As demonstrated in the combination lock example in Chapter 1, it is important to really understand how something works to identify potential security issues. Threat modeling is a process that can be used to outline how a piece of software works, what the software interacts with, and how data enters and leaves the software or part of the software and to enumerate potential security threats. In the lock example, we discussed how it might not be easy to spot the potential threats. How many people would quickly think of inserting a small piece of metal between the lock and the shackle? Not many. In this chapter and the next chapter, we discuss how to better understand a piece of software, including how attackers can send data to it and where that data is used. This data could potentially be used to control the application in ways unwanted by the software creators.
Software threat modeling is a process that has evolved quite a bit over the last few years. Microsoft Press published an entire book written by Frank Swiderski and Window Snyder titled Threat Modeling on the subject. The second edition of Michael Howard and David Leblanc’s Writing Secure Code (Microsoft Press) and Michael Howard and Steve Lipner’s The Security Development Lifecycle (Microsoft Press) also contain information about threat modeling. In addition to these books, Peter Torr, in an excellent article titled “Guerrilla Threat Modelling” at http://blogs.msdn.com/ptorr/archive/2005/02/22/378510.aspx, describes how to create threat models quickly. You can use these valuable resources to expand your understanding of threat modeling beyond what we discuss here. In this chapter, we focus on understanding how security testers can use threat modeling to create actionable test cases and help prevent security issues from entering the product in the first place. For example, the Microsoft software development cycle now requires threat modeling to be performed in the planning and design stage. By performing threat modeling at this stage in the product development cycle, design flaws are found before the code has been written.
Important
Before Microsoft implemented the threat modeling process, software developers relied almost entirely on code reviews and penetration testing (pen-testing). Code reviews and pen-testing uncover implementation flaws, whereas threat modeling uncovers design flaws. Finding and fixing both types of flaws are important parts of building secure software.
The threat model creation process should include representatives from the design team (the team that wrote the product specification), the programming team, and the testing team. Each member brings a different point of view and different knowledge about the product. You risk overlooking valuable information about or insights into the product if the threat model creation process doesn’t include someone from each of these disciplines. External attackers don’t have access to the people who created the product or to the product specifications. Use these information sources to your advantage in security testing.
Threat models (TMs) typically consist of three key parts:
Data flow diagram (DFD)
Enumeration of entry and exit points
Enumeration of potential threats
You can use each part of the threat model to find security problems and ship more secure software.
Tip
Creating a high-level DFD and TM shouldn’t be too time-consuming. For example, the DFD and threat models included in this book took us less than an hour to create. For more complex features, it is worthwhile to create a quick, high-level DFD, and then later to decide whether it is worth creating more detailed DFDs and TMs for individual components of the DFD. It is important for you to weigh the return on investment for threat modeling. The high-level threat models have a high return. Lower-level threat models have a high return only for risk features. It is important to use the high-level DFD to make a judgment call on whether it is worthwhile to create more in-depth threat models.
More Info
For more information about creating threat models quickly, see Peter Torr’s article at http://blogs.msdn.com/ptorr/archive/2005/02/22/378510.aspx.
DFDs are extremely useful when you are attempting to find security threats against an entire application or pieces of it. Creating an accurate and reasonably complete DFD forces the software creator to have a clear understanding of the application and how all of the data moves between different components in the DFD.
The team on which Tom Gallagher and Lawrence Landauer, two of the authors, work performs security reviews for Microsoft Office products. Part of the team’s role involves meeting with individual application teams within the Office organization, understanding what they are building, and giving them security advice. After the product team gives the security review team a brief explanation of what they are creating, the security review team looks at the DFD created by that product team. The DFD quickly clarifies exactly how particular software features work and how a user (or attacker) can interact with the feature. By studying the DFD, the security review team can begin to understand the product at a deeper level. This deeper understanding enables the team to uncover threats to the system more easily.
Figure 2-1 shows an example of a small Web application’s DFD. The DFD represents a server application that allows a user visiting a Web page to click a link on that page and e-mail a copy of the page to other users, a feature we call the e-mail Web page feature, although it sometimes goes by other names. This functionality is common on news sites. The user can request that an e-mail message containing a brief note from the user and a link to a news article on the Web site be sent to an arbitrary e-mail address. Because the Web server doesn’t record any identifiable information about the requester, the requester’s actions are largely anonymous.
