MSDN Magazine - November 2008 - Security Briefs (Page 41)

Michael Howard

Security Briefs

Threat Models Improve Your Security Process

This column proposes a way to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks.

As a setup for this column, you might want to first read Jeremy Dallman's "'Crawling' Toward SDL" post, which can be found on the Security Development Lifecycle (SDL) blog (blogs.msdn.com/sdl/archive/2008/03/06/crawling-toward-sdl.aspx). You will notice that the concepts in this column map very well onto Jeremy's ideas and will allow you to add more structure and precision to your security efforts as you learn to crawl, then walk, and finally run with the SDL.

What I am proposing is using the threat model to help drive other SDL security requirements, primarily code review priority, fuzz testing priority, and attack surface reduction. That's all there is to it. Of course, I need to explain myself, so let's look at each in a little detail. Let me start with threat modeling.

Many MSDN Magazine readers are familiar with the concept of threat modeling. Adam Shostack wrote an excellent article on the subject in the June 2008 issue (msdn.microsoft.com/magazine/cc700352) and offers a glimpse of the future of the threat modeling process in more depth on the SDL blog (blogs.msdn.com/sdl/archive/tags/threat+modeling/default.aspx).

Figure 1 Process Entry Points

Entry Point                                        Network Accessibility   Authentication and Authorization   Process                      Comment
TCP/1234                                           Remote                  Anonymous                          App.exe (SYSTEM)             Main request/response
\\.\pipe\admin                                     Remote                  Admin                              App.exe (SYSTEM)             Administrative named pipe
ncacn_ip_tcp 609b954b-4fb6-11d1-9971-00c04fbbb345  Remote                  Authenticated Users                User.exe (Network Service)   User's account information RPC interface
Config.xml                                         Local                   Admin                              App.exe (SYSTEM)             Application configuration file

Send your questions and comments to briefs@microsoft.com.

Threat Modeling

In my opinion, when people think of security vulnerabilities, most think of implementation bugs. One could argue that the SDL is focused a little too much on implementation bugs, and historically it was because most of the vulnerabilities Microsoft has fixed resulted from implementation bugs. But over the last couple of years we have moved more resources to focus on secure design, in part because the implementation bugs are now more scarce thanks to the SDL.

Threat modeling is a cornerstone of the SDL because it allows a development team to think about secure design in a structured way. The threat modeling process can be effectively simplified into the following tasks:

• Draw a picture of your software's data flows.
• Use the "STRIDE per element" approach to find threats that apply to the design.
• Address each threat.
• Verify that you've modeled enough of the software, considered each threat, and addressed all the threats you discovered.

A core element of a threat model is the delineation of application entry points. The threat model captures entry points as trust boundaries during the "picture-drawing" phase. Examples include networking entry points, file and registry entry points, and so on. A good threat model should also capture the network accessibility and authentication/authorization requirements of the interfaces. This includes network accessibility through IP address (local and remote, local subnet, and local-only access). It also includes authentication and authorization levels: anonymous access, user access, and administrator-only access. In the case of Windows access control lists (ACLs), authorization levels are finer-grained, but there is no need to go too deep (for a deeper discussion of ACLs, check out John Michener's article in this issue at msdn.microsoft.com/magazine/cc982153). Keep it simple.

Another critical piece of data captured by the threat model is process identity. An entry point is simply an interface to a piece of code running in a process, and high-privilege processes are very dangerous if compromised. In Windows, the highest privilege processes are those running as SYSTEM or administrator. In Linux or Mac OS X, processes running as root are the most privileged.

Each app entry point should record the following data:

• Entry point name
• Network accessibility
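As an added example (not the column's own code), here is one way to record the Figure 1 entry points with the accessibility, authorization and process identity the column says a threat model should capture, and to rank them so the most exposed interfaces get code review and fuzzing attention first. The numeric ranks are my assumption for illustration, not a scoring scheme from the column.

```python
from dataclasses import dataclass

# Exposure ranks are an assumption of this example, not a scheme from the
# column: higher means easier to reach (accessibility), easier to invoke
# (authorization) or more damaging if compromised (process identity).
ACCESS_RANK = {"Local": 0, "Local subnet": 1, "Remote": 2}
AUTH_RANK = {"Admin": 0, "Authenticated Users": 1, "Anonymous": 2}
PRIVILEGE_RANK = {"Network Service": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class EntryPoint:
    """One row of the threat model's entry-point table."""
    name: str
    accessibility: str
    auth: str
    process: str
    identity: str
    comment: str

    def exposure(self) -> int:
        """Sum of the three ranks; the ordering key for review and fuzzing."""
        return (ACCESS_RANK[self.accessibility]
                + AUTH_RANK[self.auth]
                + PRIVILEGE_RANK[self.identity])


# The four entry points of Figure 1, transcribed from the column.
FIGURE_1 = [
    EntryPoint("TCP/1234", "Remote", "Anonymous", "App.exe", "SYSTEM",
               "Main request/response"),
    EntryPoint(r"\\.\pipe\admin", "Remote", "Admin", "App.exe", "SYSTEM",
               "Administrative named pipe"),
    EntryPoint("ncacn_ip_tcp 609b954b-4fb6-11d1-9971-00c04fbbb345", "Remote",
               "Authenticated Users", "User.exe", "Network Service",
               "User's account information RPC interface"),
    EntryPoint("Config.xml", "Local", "Admin", "App.exe", "SYSTEM",
               "Application configuration file"),
]


def prioritize(entry_points):
    """Most exposed first; equal scores keep the table's original order."""
    return sorted(entry_points, key=EntryPoint.exposure, reverse=True)


def review_order(entry_points):
    """Names in the order code review and fuzzing effort should be spent."""
    return [e.name for e in prioritize(entry_points)]
```

With these ranks the anonymous, remotely reachable TCP/1234 interface running as SYSTEM sorts first and the admin-only local Config.xml sorts last, which matches the column's argument that reachability, authorization and process privilege together decide where review effort pays off.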