What is Vector Threat Modeling?

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any company. Examples of analysis performed within this article are gathered only through personal experience. Assumptions made within this article are not reflective of the position of any individual or company other than me, of course.

Introduction

Every passing year, software development disrupts more industries. In this commoditized market, cost to the company, application security and time to market are the only bases of competition. Threat modeling is one of many tools in the arsenal that allows a company to gain consistency and clarity. However, the main apprehension surrounding threat modeling is that the community cannot agree on a vocabulary. For example, Microsoft published a threat modeling book and tool, yet there is still divergence between the STRIDE/DREAD camp and security testers on what it means to threat model. In this article we take a look at a practical approach to threat modeling.

Threat modeling, as a whole, is a vaguely defined term; most people would define it as something that helps identify and document security strengths and weaknesses in a software design. But threat modeling is more than that. It is a deep dive into architectural and implementation-level threats. These threats are categorized based on application artifacts, including the software stack threat model, the software architecture document, high-level data models and use cases. Threat modelers should also take other factors into consideration. One such consideration is that a software architecture goes through a number of iterations, whereas the software document and other relevant source material, such as requirements and design diagrams, do not necessarily go through the same cycle. This makes the threat modeler's work harder and in many cases leaves the threat modeling process obsolete. In such a scenario, the threat modeler should hold one-on-one meetings with the software architect to derive continuous and incremental threat modeling, especially with DevOps in mind.

The most cost-effective approach to threat modeling is to perform it in two phases: the application specification phase and the implementation phase. During the specification phase, the application artifacts, the software stack threat model and one-on-one meetings with the software architect are the ideal inputs to the threat modeling process.

Vector Threat Model

The secret ingredient for saving a huge chunk of corporate money without losing direction is to use vector threat modeling during the specification stage. Vector threat modeling creates a baseline model. During this stage, it helps to understand the nitty-gritty of the application while taking other variables such as attack vectors, trust boundaries, asset flow and misuse/abuse cases into consideration. During the iteration phase, the baseline threat model helps the software architect, risk partner and developers find a proper mitigation for every issue found so far.

Neglecting this methodology during the implementation stage would defeat the purpose of creating the threat model. Those issues would instead be captured during the source code analysis or penetration testing phase; by then, not only do the software architect and developers lose credibility, but the company also has to shell out more money to fix the issues.

The vector threat model is built during the application specification phase and is then iteratively refined. The threat model goes through this iterative process by taking into consideration decisions made during the Software Development Life Cycle (SDLC) as well as the software stack security issues pertaining to the application.

Vector threat modeling is built using a four-step process. The technical teams involved in building the baseline are architects, product managers, developers and security experts.

The four steps involved are understanding the application, diagramming the application, threat enumeration and iteration.

Understanding the Application

The first step in building any sort of threat model is to comprehend the application. The application specifications, such as the requirements, architecture and use cases, should be analyzed to identify the various trust levels of the external entities the application supports, the various assets the application stores and the attack surface of the application itself. This step also involves direct communication with the product management, architecture and technology teams.

Trust levels represent the set of rights given to an external entity based on the system’s knowledge about that entity. Where a system’s trust levels correspond to user groups, those groups are based on authentication.

1. What are the user types and roles in this application?

a. The user trust levels should be used to determine high-risk entry points and to prioritize the various aspects of security.

2. How does the application authenticate roles?

Trust levels are particularly relevant in analyzing potential elevation-of-privilege attacks.

Any point where an end user interacts with the application is a potential entry point. To ensure that a threat model is effective, the entry points identified should be granular enough to call out disparate permission levels, but not so granular that they overwhelm the threat modeling process. Initially, security experts should build a threat model based on higher-level entry points and, over time, include a more detailed analysis based on more granular entry points.

Assets are resources that the system must protect from incorrect or unauthorized use. An adversary who obtains access to these assets could cause financial damage to the company.

A few questions relevant to entry points are:

1. Is there any sensitive data stored on the local device?

2. If some sensitive data is stored on the local device, is it encrypted properly?

3. What functionality does the entry point expose?

Security Controls

Security controls constitute an important part of understanding an application from a security viewpoint. The review of security controls should focus on identifying the authentication, authorization, input validation, output encoding, auditability, privacy, confidentiality and non-repudiation controls within the application. For each type of control, a table should be created that catalogs each control, the assets the control is protecting, and remarks where the control is not correctly implemented or is non-compliant with prevailing industry and company policies.

Implementation assumptions are used when some or all of the system is still in the design phase. These assumptions dictate specifics about features of the system that have yet to be implemented, and they must hold for the system to remain secure.

External dependencies that can impact security should also be taken into consideration. External dependencies are assumptions made about the usage or behavior of other components or products; inconsistencies in these assumptions can lead to security weaknesses.

Diagramming the Application

The previous step, “Understanding the Application”, should naturally lead to this step. Here we put what we have learned about the system to use by diagramming the application.

A system architecture diagram should be created depicting the location of assets and controls and how entry and egress points (and backdoors) correlate to those assets. Such a diagram focuses on data as it moves through the system. The diagram should include only components pertinent to the security of the application, and it should also depict trust boundaries and the movement of data across them.

This diagram is used to understand the behavior of the system and the data flow under normal user behavior. The same diagram can then be used to create misuse/abuse cases, tracking how the system will respond when users act maliciously. This becomes the foundation for the next step.

Threat Enumeration

Once the system diagram is created, the next step logically follows. We should ask hard questions about each data flow, each type of access to the system, and how and whether assets can be reached or compromised. This process identifies threats to the system. Once identified, threats should be categorized. As an example, some threats are purely of a tampering nature; others might enable tampering but arise as a result of elevation of privilege.
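The three steps above (understanding the application, diagramming it, enumerating threats) can be made concrete with a small model. The following Python is an added example, not code from the article: it represents trust levels, entry points, assets, security controls and trust-boundary crossings as plain data, catalogs which assets each control protects (the per-control table the Security Controls section asks for), and then asks the enumeration questions of every flow from an entry point to an asset. A flow that crosses a trust boundary with no integrity control is recorded as a tampering threat; an entry point whose trust level is below an asset's required level with no authorization control is recorded as an elevation-of-privilege threat. All system names, trust levels and controls are constructed for illustration.

```python
# Added example (not code from the article): a minimal baseline threat
# model built from the artifacts described above, with a threat
# enumeration pass over it. All names below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TrustLevel:
    name: str
    rank: int  # higher rank means more rights granted by the system


@dataclass(frozen=True)
class Asset:
    name: str
    required: TrustLevel  # minimum trust level allowed to use the asset


@dataclass
class EntryPoint:
    name: str
    trust: TrustLevel               # trust level of the entity using this entry point
    reaches: list                   # assets reachable through this entry point
    crosses_boundary: bool = False  # does the data flow cross a trust boundary?
    controls: set = field(default_factory=set)  # e.g. {"authz", "integrity"}


@dataclass(frozen=True)
class Threat:
    category: str
    entry_point: str
    asset: str
    note: str


def controls_catalog(entry_points):
    """Catalog each control together with the assets it protects."""
    catalog = {}
    for ep in entry_points:
        for control in ep.controls:
            catalog.setdefault(control, set()).update(a.name for a in ep.reaches)
    return catalog


def enumerate_threats(entry_points):
    """For every flow from an entry point to an asset, ask whether the asset
    can be reached by an entity below its required trust level and whether
    the flow can be tampered with on the way."""
    threats = []
    for ep in entry_points:
        for asset in ep.reaches:
            if ep.trust.rank < asset.required.rank and "authz" not in ep.controls:
                threats.append(Threat(
                    "elevation_of_privilege", ep.name, asset.name,
                    f"{ep.trust.name} entity reaches an asset that requires "
                    f"{asset.required.name} and no authorization control is cataloged"))
            if ep.crosses_boundary and "integrity" not in ep.controls:
                threats.append(Threat(
                    "tampering", ep.name, asset.name,
                    "flow crosses a trust boundary without an integrity control"))
    return threats


# Constructed sample system: three trust levels, two assets, four entry points.
ANONYMOUS = TrustLevel("anonymous", 0)
USER = TrustLevel("user", 1)
ADMIN = TrustLevel("admin", 2)

ORDER_HISTORY = Asset("order history", USER)
AUDIT_LOG = Asset("audit log", ADMIN)

SAMPLE_ENTRY_POINTS = [
    EntryPoint("public search API", ANONYMOUS, reaches=[]),
    EntryPoint("order history endpoint", USER, reaches=[ORDER_HISTORY],
               crosses_boundary=True, controls={"authz"}),
    EntryPoint("admin report export", USER, reaches=[AUDIT_LOG]),
    EntryPoint("support console", ANONYMOUS, reaches=[ORDER_HISTORY],
               crosses_boundary=True, controls={"authz", "integrity"}),
]

SAMPLE_THREATS = enumerate_threats(SAMPLE_ENTRY_POINTS)

if __name__ == "__main__":
    for control, assets in controls_catalog(SAMPLE_ENTRY_POINTS).items():
        print(f"control {control!r} protects {sorted(assets)}")
    for t in SAMPLE_THREATS:
        print(f"[{t.category}] {t.entry_point} -> {t.asset}: {t.note}")
```

On the sample, the order history endpoint is flagged for tampering (it crosses a trust boundary with only an authorization control) and the admin report export is flagged for elevation of privilege (a user-level entry point reaches an admin-level asset with no authorization control); the support console, which carries both controls, produces nothing. Because the model is plain data, the Iterate step becomes a matter of updating the lists as components are specified and re-running the enumeration.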

Iterate

Any threat model should be a living document. It should be refined as more components of the system are fully specified or as more design and technology decisions are made. This is also a good time to revisit the assumptions to ensure that the assumption set is kept up to date with the new information.

The base-level threat model is then refined by considering Android framework security as part of the threat model. Like any other framework, Android has its strengths and weaknesses when it comes to security. There are best practices for the use of Android, and there are some techniques that need to be avoided at all costs.

To include the Android framework as part of the threat model, we need a high-level understanding of Android security. Android provides two levels of security:

1. System-level security

2. IPC (inter-process communication) between components

System-level security addresses how Android sandboxes applications (each in a separate ART instance) and how each application runs as its own process, with its own process ID, under a separate user ID context.

IPC security primarily deals with application components, the messaging between application components and the permissions required for such communication. To understand Android framework security and its impact on the application threat model, the following security considerations must be evaluated:

1. How many components (Activities, Services, Receivers, and Providers) are globally accessible?

a. In Android, a component declared with an intent filter is, by default, globally accessible. It can be accessed by any application.

b. We need to evaluate all globally accessible components to ensure that the set is kept to the required minimum.

2. How does an application protect its components from malicious applications (or components)?

a. It is always a good idea to protect components that do not require global access by the use of permissions.

3. Does the application use permissions that it does not need? This is a common problem in Android applications, where a number of permissions are requested but not used. Almost one-third of Android applications today are over-privileged.

4. Does the application define its own permissions?

a. If yes, are these permissions defined with the correct protection levels? Protection levels of dangerous, signature and signatureOrSystem are acceptable; a protection level of normal is not recommended.

b. Are new permissions defined with a reasonable description, since that is the only way for users to determine whether they should grant an application such permissions?

5. How are components handling mangled (e.g. null reference) Intent data?

a. Is there a chance of a component not handling mangled data correctly and thereby causing a denial of service?

b. Code review is required to assess this issue.

6. Are the broadcast receivers protected from forged messages?

a. Broadcast receivers should always be protected by additional permissions. If not, these components will receive any message for which they are registered from any process.

7. Is there any sensitive data encapsulated by Intents? If yes, how is such data protected?

a. Intents leak information, since Intents (which encapsulate data and a call) flow over Android’s middleware IPC channel. A malicious application or component can listen for Intents and capture sensitive data. In addition, Intents are also logged in the Android logs, which can be viewed with a tool such as logcat.

8. Is there an opportunity for Intent injection where some user data is used to create Intent data?

a. If user data is used to generate Intent data, we need to ensure that injection attacks or other harm cannot be done to the application.

9. What type of data is leaking in the Android logs (usually viewed by logcat command)?

10. Is the application using any PendingIntent objects?

a. PendingIntents are encapsulated Android Activities that can be delegated to and launched by another application. Care must be taken to ensure that the delegated application is a safe one.
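Questions 1, 2, 4 and 6 above can be checked mechanically from the application manifest, and that is the kind of check a threat modeler would want to run on every iteration. The following Python script is an added example, not code from the article: it parses a constructed AndroidManifest.xml, lists the globally accessible components, flags exported components and broadcast receivers that carry no permission guard, flags custom permissions declared at protection level normal (and components guarded only by such a permission), and notes custom permissions without a description. The export rule encoded in is_exported() is the implicit one the article describes: an intent filter makes a component accessible to any application unless android:exported="false" is set. Apps targeting Android 12 (API level 31) or later must declare android:exported explicitly on any component with an intent filter, so on a modern manifest the explicit attribute settles the question and the implicit branch is reached only for older targets. The manifest, package name and component names are constructed for illustration.

```python
# Added example (not code from the article): an audit of an Android manifest
# against questions 1, 2, 4 and 6 of the IPC security considerations. The
# manifest is a constructed sample; only the standard library is used.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest with one deliberately weak custom permission,
# one unguarded exported receiver and one correctly guarded receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.threatmodel">
    <permission android:name="com.example.threatmodel.SYNC"
        android:protectionLevel="normal"
        android:description="@string/sync_desc"/>
    <permission android:name="com.example.threatmodel.ADMIN"
        android:protectionLevel="signature"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"
            android:permission="com.example.threatmodel.SYNC"/>
        <receiver android:name=".OrderReceiver">
            <intent-filter>
                <action android:name="com.example.threatmodel.ORDER_PLACED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver"
            android:permission="com.example.threatmodel.ADMIN">
            <intent-filter>
                <action android:name="com.example.threatmodel.ADMIN_CMD"/>
            </intent-filter>
        </receiver>
        <provider android:name=".DataProvider"
            android:authorities="com.example.threatmodel.data"
            android:exported="false"/>
    </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent filter implies export."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def _components(root):
    application = root.find("application")
    return [c for c in application if c.tag in COMPONENT_TAGS]


def exported_components(xml_text):
    """Question 1: which components are globally accessible?"""
    root = ET.fromstring(xml_text)
    return [_attr(c, "name") for c in _components(root) if is_exported(c)]


def audit_manifest(xml_text):
    """Return (finding, subject, detail) tuples for questions 1, 2, 4 and 6."""
    root = ET.fromstring(xml_text)
    findings = []
    normal_level = set()
    # Question 4: custom permissions, their protection levels and descriptions.
    for perm in root.findall("permission"):
        name = _attr(perm, "name")
        level = _attr(perm, "protectionLevel") or "normal"  # Android's default level
        if level == "normal":
            normal_level.add(name)
            findings.append(("weak_permission_level", name, level))
        if _attr(perm, "description") is None:
            findings.append(("permission_without_description", name, ""))
    # Questions 1, 2 and 6: every exported component and what guards it.
    for comp in _components(root):
        if not is_exported(comp):
            continue
        name = _attr(comp, "name")
        guard = _attr(comp, "permission")
        if guard is None:
            kind = "unprotected_receiver" if comp.tag == "receiver" else "exported_without_permission"
            findings.append((kind, name, comp.tag))
        elif guard in normal_level:
            findings.append(("guarded_by_normal_permission", name, guard))
    return findings


if __name__ == "__main__":
    print("exported:", exported_components(SAMPLE_MANIFEST))
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

The launcher activity appears among the exported components and in the findings because it genuinely is exported without a permission; that is expected for a launcher, and question 1b is precisely the review that confirms each such entry is required. The SYNC permission is reported twice: once for its normal protection level and once more because SyncService relies on it as its only guard. Question 3 (unused permissions) cannot be answered from the manifest alone, since it requires comparing the uses-permission entries against the permissions the code actually exercises.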

Software development is winning not only by virtue of technological sophistication but primarily by the strength of its application ecosystems. These ecosystems comprise thousands of application developers, software architects, security experts and content providers. If one tier in the ecosystem fails, it takes down the whole pyramid. Hence the purpose of, and the steps to achieve, each milestone must be very clear and avoid ambiguity as much as possible.

Creating a generic threat model for different software designs can be challenging. In the past, many security experts have tried their hand at creating generic threat model tools like Microsoft TAM, and they have failed. The takeaway from their experience is that you cannot create the same threat model for two applications with different functionality.

The vector threat modeling methodology for mobile applications advocates creating a baseline threat model a) during the application specification phase, b) refining this baseline threat model iteratively during the application SDLC, and c) adding platform-specific security threats to this threat model.