Figure 2-1 is a high-level and simple DFD. Often, more detailed DFDs are created to examine specific parts of the high-level DFD. Even with this high-level DFD, you have a much better idea of how the system works. Simply knowing some of the technologies that are used can enable you to identify some attacks that are relevant and that require testing in this application. Did you notice that the feature accepts anonymous Web requests with untrusted data? Can you follow the untrusted data through the application? Did you notice this feature sends e-mail to user-supplied addresses with user-supplied content by using Simple Mail Transfer Protocol (SMTP)? What else can you see based on this DFD? Can you spot any potential problems based on this DFD? We look at a few later, but before we do, let’s look at ways an attacker might enter the application.
Important
Many functionality testers would simply verify whether the application works from an end user’s perspective. DFDs give testers a better understanding of how the application actually works. This understanding enables testers to develop more specific test cases tailored to the technologies used. For thorough security testing, this level of knowledge is imperative because attackers will take the time to understand the application at this level.
When people secure objects in the physical world, such as their home, they first secure obvious entry points like doors and windows for good reason. These points are where attackers will most commonly attempt to gain entry. Likewise, it is important for security testers to understand the entry points and how potentially malicious data can enter the software being tested. Some entry points are fairly easy to identify just by thinking about the application. For example, an application that accepts data through the user interface or uses a user-specified data file has a few fairly obvious entry points. However, many entry points are not obvious. Identifying all entry points is so important in security testing that we dedicate Chapter 3, entirely to the topic.
In the physical world in addition to securing entry points, people attempt to secure exit points, such as trash cans. For example, sensitive information is often shredded before being discarded. Companies concerned that sensitive information might be appear in the trash restrict access to the trash receptacles by using locks and/or guards.
In an ideal world, you could test everything completely. However, this isn’t possible: you can’t test every single piece of software as thoroughly as you might like. You need to prioritize where you will spend your time testing. The DFD is extremely useful in helping you identify where to spend your time. You want to find the most accessible parts of the software—the most obvious entry and exit points—and use this data to make testing prioritization decisions. For this reason, you must remember to consider and identify the access levels required to hit the various points in the DFD. For example, if the target application listens on a socket (allowing remote computers to connect to it), you must know whether a certain access level is required for the application to accept the data from the socket. For example, an application that allows only administrators to send data after authentication (using Kerberos, Internet Protocol Security [IPSec], etc.) is less of a security testing priority than is application functionality that can be invoked by anonymous users. Anonymous users and administrators are at opposite ends of the spectrum, but most users, including authenticated users, should be considered potential threats.
Tip
It is often a good idea to create a prioritized list of the features and functionalities that will be tested and to obtain general consensus from other testers and developers before the actual testing. This helps ensure the most important areas are tested and everyone understands where the security testing efforts are focused.
In the DFD in Figure 2-1, it is clear that anonymous users can send data to the product through a Hypertext Transfer Protocol (HTTP) request. This functionality is a high-priority item to test because the HTTP requests can be made by anyone on the Internet.
Tip
Good security testers verify that the entry points in the threat model are accurate by testing against the product. They also consider omissions, or hidden entry points that weren’t considered during design and threat modeling, because, often, how people think something works and how it actually does work differ. Chapter 3 discusses how to find entry points in software.
Before you jump in and spend time and resources testing, it’s a good idea for you to finish developing your threat model so you have a clear, organized approach to testing. The next key part of developing a threat model is to make an actual list of threats associated with the functionality being modeled. The list of entry points can be used as a starting point. You need to think about all of the data that enters the functionality, how it is used, and how it might be maliciously used to cause undesirable results. Because testers break software as part of their job, with practice, they often come up with some of the better threats against an application.
Although we could fill several pages with threats against the e-mail Web page functionality mentioned earlier, we mention only a few here:
Spam. A malicious user inserts an advertisement in the message body (the area intended for a user to enter a brief message for the recipient) sent to the recipient, enabling the malicious user to spam arbitrary e-mail addresses.
Mail bomb. A malicious user makes many requests to send e-mail to the same address in hopes of flooding the recipient’s mailbox.
Sender repudiation. The recipient of the e-mail message is unable to determine who requested that the e-mail message be sent.
Information disclosure through e-mail. E-mail sent to the recipient contains information about the internal network hosting the feature.
Information disclosure through HTTP response. The HTTP response contains information about the internal network hosting the feature.
Denial of service through malformed requests. A malformed HTTP request crashes the server.
Arbitrary code execution through malformed requests. A malformed HTTP request allows arbitrary code execution—for example, buffer overflow, integer overflow, or format string vulnerability.
