PPT Threat Modeling in Web Application

Threat Modeling in Web Applications
Soumya Ranjan Satapathy, 212cs2368 (for partial fulfillment of M.Tech Degree)
Under the guidance of Prof. D.P. Mohapatra
Department of Computer Science, NIT Rourkela
May 28, 2014
55 slides

Description

Threat modeling in the design phase of the SDLC is done for all web application development. This is a software-centric approach to threat modeling.

Transcript of PPT Threat Modeling in Web Application

  • 5/24/2018 PPT Threat Modeling in Web Application

    1/55 Title slide: Threat Modeling in Web Applications (author, supervisor, department and date as in the title block above)
  • 2/55 Outline

    1 Introduction
    2 Theoretical Background: Threat Modeling; Approaches of Threat modeling
    3 Problem Definition
    4 Literature Review: Process of Threat modeling; Misuse case diagram; Attack tree; Hybrid Approach to Threat modeling
    5 Proposed Technique & Implementation: Threat modeling in industrial web applications; Proposed Hybrid Approach
    6 Conclusion & Future Scope: Conclusion; Future Scope
    7 Related References
  • 3/55 Introduction

    In today's online environment a web application is not safe by default; it is expected to be assessed in all possible ways for its vulnerabilities.

    From the business point of view, security objectives in areas such as identity management, financial risk, corporate reputation and business continuity need to be addressed properly by modern assessment methods.

    Reliance on network security provided by general solutions such as firewalls is not enough to overcome logic errors, architectural flaws and other system design problems.
  • 4/55 Introduction

    Failure to produce secure code at the design and development stage eventually leads to exploitation of the resulting vulnerabilities by an attacker.

    Hence a systematic procedure is needed that can provide application-specific security right from the design phase.

    Threat modeling as a concept promises to raise security to a higher level of abstraction.
  • 5/55 Threat Modeling

    Security objective: maintain Confidentiality, Integrity and Availability of a web application.

    Threat modeling is a process that helps us identify, analyze, document and possibly rate system vulnerabilities at the design phase.

    In the next step, it allows system designers to prioritize and implement countermeasures to security threats in a logical order based on risk.
  • 6/55 Threat Modeling

    The significant advantages of threat modeling are:

    The threat modeling outcome is the basis for design decisions and documents. It is used in the implementation phase, and the programmer is required to read the document before writing code.
    Threat modeling is useful for managing all risks efficiently.
    The security budget can be utilized optimally with the help of threat modeling.
    Flaws can be found earlier than in technical testing.
    Targeted penetration testing can be performed.
  • 7/55 Threat Modeling

    3 major approaches for threat modeling:

    Attacker-centric: focuses on identifying all possible access points to the system and the possible adversary aims, from the attacker's point of view.

    Asset-centric: starts from identifying the critical assets entrusted to a system, such as a collection of sensitive personal information in a database, then assesses the risks associated with them and ranks those risks.

    Software-centric: focuses on capturing system design and deployment flaws which can translate into vulnerabilities.
  • 8/55 Problem Definition

    To develop a threat model for industrial web applications.

    To propose a modification of the existing hybrid threat modeling approach, which uses a data flow diagram for threat identification and is able to produce a threat report.
  • 9/55 Process of Threat modeling

    Though several approaches to threat modeling exist, the most widely accepted one is the process proposed by Microsoft.

    This process follows the software-centric approach of threat modeling.

    The detailed process of threat modeling is depicted in the next Figure.
  • 10/55 Process of Threat modeling

    Figure: [1] Threat modeling process by Microsoft
  • 11/55 STRIDE methodology

    Table: [1] STRIDE security concepts

    Property        | Description                                                | Threat                  | Definition
    Authentication  | The identity of the user is established                    | Spoofing                | Impersonating something or someone else
    Integrity       | Data and system resources are only changed by intended people | Tampering            | Modifying data or code
    Non-repudiation | A user can't perform an action and later deny it           | Repudiation             | Claiming to have not performed an action
    Confidentiality | Data is available only to intended persons                 | Information Disclosure  | Exposing information to an unauthorized person
    Availability    | The system is ready when needed and performs fine          | Denial of Service       | Denying or degrading services to users
    Authorization   | Users are explicitly allowed or denied access to resources | Elevation of Privileges | Gaining capabilities without proper authorization
  • 12/55 STRIDE methodology

    Microsoft proposed the STRIDE model, which can be applied to the design-level data flow diagram (DFD) to find all possible types of attacks on its elements. Relationship between STRIDE threats and DFD element types (column positions restored from Microsoft's STRIDE-per-element mapping; the Y counts per row are the table's own):

    Table: [2] STRIDE on DFD

    Element type        | S | T | R | I | D | E
    External Interactor | Y |   | Y |   |   |
    Process             | Y | Y | Y | Y | Y | Y
    Data storage        |   | Y | Y | Y | Y |
    Data flow           |   | Y |   | Y | Y |
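As an added example, not code from the presentation or from the Microsoft SDL tool, the STRIDE-per-element table above turned into a small threat-report generator in Python. The DFD elements are constructed for the example, and the assignment of the table's Y marks to columns (external interactor: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D) follows Microsoft's published STRIDE-per-element mapping, since the scraped table lost its column positions. The output is the skeleton of a threat report: one row per element and applicable threat category that the review must either fill with a concrete threat (as Tables [3] to [6] below do) or mark NA with a reason.

```python
"""STRIDE-per-element threat enumeration over a design-level DFD.

Added example: the DFD elements below are constructed, and the
element-to-threat mapping is Microsoft's STRIDE-per-element table
(the same Y marks as Table [2], with columns taken from the
published mapping).
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE letters apply to each DFD element type (Table [2]).
APPLICABLE = {
    "external_interactor": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys


def threats_for(kind: str) -> list[str]:
    """Return the full STRIDE threat names that apply to one element type."""
    if kind not in APPLICABLE:
        raise ValueError(f"unknown DFD element type: {kind!r}")
    return [STRIDE[letter] for letter in APPLICABLE[kind]]


def threat_report(elements: list[Element]) -> dict[str, list[str]]:
    """Map every element name to the threat categories a reviewer must consider.

    Each (element, category) pair is one cell of the threat report the design
    review has to fill in, either with a concrete threat or with 'NA' plus a
    reason. Nothing is silently skipped, which is the point of the method.
    """
    return {e.name: threats_for(e.kind) for e in elements}


def threat_count(elements: list[Element]) -> int:
    """Total number of (element, threat category) cells the review must cover."""
    return sum(len(t) for t in threat_report(elements).values())


# Constructed level-1 DFD fragment loosely modelled on an admin module:
# a user talks to a process that reads and writes a database over two flows.
EXAMPLE_DFD = [
    Element("SCM user", "external_interactor"),
    Element("Admin module", "process"),
    Element("Forecast DB", "data_store"),
    Element("user -> admin module", "data_flow"),
    Element("admin module -> DB", "data_flow"),
]

if __name__ == "__main__":
    for name, threats in threat_report(EXAMPLE_DFD).items():
        print(f"{name}: {', '.join(threats)}")
    print("cells to review:", threat_count(EXAMPLE_DFD))
```

The check that matters for a reviewer is the count: five elements produce 18 cells, and a finished report for this fragment must account for all 18, which is how the NA entries in the case-study tables arise.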
  • 13/55 DREAD methodology

    DREAD is a word made from the initials of 5 different words:

    Damage potential: how much damage to the system can occur once the vulnerability has been exploited.
    Reproducibility: how easy it is to execute the attack and to repeat it.
    Exploitability: how easy it is to launch the attack and how much expertise an attacker needs to launch it.
    Affected users: how many end users are affected by the exploitation.
    Discoverability: how easy it is to find the vulnerability or to attack the system.
  • 14/55 DREAD Methodology

    The basic equation for decision making is: Risk score = Probability of occurrence * Business impact

    Damage potential and Affected users contribute towards the business impact, while the other three (Discoverability, Exploitability and Reproducibility) contribute to the probability of occurrence. Rewriting the formula:
    Risk Score = (Discoverability + Exploitability + Reproducibility) * (Damage potential + Affected users)

    On a scale of 10, 10 is assigned to a high value, 5 to medium and 0 to low.
  • 15/55 DREAD Methodology

    On a scale of 10:
    Maximum risk score = (10+10+10)*(10+10) = 600
    Minimum risk score = 0
    Medium risk score = (5+5+5)*(5+5) = 150

    So a threat with a risk score in the range 0 to 100 can be taken as a low-risk threat, 100 to 300 as a medium-risk threat and 300 to 600 as a high-risk threat.

    Following the risk evaluation, different remediations against the identified threats are suggested.
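The scoring on slides 14 and 15 carried through in Python, as an added example that is not part of the presentation: each DREAD factor takes the slide's ordinal value (high 10, medium 5, low 0), the score is the product of the probability sum and the impact sum, and the score is banded into low/medium/high. The slide's bands share their endpoints (0 to 100, 100 to 300, 300 to 600), so the band function assumes the lower bound is inclusive; the threat names and ratings are constructed, chosen from threats the case-study tables below mention.

```python
"""DREAD risk scoring: (D + E + R) * (Damage potential + Affected users).

Added example, not from the presentation. Ratings below are constructed.
"""
from dataclasses import dataclass

# Ordinal values from slide 14: high = 10, medium = 5, low = 0.
LEVEL = {"low": 0, "medium": 5, "high": 10}
FACTORS = ("damage_potential", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    threat: str
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the three ordinal values the method defines.
        for name in FACTORS:
            if getattr(self, name) not in LEVEL.values():
                raise ValueError(f"{name} must be one of {sorted(LEVEL.values())}")


def probability(r: DreadRating) -> int:
    """Probability-of-occurrence factor: Discoverability + Exploitability + Reproducibility (0..30)."""
    return r.discoverability + r.exploitability + r.reproducibility


def business_impact(r: DreadRating) -> int:
    """Business-impact factor: Damage potential + Affected users (0..20)."""
    return r.damage_potential + r.affected_users


def risk_score(r: DreadRating) -> int:
    """Risk score = probability * impact, in the range 0..600."""
    return probability(r) * business_impact(r)


def risk_band(score: int) -> str:
    """Band a score as on slide 15. Assumption: lower bounds are inclusive,
    so exactly 100 is medium and exactly 300 is high."""
    if score < 100:
        return "low"
    if score < 300:
        return "medium"
    return "high"


def prioritize(ratings: list[DreadRating]) -> list[tuple[str, int, str]]:
    """Order threats for mitigation, highest score first."""
    rows = [(r.threat, risk_score(r), risk_band(risk_score(r))) for r in ratings]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed ratings (threat, Damage, Reproducibility, Exploitability,
# Affected users, Discoverability) for threats named in the admin-module table.
EXAMPLE_RATINGS = [
    DreadRating("SQL injection in log query", 10, 10, 5, 10, 5),
    DreadRating("Session hijacking", 10, 5, 5, 5, 5),
    DreadRating("ARP poisoning on internal segment", 5, 0, 0, 5, 0),
]

if __name__ == "__main__":
    for threat, score, band in prioritize(EXAMPLE_RATINGS):
        print(f"{score:4d} {band:6s} {threat}")
```

Note the last rating: with Reproducibility, Exploitability and Discoverability all low, the probability sum is 0 and the score is 0 regardless of damage, which is the method's way of saying a threat nobody can find or trigger is not worth budget yet; re-rate it if the deployment changes.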
  • 16/55 Misuse case diagram

    This is another approach to threat modeling which depicts legitimate and illegitimate functional behavior in one diagram.

    Definition: A misuse case, also termed an abuse case, can be defined as an evolution of the use case diagram which describes behavior that the system or an external entity does not want to occur.

    The misuse case diagram, used to show the malicious activities, is drawn on the use case diagram but in an inverted manner (shown in black).

    One or more mis-actors are identified for each actor in the use case diagram.
  • 17/55 Misuse case diagram

    The following diagram shows an example misuse case diagram of a simple order processing system.

    Figure: [2] Misuse case example of a simple order processing system
  • 18/55 Attack tree

    An attack tree is a convenient way to systematically categorize the different ways in which a system can be attacked. It is a tree in which the nodes represent attacks.

    The root node of the tree is the global goal of an attacker. Children of a node are refinements of this goal, and leaves therefore represent attacks that can no longer be refined. A refinement can be conjunctive (aggregation) or disjunctive (choice).
  • 19/55 Attack tree

    The following Figure shows an example attack tree representation of the process of logging in to UNIX.

    Figure: [3] Logging in to UNIX attack tree representation
  • 20/55 Hybrid Approach to Threat modeling

    The hybrid approach comprises all three approaches of threat modeling: asset-centric, software-centric and attacker-centric. In the hybrid approach proposed by Asoke K. Talukder et al., the following steps are followed for threat modeling:

    1 Identification of Assets and prioritization
    2 Functional Requirements
    3 Security Requirements
    4 Threat and Attack Tree
    5 Rating of Risks
    6 Decision on In-vivo Versus In-vitro
    7 Nonfunctional to Functional requirement
    8 Iterate
  • 21/55 Hybrid Approach to Threat modeling

    Asset identification and prioritization: Assets are the reason threats exist; an adversary's goal is to gain access to an asset. The security team needs to identify which assets need to be protected from an unauthorized user. All the assets are identified and prioritized according to their vulnerabilities from three security aspects: confidentiality, integrity and availability. The asset risk also has to be calculated from the customer, administrator and attacker views.

    Functional Behavior: In this phase, the functional requirements of the system are identified and modeled using a use case diagram.
  • 22/55 Hybrid Approach to Threat modeling

    Security requirements: For each actor in the use case diagram, one or more misuse actors are created. They are analyzed for all types of possible attacks by applying the STRIDE threats to each asset and each action. This gives a list of many possible threats, which is shown in the misuse case diagram.

    Threat and Attack Tree: Each threat in the misuse case diagram is taken as the root node of an attack tree, which represents the goal of the attacker. Attack trees are constructed for each and every threat mentioned in the misuse case diagram, and they represent the actual threat.
  • 23/55 Hybrid Approach to Threat modeling

    Rating of threats: In this phase, using the DREAD model, the threat is prioritized on a scale of 1 to 10. This is shown in the attack tree.

    Decision on in-vivo vs in-vitro: In this phase, the priority of the threats is used to get the order of threat mitigation and to find out which threats may be left as they are, by comparing with the prioritized assets listed in phase 1.

    Non-functional to functional requirements: In this phase, the threats which are listed at higher priority after comparison with the assets in the previous step are taken into the list of functional requirements (security is by default first taken as a non-functional requirement).
  • 24/55 Hybrid Approach to Threat modeling

    Iterate: Phases 1 to 7 above are iterated again to check for further refinements in the design before drawing a conclusion about the threats.

    A workbench for implementing the hybrid approach to threat modeling, named Suraksha, has been developed by G. Santhosh Babu et al. as an open source tool support.
  • 25/55 Threat modeling in industrial web applications

    For threat modeling on live industrial web applications, case studies of two industrial web applications have been taken: the Scientific Forecasting system and the TIPAR system (TCS Intellectual Property Asset Registry).

    Though threat modeling can be done without tool support, for systematic documentation the Microsoft SDL tool is used to simulate the threat modeling.

    This tool works on the STRIDE principle and follows the software-centric approach.

    In the first step, the business objectives of the system are defined and documented.

    In the next step, the security objective is defined.
  • 26/55 Threat modeling in Scientific forecasting system

    For the system, the security objectives are:

    Only the registered SCM user should be able to upload and view the forecasted results; no unauthorized user should be able to do the same. (satisfaction of Confidentiality property)

    No one other than the designated SCM person (the SCM planning manager here) should be able to modify the output of the system. (satisfaction of Integrity property)

    The system should provide uninterrupted service to the registered users. (satisfaction of Availability property)

    The identity of the user should be established (preferably by session parameters) before allowing access to the system. (satisfaction of Authentication property)
  • 27/55 Threat modeling in Scientific forecasting system

    No other SCM should be able to see the confidential business data or the output of other SCMs. (satisfaction of Authorization property)

    A proper log should be maintained by the system which can be referred to in future for any modifications of the report done by the SCM planning manager and for all transaction histories. (satisfaction of Accountability property)

    In the next step, the system overview diagram is depicted, which is the context DFD.
  • 28/55 Threat modeling in Scientific forecasting system

    Figure: [4] Context Diagram
  • 29/55 Threat modeling in Scientific forecasting system

    In the next step, the context diagram is decomposed into the following modules.

    Figure: [5] Level 1 DFD of scientific forecasting system
  • 30/55 Threat modeling in Scientific forecasting system

    Figure: [6] Admin Module
  • 31/55 Threat modeling in Scientific forecasting system

    Figure: [7] Data Input Module
  • 32/55 Threat modeling in Scientific forecasting system

    Figure: [8] Data Setup Module
  • 33/55 Threat modeling in Scientific forecasting system

    Figure: [9] Structural Analysis
  • 34/55 Threat modeling in Scientific forecasting system

    Figure: [10] Output unit
  • 35/55 Threat modeling in Scientific forecasting system

    Table: [3] Threats to Admin module

    Threat | External Entity | Data flow | Database | Process
    Spoofing | IP Spoofing; Session Hijacking; Offline password attacks; Man in the middle attack; XSS | NA | NA | DNS Spoofing; ARP poisoning; URL spoofing; Content spoofing; MITM
    Tampering | NA | Sniffing attack; Replay Attack; MITM | SQL injection | NA
    Repudiation | Repudiation Attack; Log Injection; Web parameter tampering by MITM | NA | Log file manipulation via SQL injection; Privilege to Admin of the Log files | NA
    Information Disclosure | NA | Side channel Analysis; Sniffing | SQL Injection | NA
    Denial of Service | NA | NA | Empty DB tried to be read or full DB tried to be written; Forced browsing; Resource consumption attacks | DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link)
    Elevation of Privileges | NA | NA | NA | XSS
  • 36/55 Threat modeling in Scientific forecasting system

    Table: [4] Threats to Data Input Module

    Threat | External Entity | Data flow | Database | Process
    Spoofing | IP Spoofing; Session Hijacking; Offline password attacks; Man in the middle attack; XSS | NA | NA | DNS Spoofing; ARP poisoning; URL spoofing; Content spoofing; MITM
    Tampering | NA | Sniffing attack; Replay Attack; MITM | NA (for temp DB); SQL injection for User schema | NA
    Repudiation | Repudiation Attack; Log Injection; Web parameter tampering by MITM | NA | Log file manipulation via SQL injection; Privilege to Admin of the Log files | NA
    Information Disclosure | NA | Side channel Analysis; Sniffing | SQL Injection | NA
    Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; Forced browsing; Resource consumption attacks; Huge data stays in DB until sent to temp DB, better chance of DOS | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link)
    Elevation of Privileges | NA | NA | NA | XSS
  • 5/24/2018 PPT Threat Modeling in Web Application

    37/55

    Literature ReviewProposed Technique & Implementation

    Conclusion & Future ScopeRelated References

    Proposed Hybrid Approach

    Threat modeling in Scientific forecasting system

Table: [5] Threats to Data Setup Module
(rows: STRIDE threat classes; columns: DFD element types External Entity, Data flow, Database, Process)

Spoofing
    External Entity: IP spoofing; session hijacking; offline password attacks; man-in-the-middle (MITM) attack; XSS
    Data flow: NA
    Database: NA
    Process: DNS spoofing; ARP poisoning; URL spoofing; content spoofing; MITM

Tampering
    External Entity: NA
    Data flow: sniffing attack; replay attack; MITM
    Database: NA for the temp DB and the staging DB; SQL injection against the user schema
    Process: NA

Repudiation
    External Entity: repudiation attack; log injection; web parameter tampering by MITM
    Data flow: NA
    Database: log file manipulation via SQL injection; privilege to admin of the log files; NA for the staging DB
    Process: NA

Information Disclosure
    External Entity: NA
    Data flow: side channel analysis; sniffing
    Database: SQL injection; NA for the staging DB
    Process: NA

Denial of Service
    External Entity: NA
    Data flow: NA
    Database: attempts to write to an already full DB or to read an empty user DB; forced browsing; resource consumption attacks; large data stays in the DB until it is sent to the temp DB, raising the chance of DoS; NA for the staging DB
    Process: DoS attack by spoofing a user; XSS, where a link redirects to another one, causing DoS for the actual link

Elevation of Privileges
    External Entity: NA
    Data flow: NA
    Database: NA
    Process: XSS


Table: [6] Threats to Structural Analysis Module
(rows: STRIDE threat classes; columns: DFD element types External Entity, Data flow, Database, Process)

Spoofing
    External Entity: NA for the system; IP spoofing; session hijacking; offline password attacks; man-in-the-middle (MITM) attack; XSS
    Data flow: NA
    Database: NA
    Process: DNS spoofing; ARP poisoning; URL spoofing; content spoofing; MITM

Tampering
    External Entity: NA
    Data flow: sniffing attack; replay attack; MITM
    Database: SQL injection against the user schema and the main DB
    Process: NA

Repudiation
    External Entity: NA for the system; repudiation attack; log injection; web parameter tampering by MITM
    Data flow: NA
    Database: log file manipulation via SQL injection; privilege to admin of the log files
    Process: NA

Information Disclosure
    External Entity: NA
    Data flow: side channel analysis; sniffing
    Database: SQL injection
    Process: NA

Denial of Service
    External Entity: NA
    Data flow: NA
    Database: attempts to write to an already full DB or to read an empty user DB; forced browsing; resource consumption attacks; large data stays in the DB until it is sent to the main DB, raising the chance of DoS
    Process: DoS attack by spoofing a user; XSS, where a link redirects to another one, causing DoS for the actual link

Elevation of Privileges
    External Entity: NA
    Data flow: NA
    Database: NA
    Process: XSS


No threats were identified for the output module. Once threat identification is complete, the threats are prioritized and appropriate countermeasures are chosen. For this system, the countermeasures can be as follows.

Remediation against spoofing can be:

- A standard authentication technique has to be implemented at every interface with an external entity.
- Credentials should be generated randomly and be unpredictable.
- Stored credentials have to be hashed with an appropriate per-credential salt (for passwords a slow, salted password hash, never reversible encryption, since the application only needs to verify them).
- Careful input validation using a whitelist.
- Use of Access Control Lists (ACLs).


- Session parameters should be protected in transit (encrypted); session IDs should be random, long and single-use, with session timeouts, an appropriate expiry time for cookies carrying the session ID, and invalidation of the session on logout.
- Use of CAPTCHA.
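As an added example (not code from the thesis or from the Suraksha tool), the following Python sketch implements the spoofing countermeasures just listed: a salted, slow password hash for stored credentials, a constant-time check, random single-use session IDs, a sliding idle timeout, session rotation and invalidation on logout. The in-memory dictionaries, the 15-minute timeout and the `register`/`login`/`session_user`/`rotate_session`/`logout` names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores for the example; the real system would use its
# user schema and a server-side session table (assumption, not the page's code).
_USERS = {}      # username -> {"salt": bytes, "hash": bytes}
_SESSIONS = {}   # session id -> {"user": str, "expires": float}

SESSION_TTL = 15 * 60        # idle timeout in seconds (assumed value)
SESSION_ID_BYTES = 32        # 256 bits of randomness per session id


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash (scrypt from the standard library). Only this
    # digest is stored; the password itself is never encrypted reversibly.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)                       # fresh random salt per credential
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Authenticate and, on success, issue a fresh random session id."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # random, long, unguessable
    _SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid


def session_user(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to a session id, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _SESSIONS.get(sid)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _SESSIONS[sid]                 # expired sessions are dropped server-side
        return None
    entry["expires"] = now + SESSION_TTL   # sliding idle timeout
    return entry["user"]


def rotate_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Replace a session id with a new one (e.g. after a privilege change), so an
    id captured earlier by session hijacking cannot be reused."""
    now = time.time() if now is None else now
    user = session_user(sid, now)
    if user is None:
        return None
    del _SESSIONS[sid]
    new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
    _SESSIONS[new_sid] = {"user": user, "expires": now + SESSION_TTL}
    return new_sid


def logout(sid: str) -> None:
    _SESSIONS.pop(sid, None)               # invalidate the session on logout
```

The `now` parameter exists only so the timeout logic can be exercised deterministically; in production it is left at its default. The cookie carrying the session id should additionally be marked Secure and HttpOnly, which the sketch does not show.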


Remediation against tampering can be:

- Cryptographic integrity control has to be applied to data on the network.
- An anti-replay technique and a strong integrity technique have to be followed.
- To prevent man-in-the-middle attacks, the end points should authenticate each other before the session starts.
- A standard protocol such as TLS (the successor of SSL) has to be adopted for strong message integrity.
- ACLs should be maintained and careful input validation has to be done.
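Added example, not code from the thesis: a minimal message-integrity and anti-replay layer for one data flow, in Python. Each message carries a nonce, a timestamp and an HMAC-SHA256 tag under a shared key; the receiver rejects tags that do not verify, messages outside a freshness window and nonces it has already seen. The shared key, the 30-second window and the `seal`/`Receiver` names are assumptions; in the real system this sits on top of TLS rather than replacing it.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MAX_SKEW = 30.0   # seconds a message timestamp may differ from the receiver's clock (assumed)


def _canonical(unsigned: dict) -> bytes:
    # Deterministic serialisation so sender and receiver MAC identical bytes.
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, payload: dict, now: Optional[float] = None) -> dict:
    """Attach nonce, timestamp and HMAC-SHA256 tag to an application message."""
    body = {
        "payload": payload,
        "nonce": secrets.token_hex(16),             # 128-bit random, one per message
        "ts": time.time() if now is None else now,
    }
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}   # nonce -> timestamp, pruned once older than the window

    def verify(self, msg: dict, now: Optional[float] = None) -> Optional[dict]:
        """Return the payload if tag, freshness and nonce all check out, else None."""
        now = time.time() if now is None else now
        tag = msg.get("tag")
        if not isinstance(tag, str):
            return None
        unsigned = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):     # integrity check, constant time
            return None
        ts = unsigned.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
            return None                                 # stale, or from the future
        # Prune nonces older than the window so the replay cache stays bounded;
        # anything older is already rejected by the freshness check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        nonce = unsigned.get("nonce")
        if nonce in self.seen:
            return None                                 # replay of a message we accepted
        self.seen[nonce] = ts
        return unsigned["payload"]
```

The tag is checked before the timestamp and nonce so that an attacker without the key cannot probe the replay cache; the constant-time comparison keeps the tag check itself from leaking how many leading bytes of a forged tag were right.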


Remediation against repudiation can be:

- User activity should be logged.
- A standard digital signature scheme should be introduced.
- An anti-replay technique and a strong integrity technique have to be followed.
- Sufficient space should be reserved for the activity log so that it does not run out of space.
- Maintenance of ACLs.

Remediation against information disclosure can be:


- Data in the database, as well as data flowing across the system, should be considered for encryption.
- Cryptographic operations and comparisons of secrets should run in constant time, so that timing differences do not leak information about keys or plaintext and enable side-channel attacks.
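Added example serving both the repudiation and the information-disclosure points above (not code from the thesis): a tamper-evident activity log in Python. Each entry is sanitised against log injection, chained to the previous entry and sealed with an HMAC; `verify` detects edited, inserted or deleted entries and compares MACs in constant time so that timing does not reveal how close a forged MAC is. The key, the field names and the sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64   # chain anchor for the first entry


def _sanitize(field: str) -> str:
    """Neutralise log injection: an attacker-supplied value can no longer start a
    new record or smuggle control characters into the log."""
    return "".join(ch if ch.isprintable() else f"\\u{ord(ch):04x}" for ch in field)


class AuditLog:
    def __init__(self, key: bytes):
        self.key = key                  # held by the log service only (assumption)
        self.entries: List[dict] = []

    def _mac(self, entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, detail: str) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "user": _sanitize(user),
            "action": _sanitize(action),
            "detail": _sanitize(detail),
            "prev": prev,               # links this record to the one before it
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the sequence number of the first bad entry, or None if the
        whole chain is intact. Editing a row (e.g. via SQL injection into the
        log table), deleting one, or inserting one all break the chain."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.get("seq") != i or entry.get("prev") != prev:
                return i
            # Constant-time comparison: a timing difference must not reveal how
            # many leading bytes of a forged MAC were correct.
            if not hmac.compare_digest(self._mac(entry), entry.get("mac", "")):
                return i
            prev = entry["mac"]
        return None
```

A digital signature over each entry (or over periodic checkpoints of the chain) would replace the HMAC where a third party must be able to verify the log without holding the key, which is the non-repudiation property the slide asks for.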

Remediation against denial of service can be:

- Anonymous access to the database has to be prevented by assigning appropriate privilege levels.
- Database names should be hard to predict.
- The file system should not be shared, and registry access should not be shared across different trusted parties.


- The application should be able to present an unavailable (decoy) data store to mislead an attacker; accesses to that decoy data store should be logged as well.
- Bandwidth should be calculated and then allocated for the system's data flows and database accesses.
- Sufficient memory should be available for the whole operation of the system.
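Added example (not the thesis's code) for the bandwidth-allocation and resource-consumption points: an admission gate in Python that gives each client a token bucket and refuses oversized request bodies before buffering them, so a flood of requests or a few huge uploads cannot starve the database behind the input module. The rate, burst size, body limit, client addresses and the `Gate`/`simulate` names are assumed for the example.

```python
from typing import Dict, List, Tuple

RATE_PER_SEC = 5.0          # sustained requests per second per client (assumed)
BURST = 10                  # short burst a client may spend at once (assumed)
MAX_BODY_BYTES = 1_000_000  # largest body the input module accepts (assumed)


class TokenBucket:
    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float, cost: float = 1.0) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Gate:
    """Admission control placed in front of the data input module."""

    def __init__(self):
        self.buckets: Dict[str, TokenBucket] = {}

    def admit(self, client: str, body_len: int, now: float) -> Tuple[bool, str]:
        if body_len > MAX_BODY_BYTES:
            return False, "413 payload too large"      # refused before any buffering
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(RATE_PER_SEC, BURST, now)
        # Cost grows with body size (one extra token per 100 kB) so a handful of
        # large uploads drains the same budget as many small requests.
        cost = 1.0 + body_len // 100_000
        if not bucket.allow(now, cost):
            return False, "429 too many requests"
        return True, "200 accepted"


def simulate(gate: Gate, requests: List[Tuple[str, int, float]]) -> List[str]:
    """Run constructed (client, body_len, time) tuples through the gate."""
    return [gate.admit(client, n, t)[1] for client, n, t in requests]
```

Per-client buckets keyed on a spoofable address are only a first layer; behind an authenticated session the key should be the user, and the database connection pool needs its own cap so that admitted requests cannot exhaust it.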

Remediation against elevation of privileges can be:

- Careful validation of all user input against a whitelist of acceptable characters.
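Added example for the whitelist-validation countermeasure, which the tables above also rely on against SQL injection into the user schema (example code, not from the thesis): the vulnerable concatenated query next to its hardened form, which first validates the field against a character whitelist and then uses a parameterised query. The `users` table, its rows and the username format are constructed sample data.

```python
import re
import sqlite3
from typing import List, Tuple

# Whitelist for a username field of the user schema (assumed format):
# letters, digits, dot, underscore, hyphen; 3 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def validate_username(value: str) -> bool:
    # fullmatch: the whole value must match, not just a prefix
    return USERNAME_RE.fullmatch(value) is not None


def demo_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the user schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("root", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # String concatenation: attacker-controlled text becomes part of the SQL.
    # Kept deliberately vulnerable to show what the tables call SQL injection.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # 1. Reject anything outside the whitelist before it reaches the database.
    if not validate_username(name):
        raise ValueError("invalid username")
    # 2. Parameterised query: the value is bound as data and can never be parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()
```

The two layers are independent: the parameterised query alone already stops the injection, and the whitelist alone would stop this payload, but together they also keep out inputs that are harmless to SQL yet dangerous downstream (for instance XSS vectors echoed back into a page).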

In the same way, threat modeling of the TCS Intellectual Property Asset Registry (TIPAR) system has also been carried out.


    Threat Modeling in Industrial web applications

Table: [8] Number of threatened elements in two industrial projects

Threat                    No. of threatened elements in    No. of threatened elements in
                          Scientific Forecasting System    TIPAR System
Spoofing                  10                                6
Tampering                 21                               17
Repudiation                9                                5
Information Disclosure    21                               17
Denial of Service          8                                5
Elevation of Privileges   10                               12


    Proposed Hybrid Approach

In this approach, data flow diagrams (DFDs) are used instead of misuse case diagrams to show the threats in the hybrid threat modeling process.

Hence the second and third phases of the hybrid threat modeling process, functional requirement identification and security requirement identification, have been modified.

Motivation behind the modification:

- To avoid the misuse case template, which is an overhead on top of the misuse case diagram.
- To introduce report generation, as preferred by industry.
- To introduce a systematic way of applying STRIDE.
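Added example of the systematic STRIDE application and report generation described above (not the Suraksha tool's code): a Python sketch that takes DFD elements typed as external entity, process, data store or data flow, applies the STRIDE-per-element applicability matrix of Hernan et al. [8], and emits a plain-text report plus the per-category element counts in the shape of Table 8. The element names are taken from the data input module table; the `TODO` marker for cells the analyst has not yet reviewed and the function names are assumptions for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

STRIDE = ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"]

# STRIDE-per-element applicability (Hernan et al. [8]): which categories are
# even possible for each DFD element type. Cells outside this matrix are not
# reviewed, which is what makes the application systematic.
APPLICABLE: Dict[str, Set[str]] = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process":         set(STRIDE),
    "data_store":      {"Tampering", "Repudiation", "Information Disclosure",
                        "Denial of Service"},
    "data_flow":       {"Tampering", "Information Disclosure", "Denial of Service"},
}

Element = Tuple[str, str]             # (name, type)
ThreatCell = Tuple[str, str, str]     # (name, type, threat)


def enumerate_threats(elements: List[Element]) -> List[ThreatCell]:
    """Every (element, threat) cell the analyst must review, in STRIDE order."""
    cells = []
    for name, kind in elements:
        if kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element type: {kind}")
        for threat in STRIDE:
            if threat in APPLICABLE[kind]:
                cells.append((name, kind, threat))
    return cells


def count_threatened_elements(cells: List[ThreatCell]) -> Dict[str, int]:
    """Number of distinct elements exposed to each category (Table 8's shape)."""
    per_threat: Dict[str, Set[str]] = {t: set() for t in STRIDE}
    for name, _, threat in cells:
        per_threat[threat].add(name)
    return {t: len(s) for t, s in per_threat.items()}


def report(elements: List[Element],
           findings: Optional[Dict[Tuple[str, str], str]] = None) -> str:
    """Plain-text report: one line per reviewed cell with the analyst's finding
    ('NA' when examined and found not applicable, 'TODO' when not yet reviewed)."""
    findings = findings or {}
    cells = enumerate_threats(elements)
    lines = ["Element | Type | Threat | Finding"]
    for name, kind, threat in cells:
        lines.append(f"{name} | {kind} | {threat} | {findings.get((name, threat), 'TODO')}")
    lines.append("")
    lines.append("Threatened elements per category:")
    lines += [f"  {t}: {n}" for t, n in count_threatened_elements(cells).items()]
    return "\n".join(lines)
```

Counting the cells that remain `TODO` gives a direct measure of review coverage, which is the figure an industrial team most wants in the generated report.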


    Implementation of Proposed Hybrid Approach

    Figure: [11] DFD generator on Suraksha


Figure: [12] STRIDE methodology applied on elements of the DFD (here on the Admin external entity)


    Figure: [14] Report generated


    Conclusion

- Although threat modeling takes many brainstorming sessions to collect information on assets, trust boundaries and threat profiles, it needs to be applied from the design phase of the software for secure code design.
- Threat modeling of two industrial web applications has been shown.
- The software-centric approach dominates in the current market, but a hybrid approach is preferable once report generation and simplicity are added to it. The proposed approach does that.


    Future Scope

- Lack of automation has been a major drawback in most of the threat modeling tools developed so far.
- Libraries containing security modules or algorithms should be attachable to the tools as add-ons, so that the set of threats can be extended as new ones appear.


    Selected Reference I

1. J. Steven, "Threat modeling - perhaps it's time," IEEE Security & Privacy, vol. 8, no. 3, pp. 83-86, 2010.

2. P. Torr, "Demystifying the threat modeling process," IEEE Security & Privacy, vol. 3, no. 5, pp. 66-70, 2005.

3. A. K. Talukder and A. R. Pais, "Security-aware Software Development Life Cycle (SaSDLC) - Processes and Tools," IFIP International Conference on Wireless and Optical Communications Networks (WOCN 2009), Cairo, Egypt, 2009.

4. G. Santhosh Babu, V. K. Maurya, E. Jangam, V. Muni Sekhar, A. K. Talukder and A. R. Pais, "Suraksha: A security designers' workbench," Proc. Hack.in 2009, pp. 59-66, 2009.

5. C. Mockel and A. E. Abdullah, "Threat modelling approaches and tools for securing architectural design of an e-banking application," Sixth International Conference on Information Assurance and Security, UK, pp. 149-154, 2010.


    Selected Reference II

6. G. Sindre and A. L. Opdahl, "Eliciting security requirements with misuse cases," Requirements Engineering, vol. 10, no. 1, pp. 34-44, 2005.

7. D. Dhillon, "Developer-driven threat modeling: Lessons learned in the trenches," IEEE Security & Privacy, vol. 9, no. 4, pp. 41-47, 2011.

8. S. Hernan, S. Lambert, T. Ostwald and A. Shostack, "Uncover security design flaws using the STRIDE approach," MSDN Magazine, msdn.microsoft.com, Nov. 2006.

Thank You