Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT.

Published byNorman Barrett Modified over 9 years ago

Similar presentations

Presentation on theme: "AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT."— Presentation transcript:

1 AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT

2 Software Design Group, Computer Science and Artificial Intelligence Laboratory (CSAIL) Leader: Prof. Daniel Jackson Research interests: Architecture, modeling, requirements, security, safety, program analysis, verification, testing Systems: Electronic voting, radiation therapy system, network protocols, biometric access control, web application, smart grids… Introduction

3 “What could possibly go wrong with my system?” Three components – Policy: What customers care about – System model: Not just the software! – Environment model: Both good & bad agents What are possible ways in which the system, operating under the specified environment, may fail to satisfy its security policy? What is Threat Modeling?

4 “All models are wrong, but some models are useful.” (George Box) Identify & prioritize risks early in development Explore security implications of design decisions Build mitigations into the design BUT not intended for: – Finding implementation bugs (e.g., SQL injection) – Proving that your system is 100% secure Why Threat Model?

5 Threat Modeling Today

6 Whiteboards & diagramming tools SDL Threat Modeling Tool (Microsoft) Elevation of Privilege (Adam Shostack) TRIKE (Saitta, Larcom, Eddington) ThreatModeler (myappscurity.com) Threat Modeling Today

7 Diversity of threats – Multiple types of attacks, chained together Initial unknowns about system & threats – Design decisions impact knowledge Throw away once used Expressing & checking policy What Makes Threat Modeling Hard?

8 Interactive & incremental modeling – Start small, evolve model & re-analyze Reusable models – Capture & reuse domain knowledge – Extensible attack library Automated analysis – Find subtle, corner cases with exhaustive analysis Visualization – Generate & step through sample attack scenarios Threat Modeling With Poirot

9 Demo Poirot

10 Dataflow for basic representation Attack trees (Bruce Schneier) – Chaining together attacker’s actions CVE, CWE, CAPEC, and other databases Information flow labels (Dorothy Denning) – Specifying security policies Techniques from program verification – Exhaustive checking of properties Ideas We’re Borrowing From

11 How Poirot Work

12 Access control through API operations – Constraints on parameters Partiality – Start with underspecified design & strengthen Knowledge reuse through instantiation Automation – Attack generation as constraint solving Poirot: Key Ideas

13 Cannot check implementation for security vulnerabilities Cannot tell you about attacks outside the attack library Cannot tell you whether your system model is accurate What Poirot Can’t Do

14 How can Poirot be useful to you? Looking beyond the Web – Poirot is generic, and can be populated with knowledge from other domains – Medical devices – Internet of Things What’s Next?

15 Try Poirot at: sdg.csail.mit.edu/poirot Questions? eskang@mit.edu

Download ppt "AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT."

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
CPSC 322, Lecture 19Slide 1 Propositional Logic Intro, Syntax Computer Science cpsc322, Lecture 19 (Textbook Chpt 5.0-5.1) February, 23, 2009.

CPSC 322, Lecture 19Slide 1 Propositional Logic Intro, Syntax Computer Science cpsc322, Lecture 19 (Textbook Chpt ) February, 23, 2009.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Software Engineering COMP 201

Software Engineering COMP 201
Software Testing and Quality Assurance

Software Testing and Quality Assurance
INTRODUCTION COMPUTATIONAL MODELS. 2 What is Computer Science Sciences deal with building and studying models of real world objects /systems. What is.

INTRODUCTION COMPUTATIONAL MODELS. 2 What is Computer Science Sciences deal with building and studying models of real world objects /systems. What is.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Software Quality Engineering Roadmap

Software Quality Engineering Roadmap
1 SYS366 Week 1 - Lecture 2 How Businesses Work. 2 Today How Businesses Work What is a System Types of Systems The Role of the Systems Analyst The Programmer/Analyst.

1 SYS366 Week 1 - Lecture 2 How Businesses Work. 2 Today How Businesses Work What is a System Types of Systems The Role of the Systems Analyst The Programmer/Analyst.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
IS550: Software requirements engineering Dr. Azeddine Chikh 4. Validation and management.

IS550: Software requirements engineering Dr. Azeddine Chikh 4. Validation and management.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
End-to-End Design of Embedded Real-Time Systems Kang G. Shin Real-Time Computing Laboratory EECS Department The University of Michigan Ann Arbor, MI 48019-2122.

End-to-End Design of Embedded Real-Time Systems Kang G. Shin Real-Time Computing Laboratory EECS Department The University of Michigan Ann Arbor, MI
SE 555 Software Requirements & Specification 1 SE 555 Software Requirements & Specification Prototyping.

SE 555 Software Requirements & Specification 1 SE 555 Software Requirements & Specification Prototyping.

Similar presentations

Ads by Google