AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT.

Slides:



Advertisements
Similar presentations
Sachin Rawat Crypsis SDL Threat Modeling.
Advertisements

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
CPSC 322, Lecture 19Slide 1 Propositional Logic Intro, Syntax Computer Science cpsc322, Lecture 19 (Textbook Chpt ) February, 23, 2009.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Software Engineering COMP 201
Software Testing and Quality Assurance
INTRODUCTION COMPUTATIONAL MODELS. 2 What is Computer Science Sciences deal with building and studying models of real world objects /systems. What is.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Software Quality Engineering Roadmap
1 SYS366 Week 1 - Lecture 2 How Businesses Work. 2 Today How Businesses Work What is a System Types of Systems The Role of the Systems Analyst The Programmer/Analyst.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
IS550: Software requirements engineering Dr. Azeddine Chikh 4. Validation and management.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
End-to-End Design of Embedded Real-Time Systems Kang G. Shin Real-Time Computing Laboratory EECS Department The University of Michigan Ann Arbor, MI
SE 555 Software Requirements & Specification 1 SE 555 Software Requirements & Specification Prototyping.
Course Instructor: Aisha Azeem
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 11 Slide 1 Architectural Design.
Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Software Assurance Automation throughout the Lifecycle OWASP AppSec USA 2011 September 23 rd 2011.
The Design Discipline.
© Siemens AG, CT SE 1, Dr. A. Ulrich C O R P O R A T E T E C H N O L O G Y Research at Siemens CT SE Software & Engineering Development Techniques.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 1 Slide 1 An Introduction to Software Engineering.
Introduction to Software Engineering
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
CSE 403, Software Engineering Lecture 4 Documenting and Using Requirements.
Introduction to Software Testing Chapter 9.1 Challenges in Testing Software – Testing for Emergent Properties: Safety and Security Paul Ammann & Jeff Offutt.
Identify steps for understanding and solving the
A GENERIC PROCESS FOR REQUIREMENTS ENGINEERING Chapter 2 1 These slides are prepared by Enas Naffar to be used in Software requirements course - Philadelphia.
1999 Final Year Projects Prof. Michael R. Lyu. Lyu9901: TravelNet Design a Web-based travel manager to reserve airplane tickets and hotel. A distributed.
1 SYS366 Lecture Visual Modeling and Business Use Case Diagrams.
OBJECT ORIENTED SYSTEM ANALYSIS AND DESIGN. COURSE OUTLINE The world of the Information Systems Analyst Approaches to System Development The Analyst as.
Chapter 1: Introduction Omar Meqdadi SE 2730 Lecture 1 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Lecture 7: Requirements Engineering
An Introduction to Software Engineering. Communication Systems.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Introduction to Software Engineering. Why SE? Software crisis manifested itself in several ways [1]: ◦ Project running over-time. ◦ Project running over-budget.
K. Ingram (with thanks to A. Seddon) Staffordshire UNIVERSITY School of Computing Introduction to Software System Design.
Chapter 6 – Architectural Design Lecture 1 1Chapter 6 Architectural design.
Microsoft Management Seminar Series SMS 2003 Change Management.
Cosc 4765 Computer Security Thinking beyond today.
EMEA Beat Schwegler Architect Microsoft EMEA HQ Ingo Rammer Principal Consultant thinktecture
Software Engineering1  Verification: The software should conform to its specification  Validation: The software should do what the user really requires.
Design-Directed Programming Martin Rinard Daniel Jackson MIT Laboratory for Computer Science.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Quality Assurance in the Presence of Variability Kim Lauenroth, Andreas Metzger, Klaus Pohl Institute for Computer Science and Business Information Systems.
EMEA Beat Schwegler Architect Microsoft EMEA HQ Ingo Rammer Principal Consultant thinktecture
1 Introduction Bindia Hallauer & Ajay Sudan Product Management, Visual Studio Team System Microsoft Corporation.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
1 SYS366 Week 2 - Lecture 2 Visual Modeling & UML.
How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.
VIEWS b.ppt-1 Managing Intelligent Decision Support Networks in Biosurveillance PHIN 2008, Session G1, August 27, 2008 Mohammad Hashemian, MS, Zaruhi.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 6 Slide 1 Software Requirements (utvalgte foiler fra Kap 6 og 7 i Sommerville)
1 SYS366 Week 2 - Lecture Visual Modeling and Process.
Rekayasa Perangkat Lunak Part-6
Security Testing Methods
Security Issues Formalization
Evaluating Existing Systems
Evaluating Existing Systems
Future Technologies FTC 2016 Future Technologies Conference December 2016 San Francisco, United States.
Software Prototyping Animating and demonstrating system requirements.
Software testing.
Threat Modeling 101 Jozsef Ottucsak OWASP Santa Barbara 12/07/18.
Engineering Secure Software
Presentation transcript:

AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT

Software Design Group, Computer Science and Artificial Intelligence Laboratory (CSAIL) Leader: Prof. Daniel Jackson Research interests: Architecture, modeling, requirements, security, safety, program analysis, verification, testing Systems: Electronic voting, radiation therapy system, network protocols, biometric access control, web application, smart grids… Introduction

“What could possibly go wrong with my system?” Three components – Policy: What customers care about – System model: Not just the software! – Environment model: Both good & bad agents What are possible ways in which the system, operating under the specified environment, may fail to satisfy its security policy? What is Threat Modeling?

“All models are wrong, but some models are useful.” (George Box) Identify & prioritize risks early in development Explore security implications of design decisions Build mitigations into the design BUT not intended for: – Finding implementation bugs (e.g., SQL injection) – Proving that your system is 100% secure Why Threat Model?

Threat Modeling Today

Whiteboards & diagramming tools SDL Threat Modeling Tool (Microsoft) Elevation of Privilege (Adam Shostack) TRIKE (Saitta, Larcom, Eddington) ThreatModeler (myappscurity.com) Threat Modeling Today

Diversity of threats – Multiple types of attacks, chained together Initial unknowns about system & threats – Design decisions impact knowledge Throw away once used Expressing & checking policy What Makes Threat Modeling Hard?

Interactive & incremental modeling – Start small, evolve model & re-analyze Reusable models – Capture & reuse domain knowledge – Extensible attack library Automated analysis – Find subtle, corner cases with exhaustive analysis Visualization – Generate & step through sample attack scenarios Threat Modeling With Poirot

Demo Poirot

Dataflow for basic representation Attack trees (Bruce Schneier) – Chaining together attacker’s actions CVE, CWE, CAPEC, and other databases Information flow labels (Dorothy Denning) – Specifying security policies Techniques from program verification – Exhaustive checking of properties Ideas We’re Borrowing From

How Poirot Work

Access control through API operations – Constraints on parameters Partiality – Start with underspecified design & strengthen Knowledge reuse through instantiation Automation – Attack generation as constraint solving Poirot: Key Ideas

Cannot check implementation for security vulnerabilities Cannot tell you about attacks outside the attack library Cannot tell you whether your system model is accurate What Poirot Can’t Do

How can Poirot be useful to you? Looking beyond the Web – Poirot is generic, and can be populated with knowledge from other domains – Medical devices – Internet of Things What’s Next?

Try Poirot at: sdg.csail.mit.edu/poirot Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.