周旺暾, Application Development Technical Manager, Developer Tools and Platform Evangelism Division, Microsoft Taiwan

Trustworthy Computing: Security Development Lifecycle. 周旺暾, Application Development Technical Manager, Developer Tools and Platform Evangelism Division, Microsoft Taiwan.
[As of Dec 2005] The ACE Team has been investigating threat models for over 3 years and has enforced the creation and assimilation of threat models as part of SDL-IT for 1½ years now. Over this time we have learnt a great deal and we are using this feedback to evolve our methodology. This is our second iteration of the threat modeling methodology, focused on typical enterprise IT (LOB) applications. © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

知彼知己,百戰不殆; 不知彼而知己,一勝一負; 不知彼,不知己,每戰必殆。 (Sun Tzu, The Art of War, chapter 3, "Attack by Stratagem") If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. – Sun Tzu, The Art of War
Although a bit of a cliché, this quote from Sun Tzu nicely emphasizes the need for threat modeling: we need a formal, consistent and objective way of "understanding" ourselves and our assets before we can move ahead and build a security strategy to guard against our adversaries.

A simpler example: an ambush. (Diagram: Point Alpha and Point Bravo.) While on a simple mission, moving from Point Alpha to Point Bravo, you are ambushed. What do you do? 1) Run away in the direction you are currently traveling? 2) Run away from the ambush? 3) Run into the ambush and fight through it?

A simpler example: an ambush. What would you do? Take cover where you are and prepare to return fire? Speed up in your original direction of travel? Evade pursuit and leave the scene as fast as possible? Attack the ambushing position directly?

Be prepared to respond correctly. How do you get front-line staff to respond correctly under extreme stress? First understand the forms the threat takes (ambush, artillery, chemical and biological attack). Drill the correct response to each repeatedly, until it can be executed on instinct. Continuously assess when each threat is likely to be launched. Act consistently and with discipline: the whole unit knows what to do, and the whole unit responds correctly and immediately.

Threat Modeling. Understand what threats exist against your system: what bad things could happen that would stop the system from working as intended. Understand how those threats come about. Understand what response to take. Drill the responses repeatedly and verify the results, so that everyone can respond correctly and promptly.

Application security. Penetration testing: play the adversary and try to break into the system. Security code review (SCR): inspect the code for security flaws. Security design review (SDR): inspect the software architecture for security flaws. What exactly are we looking for?
Pen testing, SCR and SDR are the majority of the software application security services we currently employ to help ensure the security of our systems. But what are we looking for? Are we looking for threats? Weaknesses? Vulnerabilities? Attacks?

Threats, attacks, vulnerabilities and countermeasures. (Diagram: a threat is realized through an attack; an attack exploits a vulnerability; a countermeasure prevents it. Threat: what bad thing could happen. Attack: how it happens, the symptom. Vulnerability: why it happens, the cause. Countermeasure: how to prevent it, the fix.)
We will use nice, easy-to-understand definitions, but the formal definitions are: A threat is an undesired event that will have a negative impact on one or more specified business objectives. It can be either an intentional or an unintentional potential occurrence, and it may or may not be malicious in nature. An attack is an action taken that utilizes one or more vulnerabilities to realize a threat; this could be someone following through on a threat or exploiting a vulnerability. A vulnerability is a weakness in some aspect or feature of a system that makes an attack possible; vulnerabilities can exist at the network, host or application level and include operational practices. A countermeasure addresses a vulnerability to reduce the probability of attacks or the impact of threats. Countermeasures do not directly address threats; instead, they address the realization factors that define the threats. They range from improving application design or code to improving an operational practice.

If you cannot clearly describe the negative business impact, it is not a threat!
This is a critical property of a threat in our definition. If a "threat" does not have this property, it cannot be considered a threat.

The attacker's perspective. Most application security work today is done from the attacker's point of view: penetration testing, security code review, security design review. These look for weaknesses that can be exploited in an attack, and treat vulnerability and attack as a simple one-to-one pairing.
These services that we commonly employ take the adversarial perspective. We're looking for vulnerabilities… We need to understand our assets first (recall Sun Tzu's quote).

The defender's perspective. From the attacker's perspective it is hard to fully understand what the threats are. Before we start work, we need to be clear about the possible threats. We need a security strategy, integrated into the SDLC.

ACE Threat Modeling. The thesis of threat modeling: no one can build a truly secure system without understanding how the threats exist. Why threat model? To identify the threats and to build a security strategy. ACE Threat Modeling provides application risk management throughout the SDLC!
One cannot begin to build a defense until one understands what it is that is being defended. ACE Threat Modeling provides application risk management by providing a way to develop, maintain and test a security strategy through the SDLC. Beyond the SDLC, a TM repository is used to maintain all the threat models. This repository is used to provide a justifiable risk response to newly discovered attacks and vulnerabilities in the very dynamic and evolving landscape of application security.

What is ACE Threat Modeling? A threat modeling methodology aimed mainly at enterprise IT (LOB) applications. Goals: provide a consistent method for identifying and evaluating the threats in an application; translate technical risk into business impact; get business owners to manage the risk; build shared understanding of security dependencies and assumptions within the team; and make threat modeling something that not only security experts can do. [More information in the methodology document.]

Benefits of ACE Threat Modeling. For the development team: translates technical risk into business impact; provides a security strategy; prioritizes security features; shows the value of each countermeasure. For the security team: more focused security assessments; translates vulnerabilities into business impact; raises security awareness; bridges the development and security teams.

Splitting the threat. (Diagram: application context → threat → attack → vulnerability → countermeasure. The application context and the threats are the development team's expertise; the attacks, vulnerabilities and countermeasures are the security team's expertise.)
Threat modeling begins with the identification of threats, from which we derive attacks, vulnerabilities and countermeasures. But the threats don't come out of thin air: they are the by-product of your application context. With this structure, one of the things ACE has learned from ACE Threat Modeling v1.0 is that there is a clear separation between what the application teams are good at identifying and what the security teams are good at identifying. With our ACE Threat Modeling v2.0 methodology, we are acknowledging this divide and building a methodology that takes it into account.

Decomposing the application context: roles, data and components.
Building an application context is analogous to building a Lego toy. But in our Lego toy we define our own pieces, so here we define the kinds of pieces we will be using to build our toy (the application context).

Basic rules of the application context. Roles interact with components through defined actions. Components interact with other components through defined actions. Data is stored inside components. Components perform CRUD operations (create, read, update, delete) on data. Data moves between two interacting components. Data moves between a role and a component as they interact.
We can take our decomposed pieces and join them together (putting the Lego pieces together) in accordance with these rules to build our application context. We have a formal, structured approach for this in our methodology and tool, but that discussion is beyond the scope of this presentation.

Generating threats. The application context defines the permitted actions, according to the rules above. Systematically making a permitted action fail yields a threat: automatic threat generation.
From the application context we simply go through each functionality or action defined and systematically corrupt it to produce a threat. How we do this is again beyond the scope of this presentation.

Common attacks: Password Brute Force, Buffer Overflow, Canonicalization, Cross-Site Scripting, Cryptanalysis Attack, Denial of Service, Forceful Browsing, Format-String Attacks, HTTP Replay Attacks, Integer Overflows, LDAP Injection, Man-in-the-Middle, Network Eavesdropping, One-Click/Session Riding/CSRF, Repudiation Attack, Response Splitting, Server-Side Code Injection, Session Hijacking, SQL Injection, XML Injection.
This is a common list of the attacks we deal with in software systems. So now the question is: how do we identify the threats underneath each attack?

Attack library. Collects known attack patterns and defines the basic relationships between symptom (attack), cause (vulnerability) and fix (countermeasure). Example entry, SQL Injection. Vulnerabilities: use of dynamic SQL; ineffective or lacking input validation. Countermeasures: perform white-list input validation; use stored procedures with no dynamic SQL; use parameterized SQL statements.
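The SQL Injection entry above, written out as code. This is an added example, not code from the slides or from the ACE team: the cause (dynamic SQL built by string concatenation) sits beside two of the listed fixes (parameterized statements, and white-list validation for the one place a parameter cannot be bound, a column name). The table, the cardholder rows and the payloads are constructed for the example and use Python's built-in sqlite3 in memory; no real card data is involved.

```python
"""Added example: SQL Injection as cause and fix, using an in-memory SQLite
database with constructed data (not the slides' code)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three cardholders, one card each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT, expiry TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [("alice", "4111111111111111", "2027-01"),
         ("bob", "5500000000000004", "2026-06"),
         ("carol", "340000000000009", "2028-03")],
    )
    conn.commit()
    return conn


def lookup_dynamic_sql(conn: sqlite3.Connection, holder: str) -> list:
    """VULNERABLE (cause: use of dynamic SQL). The caller-supplied value is
    spliced into the statement text, so quotes in it become SQL syntax.
    Payload "' OR '1'='1" turns the WHERE clause into a tautology and leaks
    every card number: a confidentiality threat realized."""
    sql = "SELECT holder, pan FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, holder: str) -> list:
    """FIXED (countermeasure: parameterized SQL). The value is bound by the
    driver and is never parsed as SQL, so the same payload matches nothing."""
    return conn.execute(
        "SELECT holder, pan FROM cards WHERE holder = ?", (holder,)
    ).fetchall()


def update_expiry_dynamic(conn: sqlite3.Connection, holder: str, expiry: str) -> int:
    """VULNERABLE write path: an injected tautology in `holder` rewrites the
    expiry of every row (an integrity threat). Returns rows changed."""
    sql = ("UPDATE cards SET expiry = '" + expiry + "' "
           "WHERE holder = '" + holder + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_expiry_parameterized(conn: sqlite3.Connection, holder: str, expiry: str) -> int:
    """FIXED write path: both values bound as parameters. Returns rows changed."""
    cur = conn.execute(
        "UPDATE cards SET expiry = ? WHERE holder = ?", (expiry, holder)
    )
    conn.commit()
    return cur.rowcount


# Identifiers (table and column names) cannot be bound as parameters, so the
# only safe way to let a caller choose the sort column is a white-list.
ALLOWED_SORT_COLUMNS = frozenset({"holder", "expiry"})


def list_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Countermeasure: white-list input validation where parameters do not apply."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort column: {sort_by!r}")
    return conn.execute(f"SELECT holder FROM cards ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("dynamic SQL leaks:", lookup_dynamic_sql(db, payload))
    print("parameterized returns:", lookup_parameterized(db, payload))
    print("rows rewritten by injected update:",
          update_expiry_dynamic(db, "alice" + payload, "1999-12"))
```

The point the attack library makes is visible in the two write functions: the threat (compromised integrity of card data) does not change, but the fix is a one-line change in how the statement is built, and the white-list is needed exactly where parameters stop helping.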

Loose coupling between threats and attacks. (Diagram: on the development team's side, the threat "Compromised integrity of credit card numbers"; on the security team's side, the attack-library entry SQL Injection with its vulnerabilities (use of dynamic SQL; ineffective or lacking input validation) and countermeasures (perform white-list input validation; use stored procedures with no dynamic SQL; use parameterized SQL statements). The threat is coupled to the entry, not merged with it.)
In our methodology we let the application teams define the application context and then use our Automatic Threat Generation approach to define the threats. This is something the application teams can do. With our attack library (created by the security teams), the application teams, through the ACE Threat Modeling v2.0 methodology, have a way to LOOSELY COUPLE the threats with attacks. It is important to stress that this coupling is loose, because although the threats to the business will rarely change, the attacks, vulnerabilities and countermeasures (the Attack Library) will evolve and change. Because of this loose coupling, we can keep our security strategy up to date by using the most up-to-date Attack Library.
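A small working model of the three preceding slides (the application-context rules, automatic threat generation, and loose coupling to an attack library), added here as an example; it is not code from the presentation or from the Threat Analysis & Modeling tool, whose actual generation algorithm the slides say is out of scope. The corruption scheme (each permitted action is negated two ways: performed by someone not permitted, and denied to the one who is) and the tagging of library entries with the security property they compromise are this example's own assumptions. The shop scenario, the impact descriptions and the Denial of Service entry's cause and fix are constructed; the SQL Injection entry copies the slide.

```python
"""Added example: application context -> generated threats -> loose coupling
to an attack library.  Scheme and sample data are assumptions, not ACE's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """A permitted interaction under the context rules: an actor (role or
    component) performs a CRUD operation on data stored in a component."""
    actor: str
    operation: str      # "create", "read", "update" or "delete"
    data: str
    component: str


@dataclass(frozen=True)
class Threat:
    statement: str
    security_property: str   # "confidentiality", "integrity" or "availability"
    data: str
    business_impact: str     # a threat without a described impact is not a threat


@dataclass(frozen=True)
class AttackEntry:
    """One attack-library entry: symptom, cause(s), fix(es), plus the
    properties it can compromise (assumed tagging used for coupling)."""
    name: str
    vulnerabilities: tuple
    countermeasures: tuple
    compromises: frozenset


def generate_threats(actions, impacts) -> list:
    """Automatic threat generation: corrupt every permitted action into the
    things that must not happen.  `impacts` maps data to its business impact;
    data with no described impact cannot yield a threat, so it is an error."""
    threats = set()
    for a in actions:
        if a.data not in impacts:
            raise ValueError(f"no business impact described for {a.data!r}")
        impact = impacts[a.data]
        # Corruption 1: someone other than the permitted actor performs it.
        prop = "confidentiality" if a.operation == "read" else "integrity"
        threats.add(Threat(
            f"Compromised {prop} of {a.data}: unauthorized {a.operation} "
            f"in {a.component}", prop, a.data, impact))
        # Corruption 2: the permitted actor is prevented from performing it.
        threats.add(Threat(
            f"{a.actor} cannot {a.operation} {a.data} in {a.component}",
            "availability", a.data, impact))
    return sorted(threats, key=lambda t: t.statement)


def couple(threats, library) -> dict:
    """Loose coupling: match each threat to the library entries that can
    compromise its property.  Swapping the library never alters the threats."""
    return {t: tuple(e for e in library if t.security_property in e.compromises)
            for t in threats}


def countermeasures_for(threat, library) -> list:
    """What the development team sees: the threat and its fixes, with the
    attacks and vulnerabilities kept in the background."""
    fixes = []
    for entry in couple([threat], library)[threat]:
        for fix in entry.countermeasures:
            if fix not in fixes:
                fixes.append(fix)
    return fixes


# Constructed application context for an online shop (names are made up).
ACTIONS = (
    Action("Customer", "create", "credit card numbers", "Order Service"),
    Action("Order Service", "read", "credit card numbers", "Payment DB"),
    Action("Support Agent", "read", "order history", "Order Service"),
)
IMPACTS = {  # constructed business-impact statements
    "credit card numbers": "card fraud, PCI fines, loss of customer trust",
    "order history": "customer privacy breach",
}
SQL_INJECTION = AttackEntry(        # entry as given on the slide
    "SQL Injection",
    ("Use of dynamic SQL", "Ineffective or lacking input validation"),
    ("Perform white-list input validation",
     "Use stored procedures with no dynamic SQL",
     "Use parameterized SQL statements"),
    frozenset({"confidentiality", "integrity"}))
DENIAL_OF_SERVICE = AttackEntry(    # cause and fix constructed for the example
    "Denial of Service", ("Unbounded resource consumption",),
    ("Apply rate limits and resource quotas",), frozenset({"availability"}))
LIBRARY_V1 = (SQL_INJECTION,)
LIBRARY_V2 = (SQL_INJECTION, DENIAL_OF_SERVICE)   # the library evolves; threats do not
```

Running `generate_threats(ACTIONS, IMPACTS)` yields six threats, one of which reads "Compromised integrity of credit card numbers: unauthorized create in Order Service", the slide's example. Coupling that list to LIBRARY_V1 gives the availability threats no attacks at all; re-coupling the same, unchanged list to LIBRARY_V2 attaches Denial of Service and its fix. That is the loose coupling the slide describes: the security team updates the library, the development team's threats stay put, and the countermeasure list refreshes.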

Transparency of the attack library. (Diagram: application context → threat → countermeasure in the foreground; attack and vulnerability in the background.)
Another way to look at the previous slide is that with our current methodology we are shifting the attacks and vulnerabilities into the background and bringing the countermeasures to the foreground. This gives the application teams actionable items, because they need not concern themselves with the attacks and vulnerabilities (the how and the why); they simply care about the threat and the fix for the threat. This doesn't mean we are "mitigating a threat"… we are simply making the details of the structure transparent to the non-security subject matter expert.

Threat modeling and the security expert. Security experts build the attack library, which is verifiable and repeatable. Security experts contribute to threat modeling by checking that the threat model matches the application specification, by filling knowledge gaps in the threat model (for example a new 0-day attack that is not yet in the attack library), and by carrying out any possible optimizations.
This slide outlines how a security SME is involved in the threat modeling process. It is important to stress that threat modeling is not dependent on the security SME… the security SME simply validates the threat model.

ACE Threat Modeling in the SDLC. (Diagram.) SDLC phases: Envision, Design, Develop/Purchase, Test, Release/Sustainment. Security activities along the lifecycle: Application Entry/Risk Assessment, Threat Model/Design Review, Internal Review, Pre-Production Assessment, Post-Production Assessment. Threat model lifecycle: Creation, Assimilation, Signoff, then an Evolutionary Process that continues after release.

Microsoft Threat Analysis & Modeling v2.0. A tool that helps create and manage threat models: automatic threat generation; automatic threat coupling; provides a security strategy; manages threat models for analysis; incremental rollout of security management (new attacks, vulnerabilities and countermeasures). http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/ *Forthcoming feature

Microsoft Threat Analysis & Modeling v2.0. Analysis: data access control matrix, component access control matrix, subject-object matrix, component attribute matrix. Visualization: call/data/trust flow, attack surface, threat trees. Reports: risk owner report; design, development, test and operations team reports; comprehensive report.
Visualizations are all exportable to Visio format, although they need to be tweaked in the current BETA release. Only the comprehensive report is available in the current BETA release.

Summary. A method built on years of accumulated experience. Minimal impact on the existing development process. Consistent and objective. The best way to integrate development and systems management. Does not require a security expert. Builds on collected, known data.
