaries
the appropriate security validations.
A very simple state machine for a door is shown in Figure
Wikipedia). The door has three states: opened, closed, and loc
entered by a transition. The “deadbolt” system is much easier t
on the knob, which can be locked from either state, creating
diagram and user experience. Obviously, state diagrams can
quickly. You could imagine a more complex state diagram tha
state that can result from either open or closed. (I started draw
trouble deciding on labels. Obviously, doors that can be ajar ar
and should not be deployed.) You don’t want to make archit
just to make modeling easier, but often simple models are ea
and reflect better engineering.
Opened
Closed Locked
State
Transition
Open door
Close door
Unlock deadbolt
Lock deadbolt
Transition
condition
19. STRIDE
Threat Property
Violated
DefiniLon Example
Spoofing AuthenLcaLon ImpersonaLng
something or someone
else.
Pretending to be any of Bill Gates, Paypal.com
or ntdll.dll
Tampering Integrity Modifying data or code Modifying a DLL on disk or DVD, or a packet as it
traverses the network
RepudiaLon Non-repudiaLon Claiming to have not
performed an acLon.
“I didn’t send that email,” “I didn’t modify that
file,” “I certainly didn’t visit that web site, dear!”
InformaLon
Disclosure
ConfidenLality Exposing informaLon
to someone not
authorized to see it
Allowing someone to read the Windows source
code; publishing a list of customers to a web
site.
Denial of Service Availability Deny or degrade
service to users
Crashing Windows or a web site, sending a
packet and absorbing seconds of CPU Lme, or
rouLng packets into a black hole.
ElevaLon of Privilege AuthorizaLon Gain capabiliLes
without proper
authorizaLon
Allowing a remote internet user to run
commands is the classic example, but going
from a limited user to admin is also EoP.
22. Spoofing Over a Network
Threat Example What the A7acker Does Notes/Examples
Spoofing a machine ARP spoofing
IP spoofing
DNS spoofing
DNS compromise Can be at the TLD, registrar
or DNS server
IP redirecLon
Spoofing a person Take over account “Stranded in London”
Set the display name
Spoofing a role Declares themselves to be
that role
SomeLmes opening a
special account, semng up
a domain/website, other
“verifiers”
24. Tampering with Memory
Threat Example What the A7acker Does Notes/Examples
Modifying code Changes your code to suit
themselves
Hard to defend against if
the aHacker is running
code inside the trust
boundaries
Modifying data they’ve
supplied
Supplies data to a pass by
reference API, then
changes it
Works because of TOCTOU
issues
Supplies data into a shared
memory segment, then
changes it
26. RepudiaLon
Threat Example What the A7acker Does Notes/examples
RepudiaLng an acLon Claims to have not
clicked
Maybe they did, maybe they
didn’t, maybe they’re honestly
confused
Claims to not have
received
1. Electronic or physical
2. Receipt is strange; does a client
downloading email mean you’ve
seen it? Did a network proxy pre-
fetch images? Was a package leP
on a porch?
Claims to be a fraud
vicLm
Uses someone else’s
account
28. InformaLon Disclosure (Processes)
Threat Example What the A7acker Does Notes/Examples
Extracts user data Exploits bugs like SQL
injecLon to read db tables
Can find this by looking to
data stores, but here the
issue is the process
returning data it shouldn’t
Reads error messages
Extracts machine secrets Reads error messages Cannot connect to
database ‘foo’ as user ‘sql’
with password ‘&IO*(^&’
Exploits bugs “Heartbleed”
31. Denial of Service
Threat Example What the A7acker Does Notes/Examples
Against a process Absorb memory (ram or disk)
Absorb CPU
Uses a process as an amplifier
Against business logic “Too many login
aHempts”
Against a data store Fills the data store
Makes enough requests to slow the
system
Against a data flow Consumes network resources
Can be temporary (as the aHack conLnues; fill the network) or persist beyond that (fill
a disk)
37. “Orders of MiLgaLon”
Order Threat MiEgaEon
1st Window smashing Reinforced glass
2nd Window smashing Alarm
3rd Cut alarm wire Heartbeat signal
4th Fake heartbeat Cryptographic signal integrity
By Example:
• Thus window smashing is a first order threat, cumng
alarm wire, a third-order threat
• Easy to get stuck arguing about orders
• Are both stronger glass & alarms 1st order
miLgaLons? (Who cares?!)
• Focus on the concept of interplay between
miLgaLons & further aHacks
40. Example Threat Tracking Tables
Diagram Element Threat Type Threat Bug ID
Data flow #4, web
server to business
logic
Tampering Add orders without
payment checks
4553 “Need
integrity controls
on channel”
Info disclosure Payment
instruments sent in
clear
4554 “need crypto”
#PCI
Threat Type Diagram Element(s) Threat Bug ID
Tampering Web browser AHacker modifies
our JavaScript order
checking
4556 “Add order-
checking logic to
server”
Data flow #2 from
browser to server
Failure to
authenLcate
4557 “Add enforce
HTTPS everywhere”
Both are fine, help you iterate over diagrams in different ways
47. MiLgate
• Add/use technology to prevent aHacks
• For example, prevent tampering:
– Network: Digital signatures, cryptographic integrity
tools, crypto tunnels such as SSH or IPsec
• Developers, sysadmins have different toolkits for
miLgaLng problems
• Standard approaches available which have been
tested & worked through
• SomeLmes you need a custom approach
48. Some Technical Ways to Address
Threat MiEgaEon Technology Developer Example Sysadmin Example
Spoofing AuthenLcaLon Digital signatures, AcLve
directory, LDAP
Passwords, crypto
tunnels
Tampering Integrity, permissions Digital signatures ACLs/permissions,
crypto tunnels
RepudiaLon Fraud prevenLon,
logging, signatures
Customer history risk
management
Logging
InformaLon
disclosure
Permissions,
encrypLon
Permissions (local), PGP,
SSL
Crypto tunnels
Denial of service Availability ElasLc cloud design Load balancers, more
capacity
ElevaLon of
privilege
AuthorizaLon, isolaLon Roles, privileges, input
validaLon for purpose,
(fuzzing*)
Sandboxes, firewalls
* Fuzzing/fault injecLon is not a miLgaLon, but a great tesLng technique
See chapter 8, Threat Modeling for more
52. Some Technical Ways to Address
Threat MiEgaEon Technology Developer Example Sysadmin Example
Spoofing AuthenLcaLon Digital signatures, AcLve
directory, LDAP
Passwords, crypto
tunnels
Tampering Integrity, permissions Digital signatures ACLs/permissions,
crypto tunnels
RepudiaLon Fraud prevenLon,
logging, signatures
Customer history risk
management
Logging
InformaLon
disclosure
Permissions,
encrypLon
Permissions (local), PGP,
SSL
Crypto tunnels
Denial of service Availability ElasLc cloud design Load balancers, more
capacity
ElevaLon of
privilege
AuthorizaLon, isolaLon Roles, privileges, input
validaLon for purpose,
(fuzzing*)
Sandboxes, firewalls
* Fuzzing/fault injecLon is not a miLgaLon, but a great tesLng technique
See chapter 8, Threat Modeling for more