1 Threat modelling: A short introduction and stories from end user involvement
SRM Seminar, Luxembourg, 22.06.2010
Per Håkon Meland, SINTEF ICT, Trondheim, Norway
http://www.sintef.com/

2 Motivation and background

3 Hospital systems (2005– )
- Integration and access control of EPRs (electronic patient records)
- Models used to communicate processes and threats

4 SODA - a Security-Oriented Software Development Framework (2006-2008)
- The target group was the ordinary "developer-on-the-street"
- Hands-on techniques for improving software security
Publications:
- Tøndel et al: Security Requirements for the Rest of Us, IEEE Software, January/February 2008
- Røstad et al: Learning by Failing (and Fixing), IEEE Security & Privacy, July/August 2008
- Jaatun et al: Covering Your Assets in Software Engineering, ARES 2008
- Meland et al: Secure Software Design in Practice, SecSE 2008
- Ardi et al: How can the developer benefit from security modeling?, ARES 2007

5 SHIELDS (EU project, 2008-2010, 8 partners)
- Sharing of security knowledge: models, methods, tools and tool input
- End user evaluations: several iterations, real end-users, case studies and commercial products

6 Overview of SHIELDS activities

7 Threat modelling

8 Threat modelling
Michael Howard and Steve Lipner: "If we had our hands tied behind our backs … and could do only one thing to improve software security … we would do threat modeling" ("The Security Development Lifecycle", Microsoft Press, 2006)

9 Threat modelling with misuse cases and attack trees
- Understand potential security threats and vulnerabilities
- Understand attackers
- Find security design issues before code is written
- Determine countermeasures
- Guide code review, testing, configuration and deployment
- Highly reusable
- Easy to grasp

10 Example: Media player

11 Xine media player

12 Let's create a model from scratch…

13 Main functionality:
- Download data (application, codecs, skins, ...)
- Play local media file
- Play media stream
Actors:
- Software developer
- User

14 (diagram only)

15 (diagram only)

16 How about reusing one?

17 Search for existing misuse case diagrams: "Media", "player", "Movie"

18 (diagram only)

19 Attack trees

20 Attack trees
- Hide the details
- Link to attack patterns
- Used to identify mitigations
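An attack tree is an AND/OR tree of attack steps, so a mitigation placed on a leaf can be propagated upwards to see whether the root goal is still reachable. The following is an added example, not code from the slides or from the SHIELDS tools: it encodes the media-player threat that slide 23 spells out (root goal "Launch malicious code through video file", mitigations "Validate length/type of incoming data elements") as a small tree in C and evaluates which goals stay open under a given set of mitigations. The precondition leaf "victim opens an attacker-supplied video file", the intermediate node "corrupt player memory" and the wording of the leaf names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

enum nodekind { LEAF, AND, OR };

struct node {
    const char *name;
    enum nodekind kind;
    const struct node *kids[4];   /* NULL-terminated, used by AND/OR nodes */
    const char *mitigation;       /* leaves only: countermeasure that blocks the step, or NULL */
};

/* Leaves (attack steps). The two malformed-input leaves follow slide 23's
 * mitigations; the "victim opens file" precondition is a constructed addition
 * that no player-side mitigation removes. */
static const struct node OPEN = {
    "Victim opens an attacker-supplied video file", LEAF, {NULL}, NULL };
static const struct node BADLEN = {
    "Oversized length field triggers integer overflow in the demuxer", LEAF, {NULL},
    "Validate length of incoming data elements" };
static const struct node BADTYPE = {
    "Unexpected data element type reaches a handler that cannot parse it", LEAF, {NULL},
    "Validate type of incoming data elements" };

/* Internal nodes: OR = any one child suffices, AND = every child is needed. */
static const struct node CORRUPT = {
    "Corrupt player memory via malformed file", OR, { &BADLEN, &BADTYPE, NULL }, NULL };
static const struct node ROOT = {
    "Launch malicious code through video file", AND, { &OPEN, &CORRUPT, NULL }, NULL };

/* Is mitigation m (may be NULL) in the NULL-terminated list of applied ones? */
static int applied(const char *m, const char *const *mitigations) {
    for (; *mitigations; mitigations++)
        if (m && strcmp(m, *mitigations) == 0) return 1;
    return 0;
}

/* Is the goal at n still reachable once the listed mitigations are in place? */
int achievable(const struct node *n, const char *const *mitigations) {
    if (n->kind == LEAF)
        return !applied(n->mitigation, mitigations);
    for (int i = 0; n->kids[i]; i++) {
        int child = achievable(n->kids[i], mitigations);
        if (n->kind == AND && !child) return 0;   /* one blocked step kills the AND */
        if (n->kind == OR && child) return 1;     /* one open path keeps the OR alive */
    }
    return n->kind == AND;  /* AND: all children open; OR: none open */
}

/* Count leaves that no applied mitigation blocks (remaining attack surface). */
int open_leaves(const struct node *n, const char *const *mitigations) {
    if (n->kind == LEAF) return !applied(n->mitigation, mitigations);
    int total = 0;
    for (int i = 0; n->kids[i]; i++) total += open_leaves(n->kids[i], mitigations);
    return total;
}

static void print_tree(const struct node *n, int depth, const char *const *mitigations) {
    printf("%*s%s %s\n", depth * 2, "",
           achievable(n, mitigations) ? "[open]" : "[blocked]", n->name);
    for (int i = 0; n->kids[i]; i++) print_tree(n->kids[i], depth + 1, mitigations);
}

int main(void) {
    const char *const none[] = { NULL };
    const char *const length_only[] = { "Validate length of incoming data elements", NULL };
    const char *const both[] = { "Validate length of incoming data elements",
                                 "Validate type of incoming data elements", NULL };
    printf("-- no mitigations\n");         print_tree(&ROOT, 0, none);
    printf("-- length validation only\n"); print_tree(&ROOT, 0, length_only);
    printf("-- both mitigations\n");       print_tree(&ROOT, 0, both);
    return 0;
}
```

Running it shows the point slide 22 makes about there being several mitigations: validating lengths alone leaves the root goal open through the type-confusion branch of the OR node, and only when both leaves under "corrupt player memory" are blocked does the AND at the root fail. The precondition leaf stays open in every run, which is exactly what the tree tells you: it is not a node the player's developers can mitigate.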

21 Finally…

22 Create a textual description to accompany the diagram
- A document elaborating the diagram
- Threat descriptions can be fetched from the SHIELDS SVRS
- Gives an understanding of the possible attacker motivation
- There can be several different mitigations
- Input to risk analysis and security activity planning

23 Threat: Launch malicious code through video file
Mitigations:
- Validate length of incoming data elements
- Validate type of incoming data elements
Security goal: Input validation
Typical vulnerabilities: Integer overflow
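To make this slide's threat and its two mitigations concrete, here is an added C example (not code from the slides or from xine): a minimal demuxer-style chunk parser whose length check does its addition in 32 bits and therefore wraps, next to a hardened version that applies both listed mitigations. The chunk layout (4-byte tag, 4-byte little-endian length, payload), the tag whitelist and the 16 MiB payload limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Chunk layout (constructed for this example): 4-byte ASCII tag,
 * 4-byte little-endian payload length, then the payload. */
#define HDR_LEN 8u
#define MAX_PAYLOAD (16u * 1024u * 1024u)   /* assumed format limit */

struct chunk {
    char     tag[5];      /* NUL-terminated copy of the 4-byte tag */
    uint32_t len;
    uint8_t *payload;     /* malloc'd copy of len bytes, freed by the caller */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE bounds check, isolated so it can be called without doing the
 * copy: the sum is evaluated in 32 bits, so len = 0xFFFFFFFC gives
 * needed == 4 and the check passes for any buffer of at least 4 bytes.
 * In a real demuxer the same wrapped value would size a tiny allocation
 * and the following copy of len bytes would overrun it. */
int unsafe_length_ok(uint32_t len, size_t avail) {
    uint32_t needed = len + HDR_LEN;          /* wraps */
    return needed <= avail;
}

/* Hardened check (mitigation "validate length"): an explicit upper bound on
 * len makes any later arithmetic overflow-free, and the comparison is made
 * against the bytes actually remaining after the header, so a truncated
 * file is rejected too. */
int safe_length_ok(uint32_t len, size_t avail) {
    if (avail < HDR_LEN) return 0;
    if (len > MAX_PAYLOAD) return 0;
    return (size_t)len <= avail - HDR_LEN;
}

/* Mitigation "validate type": only chunk tags the player knows how to handle. */
static const char *const KNOWN_TAGS[] = { "VIDS", "AUDS", "IDX1", NULL };

int tag_ok(const uint8_t *tag) {
    for (int i = 0; KNOWN_TAGS[i]; i++)
        if (memcmp(tag, KNOWN_TAGS[i], 4) == 0) return 1;
    return 0;
}

/* Parse one chunk from buf[0..avail). Returns 0 on success, -1 if the
 * chunk fails type or length validation. */
int parse_chunk(const uint8_t *buf, size_t avail, struct chunk *out) {
    if (avail < HDR_LEN || !tag_ok(buf)) return -1;
    uint32_t len = rd_le32(buf + 4);
    if (!safe_length_ok(len, avail)) return -1;
    out->payload = malloc(len ? len : 1);
    if (!out->payload) return -1;
    memcpy(out->tag, buf, 4);
    out->tag[4] = '\0';
    out->len = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    return 0;
}

int main(void) {
    /* Constructed inputs: a benign 4-byte VIDS chunk, and one whose length
     * field is 0xFFFFFFFC so that len + HDR_LEN wraps to 4 in 32 bits. */
    const uint8_t good[] = { 'V','I','D','S', 4,0,0,0, 0xDE,0xAD,0xBE,0xEF };
    const uint8_t evil[] = { 'V','I','D','S', 0xFC,0xFF,0xFF,0xFF, 0,0,0,0 };
    struct chunk c;

    printf("unsafe check accepts evil length: %d\n",
           unsafe_length_ok(rd_le32(evil + 4), sizeof evil));
    printf("safe parse of evil chunk: %d\n", parse_chunk(evil, sizeof evil, &c));
    if (parse_chunk(good, sizeof good, &c) == 0) {
        printf("good chunk: tag=%s len=%u\n", c.tag, c.len);
        free(c.payload);
    }
    return 0;
}
```

The two checks differ in one line of arithmetic, which is why this class of bug survives code review: the vulnerable version looks like a bounds check. The practical rule the slide's "validate length" mitigation encodes is to compare a field against an absolute limit before it takes part in any addition or multiplication, and to compare it against what remains of the input rather than against the whole input.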

24 Observations
- Security modelling is usually done with general-purpose drawing tools [1] … or on blackboards
- Little reuse of models (knowledge) between projects and organisations [2]
- Lots of variation in notation

1. S. Ardi, D. Byers, P. H. Meland, I. A. Tøndel, and N. Shahmehri, "How can the developer benefit from security modeling?", International Conference on Availability, Reliability and Security (ARES), pp. 1017-1025, 2007.
2. Meland, Tøndel, Jensen, "Reusability of threat models - an experimental evaluation", International Symposium on Engineering Secure Software and Systems (ESSoS'10), Pisa, 2010.

25 General-purpose drawing tool (GPDT) vs dedicated tool support?
Egil Trygve Baadshaug, Gencer Erdogan, Per Håkon Meland, "Security Modeling and Tool Support Advantages", International Conference on Availability, Reliability and Security (ARES), pp. 537-542, 2010

                  Dedicated security modelling tool   GPDT
Experience        ~20 min                             >4 years
Notation          Strict                              Freedom (pre-made palette)
Setup             Pre-installed                       Pre-installed

Setup of the experiment: 10 students, 2 rounds with each tool, 2 models
Indications: 60% less time required, more correct models, 90% preferred the dedicated tool; freedom can be bad

26 Case study: eTourism

27 Approach
Phase 1: Tutorial
Phase 2: Parallel modelling
  1. Application description
  2. Threat model created by experts
  3. Threat model created by developers
Phase 3: Serial modelling
  4. Model consolidated by experts
  5. Threat model updated by developers
  6. Threat model endorsed by experts

28 Pre-visit, plan:
- Hotels
- Route
- Experiences
- Virtually explore
Post-visit, share:
- Pictures/videos
- Route
- Recommendations
- Blog
Bad stuff?

29 Case study: WaLDo

30 Warehouse information system
- Dock loading
- RFID tracking
- Picking lists
- Advanced shipping notifications
Bad stuff?

31 (diagram only)

32 Case study: eNewsPaper

33 Electronic newspaper
- Aimed at the Paris metro
- Shared from distribution points
- User relays
Bad stuff?

34 (diagram only)

35 Feedback and lessons learned
- New threats and mitigations were identified in all case studies
- Misuse cases and attack trees: easy to learn, easy to use
- Diversity among the participants is important while doing threat modelling
- Keep the size of the models down
- Need more models from other application areas

36 Share models through the SVRS!
- Now contains >200 free security models, among them 18 misuse case models and 29 attack trees
- Use the free tools, or integrate your own
- Add your own, get feedback (and possibly revenue)
http://www.shields-project.eu