Software testers commonly create a test plan, which specifies exactly which features and functionalities will be tested and how they will be tested, as well as which features and functionalities will not be tested. The threat model provides the foundation for the test plan. The threats define specific scenarios of interest that should be tested. It is a tester’s responsibility to make sure threats contain enough information to make each threat a set of test cases; if the threats aren’t actionable enough to test, you are missing critical information in your threat model. Application developers and designers often must provide this information. As a tester, it is important that you encourage programmers and designers to include enough detail in the threats so that the threats are actionable enough to test. You might need to interview these people to understand the specific features better and to obtain the data you need. Each threat brainstormed and included in the threat model must be tested to assess whether it is an actual flaw in the product.
If the threats aren’t carefully verified, the value of threat modeling is quickly diminished. The Microsoft Office group, for example, is serious about verifying threats. The threat modeling tool the team uses automatically enters a bug in the bug tracking system for each threat. Next, the feature designer investigates whether there is a potential design flaw. If there is, the feature designer can modify the product’s specification to eliminate the threat or mitigate it. If the designer doesn’t think the threat is an issue, he or she assigns the threat to a developer, who verifies this by looking at the code. Assuming the threat doesn’t affect the product or has been deemed not serious enough to warrant removing or mitigating, the threat is assigned to the tester that works on the functionality in question. Testers should treat threats in the same way and can use the same process testers have for closing “fixed” or “won’t fix” functionality bugs. Testers need to think carefully about the assumptions the designer and developer might have made during their assessment of the issue.
Sometimes threats turn out to be more serious than originally understood. Testers are often able to use their wide knowledge of the product and aptitude for breaking applications to identify additional test cases and attacks based on the threat. This information on the seriousness of a threat can be used to encourage a fix be made in the product. Testers are advocates for the product’s users. Security is very important to customers, and testers must help ensure the product is secure.
The following subsections discuss some of the threats in the e-mail Web page example and how testers can make these actionable test cases.
Spammers want to send mass e-mail that contains their custom advertisement. Because the e-mail Web page feature enables the user to specify a custom message, a spammer might be able to take advantage of this. As a tester, you need to find clever ways the feature could be used for this purpose. How much of this feature can a user control? In addition to actual security test cases, your tests must include an intentionally varied mix of cases designed to find out more about how the functionality is really implemented because you cannot totally trust that the spec or threat model reflects the feature’s true implementation. Following are examples of test cases that come out of this threat:
Can the attacker specify the subject line? (The spammer might be able to insert advertisements in the subject line itself.)
Does the body of the message contain any text informing the recipient that the sender was not verified? (If so, this information can help mitigate the threat when an attacker can use a bogus From e-mail address.)
Is the text of the message limited to only a few text characters? (It isn’t a good idea for the feature to allow a long message or special formatting such as HTML to be included.)
Does the message contain a way for the recipient to report abuse, if necessary?
An attacker might be able to flood a user’s mailbox through this feature by invoking the e-mail Web page feature many times using the same destination e-mail address. You must find out from the developer whether the feature includes any built-in limitations on sending mail, and then test those limits. If there are no limits, it is worth pushing to have limits put in place. Testers should ask the following questions and perform tests around this threat:
Is there a limit on how many e-mails can be sent to a single address?
Is there a limit on how many times the feature can be invoked by a specific IP address in a certain amount of time? (Implementing a limit on how many times the feature can be invoked by a specific IP address might not work as a solution because many legitimate users might use the same IP address [such as a proxy server, Network Address Translation device], and malicious users often can change their IP addresses periodically.)
Is it easy for someone to automate invoking the feature? Many Web applications now require the user to enter the randomly generated alphanumeric characters displayed as an image, known as a Human Interactive Proof, to thwart automation attempts.
Is there an easy way to determine whether someone is using the feature to mail bomb? If so, is there a way to restrict this user’s address?
E-mail is mostly sent over the Internet using SMTP, which enables the sender to specify any address as the From address. As you might imagine, many people have used this functionality to cause trouble. For example, many e-mail scams set the From address to an address the recipient might be likely to trust. Forging the From address is known as spoofing an e-mail message, and scams such as phishing use this technique to entice users to click links or perform other actions. Phishing attacks are discussed in more detail in Chapter 6. Knowledge of this SMTP issue is useful for testing the e-mail Web page feature. One way SMTP servers attempt to mitigate this threat is to stamp the sender’s IP address in the e-mail message headers. Someone can look at the message headers to find more information on who really sent the message.
