Threat Modeling
an introduction to Security Principles and Patterns in Application Architectural Design
Caleb Jenkins
Software Ninja | Architect
http://DevelopingUX.com
Threat
Threat + Attack
or is your world more like this?
Agenda
- Threat Analysis
- Basic Security Concepts
- Security Code Review
- Summary / Q&A
T.J. Maxx theft believed largest hack ever
TJX Cos. put number to loss Wednesday, acknowledges it could still go up
By Mark Jewell, Associated Press, March 30, 2007

BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.

Experts say TJX's disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.

Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
Assets are the things an attacker wants to take from you.
Threats are the ways in which the attacker will try to get at your assets.
Mitigations are the ways you block the attacker from getting the assets.
Vulnerabilities are unmitigated threats.
Threat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built.
Assets are more than money…
- Reputation & Customer Confidence
- Confidential Data
- Processor, Storage, Bandwidth
- Availability
- Performance
Threat Analysis
- Secure software starts with understanding the threats
- Threats are not vulnerabilities
- Threats live forever
- How will attackers attempt to compromise the system?
(diagram: Asset, Threat, Mitigation, Vulnerability)
Security User Stories
- Describes something the bad guy wants to do (a threat)
- Short and to the point
- Written by the user in non-technical language:
  As an attacker
  I want to <attack>
  So that <crime>
  By <method>

Security User Stories (example)
As an attacker
I want to obtain credentials
So that I can plunder bank accounts
By tricking users into logging into my bogus site with a phishing mail
Security Objectives
What do you not want to happen?
- Confidentiality: "I do not want unauthorized users to gain access to confidential information"
- Integrity: "I do not want unauthorized users to tamper with data"
- Availability: "I do not want the system to be unavailable because of an attack"
Agree on security objectives up front; it helps to scope and focus your security efforts.

Agenda
- Threat Analysis
- Basic Security Concepts
- Security Code Review
- Summary / Q&A
Basic Security Concepts
- Reduce Attack Surface
- Defense In Depth
- Least Privilege
- Fail to Secure Mode
Attack Surface
The "Attack Surface" is the sum of the ways in which an attacker can get at you.
Smaller Attack Surface is better.
Which one has the smaller attack surface?
Hint: No way to know… what's on the other side?
Understand Your Attack Surface
- Networking protocols that are enabled by default
- Network endpoints
- Code that auto-starts or will execute when accessed. Examples: services, daemons, ISAPI filters and applications, SOAP services, and web roots
- Reusable components: ActiveX controls, COM objects, and .NET Framework assemblies (especially those marked with AllowPartiallyTrustedCallersAttribute)
- Process identities for all the code you run
- User accounts installed
Reducing Attack Surface (step by step)
Starting point: three TCP/UDP endpoints; Service: Autostart, running as SYSTEM; data store ACL: Everyone (Full Control)
1. Turn off less-used ports
2. Turn off UDP connections (TCP only)
3. Restrict requests to subnet/IP range
4. Authenticate connections
5. Lower privilege: Service: Manual, running as NetService; turn the feature off if it is not needed
6. Harden ACLs on the data store: from Everyone (Full Control) to Admin (Full Control), Everyone (Read), Service (RW)
Basic Security Concepts
- Reduce Attack Surface
- Defense In Depth
- Least Privilege
- Fail to Secure Mode
Defense In Depth
- Don't count on one line of defense for everything
- What if the attacker penetrates that defense?
- Contain the damage
Example – Nuclear Plants

"Multiple redundant safety systems. Nuclear plants are designed according to a 'defense in depth' philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection." - Nuclear Energy Institute
System Failures can be Bad
Defense in Depth (MS03-007): Windows Server 2003 Unaffected
Microsoft Security Bulletin MS03-007
Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)
Originally posted: March 17, 2003
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Critical
Affected Software: Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP
Not Affected Software: Microsoft Windows Server 2003

Why Windows Server 2003 was unaffected, layer by layer:
1. The underlying DLL (NTDLL.DLL) was not vulnerable: the code was made more conservative during the Security Push.
2. Even if it was vulnerable: IIS 6.0 is not running by default on Windows Server 2003.
3. Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default.
4. Even if it did have WebDAV enabled: the maximum URL length in IIS 6.0 is 16 KB by default (>64 KB was needed for the exploit).
5. Even if the buffer was large enough: the process halts rather than executing malicious code, due to the buffer-overrun detection code (/GS).
6. Even if there was an exploitable buffer overrun: it would have occurred in w3wp.exe, which now runs as Network Service (a low-privilege account).
Basic Security Concepts
- Reduce Attack Surface
- Defense In Depth
- Least Privilege
- Fail to Secure Mode
Least Privilege
- A defense in depth measure
- Code should run with only the permissions it requires
- Attackers can only do whatever the code was already allowed to do
Recommendations:
- Use least privilege accounts
- Use code access security
- Write apps that non-admins can actually use

Fail To Secure Mode

    Function Authenticate(UserID As String, Password As String) As Boolean
        Dim Authenticated As Boolean = True
        Try
            Dim conn As New SqlConnection(connString)
            conn.Open()
            Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …", conn)
            Dim count As Integer
            count = cmd.ExecuteScalar()
            Authenticated = (count = 1)
        Catch ex As Exception
            MessageBox.Show("Error logging in " + ex.Message)
        End Try
        Return Authenticated
    End Function

Danger!! "Dim Authenticated As Boolean = True" assumes success.
In "Catch ex As Exception" the Authenticated flag may still be True here: any failure before the check completes (connection refused, query error) logs the user in. Initialize the flag to False and set it to True only when the check positively succeeds. (Showing ex.Message to the user is a separate problem, covered under error messages below.)
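The slide's Authenticate function rewritten in Python as an added example (not code from the deck), in its fail-open form next to a fail-to-secure form, run against a constructed in-memory SQLite database. The Users(UserID, Password) table, the WHERE clause the slide elides with "…", and the plaintext password comparison are assumptions made to keep the demo self-contained; a real system compares a salted hash.

```python
import logging
import sqlite3

log = logging.getLogger("auth")


def make_db(healthy: bool = True) -> sqlite3.Connection:
    """Constructed test database. healthy=False leaves out the Users table,
    so every query raises: a stand-in for a backend outage."""
    conn = sqlite3.connect(":memory:")
    if healthy:
        conn.execute("CREATE TABLE Users (UserID TEXT, Password TEXT)")
        conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse')")
    return conn


def _matching_rows(conn: sqlite3.Connection, user_id: str, password: str) -> int:
    # The slide elides its WHERE clause with "…"; this one is assumed.
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE UserID = ? AND Password = ?",
        (user_id, password),
    ).fetchone()
    return int(row[0])


def authenticate_fail_open(conn, user_id, password) -> bool:
    """Mirrors the slide: the flag starts True, so any exception leaves it True."""
    authenticated = True  # Danger: assumes success
    try:
        authenticated = _matching_rows(conn, user_id, password) == 1
    except Exception as ex:  # broad catch, as on the slide
        log.error("Error logging in %s", ex)
    return authenticated  # still True if the query never ran


def authenticate_fail_closed(conn, user_id, password) -> bool:
    """Fail to secure mode: deny unless the check positively succeeds."""
    try:
        return _matching_rows(conn, user_id, password) == 1
    except sqlite3.Error:
        # Keep the detail in the server log; the caller only learns "denied".
        log.exception("authentication backend failure for user %r", user_id)
        return False


def run_demo() -> dict:
    """Same inputs through both versions, against a healthy and a broken DB."""
    healthy, broken = make_db(), make_db(healthy=False)
    return {
        "good_creds": authenticate_fail_closed(healthy, "alice", "correct horse"),
        "bad_creds": authenticate_fail_closed(healthy, "alice", "wrong"),
        "fail_open_on_outage": authenticate_fail_open(broken, "mallory", "x"),
        "fail_closed_on_outage": authenticate_fail_closed(broken, "mallory", "x"),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

With a working database both versions behave the same; the difference only shows on the failure path, which is exactly the path an attacker can provoke (fill the connection pool, drop the table, unplug the database). The fail-closed version also catches only sqlite3.Error, so a programming mistake is not silently turned into a login decision.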
Agenda
- Threat Analysis
- Basic Security Concepts
- Security Code Review
- Summary / Q&A
Security Code Review

    Dim sqlString As String = ""
    Dim cmd As SqlCommand
    Try
        Dim conn As SqlConnection = Nothing
        Dim results As New DataSet()
        conn = New SqlConnection("data source=localhost;" _
            + "user id=sa;password=password;" _
            + "Initial Catalog=SqlInjectionDemo")
        conn.Open()
        sqlString = "SELECT HasShipped" _
            + " FROM Shipment WHERE ID='" + ID + "'"
        cmd = New SqlCommand(sqlString, conn)
        Dim adapter As New SqlDataAdapter(cmd)
        adapter.Fill(results)
    Catch se As SqlException
        Dim status As String
        status = sqlString + " failed"
        For Each err As SqlError In se.Errors
            status = status + err.Message
        Next
        MessageBox.Show(status)
    End Try

Findings:
- "user id=sa": never connect as SA
- "password=password": don't embed secrets; unencrypted & weak password
- "WHERE ID='" + ID + "'": don't concatenate arguments (SQL injection)
- "For Each err As SqlError" (and echoing sqlString): don't reveal everything to an attacker
Why not connect as SA?
Violates the principle of least privilege.
Threat: code is subject to an attacker elevating privilege (anything the connection is allowed to do, injected SQL can do).
Mitigation recommendations:
- Defense in depth. Action: run the SQL Server service as Network Service rather than Local System.
- Reduce surface area: eliminate privileges on everything except the required stored procedures. Action: create stored procedures and grant the application account EXECUTE on those only.
- Least privilege: connect to the database as a lesser-privileged user. Action: fix the connection string.
Why not embed secrets?
Violates the principle of avoiding security by obscurity.
Threat: secrets are easily discovered (in source, in config files, in compiled binaries).
Mitigation recommendations:
- Don't store secrets. Tip: use Windows Authentication, so there is no password in the connection string at all.
- Encrypt the secrets you must store:
  - For .NET 1.1 consider Enterprise Library
  - For .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData (DPAPI)
  - For SQL Server 2005 use EncryptByKey / DecryptByKey
Storing Secrets
- Hackers use search engines to locate secrets
- Search engines will find anything you have hidden
(screenshots: search results turning up MySQL data dumps and config files on *nix systems)

Fix Connection String
(screenshot: "Not good" vs "Much Better" connection string)
Never create your own encryption
Why not use easy passwords?
Because they are easily broken by brute force attacks.
Threat: attacker guesses or brute forces the password to access secrets.
Mitigation: enforce a strong password policy.
- Enable password policy enforcement on SQL Server (SQL Server 2005 uses the Windows Server 2003 password policy)
- Defends against brute force and dictionary attacks
(screenshot: Password Policy in the SQL Server 2005 Management Studio tool)
Why not concatenate arguments?
Violates the principle of All Input Is Evil (Until Proven Otherwise).
Threat: code is subject to luring attacks via SQL injection.
Mitigation recommendations:
- Reduce attack surface
- Use parameters with SQL
- Create stored procedures and grant access only to the stored procedure
- Consider table-valued functions in SQL 2005
- Disable unneeded SQL Server features

Using Parameters and Sprocs (demo)

Reduce SQL Surface Area
Disable features you don't need, such as xp_cmdshell. If you don't connect in a sysadmin role, the account used by xp_cmdshell will be the proxy account configured with sp_xp_cmdshell_proxy_account, which may have reduced privilege.
Evil Input Attack - Hotmail
In October 2001 an XSS vulnerability allowed an attacker to steal a user's Microsoft .NET Passport session cookies. The exploit consisted of sending a malicious email containing malformed HTML to a Hotmail user. The script filtering code on Hotmail's site failed to remove the broken HTML, and Internet Explorer's parsing algorithm happily interpreted the malicious code.
Security Fix: Validate Input
- Constrain: look for valid data and reject everything else
  - Set max length (e.g. 5)
  - Use regular expressions to permit only what you want. Integer expression: "^[0-9]{0,5}$"
- Reject: reject things you know are bad
- Sanitize: use SQL parameters; HTMLEncode output

Discussion: White Listing vs Black Listing Input
"Look for valid data and reject everything else"
Black-list SQL example: string.Replace("delete", "")
Input: "deldeleteete"
After the inner "delete" is removed: "delete"
The black list stripped one occurrence and produced exactly the keyword it was meant to remove; a white list such as "^[0-9]{0,5}$" would have rejected the input outright.
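The "Validate Input" rules and the black-list vs white-list discussion, as an added Python example that is not part of the deck. The deck's string.Replace("delete", "") call, its max length of 5 and its "^[0-9]{0,5}$" expression are reproduced; the input strings are constructed for the demo, and the repeated-replace variant and the output-encoding helper are additions to show where each approach ends up.

```python
import html
import re

MAX_LENGTH = 5                              # the deck's "Set Max Length to 5"
INTEGER_RE = re.compile(r"^[0-9]{0,5}$")    # the deck's integer expression


def blacklist_strip(value: str) -> str:
    """The deck's string.Replace("delete", "") approach, one pass."""
    return value.replace("delete", "")


def blacklist_strip_repeatedly(value: str) -> str:
    """Repeating the replace until nothing changes closes the nesting trick,
    but still passes anything not on the list (DROP, UNION, ';', '--', ...)."""
    while True:
        stripped = value.replace("delete", "")
        if stripped == value:
            return stripped
        value = stripped


def validate_id(value: str):
    """White list: constrain length and shape, reject everything else.
    Returns the integer on success and None on rejection (and on empty input,
    which the deck's {0,5} quantifier permits). The explicit length check is
    redundant with {0,5} but is the guard that survives when the regex changes.
    fullmatch is used because '$' by itself also matches before a trailing
    newline, so "123\\n" would otherwise slip through with re.match."""
    if len(value) > MAX_LENGTH or not INTEGER_RE.fullmatch(value):
        return None
    return int(value) if value else None


def encode_for_html(value: str) -> str:
    """HTMLEncode output: whatever reaches the page is rendered as text,
    never as markup (quote=True also escapes the quote characters)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(blacklist_strip("deldeleteete"))              # delete
    print(repr(blacklist_strip_repeatedly("deldeleteete")))  # ''
    print(validate_id("12345"), validate_id("123456"), validate_id("123\n"))
    print(encode_for_html('<script>alert("x")</script>'))
```

The two black-list functions show the shape of the problem: each fix handles the last trick you thought of, while the white list and the output encoding hold regardless of what the attacker sends, because they describe what is allowed rather than what is forbidden.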
demo: SQL Injection - Sanitizing User Input
What the concatenated login query becomes when the user name field contains ' OR 1+1=2; -- :

    SELECT Count(*) FROM Users WHERE UserName = '' OR 1+1=2; -- ' AND Password = ''

Everything after -- is a comment, so the password check never runs.
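The demo's login query run in Python as an added example (not the deck's own demo code), against a constructed in-memory SQLite database: first built by string concatenation as in the reviewed snippet, then with parameters. The Users(UserName, Password) table, its two rows and the plaintext passwords are constructed test data. The payload is the deck's, minus the semicolon, because the Python SQLite binding executes one statement per call and the comment marker is what does the work; a second, narrower payload is added to show how the slide's "exactly one row" check is side-stepped.

```python
import sqlite3

# Constructed sample accounts.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]

# The deck's payload without the semicolon: the closing quote ends the string
# literal and "--" comments out the rest of the WHERE clause.
PAYLOAD_ANY_ROW = "' OR 1+1=2 --"
# Narrower variant for when the application insists on exactly one match.
PAYLOAD_ONE_ROW = "' OR UserName='alice' --"


def make_db(users=SAMPLE_USERS) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", users)
    return conn


def count_concat(conn, username: str, password: str) -> int:
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input ends the literal and whatever follows is parsed as SQL."""
    sql = ("SELECT Count(*) FROM Users WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_param(conn, username: str, password: str) -> int:
    """Fixed: placeholders. The driver passes the values separately; they can
    never change the shape of the statement, only what it compares against."""
    sql = "SELECT Count(*) FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def login(counter, conn, username: str, password: str) -> bool:
    """The slide's check: authenticated when exactly one row matches."""
    return counter(conn, username, password) == 1


if __name__ == "__main__":
    db = make_db()
    for payload in (PAYLOAD_ANY_ROW, PAYLOAD_ONE_ROW):
        print(repr(payload),
              "concat:", login(count_concat, db, payload, ""),
              "param:", login(count_param, db, payload, ""))
```

Against the two-row table the deck's payload returns a count of 2, which the "= 1" check happens to reject; that is luck, not a defense, since the second payload returns exactly one row. The parameterized query returns 0 for both because the whole payload is compared as a user name.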
Discussion: XSS - Sanitizing User Input
Why not reveal all exceptions?
Most users won't understand the details anyway.
Threat: code is subject to information disclosure threats (table and column names, the failing SQL text, the account in use).
Mitigation recommendation: map low-level error messages to meaningful messages for your users, and keep the detail in a server-side log where you can read it.
Never disclose secrets in error messages.

Meaningful Error Messages
(screenshot: a cryptic error dialog and what it really means: "No SmartCard inserted in card reader")

Threat Modeling - Writing Secure Code

  • 1.
    Threat Modelingan introductiontoSecurity Principals and Patterns in Application Architectural DesignCaleb JenkinsSoftware Ninja | Architecthttp://DevelopingUX.com
  • 2.
  • 3.
  • 4.
    or is yourworld more like this?
  • 9.
    AgendaThreat AnalysisBasic SecurityConceptsSecurity Code ReviewSummary / Q&A
  • 10.
    T.J. Maxx theftbelieved largest hack everTJX cos. put number to loss Wednesday, acknowledges it could still go upBy Mark JewellAssociated PressMarch 30, 2007BOSTON - A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.
  • 11.
    T.J. Maxx theftbelieved largest hack everTJX cos. put number to loss Wednesday, acknowledges it could still go upBy Mark JewellAssociated PressMarch 30, 2007Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
  • 12.
    Assets are thethings an attacker wants to take from youThreats are the ways in which the attacker will try to get at your assetsMitigations are the ways you block the attacker from getting the assetsVulnerabilities are unmitigated threatsThreat Models are an assessment of the Assets, Threats, Mitigations and Vulnerabilities of the system you are building or have built
  • 13.
    Assets are morethan money…Reputation & Customer ConfidenceConfidential DataProcessor, Storage, BandwidthAvailabilityPerformance
  • 14.
    Threat AnalysisSecure softwarestarts with understanding the threatsThreats are not vulnerabilitiesThreats live foreverHow will attackers attempt to compromise the system?AssetMitigationThreatVulnerability
  • 15.
    Security User StoriesDescribessomething the bad guy wants to do (a threat)Short and to the point
  • 16.
    Written by theuser in non-technical languageAs an attackerI want to <attack>So that <crime>By <method>
  • 17.
    Security User StoriesAsan attackerI want to obtain credentialsSo that I can plunder bank accountsBy tricking users into logging into my bogus site with a Phishing mail
  • 18.
    Security ObjectivesWhat doyou not want to happen?Confidentiality“I do not want unauthorized users to gain access to confidential information”Integrity“I do not want unauthorized users to tamper with data”Availability“I do not want the system to be unavailable because of an attack”Agree on security objectives up frontHelps to scope and focus your security effortsAgendaThreat AnalysisBasic Security ConceptsSecurity Code ReviewSummary / Q&A
  • 19.
    Basic Security ConceptsReduceAttack SurfaceDefense In DepthLeast PrivilegeFail to Secure Mode
  • 20.
    Attack SurfaceThe “AttackSurface” is the sum of the ways in which an attacker can get at you Smaller Attack Surface is betterAttack SurfaceThe “Attack Surface” is the sum of the ways in which an attacker can get at you Smaller Attack Surface is betterWhich one has the Smaller attack surface?
  • 21.
    Attack SurfaceThe “AttackSurface” is the sum of the ways in which an attacker can get at you Smaller Attack Surface is betterHint: No way to know… what’s on the other side?
  • 22.
    Understand Your AttackSurfaceNetworking protocols that are enabled by defaultNetwork EndpointsCode that auto-starts or will execute when accessedExamples: Services, daemons, ISAPI filters and applications, SOAP services, and Web rootsReusable components ActiveX controls, COM objects, and .NET Framework assemblies, especially those marked with the AllowParticallyTrustedCallersAttribute)Process identities for all the code you runUser accounts installed
  • 23.
  • 24.
    Reducing Attack SurfaceTCP/UDPTCP/UDPTCP/UDPService:Autostart SYSTEM Turn off less-used ports
  • 25.
    Reducing Attack SurfaceTCP/UDPTCPonlyService: Autostart SYSTEM Turn off UDP connections
  • 26.
    Reducing Attack SurfaceTCPonlyService: Autostart SYSTEM Restrict requeststo subnet/IP range
  • 27.
    Reducing Attack SurfaceTCPonlyService: Autostart SYSTEM Authenticate connections
  • 28.
    Reducing Attack SurfaceTCPonlyService: Manual NetServiceLower privilegeTurn feature off
  • 29.
    Reducing Attack SurfaceTCPonlyService: Manual NetServiceEveryone (Full Control)Admin (Full Control)Everyone (Read)Service (RW)Harden ACLs on data store
  • 30.
    Basic Security ConceptsReduceAttack SurfaceDefense In DepthLeast PrivilegeFail to Secure Mode
  • 31.
    Defense In DepthDon’tcount on one line of defense for everythingWhat if the attacker penetrates that defense?Contain the damageExample – Nuclear Plants
  • 33.
    “Multiple redundant safetysystems. Nuclear plants are designed according to a "defense in depth" philosophy that requires redundant, diverse, reliable safety systems. Two or more safety systems perform key functions independently, such that, if one fails, there is always another to back it up, providing continuous protection.- Nuclear Energy Institute“
  • 34.
  • 35.
    Defense in Depth(MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 36.
    The underlying DLL(NTDLL.DLL) not vulnerableCode made more conservative during Security PushDefense in Depth (MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 37.
    The underlying DLL(NTDLL.DLL) not vulnerableCode made more conservative during Security PushIIS 6.0 not running by default on Windows Server 2003Even if it was vulnerableDefense in Depth (MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 38.
    The underlying DLL(NTDLL.DLL) not vulnerableCode made more conservative during Security PushIIS 6.0 not running by default on Windows Server 2003Even if it was vulnerableIIS 6.0 doesn’t have WebDAV enabled by defaultEven if it was runningDefense in Depth (MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 39.
    The underlying DLL(NTDLL.DLL) not vulnerableCode made more conservative during Security PushIIS 6.0 not running by default on Windows Server 2003Even if it was vulnerableIIS 6.0 doesn’t have WebDAV enabled by defaultEven if it was runningMaximum URL length in IIS 6.0 is 16kb by default (>64kb needed) Even if it did have WebDAV enabledDefense in Depth (MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 40.
    The underlying DLL(NTDLL.DLL) not vulnerableEven if the buffer was large enoughCode made more conservative during Security PushProcess halts rather than executes malicious code, due to buffer-overrun detection code (-GS)IIS 6.0 not running by default on Windows Server 2003Even if it was vulnerableIIS 6.0 doesn’t have WebDAV enabled by defaultEven if it was runningMaximum URL length in IIS 6.0 is 16kb by default (>64kb needed) Even if it did have WebDAV enabledDefense in Depth (MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 41.
    The underlying DLL(NTDLL.DLL) not vulnerableEven if the buffer was large enoughCode made more conservative during Security PushProcess halts rather than executes malicious code, due to buffer-overrun detection code (-GS)IIS 6.0 not running by default on Windows Server 2003Even if it was vulnerableIIS 6.0 doesn’t have WebDAV enabled by defaultEven if it was runningMaximum URL length in IIS 6.0 is 16kb by default (>64kb needed) Even if it did have WebDAV enabledEven if it there was an exploitable buffer overrunWould have occurred in w3wp.exe which is now running as ‘network service’Defense in Depth (MS03-007)Windows Server 2003 UnaffectedMicrosoft Security Bulletin MS03-007Unchecked Buffer In Windows Component Could Cause Server Compromise (815021)Originally posted: March 17, 2003 Impact of vulnerability: Run code of attacker's choiceMaximum Severity Rating: CriticalAffected Software: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Not Affected Software:Microsoft Windows Server 2003
  • 42.
    Basic Security ConceptsReduceAttack SurfaceDefense In DepthLeast PrivilegeFail to Secure Mode
  • 43.
    Least PrivilegeA defensein depth measureCode should run with only the permissions it requiresAttackers can only do whatever the code was already allowed to doRecommendationsUse least privilege accounts
  • 44.
  • 45.
    Write Apps thatnon-admins can actually useFail To Secure ModeFunction Authenticate(UserID As String, Password As String)Dim Authenticated As Boolean = True Try Dim conn As New SqlConnection(connString) conn.Open() Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …”) Dim count As Integer count = cmd.ExecuteScalar() Authenticated = (count = 1) Catch ex As Exception MessageBox.Show("Error logging in " + ex.Message) End Try Return AuthenticatedEnd Function
  • 46.
    Fail To SecureModeFunction Authenticate(UserID As String, Password As String)Dim Authenticated As Boolean = True Try Dim conn As New SqlConnection(connString) conn.Open() Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …”) Dim count As Integer count = cmd.ExecuteScalar() Authenticated = (count = 1) Catch ex As Exception MessageBox.Show("Error logging in " + ex.Message) End Try Return AuthenticatedEnd FunctionAuthenticated As Boolean = TrueDanger!!Assumes Success
  • 47.
    Fail To SecureModeFunction Authenticate(UserID As String, Password As String)Dim Authenticated As Boolean = True Try Dim conn As New SqlConnection(connString) conn.Open() Dim cmd As New SqlCommand("SELECT Count(*) FROM Users …”) Dim count As Integer count = cmd.ExecuteScalar() Authenticated = (count = 1) Catch ex As Exception MessageBox.Show("Error logging in " + ex.Message) End Try Return AuthenticatedEnd FunctionAuthenticated As Boolean = TrueDanger!!Assumes SuccessAuthenticated flag may still be true hereCatch ex As Exception
  • 48.
    AgendaThreat AnalysisBasic SecurityConceptsSecurity Code ReviewSummary / Q&A
  • 49.
Security Code Review

    Dim sqlString As String
    Dim cmd As SqlCommand
    Try
        Dim conn As SqlConnection = Nothing
        Dim results As New DataSet()
        conn = New SqlConnection("data source=localhost;" + _
            "user id=sa;password=password;" + _
            "Initial Catalog=SqlInjectionDemo")
        conn.Open()
        sqlString = "SELECT HasShipped" + _
            " FROM Shipment WHERE ID='" + ID + "'"
        cmd = New SqlCommand(sqlString, conn)
        Dim adapter As New SqlDataAdapter(cmd)
        adapter.Fill(results)
    Catch se As SqlException
        Dim status As String
        status = sqlString + " failed"
        For Each err As SqlError In se.Errors
            status = status + err.Message
        Next
        MessageBox.Show(status)
    End Try

  • 50.
Never connect as SA: user id=sa
Don't embed secrets: password=password is an unencrypted, weak password sitting in the source
  • 51.
Don't concatenate arguments: WHERE ID='" + ID + "'" pastes user input straight into the SQL text
  • 52.
Don't reveal everything to an attacker: For Each err As SqlError ... MessageBox.Show(status) echoes the failing statement and every server error message back to whoever sent the input
  • 53.
Why not connect as SA?
  Violates the principle of least privilege
  Threat: code is subject to an attacker elevating privilege
Mitigation recommendation
  Defense in depth. Action: run SQL Server as Network Service rather than Local System
  Reduce surface area: eliminate privileges on everything except the required stored procedures. Action: create stored procedures
  Least privilege: connect to the database as a lesser-privileged user. Action: fix the connection string
  • 54.
Why not embed secrets?
  Violates the principle of avoiding security by obscurity
  Threat: secrets are easily discovered
Mitigation recommendation
  Don't store secrets. Tip: use Windows Authentication, so no password appears in the connection string
  Encrypt the secrets you must keep
    For .NET 1.1 consider Enterprise Library
    For .NET 2.0 use Enterprise Library or System.Security.Cryptography.ProtectedData
    For SQL Server 2005 use EncryptByKey / DecryptByKey
  • 55.
Storing Secrets
  Hackers use search engines to locate secrets
  Search engines will find anything you have hidden
  • 56.
Storing Secrets
  MySQL data dumps
  Config files on *nix systems
  • 57.
  • 58.
Never create your own encryption
  • 59.
  • 60.
  • 61.
Why not use easy passwords?
  Because they are easily broken by brute-force attacks
  Threat: attacker guesses or brute-forces the password to access secrets
Mitigation: enforce a strong password policy
  • 62.
Enable password policy enforcement on SQL Server
  • 63.
Uses the Windows Server 2003 password policy
Defends against brute-force and dictionary attacks
  • 64.
Password Policy (SQL Server 2005 Management Studio tool shown)
  • 65.
Why not concatenate arguments?
  Violates the principle of All Input Is Evil (Until Proven Otherwise)
  Threat: code is subject to luring attacks via SQL injection
Mitigation recommendation
  Reduce attack surface
  • 66.
  • 67.
Create stored procedures and grant access only to the stored procedure
  • 68.
  • 69.
Disable unneeded SQL Server features
Use parameters and sprocs
  • 70.
  • 71.
Reduce SQL Surface Area
  If you don't connect in a sysadmin role, the account used by xp_cmdshell will be the one defined by xp_cmdshell_proxy_account, which may have reduced privilege
  • 72.
Evil Input Attack: Hotmail
In October 2001 an XSS vulnerability allowed an attacker to steal a user's Microsoft .NET Passport session cookies. The exploit consisted of sending a malicious email containing malformed HTML to a Hotmail user. Hotmail's script-filtering code failed to remove the broken HTML, and Internet Explorer's parsing algorithm happily interpreted the malicious code.
  • 73.
Security Fix: Validate Input
  Constrain: look for valid data and reject everything else
  • 74.
  • 75.
Use regular expressions to permit only what you want
  • 76.
  Integer expression: "^[0-9]{0,5}$"
Reject: things you know are bad
Sanitize: use SQL parameters
  • 77.
HTMLEncode output

discussion: white listing vs black listing input
  "Look for valid data and reject everything else"
  SQL example of a blacklist: string.Replace("delete", "")
  • 78.
  Input: "deldeleteete"
  • 79.
  Replace strips the one inner occurrence of "delete" ...
  • 80.
  ... and returns "delete": the blacklist manufactured the very token it was meant to remove. Constrain input to the shape you expect instead of hunting for the words you fear.
  • 81.
demo: SQL Injection, Sanitizing User Input
    SELECT Count(*) FROM Users WHERE UserName = '' OR 1+1=2; -- ' AND Password = ''
The quote closes the user name, OR 1+1=2 makes the WHERE always true, and -- comments out the password check.
  • 82.
  • 83.
  • 84.
Why not reveal all exceptions?
  Most users won't understand the details anyway
  Threat: code is subject to information disclosure threats
Mitigation recommendation
  Map low-level error messages to meaningful messages for your users
  • 85.
Never disclose secrets in error messages
Meaningful error messages: tell the user what the error really means, e.g. "No SmartCard inserted in card reader", not the raw low-level error
  • 86.
  • 87.
  • 88.
Threat Model Checklist
  No design is complete without a threat model!
  • 89.
Capture your work in a threat model document
  • 90.
  • 91.
Track and prioritize vulnerabilities through to mitigation and testing
  • 92.
Take advantage of security guidance: http://msdn.microsoft.com/securityguidance
(diagram: asset, threat, vulnerability)
  • 93.
Architects Must
  Understand security terminology and best practices
  Pay attention to what is happening in the industry
  Instill security thinking throughout the application lifecycle
  Ensure that the team has an up-to-date threat model
  Ensure that the team has operational procedures that will ensure ongoing security
  • 94.
exercise: Use the Threat Analysis & Modeling Tool
  • 95.
  • 96.
  • 97.
  • 98.

Editor's Notes

  • #56 “Search engines will find anything you have hidden” We could say “could, or might find”… but we need to think of this as WILL find anything that we have hidden.