Threat Modeling for Hostile Client Systems Avni Rambhia
Outline Goals of threat modeling Quick overview of generic threat modeling Quirks of a hostile user system Threat modeling for hostile user systems Interactive threat model for PKI signature verification Summary Questions and discussion
What is threat modeling? Discover and document threats to a system or application –Threat = system is compromised in a certain way Fake transaction is created Determine severity of each threat –Severity = measure of danger if the threat were successfully executed. 20,000 dollar car shipped to different address Determine vulnerabilities or mitigations for each threat path –Threat path = way in which threat is executed Session number can be guessed and fake cookie created
Conventional Threat Modeling Create a threat model –APIs or entry points (trusted/untrusted) –Data flows –Assets Determine the severity of each threat Decompose application to discover vulnerabilities Document external dependencies and assumptions
VERIFIERVERIFIER PKI-based Authentication System Quick and Dirty overview Random Challenge = n Certificate + signed n Verify Certificate Verify Signed n Authentication success or failure REQUESTERREQUESTER
Conventional Threat Modeling VERIFIERVERIFIER REQUESTERREQUESTER Random Challenge = n Certificate + signed n Verify Certificate Verify Signed n Authentication success or failure Repeated or predictable n MIMMIM MIMMIM Buffer overflow Integer overflow Private key discovered using known plaintext
Hostile User Threat Modeling What is hostile user scenario? –Administrator of system has reason to attack the system to subvert it. virus running in kernel or with admin privilege user of multimedia management system More effective to threat model based on –Assumptions –Assets
Some assumptions in PKI Verifier Root public key used to verify the certificate is correct Local time used to check certificate expiry is correct Cryptography functions correctly perform operations and correctly report results Authentication does not succeed unless certificate and signature are correctly verified
Some assets in Verifier Challenge –Random number generator Certificate verification –Root public key (certificate chain) –System clock –Cryptography routines (signature verification)
Hostile Threat Modeling - Verifier VERIFIERVERIFIER Verify Certificate Verify Signed n Random Challenge = n Certificate + signed n success or failure Replace random no. generator Change code to not call random no. fn. Bypass verification routines Tamper clock Replace public key! Replace hash calculation function Tamper (hash == hash) condition to if (1) Replace hash calculation function
You have the threats. What next? Determine severity/risk of each threat –Relative to the security requirements of the system (penny sale auditing v/s NSA auditing) –DREAD (conventional) Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability –FACE (For hostile user systems) Feasibility, Asset value, Collateral Damage, Execution Difficulty –In general, don’t consider will-do mitigations while calculating risks.
Mitigating Risk For all threats with unacceptable risk, determine mitigations Some mitigations for hostile user systems: –Obfuscation/Fragilization –Integrity verification –In-lining critical functions –Server-based security –Stack checking –Privileged execution (more useful for safety against virus)
Summary Hostile user threat modeling has a much larger threat surface than conventional threat modeling Asset and Assumption based investigation is best approach for hostile user systems Systems needing resistance to hostile users have unique mitigation needs Breach of crypto algorithms is the least of your worries for such systems
Key Takeaway Design of hostile user systems is challenging. Whenever you design a system, identify all portions which must be resistant against hostile users, and ensure that your design can achieve the requisite level of security
Resources/Contact Avni Rambhia, Principal, Security Matters – Conventional Threat Modeling resources –Writing Secure Code, Second Edition Mike Howard, Dave LeBlanc (MS Press) –Threat Modeling Frank Swiderski, Window Snyder (MS Press)
Questions/Discussion