If the e-mail Web page feature is implemented without consideration for the spoofing threat, it can be very difficult for an e-mail recipient to determine who is the true sender of the message. The e-mail message is sent using SMTP, so the machine connecting to the mail server is included in the message headers. In this case, the IP address of the e-mail Web page server would be included, not the IP address of the user viewing the Web page. This fact potentially enables a malicious sender to hide more easily. Example test cases for this threat include the following:
Is information on who originated the request present in the e-mail headers and message body? Can the information in the e-mail message body be spoofed?
Can the attacker specify the From address? (Spammers might like to be able to spoof a From address.)
These types of threats are different from the others in the threat list. These threats are related to implementation flaws, whereas the others are related to design issues. The denial of service and code execution threats do not contain enough information for you to test easily. To test these threats you must understand which entry points allow data to enter the application and how the data is formatted. If possible, you should to talk to the programmer and/or look at the code to find out how the application handles and parses this data. If you don’t have access to the programmer or source code, you can experiment with black box testing (testing without having access to the source code) and can reverse-engineer how the application is implemented. Code execution threats are the most serious threats in the threat model. More information about these implementation flaws is covered in Chapter 8, Chapter 9, and Chapter 16. Reverse-engineering is covered in more detail in Chapter 17.
While implementing a feature, a developer often encounters parts of the specification that are unclear and must make a decision on how to write the code. Additionally, many times the original design changes after the specification is written, and often the specification is not updated. Even if the specification matches the code, there will be bugs in that code. Testers are familiar with exactly how the product works, including which places are buggy and don’t match the specification. These discrepancies change what should be included in the threat model because they either invalidate some threats or create new ones. Threat models should be updated when the design changes.
As mentioned earlier, all software has bugs. Of the bugs found prior to shipping the software, some are deemed noncrucial and so the team deliberately leaves them unfixed. These bugs are typically small issues that happen only in rare circumstances. However, many security issues occur in the same uncommon code paths in which these bugs are found, and so it is often the case that the unfixed insignificant bugs can be combined with other issues to create an exploitable security issue. To find many of the deeper security bugs, testers start by conducting normal functionality testing and taking advantage of small functionality nuances.
For example, an application’s code to save a file might terminate the filename with a null character. A user might be able to specify a filename containing a null character and have parts of the filename ignored. This bug might not be fixed because of the belief that users shouldn’t put a null character in filenames, and users doing so is rather uncommon. Because executable files can be dangerous, the example file save routine contains filtering code to verify that only text files (using the .txt extension) are saved. The filtering code does not terminate a filename when it recognizes a null. An attacker might be able to take advantage of this and specify a filename such as “test.exe[NULL CHARACTER].txt.” The file passes the .txt extension check, and is then saved as “test.exe.” This specific example is a canonicalization issue and is discussed in more detail in Chapter 12.
Important
Don’t think attack tools and system utilities are the only means to learn about a product’s implementation. You can use the product in boundary and nonstandard scenarios to learn a great deal about it. How the product reacts in these situations often lets you know more about the implementation of the product. With this increased knowledge, you can construct more advanced attacks.
Threat models are read by people who are building functionality that depends on features contained in the threat model. For this reason, it is important to keep threat models up-to-date. As the design changes to mitigate threats, these changes should be included in the threat model because these changes can introduce additional threats that must be carefully modeled and tested.
As you have seen, threat models are an important part of security testing. Testers play a key role alongside developers and designers in the quality and usefulness of the data flow diagram and threat model to help ship secure software. A few key points to remember include the following:
As a security tester, you need to test the product thoroughly. DFDs can help you identify and organize all of the places you (or attackers) can control input to the application, where this input is used, and where it exits the application.
Once these places have been identified, you need to think about each carefully and brainstorm a set of threats describing how an attacker might attempt to cause harm. Remember to track each of these threats so you actually create test cases for all of them. If you don’t track them, you will likely forget something.
If the DFD and threat model are being created by the company designing the software, they should be created by a team consisting of the software designer, developer, and tester. Each discipline has a unique view of the product, and details will likely be missed if each isn’t involved in creating the threat model and DFD.
The threats contained in the threat model should be actionable enough to generate specific test cases.
Testers should not assume all details in the DFD and threat model are correct or complete. It is important for a tester to validate the details after using the product.
The DFD and threat model should be updated to reflect what is actually implemented in the product.
In the next chapter, we look at specific tools, methodologies, and tips to help identify entry points for testing and threat modeling.