Introduction to Nanjing hanhaiyuan Security Testing (3)

Source: Internet
Author: User

5. Threat modeling process

Ø System internal subsystem analysis: the system needs to be decomposed step by step. Different subsystems within the system may have different permission mechanisms, and the specific subsystems that users access may also differ. Dividing the system into internal subsystems and tracing data from the system's external interfaces into those subsystems makes it possible to analyze the system's threat model more effectively.

Ø Object permission analysis: the security requirements phase describes only users. A user is a real entity and should be abstracted into a role object. The associated external components, and the internal subsystems with different permissions, should likewise be abstracted into permission objects so that the permissions of these objects can be described. At the same time, it is necessary to clarify the differences in actual permissions between objects that nominally have the same permissions. For example, a website allows multiple users to communicate through web pages. On the surface the users seem to have the same permissions, but in fact user A and user B each have different permissions on their own host and over their own private content on the website. If the user's host or the website lets a user keep private sensitive data or functions, then different users of the same role are also permission-isolated from each other.

Ø Data stream analysis: use data streams to express how external objects with different permissions connect to the system and what types of data are transmitted, and do the same for the different subsystems. In this way, we can analyze possible threats from the perspective of data flow channels.

Ø Data contamination (pollution) transfer and penetration transfer analysis: for each data stream, mark the main data content it carries and analyze how that content may be transmitted along the direction of the data stream. The main methods are:

  • Pollution transfer: within a subsystem of the system, the data of the previous processing node is transmitted directly to the next node.

  • Penetration transfer: within a subsystem of the system, the data of the previous processing node reaches the next node by way of newly generated data that is related to the original data.

Ø Attack data source analysis: attack data comes mainly from two sources:

  • Permission object data: data transmitted from every access object outside the system is an attack data source. Even an external object that holds all system permissions may cause a passive attack because its host has been intruded into. Although such attacks are difficult to detect and block, from the perspective of security vulnerability analysis the system should at least have logging and post-event audit capabilities.

  • Low-permission subsystems within the system: data passed to a high-permission subsystem from any subsystem with different permissions, or between subsystems whose permissions do not overlap, is also an attack data source, even though it is generated inside the system and is not directly controllable by external attackers. An attacker may first gain some control by exploiting a security vulnerability in a low-permission subsystem, and then exploit a security vulnerability in how the high-permission subsystem processes the low-permission subsystem's data to obtain higher permissions. Even when the subsystems involved have medium and high permissions, or permissions that do not overlap, a flaw in how a subsystem processes internally generated data from a subsystem with different permissions is still a security vulnerability. (For example, the elevation-of-privilege security vulnerability in IE8 on Windows 7.)

Ø Attack interface analysis: security vulnerabilities mainly exist on attack interfaces. The following attack interfaces exist:

  • From external permission objects to the system: this is easy to understand. Most security vulnerabilities are found here.

  • Between low-permission objects and high-permission objects, or between objects with different permissions: viewed across the whole system, an attacker can attack from a low-permission object toward a high-permission object, or between objects with different permissions, and then use the capabilities and permissions of the high-permission or different-permission object, and its assets, to break through the capabilities and permissions the attacker was bound to.

  • Between an internal low-permission subsystem and a high-permission subsystem, or a subsystem with different permissions: this is also an attack interface.
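The data stream, transfer, attack data source and attack interface steps above, combined into one added example that is not part of the original article. The object names, the numeric permission levels (0 meaning external) and all function names are constructed assumptions.

```python
from collections import deque

EXTERNAL = 0  # assumed convention: level 0 = object outside the system
# Constructed model: permission object -> permission level (higher = more privileged).
PERMS = {"browser_user": 0, "web_frontend": 1, "thumbnailer": 1,
         "admin_service": 3, "audit_log": 3}
# Constructed data streams: (source, destination, transfer kind).
#   "pollution":   the previous node's data is passed on directly
#   "penetration": new data derived from the original is passed on
FLOWS = [("browser_user", "web_frontend", "pollution"),
         ("web_frontend", "thumbnailer", "pollution"),
         ("thumbnailer", "admin_service", "penetration"),
         ("admin_service", "audit_log", "pollution")]

def propagate(sources, flows):
    """Follow attack data along the streams; node -> (origin, transfer kinds so far)."""
    reached = {s: (s, []) for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        origin, kinds = reached[node]
        for src, dst, kind in flows:
            if src == node and dst not in reached:
                reached[dst] = (origin, kinds + [kind])
                queue.append(dst)
    return reached

def attack_interfaces(perms, flows):
    """Streams that cross a permission boundary, labelled by which kind of boundary."""
    found = []
    for src, dst, kind in flows:
        if perms[src] == EXTERNAL:
            found.append((src, dst, kind, "external-to-system"))
        elif perms[src] != perms[dst]:
            found.append((src, dst, kind, "cross-permission"))
    return found

def exposed_interfaces(perms, flows, sources=None):
    """Attack interfaces that attack data actually reaches, and whether it arrives derived."""
    if sources is None:  # default: every external permission object is a source
        sources = [n for n, level in perms.items() if level == EXTERNAL]
    reached = propagate(sources, flows)
    rows = []
    for src, dst, kind, boundary in attack_interfaces(perms, flows):
        if src in reached:
            origin, kinds = reached[src]
            rows.append((src, dst, boundary, origin, "penetration" in kinds + [kind]))
    return rows

if __name__ == "__main__":
    for row in exposed_interfaces(PERMS, FLOWS):
        print(row)
```

Passing a low-permission subsystem as `sources` treats it as an attack data source in its own right, which is the second source type described above.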

Ø Threat analysis: a threat is an attack against the data stream between specific objects, through which an attacker may break through and exploit permissions or capabilities. Starting from each attack interface, follow each stage of the data stream as it is transmitted through each subsystem of the system, including the externally connected permission objects: which permission objects the data affects, which subsystems it is transferred to internally, what data the stream carries, and where that data is stored or reflected in data associated with permissions, functions, or other entities. From this you can analyze the threats that may arise on each data stream, such as denial, counterfeiting, and leaks.

Ø Security policy analysis: summarize all the threats and, based on security experience and common security measures, analyze the system configuration and the security policies and solutions implemented at deployment.

Ø Vulnerability form analysis corresponding to threats: this identifies the specific vulnerability forms that a threat on a data stream can take. Based on our microscopic analysis, we combine the data type, the data operations and storage methods, and the division of object permissions with the corresponding threats, and from these analyze the vulnerability forms that may correspond to threats against a given data stream. These vulnerability forms are the basis for connecting the macro level to the micro level and for implementing security vulnerability detection based on the system itself.
