Threat Modeling, once again

re: Threat Modeling, once again

Brian Miller — Fri, 31 Aug 2007 06:23:35 GMT

Threat modeling? Larry, I learned Windows system programming from hacking. Your first threat is that the code is running on a computer. No, I'm not being too paranoid or irrational. All data and code is suspect, including internal data that you think never touches the outside. Is your process secure? How about the one next to it? Did the sysadmin load a Sony CD? How about a CD that I made?

Threats come from outside and inside.

Wanna know real paranoia?

Here's some books in my library:

"The Art of Computer Virus Research and Defense" by Peter Szor

"Silence on the Wire" by Michal Zalewski

"Hacker Disassembling Uncovered" by Kris Kaspersky

"Rootkits : Subverting the Windows Kernel" by Greg Hoglund

"Exploiting Software" by Hoglund and McGraw

p.s. - Good to see you over at the building 86 cafeteria.

re: Threat Modeling, once again

LarryOsterman — Fri, 31 Aug 2007 07:03:07 GMT

Brian, threats don't come from programs, they come from data. I'm not aware of a single exploit that wasn't spread by tainted data (I may be wrong, but I'm pretty sure about that). That's why threat modeling is so important.

I also have Silence on the Wire, it's ok (not great, but ok - i reviewed it couple of years ago). I don't have the others, but they're on my amazon wishlist.

You didn't mention Writing Secure Code and my current "waiting for the compile to finish" book, which is (I think) "Testing for security".

re: Threat Modeling, once again

arun.philip — Fri, 31 Aug 2007 12:27:46 GMT

Looking forward to this. Go, Larry!

Re: Threat Modeling, once again

Derek Noonan — Fri, 31 Aug 2007 14:23:56 GMT

Hello Larry,

What are your opinions on the Microsoft TAM tool? I use it and find it quite good. It allows me to see who, when and where interactions with my application are happening. Also I get genuinely useful information out of it such as data flow diagrams, call flows etc. It's available for download at: http://www.microsoft.com/downloads/details.aspx?familyid=59888078-9daf-4e96-b7d1-944703479451&displaylang=en

Best regards,

Derek

re: Threat Modeling, once again

Triangle — Fri, 31 Aug 2007 15:03:50 GMT

"Your threats come via data, NOT code."

I disagree with this, one should be able to feel secure about running programs on their own computer without worrying what it could do to their settings, system, and files IMO. That any random program can install their own drivers, boot sectors and hooks from any account without having any notifications to the user or any way to stop seems to be something that can't be fixed with any amount of threat modeling. Yes, people are going to download h4xm3.exe from virus.com and run it, and they will enter their password into the escalation dialog and click OK. Forbidding programs to do dangerous things forbids them from doing clever things, yes, but these are the times where there is just as much software trying to do dangerous things for evil as there are for good. And until they are stopped, slashdot will never shut up.

re: Threat Modeling, once again

LarryOsterman — Fri, 31 Aug 2007 16:26:33 GMT

Derek, the old tool's pretty good. I wasn't aware it was available for public download, or I'd have mentioned it, thanks for that info.

Triangle: You're totally right. But no amount of threat modeling or security will stop the user who downloads h4xm3.exe from virus.com. Allowing the user runs h4xm3.exe, it's NOT a security hole. The computer is doing exactly what the user asked it to do.

Threat modeling is a tool for finding security holes. It's not a tool to mitigate malicious programs. Having said that, the threat model for an FTP client or a Web browser might include the fact that it needs to sandbox the file downloaded from the internet (and in fact that's where the "Mark of the Web" came from - the threat models for IE indicated that there was a risk associated with downloading unsigned code from the internet, the mitigation was to add the MotW to all downloaded programs - it's a mild sandbox that IE applies to let the user know that there might be a risk).

Note to self: Make sure you include this point in the wrapup post.

re: Threat Modeling, once again

Massif — Fri, 31 Aug 2007 17:17:45 GMT

You do know "The Sound of Music" was based on a true story don't you?

Granted, I imagine they sang fewer songs, but there was a real Von Trapp family. And a real Maria von Trapp ( http://en.wikipedia.org/wiki/Maria_von_Trapp )

re: Threat Modeling, once again

LarryOsterman — Fri, 31 Aug 2007 17:51:00 GMT

Massif: Of course I know that Maria von Trapp is real (we actually have one of the von Trapp family albums in our music library).

That's why I refered to her as the "fictional" Maria von Trapp. I suspect that the real Maria never used a song like "Do Re Me" to teach Solfage.

Threat Modeling again. Drawing the diagram.

Larry Osterman's WebLog — Fri, 31 Aug 2007 19:31:20 GMT

In my last post , I listed off some of the elements that make up a threat model. Now that we have a common

Threat Modeling again. Drawing the diagram.

Noticias externas — Fri, 31 Aug 2007 19:36:12 GMT

In my last post , I listed off some of the elements that make up a threat model. Now that we have a common

re: Threat Modeling, once again

Kernel von Trapp — Mon, 03 Sep 2007 03:57:35 GMT

Wait until you hear the singing of the fictional Larry Osterman.

STRIDE chart

The Security Development Lifecycle — Wed, 12 Sep 2007 03:05:00 GMT

Adam Shostack here. I've been meaning to talk more about what I actually do, which is help the teams

re: Threat Modeling, once again

Dave — Wed, 12 Sep 2007 22:45:35 GMT

Nice post Larry. Good stuff and fun to read every 18 months ;)

We as an industry are still trying to figure this here threat-modeling thing out, and so it is good to get your perspective.

Threat Modeling Again, Threat Modeling in Practice

Larry Osterman's WebLog — Wed, 19 Sep 2007 01:48:52 GMT

I've been writing a LOT about threat modeling recently but one of the things I haven't talked about is

The Trouble with Threat Modeling

The Security Development Lifecycle — Wed, 26 Sep 2007 22:27:56 GMT

Adam Shostack here. I said recently that I wanted to talk more about what I do. The core of what I do

The Trouble with Threat Modeling

The Security Development Lifecycle — Wed, 26 Sep 2007 22:28:55 GMT

Adam Shostack here. I said recently that I wanted to talk more about what I do. The core of what I do

re: Threat Modeling, once again

pegr — Mon, 01 Oct 2007 19:09:55 GMT

"Threats come from data, not code."

To which I reply, code IS data... Its ALL data!

re: Threat Modeling, once again

LarryOsterman — Mon, 01 Oct 2007 19:15:30 GMT

Code is only data to the OS loader (and the filesystem). Since the loader's the component that turns the data into code, it needs to be fuzzed against malformed data that looks like code.

Some final thoughts on Threat Modeling...

Larry Osterman's WebLog — Mon, 01 Oct 2007 19:54:04 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah,

Some final thoughts on Threat Modeling...

Noticias externas — Mon, 01 Oct 2007 19:55:44 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah

The New Threat Modeling Process

The Security Development Lifecycle — Tue, 02 Oct 2007 04:15:36 GMT

Adam Shostack here, with the second post in my series on the evolved threat modeling process. To summarize,

re: Threat Modeling, once again

Brian Utterback — Tue, 02 Oct 2007 16:30:55 GMT

I know this is a little late but about Maria Von Trapp: When asked about the movie

"The Sound of Music", she replied "It is a very nice story. It is not *my*

story, but it is a very nice story."

ABCs of Threat modeling ...

Noticias externas — Thu, 11 Oct 2007 19:03:39 GMT

Larry Osterman has an interesting series of posts on Threat modeling.. It starts from the basics and