Microsoft's Larry Osterman On Threat Modeling

Posted by ScuttleMonkey on Mon Oct 01, 2007 11:42 AM
from the they-threat-model-at-microsoft dept.
Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
  • Consumer: My company doesn't need Vista, we're using Linux which has about the same amount of bumps and hiccups.
    Microsoft: You mean you're using an operating system that validates over 450 of our patents?
    Consumer: Well, I know that isn't true but ...
    Microsoft: But it'd be a shame if your company was ever engaged with our world class legal team instead of being a 'partner' with the largest software maker ever?
    Consumer: But we only have 20 employees.
    Microsoft: We know--perhaps you'd be interested in purchasing a copy of our lap dog here, Novell's SUSE?
    Consumer: But we already use Red Hat ...
    Microsoft: We heavily suggest you re-evaluate SUSE and when you do your trade study please do note that it's the only Microsoft Certified Genuine Linux. Also, it would be a shame if we had to exercise our patent portfolio on Red Hat and subsequently ... well, no reason to get into details. Have a nice day!
    • One can only hope that such never takes place. But posters are always quick to remind others that businesses are profit oriented only, yet seemingly reluctant to believe that such conversations are likely.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Given that the article talks about the audio api, it probably went more like this:

      Threat: User may play a song without paying for it.
      Mitigation: Render the internet useless while playing music.

      Threat: User may complain about the network being crippled while playing music.
      Mitigation: Blame hardware, blame drivers, then make up some excuse that playing audio requires super-low latency priority for the audio playing app and the network is sacrificed to ensure smooth playback.

      Threat: User may notice that the ne
    • Slashdotter: Windows!@ You obviously didn't RTFM or the FP we don't do Windows here
      Microsoft: You obviously are spending too much time on forums, games and caffeine... Did you know Vista..
      Slashdotter: I don't live in San Diego [vista.ca.us]...
      Microsoft: No, not the town, I mean Vista...
      Slashdotter: dewd!!!!!!! I don't even speak Spanish
      Microsoft: *gives up*

    • Consumer: Google?

      Microsoft: ?? [Throws chair...]

  • by Skyshadow (508) * on Monday October 01 2007, @11:46AM (#20811953)
    Try to imagine this guy's work day: He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.

    Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

    As much as it's fun to give MS shit for their products, I think I'd last about two hours in that position before I went into the executive washroom and slashed my wrists.
    • Re: (Score:3, Informative)

      I've got his RSS feed in my RSS reader (http://blogs.msdn.com/larryosterman/rss.xml). I enjoy reading about the details of what goes on inside of MS, and I really do enjoy getting the story straight from the horse's mouth. For example, the whole "playing a video kills my network performance" thing. Slashdot is, well, Slashdot. It'll spin it how it wants to.

      Larry started doing this threat modeling bit a while back, as the first article is dated some time ago. He's taken his time, and demonstrated what to do
      • Re: (Score:3, Informative)

        Meh, I'm a newb to advanced security. For the rest of you (like me:) http://en.wikipedia.org/wiki/Threat_model [wikipedia.org]

        Basically, in a nutshell, a "threat model" is a designer's / programmer's way of saying "all potential flaws in our application." An example: a 1 meter hole in the side of the Death Star.
        Just thought I'd pass that along as I learned it...eh...3 minutes ago.
        • Actually, I can be more concise: it's a way of LOOKING at your application (or creation, period) and trying to discern all potential ways of attacking it. It's not necessarily a list of bugs, but a list of potential ways to find or exploit the "bugs" in the system.
          --beckerist
          • http://en.wikipedia.org/wiki/Attack_tree [wikipedia.org]
            By Bruce Schneier.

            Face it, no matter how secure your little bit of code is, if the SYSTEM is vulnerable, your little bit of code is vulnerable.

            Which is where Larry goes wrong in TFA.

            You can put all the locks you want on your front door. But if you don't fix the huge hole in the wall next to it, you aren't improving your security at all. No matter what you claim.
            • Uh, attack trees are one of several techniques used in threat modeling. And the whole point of the exercise is to identify the security aspects of a system. That means understanding the trust relationships, attack surface, and associated threats. So, the threat model should be helping you identify if the lock on the front door really helps or if there's a big gaping hole in the wall next to it.

              That said, a threat model isn't a panacea. It doesn't replace good coding practices, code reviews, testing, or anyt
                • Re: (Score:3, Informative)

                  A threat model is about admitting we have a bad product, saying that fixing it properly is too hard / expensive, so we will try and work out what the largest holes are and fix those first.

                  Nonsense.

                  Threat modeling is a crucial exercise for any system that wants to be secure. Note that "system" is more than just "software", so just testing your software against all possible inputs is insufficient, even if it were actually possible.

                  For example, let's suppose the system under consideration is the Windows access control system, responsible for ensuring that only authorized users can read/write files. What are the attack vectors? How many of them can be addressed with input validation tes
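The exchange above (attack trees, the lock-on-the-front-door analogy, and "concentrate on the threats where the attacker can cause real damage") can be made concrete with a small attack-tree evaluator. This is an added example, not code from the thread or from Osterman's series; the house, its node names and the attacker-cost numbers are constructed for illustration. The root goal is an OR node (any child succeeds), an AND node needs every child, and a LEAF carries the attacker's cost. The cheapest attack is the minimum over OR children and the sum over AND children, so a mitigation only improves security if it raises that minimum.

```python
"""Attack-tree evaluation for the front-door / hole-in-the-wall argument.

Added example: not code from the Slashdot thread or from Osterman's series.
Tree shape, node names and the attacker-cost numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" or "AND"
    cost: float = 0.0             # attacker effort; only meaningful for a LEAF
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest way to reach `node`."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if node.kind == "OR":
        # Any one child is enough: the attacker picks the cheapest branch.
        return min((cheapest(c) for c in node.children), key=lambda r: r[0])
    if node.kind == "AND":
        # Every child is needed: costs add up along the path.
        total, path = 0.0, []
        for child in node.children:
            cost, leaves = cheapest(child)
            total += cost
            path.extend(leaves)
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_mitigation(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy the tree, raising the cost of one leaf (the effect of a mitigation)."""
    if node.kind == "LEAF":
        cost = new_cost if node.name == leaf_name else node.cost
        return Node(node.name, "LEAF", cost)
    return Node(node.name, node.kind, 0.0,
                [with_mitigation(c, leaf_name, new_cost) for c in node.children])


def mitigation_gain(tree: Node, leaf_name: str, new_cost: float) -> float:
    """How much the cheapest attack rises once `leaf_name` costs `new_cost`."""
    before, _ = cheapest(tree)
    after, _ = cheapest(with_mitigation(tree, leaf_name, new_cost))
    return after - before


def build_house() -> Node:
    """Constructed toy model of the house in the thread: a locked front door,
    an alarm, a window, and a hole in the wall next to the door."""
    alarm = Node("defeat alarm", cost=20)
    return Node("get inside", "OR", children=[
        Node("through front door", "AND",
             children=[Node("pick lock", cost=40), alarm]),
        Node("climb through hole in wall", cost=5),
        Node("through window", "AND",
             children=[Node("break glass", cost=10), alarm]),
    ])


if __name__ == "__main__":
    house = build_house()
    print("cheapest attack:", cheapest(house))
    # A much better lock raises the door branch but not the minimum: gain 0.
    print("gain from a better lock:", mitigation_gain(house, "pick lock", 400))
    # Fixing the wall moves the cheapest path to the window: gain 25.
    print("gain from fixing the wall:",
          mitigation_gain(house, "climb through hole in wall", 100))
```

The point the script makes is the one both sides of the thread are circling: a threat model is worth having precisely because it tells you which mitigation changes the attacker's cheapest path, and a lock upgrade with zero gain is the "front door lock next to a hole in the wall". The same structure scales to a real API by swapping the constructed costs for whatever effort estimate the team uses.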

        • meh, its only the size of a womp rat.
      • Just because it's MS doesn't mean that it needs to be senselessly bashed. This would be one of the reasons as to why it shouldn't be. This guy knows what he's doing, and he does it well. Gasp, he works for MS.

        He may know what he's doing, but here's what he has to say about his colleagues in Microsoft:


        "Developers tend to think in terms of what a customer needs. But many times, the things that make things really cool for a customer provide a superhighway for the bad guy to attack your code. "

        "It's ad-hoc. M
      • "playing a video kills my network performance"
        I just want to let everybody know that I had this exact problem on several different Linux boxes running Gentoo. We (being me and the folks in #gentoo on freenode.net) finally figured out that it was due to an IRQ conflict between the soundcard and the wireless card.

        Remapping IRQs in the BIOS didn't fix it... so I sacrificed both cards to the thermite gods.
    • Re: (Score:2, Insightful)

      well, they built that type of user, they get to deal with it
    • Try to imagine this guy's work day: He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.

      Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

      As much as it's fun to give MS shit
    • He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.

      WARNING: This operation may or may not be vital and normal and correct / extremely dangerous and certain to result in fraud. Cancel/Allow?

      Indeed, this guy takes his job seriously and is proud of the fact that he has never copped out nor abdicated his responsibilities. We should also respect him for his excellent & highly informative work on theoretical physics titled This Exercise Left To The Reader.

    • Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

      I'd get them a Mac.

      Unfortunately, Microsoft can't get there from here.

      • Re: (Score:3, Interesting)

        If it's so idiotic to "integrate the browser into the OS", then why does Apple do it with OSX and why does the KDE team do it with their desktop environment?
        • When Linus puts a web browser in Linux, then you'll have a point.
            • What point would that be? Internet explorer is not in the Windows kernel.

              I have servers running Linux without Konqueror.

              I have workstations running Linux without KDE.

              Your point will be valid when (and only when) Linus puts a browser into Linux. Until then, I can (and do) run Linux WITHOUT a browser.

              And that is only ONE of the reasons that Linux is more secure than Windows.

              • Back in the day [about 11 or 12 years ago], you could run Windows NT 3.51 as a shell - it looked just like DOS, except that there was a true multi-user, multi-tasking kernel underneath.

                To go into Windows, you typed "WIN" [or "WIN.EXE"], just like you would in Windows 3.10/3.11.

                It wasn't until NT 4.0 [circa 1996] that you were required to run Windows.

                NT 3.51 was a really cool operating system - e.g. everything had to go through the client/server model, which meant that video was really slow, so video
              • Your point will be valid when (and only when) Linus puts a browser into Linux. Until then, I can (and do) run Linux WITHOUT a browser.

                Great. Except that was not my point at all.

                My point was that the integration of IE into Windows is nothing special, and the security implications of it are nothing special either. It is perfectly possible to run Windows without explorer.exe or IE or any of the dlls that they both share. You won't get any of the integrated goodness (or badness, depending on your view) and you will have to rely instead on third party apps, and glorious command line to do things like file management and administration, but it

        • Clearly you've never used OS X if you think Safari is integrated in any way. I haven't tried, since it's nice to have a Safari around for testing new web page layouts, but I would not be surprised at all if it could be completely removed from the system just by dragging it to the trash as one would any other OS X application.
          • Re: (Score:2, Informative)

            Yeah, you could "remove" Safari but the libraries that provide all of Safari's functionality would remain. You could also remove IE from Windows, but most of its functionality would remain, as IE mostly just calls external DLLs - DLLs that other parts of the system share.

            If you really wanted to remove Safari from OSX, you would have to remove the entire webkit [webkit.org] framework that it and many other OSX applications rely on, and I really don't think you would want to do that.
            • Actually, removing IE from Windows is a hell of a challenge and breaks stuff. Hell, even Mozilla says not to do it [mozillazine.org]. Removing Safari, on the other hand, can be done by simply dragging the icon to the trash. I was unsure about this when I posted earlier, but confirmed with a friend who had removed Safari from his first OS X install that there were no ill effects.

              Yes, webkit still remains, but it can also be removed if one so desires, as long as one is aware of how many OS X applications use it just because
        • I don't believe that Safari can be said to be integrated into OS X. It's a built-in component, but that's not the same thing. When you open "My Computer" or "Windows Explorer" or even "Control Panel" on a Windows box you're opening IE. The browser is "integrated" in the sense of "If you remove this, you remove a significant portion of OS functionality." I might be wrong, I'm just basing this on look and feel, but I don't think "Safari", "Finder", and "System Preferences" are essentially the same thing the
          • Re: (Score:3, Informative)

            When you open "My Computer" or "Windows Explorer" or even "Control Panel" on a Windows box you're opening IE.

            No, you are not. Explorer is explorer, not Internet Explorer. It uses some of the same DLLs that Internet Explorer uses, but that kind of library sharing is standard practice in any large desktop environment, whether it be OS X or KDE or Gnome.

            Microsoft *could* reinvent the wheel 20 times in order to make sure every single app has its own libraries to use, but that would be stupid.

                • Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself. I mentioned KDE in my original post, which does integrate the browser and UI tools, but since that's a desktop, not an OS, it's a different matter. I suppose it's arguable that "Explorer" is only a UI level system in Windows, but that seems disingenuous since unlike in Linux Windows has only o
                  • Re: (Score:3, Interesting)

                    Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself.

                    Explorer doesn't "access the web", either, it just loads up the IE components inside the Explorer window (in the same way you can embed an Excel spreadsheet into a Word document and it fires up Excel from within Word).

                    I mentioned KDE in my original post, which does integrate the browser and UI

  • At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
    But I'm certain that the folks who wrote the Blaster worm, and those that run huge botnets, would like to buy this guy a beer or 12.
    • For high reliability code, you write code on the assumption that other code may have problems. You write code defensively. For any kind of complex system, people will make mistakes. Thus you have to continually verify program integrity and security in a multiply redundant manner. You don't wait until a trust barrier is crossed.

      For example, if I have an application controlling a power plant, even if the computer is already running "foreign" code at my privilege level, the control application may still b

      • Not sure why you are modded as 'Troll' but hey.

        I guess the issue at hand is that MS may well have a brilliant threat modelling process, it could be the best in the world for all I know, but it should feed back into all the areas it impacts upon (not saying it doesn't, just addressing your post.). It is not sufficient to have one or even a few great security procedures and practices if you are unable or unwilling to apply them consistently, or if they fail to address any given known or predictable issue. I
        • Completely agree with you. (And yeah, I thought I was making a legit point... but that's how Slashdot goes.) I guess I was arguing the same point from reverse: Yes, they don't put their whole package together very well (resulting in obvious defects), but that doesn't mean their threat modeling process is automatically junk - especially when so few organizations follow any sort of threat modeling process whatsoever. Everyone should!
  • At the end of the day, this process is about ensuring that our customer's machines aren't compromised.
    <HEAD ASPLODES>
  • What he's really saying is they ran out of fingers to plug the holes in the dike,they have their dicks plugging the holes in their customer's ass, and the water is STILL rising.
  • "this process is about ensuring that our customer's machines aren't compromised."

    I cried tears of joy when I read about Microsoft dedicating so many of their resources to securing one customer's machines. It just shows how Steve "Big Hearted" Ballmer is steadily filling what was once a cold, impersonal monopolist with people who are willing to go not just an extra mile, but several extra parsecs to ensure that every one of their customers feels loved and cared for. I'm so very, very glad that there's a stil
    • Absolute class - thanks. It made me laugh.

      We have to be honest here - this IS innovation! Have you ever heard such quality BS from *any*, and I mean *any*, other company? I mean, it's been tough since Enron's "I feel your pain" Skilling went the way of the Dodo, but thank God we still have Microsoft churning out new ways of selling complete and utter BS.

      I think we will all feel the loss when the EU finally hangs all of them (at least, that's what they make their conviction sound like :-).
  • I think we can all agree that actions have consequences, especially in an over-engineered software environment with layers upon layers of APIs and legacy code. - AH4H
  • Or rather for the use of ActiveX in the HTML control, particularly security zones.

    "Storing a file in the wrong place can lead to complete compromise... that's OK, if you download a file you really meant to run it anyway, so that's the user's fault."
  • I see they're still using the old, tired, " Immutable Law #1 [microsoft.com]" that Scott Culp made up many years ago.

    Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
    [...]
    When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer.

    It's simply wrong, and it's deceptively named.

    One of the important jobs of any operating

  • Some improvements that could help:
    a) The default action for opening a document (double click) should not be the same as the default action for executing a binary (double click) and installing software (yep, another double click).
    b) Don't offer the option to execute binaries when you hit a link in the web browser. If the user wants to run a binary it goes: download -> execute (again, not double click).
    c) Try to avoid a situation which encourages the user to hit "Allow" without thinking.

    Oh, and finall
      • Funny that "threat mitigation" doesn't exist in the aerospace industry...

        What would you call passing through airport security to fly on a passenger aircraft?

        Airplanes typically don't stand up to serious attacks. I'm not sure where you're trying to go with this analogy.
    • Even if you were correct, it should not be that difficult for a company with Microsoft's money and personnel to solve.

      Just license some tech from VMWare or such.

      Build the NEW system so that it CORRECTLY conforms to security "best practices" and then incorporate "virtual machines" that can run those "legacy" apps under the OS they were designed for.

      Microsoft has already sort of tried this with "compatibility mode" and things like that. The problem is NOT the apps (as people claim). The problem is Microsoft'
      • Apps are supposed to read and write user data. I can agree that this concept is flawed, it should be much more prevalent that an app defines a manifest or locks down its own token on load time to only be able to access things that really are relevant (possibly with some special breakout directly connected to the file chooser widget of choice). This is not common in any OS today. Most web browsers run with the full permissions of the user running them, enough to make it very hard for that user to create a bo
    • Without Win3.0, there would never have been any subsequent versions of Windows. And for those of us who were Win3.0 adopters, I can tell you that it was a better OS in terms of cost, hardware, and applications than many of its peers: DOS, Novell, UNIX, MacOS5.
    • Microsoft made a big mistake when creating Windows, though not one most of us would have foreseen in the early '90s-- they made Windows 3.1 a single-user OS and thanks to their dedication to backwards-compatibility ended up being stuck with it.

      I will introduce you to a new technology for you to research. It is called NT and is over 15 years old. Why the introduction? Well, if you are so stupid as to still correlate Windows with 3.1 concepts then you obviously have no freaking idea what NT is.

      The argument you mak