
Outline

Introduction
Theoretical Background
Problem Definition
Literature Review
Proposed Technique & Implementation
Conclusion & Future Scope
Related References
Threat Modeling in Web Applications
Soumya Ranjan Satapathy
212cs2368
(For partial fulfillment of M.Tech Degree)
Under the guidance of
Prof. D.P. Mohapatra
Department of Computer Science, NIT Rourkela
May 28, 2014
1 / 55 Soumya Ranjan Satapathy 212cs2368 Threat Modeling
Outline
1
Introduction
2
Theoretical Background
Threat Modeling
Approaches of Threat modeling
3
Problem Definition
4
Literature Review
Process of Threat modeling
MisUse case diagram
Attack tree
Hybrid Approach to Threat modeling
5
Proposed Technique & Implementation
Threat modeling in industrial web applications
Proposed Hybrid Approach
6
Conclusion & Future Scope
Conclusion
Future Scope
7
Related References
Introduction
In today's online environment a web application is not safe by default; it is
expected to be assessed for vulnerabilities from every possible angle.
From the business point of view, security objectives in areas such as
identity management, financial risk, corporate reputation and business
continuity need to be addressed properly by modern assessment methods.
Reliance on network security provided by general solutions such as
firewalls is not enough to overcome logic errors, architectural flaws
and other system design problems.
Failure to produce secure code at the design and development stage
eventually leads to exploitation of the resulting vulnerabilities by an
attacker.
Hence a systematic procedure is needed that provides application-specific
security right from the design phase.
Threat modeling as a concept promises to raise security to a higher
level of abstraction.
Threat Modeling
Security objective: maintain Confidentiality, Integrity and Availability of a
web application.
Threat Modeling
Threat modeling is a process that helps us identify, analyze, document
and possibly rate system vulnerabilities at the design phase.
In the next step, it allows system designers to prioritize and implement
countermeasures to security threats in a logical order based on risk.
The significant advantages of threat modeling are:
The threat modeling outcome is the basis for design decisions and
documents.
It is used in the implementation phase: the programmer is required to
read the document before writing code.
Threat modeling is useful for managing all risks efficiently.
The security budget can be utilized optimally with the help of threat
modeling.
Flaws can be found earlier than technical testing would find them.
Targeted penetration testing can be performed.
3 major approaches for threat modeling:
Attacker-centric: This approach focuses on identifying all possible
access points to the system and the possible adversary aims, from the
attacker's point of view.
Asset-centric: It starts from identifying the critical assets entrusted to a
system, such as a collection of sensitive personal information in a
database, then assesses the risks associated with them and ranks the risks.
Software-centric: It focuses on capturing system design and deployment
flaws which can translate into vulnerabilities.
Problem Definition
To develop a threat model for industrial web applications.
To propose a modification of the existing hybrid threat modeling
approach, one which uses data flow diagrams for threat identification
and can produce a threat report.
Process of Threat modeling
Though several approaches to threat modeling exist, the most widely
accepted one is the process proposed by Microsoft.
This process follows the software-centric approach of threat modeling.
The detailed process of threat modeling is depicted in the next Figure.
Figure: [1] Threat modeling process by Microsoft
STRIDE methodology
Table: [1] STRIDE security concepts
Property | Description | Threat | Definition
Authentication | The identity of the user is established | Spoofing | Impersonating something or someone else
Integrity | Data and system resources are only changed by intended people | Tampering | Modifying data or code
Non-repudiation | User can't perform an action and later deny it | Repudiation | Claiming to have not performed an action
Confidentiality | Data available to only intended persons | Information Disclosure | Exposing information to unauthorized person
Availability | System is ready when needed and performs fine | Denial of Service | Deny or degrade services to user
Authorization | Users are explicitly allowed or denied access to resources | Elevation of Privileges | Gain capabilities without proper authorization
Microsoft proposed the STRIDE model, which can be applied to the design-level
data flow diagram to find all possible types of attacks on its elements.
Relationship between STRIDE threats and DFD elements:
Table: [2] STRIDE on DFD
Element type | S | T | R | I | D | E
External Interactor | Y | - | Y | - | - | -
Process | Y | Y | Y | Y | Y | Y
Data storage | - | Y | Y | Y | Y | -
Data flow | - | Y | - | Y | Y | -
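As an added example (not code from the slides, and not the Microsoft SDL tool), the following Python script encodes the Table 2 mapping and enumerates the STRIDE threats a modeller must consider for each element of a small constructed DFD. The element names and the DFD itself are hypothetical; the per-category count at the end has the same shape as Table 8 later in the slides.

```python
"""STRIDE-per-element over a small data flow diagram (DFD).

Added example: given a list of DFD elements, enumerate the STRIDE threat
categories that Table 2 says apply to each element type, and summarise
the result per category.
"""
from dataclasses import dataclass

# STRIDE categories, keyed by their initial letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privileges",
}

# STRIDE-per-element mapping (Table 2): which categories each DFD element
# type must be examined for.
APPLICABLE = {
    "external_interactor": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the APPLICABLE keys


def threats_for(element: Element) -> list[str]:
    """STRIDE threat names a modeller must consider for one element."""
    if element.kind not in APPLICABLE:
        raise ValueError(f"unknown DFD element type: {element.kind}")
    return [STRIDE[letter] for letter in APPLICABLE[element.kind]]


def enumerate_threats(dfd: list[Element]) -> list[tuple[str, str]]:
    """All (element name, threat) pairs for the whole diagram."""
    return [(e.name, t) for e in dfd for t in threats_for(e)]


def count_threatened_elements(dfd: list[Element]) -> dict[str, int]:
    """Number of elements exposed to each category (the form of Table 8)."""
    counts = {name: 0 for name in STRIDE.values()}
    for _, threat in enumerate_threats(dfd):
        counts[threat] += 1
    return counts


# Constructed sample DFD (hypothetical; not the slides' actual diagrams).
SAMPLE_DFD = [
    Element("SCM user", "external_interactor"),
    Element("login request", "data_flow"),
    Element("admin process", "process"),
    Element("user DB", "data_store"),
    Element("activity log", "data_store"),
]

if __name__ == "__main__":
    for name, threat in enumerate_threats(SAMPLE_DFD):
        print(f"{name:15} {threat}")
    print(count_threatened_elements(SAMPLE_DFD))
```

Each (element, threat) pair is one question the modeller must answer with either a concrete threat (as in Tables 3 to 6) or an explicit "NA"; the point of the mapping is that a process gets six questions while a data flow gets three, so nothing is silently skipped.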
DREAD methodology
DREAD is a word made from the initials of 5 different words:
Damage potential: It defines how much damage to the system can occur
once the vulnerability has been exploited.
Reproducibility: It defines how easily the attack can be executed and
repeated.
Exploitability: It defines how easily the attack can be launched and what
amount of expertise an attacker needs to launch it.
Affected users: It shows what number of end users get affected by the
exploitation.
Discoverability: It defines how easily the vulnerability can be found or
the system attacked.
The basic equation for decision making is given by Risk score = Probability
of occurrence * Business impact.
Damage potential and Affected users contribute towards the business
impact, while the remaining three, Discoverability, Exploitability and
Reproducibility, contribute to the probability of occurrence. Rewriting the
formula,
Risk Score = (Discoverability + Exploitability + Reproducibility) *
(Damage potential + Affected users)
On a scale of 10, 10 is assigned to a high value, 5 to a medium and
0 to a low value.
On a scale of 10,
Maximum risk score = (10+10+10)*(10+10) = 600
Minimum risk score = 0
Medium risk score = (5+5+5)*(5+5) = 150
This gives a usable banding: a threat with a risk score in the range
0 to 100 can be taken as a low risk threat, threats scored 100 to 300
as medium risk, and threats scored 300 to 600 as high risk.
Following the risk evaluation, different remediations against the identified
threats are suggested.
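The rewritten formula and the banding above, carried through in Python as an added example (not the author's code). The three sample threats and their ratings are constructed, and the treatment of the band boundaries (100 rounds up to medium, 300 up to high) is an assumption, since the slide leaves the boundaries open.

```python
"""DREAD risk scoring and banding on the slides' 0/5/10 scale (added example)."""
from dataclasses import dataclass

# Slide scale: high = 10, medium = 5, low = 0 for every DREAD component.
LEVEL = {"high": 10, "medium": 5, "low": 0}


@dataclass(frozen=True)
class Dread:
    damage_potential: str
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str


def risk_score(d: Dread) -> int:
    """Risk = (Discoverability + Exploitability + Reproducibility) * (Damage + Affected users)."""
    probability = (LEVEL[d.discoverability] + LEVEL[d.exploitability]
                   + LEVEL[d.reproducibility])              # 0..30
    impact = LEVEL[d.damage_potential] + LEVEL[d.affected_users]  # 0..20
    return probability * impact                              # 0..600


def risk_band(score: int) -> str:
    """Band a 0..600 score; boundary handling is an assumption (see lead-in)."""
    if not 0 <= score <= 600:
        raise ValueError(f"score out of range: {score}")
    if score < 100:
        return "low"
    if score < 300:
        return "medium"
    return "high"


def prioritise(threats: dict[str, Dread]) -> list[tuple[str, int, str]]:
    """Order threats by descending score so mitigation starts with the riskiest."""
    rows = []
    for name, d in threats.items():
        score = risk_score(d)
        rows.append((name, score, risk_band(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed ratings (hypothetical; not taken from the two case studies).
SAMPLE_THREATS = {
    "SQL injection in login":
        Dread("high", "high", "medium", "high", "medium"),
    "Session hijacking":
        Dread("medium", "medium", "medium", "medium", "medium"),
    "Log injection":
        Dread("low", "high", "high", "low", "medium"),
}

if __name__ == "__main__":
    for name, score, band in prioritise(SAMPLE_THREATS):
        print(f"{score:4}  {band:6}  {name}")
```

One property of the multiplicative form worth noticing when reading the output: a threat whose two impact components are both rated low scores 0 no matter how discoverable or exploitable it is, so it drops to the bottom of the list even though it is trivially reproducible.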
Misuse case diagram
It is another approach to threat modeling, which depicts legitimate functional
behavior and the threats (illegitimate behavior) in one diagram.
Definition: A misuse case, also termed an abuse case, can be defined as an
evolution of use case diagrams which describes behavior that the system
or an external entity does not want to occur.
The misuse case diagram, used to show the malicious activities, is drawn
on top of the use case diagram but in an inverted manner (shown in black).
One or more mis-actors are identified for each actor in the use case
diagram.
The following diagram shows an example of a misuse case diagram of a
simple order processing system.
Figure: [2] Misuse case example of a simple order processing system
Attack tree
It forms a convenient way to systematically categorize the different ways in
which a system can be attacked.
An attack tree is a tree in which the nodes represent attacks.
The root node of the tree is the global goal of an attacker. Children
of a node are refinements of this goal, and leaves therefore represent
attacks that can no longer be refined. A refinement can be conjunctive
(aggregation) or disjunctive (choice).
The following Figure shows an example of an attack tree representation of
the process of logging in to UNIX.
Figure: [3] Attack tree representation of logging in to UNIX
Hybrid Approach to Threat modeling
The hybrid approach comprises all three approaches to threat modeling:
asset-centric, software-centric and attacker-centric.
In the hybrid approach proposed by Asoke K Talukder et al., the following
steps are followed for threat modeling:
Identification of assets and prioritization
Functional requirements
Security requirements
Threat and attack tree
Rating of risks
Decision on in-vivo versus in-vitro
Non-functional to functional requirement
Iterate
Asset identification and prioritization:
Assets are the reason threats exist; an adversary's goal is to gain access
to an asset. The security team needs to identify which assets need to be
protected from an unauthorized user.
All the assets are identified and prioritized according to their
vulnerabilities from three security aspects: confidentiality, integrity and
availability. The asset risk also has to be calculated from the customer,
administrator and attacker views.
Functional behavior:
In this phase, the functional requirements of the system are identified and
modeled using a use case diagram.
Security requirements:
For each actor in the use case diagram, one or more misuse actors are
created. They are analyzed for all types of possible attacks by applying
the STRIDE threats to each asset and each action. This gives a list of
many possible threats, which is shown in the misuse case diagram.
Threat and attack tree:
Each threat in the misuse case diagram is taken as the root node of an
attack tree, i.e. the goal of the attacker. Attack trees are constructed
for each and every threat mentioned in the misuse case diagram,
representing the actual threat.
Rating of threats:
In this phase, using the DREAD model, the threat is prioritized on a
scale of 1 to 10. This is shown in the attack tree.
Decision on in-vivo vs in-vitro:
In this phase, the priorities of the threats are used to get the order of
threat mitigation and to find out which threats may be left as they are,
by comparing with the prioritized assets listed in phase 1.
Non-functional to functional requirements:
In this phase the threats which are at higher priority after comparison
with the assets in the previous step are taken into the list of functional
requirements (security is by default first taken as a non-functional
requirement).
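The attack tree section earlier (root goal, conjunctive and disjunctive refinements) and the "Threat and attack tree" and "Rating of threats" phases just described can be put together in code. The following is an added example, not the Suraksha workbench or the author's code: leaves carry a 1 to 10 priority, an OR node takes the maximum of its children (the attacker needs only one path) and an AND node the minimum (every step is required, so the hardest one bounds the branch), and a helper reports what the root priority would become if each single leaf were mitigated. The sample tree and all ratings are constructed.

```python
"""Attack tree with per-leaf priorities and a mitigation payoff check (added example)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    label: str
    kind: str = "leaf"                 # "leaf", "or" (disjunctive), "and" (conjunctive)
    rating: int = 0                    # leaf priority on the 1..10 scale of the hybrid approach
    children: list["Node"] = field(default_factory=list)
    mitigated: bool = False            # True once a countermeasure is in place


def priority(node: Node) -> int:
    """Propagate leaf priorities up to the attacker's goal.

    OR: the goal is as urgent as its most urgent child (max).
    AND: every child is needed, so the least urgent child bounds it (min).
    A mitigated leaf contributes 0.
    """
    if node.kind == "leaf":
        return 0 if node.mitigated else node.rating
    if not node.children:
        raise ValueError(f"{node.label}: refinement node without children")
    scores = [priority(child) for child in node.children]
    return max(scores) if node.kind == "or" else min(scores)


def leaves(node: Node) -> list[Node]:
    """All unrefined attacks under a node, in tree order."""
    if node.kind == "leaf":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def mitigation_payoff(root: Node) -> dict[str, int]:
    """Root priority that results from mitigating each single leaf on its own.

    Lets the in-vivo/in-vitro decision start with the countermeasure that
    lowers the goal the most, instead of the leaf with the highest rating.
    """
    payoff = {}
    for leaf in leaves(root):
        saved = leaf.mitigated
        leaf.mitigated = True
        payoff[leaf.label] = priority(root)
        leaf.mitigated = saved          # restore the tree
    return payoff


def build_sample_tree() -> Node:
    """Constructed tree for one spoofing threat (hypothetical structure and ratings)."""
    return Node("Act as a registered SCM user", "or", children=[
        Node("Obtain a valid session", "or", children=[
            Node("Guess weak password", rating=7),
            Node("Take over session ID", rating=8),
        ]),
        Node("Bypass the authentication check", "and", children=[
            Node("Tamper request parameters", rating=6),
            Node("Reach a page missing an authorization check", rating=9),
        ]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print("goal priority:", priority(tree))
    for label, result in mitigation_payoff(tree).items():
        print(f"mitigate {label!r:50} -> goal priority {result}")
```

In the sample, the highest-rated leaf (rating 9) sits under an AND node whose sibling is rated 6, so the whole branch only contributes 6 and mitigating that leaf changes nothing at the root; the session-takeover leaf under the OR node is the one whose mitigation actually lowers the goal. That is the kind of ordering information the plain per-threat DREAD rating does not give on its own.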
Iterate:
The above phases 1 to 7 are iterated again to check for further
refinements in the design before deriving a conclusion on threats.
A workbench for implementing the hybrid approach of threat modeling
has been developed by G. Santhosh Babu et al., named Suraksha,
an open source tool support.
Threat modeling in industrial web applications
For threat modeling on live industrial web applications, case studies
of two industrial web applications have been taken: the Scientific
Forecasting system and the TIPAR system (TCS Intellectual Property Asset
Registry).
Though threat modeling can be done without any tool support, the
Microsoft SDL tool is used for systematic documentation and for
simulation of the threat modeling.
This tool works on the STRIDE principle and follows the software-centric
approach.
In the first step, the business objectives of the system are defined and
documented.
In the next step, the security objective is defined.
Threat modeling in Scientific forecasting system
For the system, the security objectives are:
Only the registered SCM user should be able to upload and view the
forecasted results; any unauthorized user should not be able to do the
same. (satisfaction of Confidentiality property)
No one other than the designated SCM person (the SCM planning manager
here) should be able to modify the output of the system. (satisfaction
of Integrity property)
The system should provide uninterrupted service to the registered users.
(satisfaction of Availability property)
The identity of the user should be established (preferably by session
parameters) before allowing access to the system. (satisfaction of
Authentication property)
No other SCM should be able to see the confidential business data nor
the output of other SCMs. (satisfaction of Authorization property)
The system should maintain a proper log, which may be referred to in
future, of any modifications of the report done by the SCM planning
manager and of all transaction histories. (satisfaction of
Accountability property)
In the next step, the system overview diagram is depicted, which is the
context DFD.
Figure: [4] Context Diagram
In the next step, the context diagram is decomposed into the following
modules.
Figure: [5] Level 1 DFD of scientific forecasting system
Figure: [6] Admin Module
Figure: [7] Data Input Module
Figure: [8] Data Setup Module
Figure: [9] Structural Analysis
Figure: [10] Output unit
Table: [3] Threats to Admin module
Threat | External Entity | Data flow | Database | Process
Spoofing | IP spoofing; session hijacking; offline password attacks; man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; content spoofing; MITM
Tampering | NA | Sniffing attack; replay attack; MITM | SQL injection | NA
Repudiation | Repudiation attack; log injection; web parameter tampering by MITM | NA | Log file manipulation via SQL injection; privilege to Admin of the log files | NA
Information Disclosure | NA | Side channel analysis; sniffing | SQL injection | NA
Denial of Service | NA | NA | Empty DB tried to be read or full DB tried to be written | Forced browsing; resource consumption attacks; DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link)
Elevation of Privileges | NA | NA | NA | XSS
Table: [4] Threats to Data Input Module
Threat | External Entity | Data flow | Database | Process
Spoofing | IP spoofing; session hijacking; offline password attacks; man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; content spoofing; MITM
Tampering | NA | Sniffing attack; replay attack; MITM | NA (for temp DB); SQL injection for user schema | NA
Repudiation | Repudiation attack; log injection; web parameter tampering by MITM | NA | Log file manipulation via SQL injection; privilege to Admin of the log files | NA
Information Disclosure | NA | Side channel analysis; sniffing | SQL injection | NA
Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; forced browsing; resource consumption attacks; huge data stays in DB until sent to temp DB, better chance of DOS | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link)
Elevation of Privileges | NA | NA | NA | XSS
Table: [5] Threats to data setup module
Threat | External Entity | Data flow | Database | Process
Spoofing | IP spoofing; session hijacking; offline password attacks; man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; content spoofing; MITM
Tampering | NA | Sniffing attack; replay attack; MITM | NA (for temp DB and staging DB); SQL injection for user schema | NA
Repudiation | Repudiation attack; log injection; web parameter tampering by MITM | NA | Log file manipulation via SQL injection; privilege to Admin of the log files; NA for staging DB | NA
Information Disclosure | NA | Side channel analysis; sniffing | SQL injection; NA for staging DB | NA
Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; forced browsing; resource consumption attacks; huge data stays in DB until sent to temp DB, better chance of DOS; NA for staging DB | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link)
Elevation of Privileges | NA | NA | NA | XSS
Table: [6] Threats to Structural analysis Module
Threat | External Entity | Data flow | Database | Process
Spoofing | NA for system; IP spoofing; session hijacking; offline password attacks; man in the middle attack; XSS | NA | NA | DNS spoofing; ARP poisoning; URL spoofing; content spoofing; MITM
Tampering | NA | Sniffing attack; replay attack; MITM | SQL injection for user schema and main DB | NA
Repudiation | NA for system; repudiation attack; log injection; web parameter tampering by MITM | NA | Log file manipulation via SQL injection; privilege to Admin of the log files | NA
Information Disclosure | NA | Side channel analysis; sniffing | SQL injection | NA
Denial of Service | NA | NA | Full DB tried to be written, empty user DB may be tried to be read; forced browsing; resource consumption attacks; huge data stays in DB until sent to main DB, better chance of DOS | By spoofing a user, DOS attack; XSS (a link may redirect to another one, leading to DOS for the actual link)
Elevation of Privileges | NA | NA | NA | XSS
No threat to the output module.
After successful completion of threat identification, threat prioritization is
done and appropriate countermeasures against the threats are taken. In the
system, countermeasures can be like:
As a remediation against spoofing attacks:
A standard authentication technique has to be implemented at all
interfaces with the external entities.
The credentials should be random and arbitrary.
Hashing or encryption has to be applied to stored credentials with an
appropriate salt.
Careful input validation using a whitelist.
Use of Access Control Lists (ACL).
Session parameters should be encrypted, random, one-time and lengthy
session IDs, with session timeouts, appropriate expiry times for cookies
containing the session ID, and invalidation of the session after logging out.
Use of CAPTCHA.
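The spoofing countermeasures listed above (salted hashing of stored credentials, random and lengthy one-time session IDs with timeout and logout invalidation, whitelist input validation) are shown in code below as an added example; it is not code from the two case-study systems or from the author. The PBKDF2 iteration count, the 15-minute session timeout, the username character class and the hypothetical SessionStore class are all assumptions; the constant-time comparison also serves the side-channel remediation that appears later under information disclosure.

```python
"""Spoofing countermeasures from the slides, in code (added example).

Salted password hashing, random/lengthy session IDs with expiry and
logout, whitelist input validation, and constant-time comparison.
"""
import hashlib
import hmac
import os
import re
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 600_000          # assumption: OWASP's figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
SESSION_TTL_SECONDS = 15 * 60    # assumption: 15-minute idle timeout


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt per credential defeats
    precomputed tables and makes identical passwords hash differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison's timing does not reveal how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Whitelist validation: accept only the characters a username may contain
# (assumed character class), rejecting everything else outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


class SessionStore:
    """Random, lengthy session IDs with timeout and logout invalidation (hypothetical class)."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock               # injectable so expiry can be tested
        self._sessions: dict = {}        # session_id -> (user, expires_at)

    def create(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._sessions[session_id] = (user, self.clock() + self.ttl)
        return session_id

    def user_for(self, session_id: str) -> Optional[str]:
        """The user bound to a session ID, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[session_id]         # expired: treat as logged out
            return None
        return user

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)       # invalidate on logout
```

The session ID is generated by the server and never derived from user data, which is what makes it unguessable; the cookie carrying it should additionally be marked Secure and HttpOnly and be given an expiry no longer than the server-side timeout, as the slide requires.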
Remediation against Tampering can be:
Cryptographic integrity control for the data in the network has to be done.
An anti-replay technique and a strong integrity technique have to be
followed.
To prevent man in the middle attacks, the end points should be
authenticated to each other before the start of the session.
A standard protocol like SSL has to be adopted for a strong message
integrity system.
ACLs should be maintained and careful input validation has to be done.
Remediation against Repudiation can be:
User activity should be logged.
A standard digital signature scheme should be introduced.
An anti-replay technique and a strong integrity technique have to be
followed.
Sufficient space should be there for the activity log so that it does not
run out of space.
Maintenance of ACLs.
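Both the tampering and the repudiation lists ask for "an anti-replay technique and a strong integrity technique". The following added example (not the author's code or anything from the case-study systems) shows one way those two controls fit together for an application message: a shared-key HMAC over the canonical message gives integrity, and a per-message nonce checked against a freshness window and a seen-nonce cache rejects replays. The key, the 300-second window, the JSON wire format and the sample messages are assumptions; a digital signature scheme would replace the HMAC where non-repudiation towards a third party is needed, since a shared key lets either side produce a valid tag.

```python
"""HMAC integrity with anti-replay for application messages (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

REPLAY_WINDOW_SECONDS = 300      # assumption: accepted clock skew / message lifetime


def _canonical(payload: dict, nonce: str, timestamp: int) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    body = {"payload": payload, "nonce": nonce, "ts": timestamp}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(key: bytes, payload: dict, now: Optional[int] = None) -> dict:
    """Attach a fresh nonce, a timestamp and an HMAC-SHA256 tag to a payload."""
    timestamp = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)                   # 128-bit random, one per message
    tag = hmac.new(key, _canonical(payload, nonce, timestamp), hashlib.sha256).hexdigest()
    return {"payload": payload, "nonce": nonce, "ts": timestamp, "mac": tag}


class Verifier:
    """Receiver side: checks the tag first, then freshness, then replay."""

    def __init__(self, key: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self._seen: dict = {}                       # nonce -> timestamp it arrived with

    def _expire(self, now: int) -> None:
        # Nonces older than the window can never be accepted again anyway,
        # so the cache only has to remember one window's worth.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}

    def accept(self, message: dict, now: Optional[int] = None) -> tuple:
        """Return (accepted, reason). Only authenticated messages touch the nonce cache."""
        now = int(time.time()) if now is None else now
        try:
            payload = message["payload"]
            nonce = message["nonce"]
            ts = int(message["ts"])
            mac = message["mac"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(payload, nonce, ts), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"                 # payload, nonce or timestamp was altered
        if abs(now - ts) > self.window:
            return False, "stale"                   # outside the freshness window
        self._expire(now)
        if nonce in self._seen:
            return False, "replay"                  # same authenticated message seen before
        self._seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"                 # constructed; load from a secret store in practice
    verifier = Verifier(key)
    msg = sign_message(key, {"report_id": 42, "action": "approve"})
    print(verifier.accept(msg))                     # first delivery
    print(verifier.accept(msg))                     # the same message again
```

The order of the checks matters: verifying the tag before touching the nonce cache means an unauthenticated sender cannot fill the cache or evict entries, and checking freshness before replay keeps the cache bounded to one window.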
Remediation against Information disclosure can be:
The data in the database as well as the data flowing across the system
should be considered for encryption.
Encryption should be implemented using a constant-time approach, so that
processing time does not reveal anything about the encrypted message, to
prevent side channel attacks.
Remediation against Denial of service can be:
Anonymous user access to the database has to be prevented by assignment
of appropriate privilege levels.
Database names should be hard to predict.
The file system should not be shared, and registry access should not be
shared across different trusted parties.
The application should be able to present an unavailable (decoy) data store to fool the attacker, and accesses to that false data store should be logged as well.
Bandwidth should be calculated and then allocated for the system's data flows and database accesses.
A sufficient amount of memory should be available for the whole operation of the system.
Remediations against Elevation of privileges can be:
Careful validation of all user input by maintaining a whitelist of acceptable characters.
In the same way, threat modeling of the TCS Intellectual Property Asset Registry (TIPAR) system has also been done.
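The following Python sketch is an added example, not code from the slides or from the two industrial systems they describe. It shows how several of the remediations listed above fit together on the receiving side of a session: a whitelist check on a user-supplied identifier (Elevation of privileges), an HMAC tag compared in constant time (Tampering, Information disclosure), a per-session nonce set that rejects replays (anti-replay), and a signed activity log whose entries can later be checked for alteration (Repudiation). The session key, the identifier whitelist and the messages are constructed for the demo; the trusted sender that produces the tag is assumed and stood in for by the make_message helper.

```python
# Added example (not code from the slides or the industrial systems they describe).
# Receiver-side checks for: whitelist input validation, HMAC message integrity,
# nonce-based anti-replay, constant-time tag comparison and a signed activity log.
# Key, whitelist and messages are constructed for the demo.
import hashlib
import hmac
import json
import secrets
import string
import time

# Whitelist of acceptable characters for a user-supplied identifier (constructed).
IDENT_WHITELIST = frozenset(string.ascii_letters + string.digits + "_-")


def validate_identifier(value: str, max_len: int = 64) -> bool:
    """Accept only a non-empty string made entirely of whitelisted characters."""
    return 0 < len(value) <= max_len and all(ch in IDENT_WHITELIST for ch in value)


def _canon(obj) -> bytes:
    """Canonical encoding so sender and receiver tag exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class SessionReceiver:
    """Verifies messages of the form {nonce, body, tag} where
    tag = HMAC-SHA256(key, nonce || canonical(body)); the sender is assumed."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces = set()   # anti-replay: every accepted nonce is remembered
        self.activity_log = []      # repudiation: every decision is logged and signed

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def make_message(self, body: dict) -> dict:
        """Demo helper standing in for the trusted sender."""
        nonce = secrets.token_hex(16)
        return {"nonce": nonce, "body": body, "tag": self._tag(nonce.encode() + _canon(body))}

    def verify(self, message: dict) -> bool:
        nonce = str(message.get("nonce", ""))
        expected = self._tag(nonce.encode() + _canon(message.get("body", {})))
        # compare_digest takes time independent of where the tags differ,
        # so timing does not leak the tag byte by byte.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            self._log("reject", nonce, "bad-tag")
            return False
        if nonce in self._seen_nonces:
            self._log("reject", nonce, "replay")
            return False
        self._seen_nonces.add(nonce)
        self._log("accept", nonce, "ok")
        return True

    def _log(self, action: str, nonce: str, reason: str) -> None:
        entry = {"ts": time.time(), "action": action, "nonce": nonce, "reason": reason}
        entry["sig"] = self._tag(_canon(entry))   # sign the entry so edits are detectable
        self.activity_log.append(entry)

    def log_is_intact(self) -> bool:
        """Recompute every entry's signature; False if any entry was altered."""
        for entry in self.activity_log:
            unsigned = {k: v for k, v in entry.items() if k != "sig"}
            if not hmac.compare_digest(self._tag(_canon(unsigned)), entry["sig"]):
                return False
        return True


def demo() -> tuple:
    rx = SessionReceiver(secrets.token_bytes(32))        # constructed session key
    msg = rx.make_message({"user": "alice", "action": "read"})
    first = rx.verify(msg)                               # genuine message: accepted
    replay = rx.verify(msg)                              # same nonce again: rejected
    forged = dict(msg, body={"user": "alice", "action": "delete"})
    tampered = rx.verify(forged)                         # body changed: tag mismatch
    intact_before = rx.log_is_intact()
    rx.activity_log[0]["action"] = "reject"              # simulate log tampering
    intact_after = rx.log_is_intact()
    return first, replay, tampered, intact_before, intact_after


if __name__ == "__main__":
    print(demo())                                        # (True, False, False, True, False)
```

The nonce set grows for the life of the session; a production receiver would bound it (for example by pairing nonces with a timestamp window), and the log signing key would normally differ from the session key so that a compromised session cannot rewrite history.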
Threat Modeling in Industrial web applications
Table: [8] No. of threatened elements in two industrial projects

Threat                   No. of threatened elements in   No. of threatened elements in
                         Scientific Forecasting System   TIPAR System
Spoofing                 10                              6
Tampering                21                              17
Repudiation              9                               5
Information Disclosure   21                              17
Denial of Service        8                               5
Elevation of Privileges  10                              12
Proposed Hybrid Approach
In this approach, data flow diagrams are used instead of misuse case diagrams to show the threats in the hybrid approach to threat modeling.
Hence the second and third phases of the hybrid threat modeling process, the functional and security requirement identification phases, have been modified.
Motivation behind the modification:
To avoid the misuse case template, which is an overhead of using misuse case diagrams.
To introduce report generation, as preferred by industry.
To introduce a systematic way of applying STRIDE.
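As an added illustration of the "systematic way of applying STRIDE" that motivates the approach, the following Python script (neither Suraksha's code nor the project's own) walks a small constructed data flow diagram, assigns STRIDE categories to each element by type using the STRIDE-per-element mapping from the STRIDE article cited as [8] (external entities: S, R; processes: all six; data stores: T, I, D, plus R when the store is an audit log; data flows: T, I, D), renders a plain-text report, and counts the threatened elements per category in the same form as the table on the previous slide. The element names, the trust-boundary flag and the priority column are assumptions made for the demo.

```python
# Added example (not Suraksha's code): STRIDE-per-element over a constructed DFD,
# producing a threat report and a per-category count of threatened elements.
from dataclasses import dataclass

# STRIDE categories keyed by their letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privileges",
}

# STRIDE-per-element: which categories apply to each DFD element type.
# Data stores get Repudiation only when they hold an audit log (see applicable_threats).
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str                       # one of the PER_ELEMENT keys
    crosses_boundary: bool = False  # data flows only: crosses a trust boundary?
    is_audit_log: bool = False      # data stores only: repudiation applies if True


def applicable_threats(el: Element) -> list:
    """STRIDE categories that apply to one DFD element."""
    letters = PER_ELEMENT[el.kind]
    if el.kind == "data_store" and el.is_audit_log:
        letters += "R"
    return [STRIDE[c] for c in letters]


def stride_report(elements: list) -> list:
    """One row per (element, applicable threat); the systematic STRIDE pass."""
    rows = []
    for el in elements:
        for threat in applicable_threats(el):
            rows.append({
                "element": el.name,
                "type": el.kind,
                "threat": threat,
                # demo assumption: flows crossing a trust boundary are ranked higher
                "priority": "high" if el.crosses_boundary else "normal",
            })
    return rows


def count_threatened_elements(rows: list) -> dict:
    """Number of distinct elements exposed to each STRIDE category."""
    per_cat = {cat: set() for cat in STRIDE.values()}
    for r in rows:
        per_cat[r["threat"]].add(r["element"])
    return {cat: len(names) for cat, names in per_cat.items()}


def render_report(rows: list) -> str:
    """Plain-text report, the kind of output the slides export."""
    width = max(len(r["element"]) for r in rows)
    lines = [f"{'Element':<{width}}  {'Type':<15}  {'Threat':<24}  Priority"]
    for r in rows:
        lines.append(f"{r['element']:<{width}}  {r['type']:<15}  {r['threat']:<24}  {r['priority']}")
    return "\n".join(lines)


# Constructed DFD for the demo, loosely modelled on the forecasting system slides.
DEMO_DFD = [
    Element("Admin", "external_entity"),
    Element("Forecast service", "process"),
    Element("Forecast DB", "data_store"),
    Element("Activity log", "data_store", is_audit_log=True),
    Element("Admin -> Forecast service", "data_flow", crosses_boundary=True),
    Element("Forecast service -> Forecast DB", "data_flow"),
]

if __name__ == "__main__":
    report = stride_report(DEMO_DFD)
    print(render_report(report))
    print(count_threatened_elements(report))
```

Because the mapping is a table rather than a brainstorm, every element of the diagram is visited and every applicable category is recorded before any threat is dismissed, which is what makes the pass repeatable across projects and lets the per-category counts be compared between systems.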
Implementation of Proposed Hybrid Approach
Figure: [11] DFD generator on Suraksha
Figure: [12] STRIDE methodology applied on elements of the DFD (here on the Admin external entity)
Figure: [13] Option for exporting the report
Figure: [14] Report generated
Conclusion
Although threat modeling takes a lot of brainstorming sessions to collect information on assets, trust boundaries and threat profiles, it needs to be applied from the design phase of the software for secure code design.
Threat modeling for two industrial web applications has been shown.
The software-centric approach dominates the current market, but a hybrid approach is better to consider if report generation and simplicity are added to it. The proposed approach does that.
Future Scope
Lack of automation has been a major drawback of most threat modeling tools developed so far.
Libraries containing security modules or algorithms should be attached to the tools as later additions, so that the tools scale to future threats.
Selected References I
1. J. Steven, "Threat modeling - perhaps it's time", IEEE Security & Privacy, vol. 8, no. 3, pp. 83-86, 2010.
2. P. Torr, "Demystifying the threat modeling process", IEEE Security & Privacy, vol. 3, no. 5, pp. 66-70, 2005.
3. Asoke K. Talukder, Alwyn Roshan Pais, "Security-aware Software Development Life Cycle (SaSDLC) - Processes and Tools", IFIP International Conference on Wireless and Optical Communications Networks (WOCN '09), Cairo, Egypt, 2009.
4. G. Santhosh Babu, V. K. Maurya, E. Jangam, V. Muni Sekhar, A. K. Talukder, and A. R. Pais, "Suraksha: A security designers' workbench", Proc. Hack.in 2009, pp. 59-66, 2009.
5. Caroline Mockel, Ali E. Abdullah, "Threat modelling approaches and tools for securing architectural design of an e-banking application", Sixth International Conference on Information Assurance and Security, UK, pp. 149-154, 2010.
Selected References II
6. G. Sindre and A. L. Opdahl, "Eliciting security requirements with misuse cases", Requirements Engineering, vol. 10, no. 1, pp. 34-44, 2005.
7. D. Dhillon, "Developer-driven threat modeling: Lessons learned in the trenches", IEEE Security and Privacy, vol. 9, no. 4, pp. 41-47, 2011.
8. S. Hernan, S. Lambert, T. Ostwald, and A. Shostack, "Uncover security design flaws using the STRIDE approach", msdn.microsoft.com, Nov. 2006.
Thank You