Software Development : Security : Threat Models

From bitrary
Jump to: navigation, search

Software Development : Security


Attack Trees

In a role of an attacker think of an attack goal, place it as a tree root and construct an Attack Tree(archival copy) that has leaves as the first action of the attack. Each path from a leaf to the root forms one version of the whole attack operation. In reality in stead of an attack tree there might be an attack graph that has loops in it.

Graph of Failures

Unlike the attack trees the graph of failures can also include loops and events that are not caused by the adversaries. In addition to possible attacks the graph of failures tries to cover event sequences, where a random event that is not caused by any adversarial activity, something that might be a technical flaw, gives adversaries a fine opportunity for attack. The graph of failures can also be used for cases, where there are no adversaries at all, for example, civil aviation accident investigations and the construction of specifications for reliable systems. If the developers of the Titanic had ... (please connect the dots).

Types of Attacks and Their Countermeasures

Denial of Service (DoS)

That can be mitigated by limiting CPU-load and RAM consumption by servicing only N requests per time unit and by choosing the channels and time windows that are being listened to according to some secret key.

Crash or Malware execution due to Malformed data

It's not necessarily a special case of Denial of Service attack, because it can happen due to software flaws, without anybody attacking the system. It can not be totally avoided, but that type of crashes can be expected and any internal data format check that fails must throw an exception and crash the process. That type of crashes should be recoverable by automatically restarting the application and by making sure that the data in database is not left to some unrecoverable, wrongly interpretable, state. Software should be able to detect that it has received or is about to read in malformed data, including malformed files like JPEG, BMP, etc. That feedback allows attackers to find out, what kind of data is malformed, but if the "security by obscurity" is not used, then it does not matter that the attackers know, how to construct data that temporarily crashes the system.

A sample case is, where a field of a file says that an array at the file has N elements, but in reality the number of elements differs from N. Wrong pointers in data files are another example case. A countermeasure to that type of flaws/attacks is to run a file format verifier before starting to process the data at that file. Code that is expected to parse the file must be hardened by making it cope with flawed files.

Revealing Secret Data

That must never happen and it is possible to increase the probability to near-absolute certainty that it does not happen. One design pattern might be that the secret data is held by an agent that does not do the communication to the internet directly. If the communication gateway agent crashes or gets compromised, then the communication gateway agent instance can be deleted, replaced with a new, clean, yet un-compromised instance, that might be compromised the same way, but the malware that got attached to the previous, compromised, agent, gets deleted with the previous agent and some parameters of the new agent instance might be changed to probabilistically impose some extra work to the attacking party.

Identity theft is a special form of breach of secrecy, where access is gained to secret data that is used for authentication.

Timing of key-presses can probabilistically reveal the keys that were pressed

(archival_copy, archive_org_copy)

It takes some time for a finger to move from one key to another and the normalized timing of each ordered key-pair can have an average value for a given person. It's like determining letters from Morse code, except that the analysis is more complex.

Modification, Including Destruction, of Resources (data, hardware, connections, etc.)

Countermeasures are the same as with the "Revealing Secret Data", but there are additional countermeasures in the form of backups and modification logs. If all modifications are kept in a revision control system like Subversion, Git, etc. then it might be possible to restore some of the data.

Spreading of malware, including the cases, where the damaging of the relay is avoided, is a special form of resource modification.

Malware Packaging Methods


Malware can be placed in steganographic form into an image or a video or a sound file that is hosted at some file sharing service, possibly a service that is usually trusted by the "general public". The image/video/sound file itself is harmless, nothing bad will happen if it is played/displayed by an ordinary player or a web browser, but a payload downloader that for some reason has been able to get to the victim machine and start running downloads the image and extracts the malware from it and executes it.