Threat Modeling

Laurie Williams �laurie_williams@ncsu.edu

​

​

​

​

1

OWASP Threat Dragon Apache 2.0

Announcements

• Hope to get the grading done ASAP
• The TAs has spring break too … but we’re all back now
• Workshops 6, 7, 8; Midterm; Project 2
• Project 2 Peer Eval due Wednesday (3/19) @ 10AM
• Was incorrect in Gradescope
• Project 3 released, due Wednesday, April 2
• Was incorrect on class schedule

Where we are in this class

• Just scratching the surface, but …

• Implementation bugs
• Design flaws
• OWASP Top 10
• CWE Top 25

• ATT&CK
• CAPEC

​

• Attack trees
• Threat modeling
• Abuse/misuse cases
• Security Requirements

What is a threat? A threat model?

• Threat = potential event that will have an unwelcome consequence

​

• Threat model = model you employ to think about … then address or mitigate potential threats� …. thinking like an attacker, or an “innocent user” who makes a (security) mistake

​

The simplest threat model: Four Questions�

© Getty Image

1. What are we working on? (”greenfield” �project or enhancement)
2. What can go wrong? (Who wants to cause �harm? What security mistakes can be made?)
3. What are we going to do about it? �(functionality to prevent “what can go �wrong”)
4. Did we do a good job? (testing the �functionality)

Discuss with your neighborStory

As a physician, I want to edit my patient records so that I can manage their care as can other health care providers.

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good job?

More systematic software security threat modeling

• Set of techniques aimed at identifying threats to a system based upon how it is architected and how it supposed to behave
• Process of decomposing a system architecture:
• Key structural elements
• Assets
• Attack surface
• Data and control flow
• Security mechanisms
• Trust boundaries

Who

• Building a threat model
• Program Manager (PM) owns overall process
• Testers
• Identify threats in analyze phase
• Use threat models to drive test plans
• Developers create diagrams
• Business analysts
• Customers for threat models
• Your team
• Other features, product teams
• Customers, via user education
• “External” quality assurance resources, such as pen testers
• You’ll need to decide what fits to �your organization

Why

• Produce software that’s secure by design
• Improve designs the same way we’ve improved code
• Because attackers think differently
• Creator blindness/new perspective
• Allow you to predictably and effectively�find security problems early in the process
• Understand your security requirements

How?

The Process

Diagram

• Sketch high level view of system
• Most commonly a Data Flow Diagram (DFD)
• Sketching DFD 🡺 Understand the system
• Analyzing DFD 🡺 Understand the threats

Data Flow Diagram (DFD): Symbols

External Entity / Interactor

Process

Data store

Data flow

Trust boundary

DFD Elements: Examples

Data Flow Diagram – Detailed

https://www.owasp.org/index.php/Application_Threat_Modeling

Diagrams Should Not Resemble

• Flow charts
• Class diagrams
• Call graphs

The Process: Identify Threats

Identify Threats

• Use a systematic approach to identify the application exposure to threats

​

• Attack libraries (ATT&CK, CAPEC), common vulnerabilities (implementation bugs & design flaws)
• Attack trees
• Analyze DFD via (Microsoft’s) STRIDE
• Elevation of Privilege game (to come)
• Abuse and misuse cases (to come)
• Unstructured Brainstorm

​

• Outcome: List of threats relevant to the application environment, the hosts, �and the application tiers

(Microsoft) STRIDE

Threat: Spoofing

Threat: Tampering

Threat: Repudiation

Threat: Information Disclosure

Threat: Denial of Service

Threat: Elevation of Privilege

Different Threats Affect Each Element Type�

Process

S T R I D E





























ELEMENT

?

Data Flow

External Entity

What STRIDE Threats Exist?

https://www.owasp.org/index.php/Application_Threat_Modeling

STRIDE: Review

The Process: Address Threats

Addressing Threats is the Point of Threat Modeling

• Protect customers
• Design secure software
• Why bother if you:
• Create a great model
• Identify lots of threats
• Stop
• So, find problems and fix them

Address Threats: META

For each threat,

• Mitigate

What have similar software packages done and how has that worked out for them?

• Eliminate

Redesign

• Transfer

Another part of the system or entity

• Accept

​

• “wait and see”

STRIDE: Standard Mitigations

STRIDE: Standard Mitigations

STRIDE: Standard Mitigations

STRIDE: Standard Mitigations

STRIDE: Standard Mitigations

STRIDE: Standard Mitigations

The Process: Validate

Validate DFDs

1. Can we tell a story without changing the diagram?
2. Can we tell that story without using words such as “sometimes” or “also”?
3. Can we look at the diagram and see exactly where the software will make a security decision?
4. Does the diagram show all the trust boundaries, such as where different accounts interact? Do you cover all user roles, all application roles, and all network interfaces?
5. Does the diagram reflect the current or planned reality of the software?
6. Can we see where all the data goes and who uses it?
7. Do we see the processes that move data from one data store to another?

Validate Threats

1. Have we looked for each of the STRIDE threats?
2. Have we looked at each element of the diagram?
3. Have we looked at each data flow in the diagram?
4. For each threat: Does it:
• Describe the attack
• Describe the context
• Describe the impact

​

Validate “Addressing Threats”

• Is there a proposed/planned/implemented way to address each threat?
• Is the mitigation correctly implemented?
• Test cases?
• Software passed tests?

​

Validate Information Captured

• Dependencies
• What other code are you using?
• What security functions are in that other code?
• Are you sure?
• Assumptions
• Things you note as you build the threat model
• “HTTP.sys will protect us against SQL Injection”
• “LPC will protect us from malformed messages”
• GenRandom will give us crypto-strong randomness

​

​

​

OWASP Threat Dragon

Granularity

Way too big in terms of granularity for a web application as big as OpenEMR. Break up into major modules of functionality.

OWASP Threat Dragon

• Introductory video
• Exercise ….

​

The simplest threat model: Four Questions�

© Getty Image

• What are we working on? (”greenfield” �project or enhancement)
• What can go wrong? (Who wants to cause �harm? What security mistakes can be made?)
• What are we going to do about it? �(functionality to prevent “what can go �wrong”)
• Did we do a good job? (testing the �functionality)

Summary

• Threat models helps you find and proactively mitigate security design flaws before the system is built
• Threat models help you understand your application better and find bugs.
• Threat models help new team members (and other teams) understand the application in detail.
• Threat models can be used by testers to plan test cases.
• Treat model bugs are entered into the defect tracking system.

47