Microsoft's Larry Osterman On Threat Modeling
Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
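The threat list the summary describes, as an added example in Rust that is not code from Osterman's series or from this thread: each entry records the damage an attacker could do and what mitigating it would cost the development team, and `must_mitigate` applies the rule of concentrating effort on the threats where the attacker can cause real damage. The `Damage` scale, the threat names, and the day counts are all assumptions constructed for the illustration; they are not findings about the PlaySound API.

```rust
// Added example, not code from Osterman's series or from this thread.
// A threat list entry records the damage an attacker can do and what
// mitigating it costs the development team; the selection rule below is
// "concentrate on threats where the attacker can cause real damage".

/// Assumed damage scale (not one the series defines); variant order is the ordering.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Damage {
    Nuisance,      // attacker annoys the user, nothing persists
    DataTampering, // attacker alters or leaks the customer's data
    CodeExecution, // attacker runs code on the customer's machine
}

#[derive(Debug, Clone)]
pub struct Mitigation {
    pub description: &'static str,
    pub dev_days: u32, // the real-world consequence for the development team
}

#[derive(Debug, Clone)]
pub struct Threat {
    pub name: &'static str,
    pub damage: Damage,
    pub mitigation: Option<Mitigation>, // None: entered in the list but not yet addressed
}

/// Threats at or above the damage floor, worst first.
pub fn must_mitigate(threats: &[Threat], floor: Damage) -> Vec<&Threat> {
    let mut selected: Vec<&Threat> = threats.iter().filter(|t| t.damage >= floor).collect();
    selected.sort_by(|a, b| b.damage.cmp(&a.damage)); // stable sort keeps list order within a level
    selected
}

/// Engineering cost the selected mitigations commit the team to.
pub fn mitigation_cost(selected: &[&Threat]) -> u32 {
    selected.iter().filter_map(|t| t.mitigation.as_ref()).map(|m| m.dev_days).sum()
}

/// Selected threats still without a mitigation: the gaps the model must not hide.
pub fn unmitigated(selected: &[&Threat]) -> Vec<&'static str> {
    selected.iter().filter(|t| t.mitigation.is_none()).map(|t| t.name).collect()
}

/// Constructed sample entries for a generic sound-playing component;
/// these are illustrations, not findings about PlaySound.
pub fn sample_threats() -> Vec<Threat> {
    vec![
        Threat {
            name: "Caller passes an oversized file and ties up the player",
            damage: Damage::Nuisance,
            mitigation: Some(Mitigation { description: "Cap the accepted file size", dev_days: 1 }),
        },
        Threat {
            name: "Malformed length field in an untrusted file corrupts parser memory",
            damage: Damage::CodeExecution,
            mitigation: Some(Mitigation { description: "Validate every length field before use", dev_days: 5 }),
        },
        Threat {
            name: "Sound file on a writable shared path is replaced with another file",
            damage: Damage::DataTampering,
            mitigation: None,
        },
    ]
}

fn main() {
    let threats = sample_threats();
    let selected = must_mitigate(&threats, Damage::DataTampering);
    for t in &selected {
        println!("{:?}: {}", t.damage, t.name);
    }
    println!("committed dev days: {}", mitigation_cost(&selected));
    println!("still unmitigated: {:?}", unmitigated(&selected));
}
```

Lowering the floor to `Damage::Nuisance` pulls every entry into the mitigation set, which is the point the summary makes about consequences: each added entry is work the team has committed to, so the `unmitigated` list is what a reviewer should read first.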
Standard Microsoft Threat Modeling Dialog (Score:3, Funny)
Microsoft: You mean you're using an operating system that validates over 450 of our patents?
Consumer: Well, I know that isn't true but
Microsoft: But it'd be a shame if your company was ever engaged with our world class legal team instead of being a 'partner' with the largest software maker ever?
Consumer: But we only have 20 employees.
Microsoft: We know--perhaps you'd be interested in purchasing a copy of our lap dog here, Novell's SUSE?
Consumer: But we already use Red Hat
Microsoft: We heavily suggest you re-evaluate SUSE and when you do your trade study please do note that it's the only Microsoft Certified Genuine Linux. Also, it would be a shame if we had to exercise our patent portfolio on Red Hat and subsequently
Re: (Score:2, Funny)
Threat: User may play a song without paying for it.
Mitigation: Render the internet useless while playing music.
Threat: User may complain about the network being crippled while playing music.
Mitigation: Blame hardware, blame drivers, then make up some excuse that playing audio requires super-low latency priority for the audio playing app and the network is sacrificed to ensure smooth playback.
Threat: User may notice that the ne
Re: (Score:2)
Microsoft: You obviously are spending too much time on forums, games and caffeine... Did you know Vista..
Slashdotter: I don't live in San Diego [vista.ca.us]...
Microsoft: No, not the town, I mean Vista...
Slashdotter: dewd!!!!!!! I don't even speak Spanish
Microsoft: *gives up*
Re: (Score:2)
Microsoft: ?? [Throws chair...]
That's got to be a hell of a job (Score:5, Insightful)
Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.
As much as it's fun to give MS shit for their products, I think I'd last about two hours in that position before I went into the executive washroom and slashed my wrists.
Re: (Score:3, Informative)
Larry started doing this threat modeling bit a while back, as the first article is dated some time ago. He's taken his time, and demonstrated what to do
I prefer Attack Trees. (Score:3, Insightful)
By Bruce Schneier.
Face it, no matter how secure your little bit of code is, if the SYSTEM is vulnerable, your little bit of code is vulnerable.
Which is where Larry goes wrong in TFA.
You can put all the locks you want on your front door. But if you don't fix the huge hole in the wall next to it, you aren't improving your security at all. No matter what you claim.
Re: (Score:1, Flamebait)
No way, baby! Larry did his homework! That PlaySound API is rock solid!
Um, did anybody else notice that the PlaySound API doesn't actually play any sounds? It just passes data to the APIs that actually do play sounds. So WTF does the PlaySound API do, really? To me, it doesn't really do anything at all...
Re: (Score:2)
That said, a threat model isn't a panacea. It doesn't replace good coding practices, code reviews, testing, or anyt
Re: (Score:1, Flamebait)
A threat model is about admitting we have a bad product, saying that fixing it properly is too hard
Re: (Score:3, Informative)
A threat model is about admitting we have a bad product, saying that fixing it properly is too hard /expensive so we will try and work out what the largest holes are and fix those first.
Nonsense.
Threat modeling is a crucial exercise for any system that wants to be secure. Note that "system" is more than just "software", so just testing your software against all possible inputs is insufficient, even if it were actually possible.
For example, let's suppose the system under consideration is the Windows access control system, responsible for ensuring that only authorized users can read/write files. What are the attack vectors? How many of them can be addressed with input validation tes
Re: (Score:2)
A threat model is about admitting we have a bad product, saying that fixing it properly is too hard /expensive so we will try and work out what the largest holes are and fix those first.
Do you mean to say that you are against looking for security weaknesses in a product's design during the design phase, with a focus on untrusted input and data crossing trust boundaries? Ahahahahaha. Hahahaha. *Snorgahah*. Haha. Knowing how much open source there is in use today, especially on the server, I sincerely hop
Re: (Score:2)
He may know what he's doing, but here's what he has to say about his colleagues in Microsoft:
"Developers tend to think in terms of what a customer needs. But many times, the things that make things really cool for a customer provide a superhighway for the bad guy to attack your code."
"It's ad-hoc. M
Re: (Score:2)
Remapping IRQs in the BIOS didn't fix it... so I sacrificed both cards to the thermite gods.
Because KDE is not an OS. (Score:2)
Re: (Score:1)
Fixed for you.
I can run Linux without KDE. (Score:2)
I have servers running Linux without Konqueror.
I have workstations running Linux without KDE.
Your point will be valid when (and only when) Linus puts a browser into Linux. Until then, I can (and do) run Linux WITHOUT a browser.
And that is only ONE of the reasons that Linux is more secure than Windows.
NT 3.51 was Shell Only (Score:2)
Back in the day [about 11 or 12 years ago], you could run Windows NT 3.51 as a shell - it looked just like DOS, except that there was a true multi-user, multi-tasking kernel underneath.
To go into Windows, you typed "WIN" [or "WIN.EXE"], just like you would in Windows 3.10/3.11.
It wasn't until NT 4.0 [circa 1996] that you were required to run Windows.
NT 3.51 was a really cool operating system - e.g. everything had to go through the client/server model, which meant that video was really slow, so video
Re: (Score:2)
WinNT *always* had a GUI shell. For versions 3.1-3.51 it was Progman/Fileman, and from 4.0 on it was Explorer. Server 2008 is the first version of Windows that can be installed without a GUI shell.
But you could kill the GUI in NT 3.51, and just run stuff from the shell prompt.
Re: (Score:2)
Man are you ever wrong, you just didn't know how.
Re: (Score:2)
Yes, webkit still remains, but it can also be removed if one so desires, as long as one is aware of how many OS X applications use it just because
Re: (Score:2)
Care to cite any example of how removing IE will break the base install?
There are quite a few things in Windows that use the IE components. The Add/Remove Programs applet, for example. Any time Explorer shows you a thumbnail or media preview. The help system. Etc.
Of course, code re-use is, well, kind of the *point* of having a modular system, so it's a struggle to see why any rational person would consider doing that to be bad. Unless, of course, they were blinded by their anti-Microsoft zealotry (l
Re: (Score:3, Interesting)
Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself.
Explorer doesn't "access the web", either, it just loads up the IE components inside the Explorer window (in the same way you can embed an Excel spreadsheet into a Word document and it fires up Excel from within Word).
I mentioned KDE in my original post, which does integrate the browser and UI
Re: (Score:2)
Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.
As much as it's fun to give MS shit
Re: (Score:2)
He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.
WARNING: This operation may or may not be vital and normal and correct / extremely dangerous and certain to result in fraud. Cancel/Allow?
Indeed, this guy takes his job seriously and is proud of the fact that he has never copped out nor abdicated his responsibilities. We should also respect him for his excellent & highly informative work on theoretical physics titled This Exercise Left To The Reader.
You can't get there from here... (Score:2)
I'd get them a Mac.
Unfortunately, Microsoft can't get there from here.
Double-plus ungood (Score:1, Insightful)
Re: (Score:1)
It is, for the software vendor. The software vendor gets to push the cost of un-sucking the code to the consumers who actually need suck-less code. Of course the consumers never get that, they get to mitigate threats instead, which is almost as good. Sort of.
Funny that "threat mitigation" doesn't exist in the aerospace industry...
Re: (Score:3, Interesting)
What would you call passing through airport security to fly on a passenger aircraft?
Airplanes typically don't stand up to serious attacks. I'm not sure where you're trying to go with this analogy.
Re: (Score:1)
Airplanes typically don't stand up to serious attacks. I'm not sure where you're trying to go with this analogy.
I was actually thinking more of the space part of aerospace... sort of trying to make a point that when cost of software failure is sufficiently high, the software will be very rigorously un-sucked prior to launch. Whereas in non-space-exploration kind of thing the cost of failure is typically less than what decent testing would have cost in the first place -- except when people die, and stuff
Re: (Score:2)
Funny that "threat mitigation" doesn't exist in the aerospace industry...
It damned well does. What mechanisms are in place to ensure that a malicious attacker can't take control of the avionics in-flight? What mechanisms exist to ensure that failure of one component doesn't crash the plane? What mechanisms exist to ensure that metal fatigue doesn't cause a wing to snap, since redundant wings to backstop the primary ones aren't practical?
All of the above mechanisms -- some of which are implemented in software, some in hardware and some in maintenance processes -- are threa
Re: (Score:2)
Funny that "threat mitigation" doesn't exist in the aerospace industry...
I think (hope) you have made a gross misinterpretation of the term "threat mitigation".
Re: (Score:2)
Funny that "threat mitigation" doesn't exist in the aerospace industry
Of course it does. Just because *gasp* a different industry doesn't use exactly the same terms doesn't mean the practice isn't there.
Things like redundancy and backup systems are a perfect example of this. The threat analysis has to be done up front to understand what failures cause death, which cause inconvenience, and the redundancies and backup efforts go into those that have the more unfortunate outcome. Also just like software, system interdependency analysis is a big part of this.
This is just basic
I have no words for this statement (Score:2)
This is a poor security model (Score:3, Interesting)
For high reliability code, you write code on the assumption that other code may have problems. You write code defensively. For any kind of complex system, people will make mistakes. Thus you have to continually verify program integrity and security in a multiply redundant manner. You don't wait until a trust barrier is crossed.
For example, if I have an application controlling a power plant, even if the computer is already running "foreign" code at my privilege level, the control application may still b
Re: (Score:2)
I guess the issue at hand is that MS may well have a brilliant threat modelling process, it could be the best in the world for all I know, but it should feed back into all the areas it impacts upon (not saying it doesn't, just addressing your post.). It is not sufficient to have one or even a few great security procedures and practices if you are unable or unwilling to apply them consistently, or if they fail to address any given known or predictable issue. I
Re: (Score:2)
Why do Slashdotters so often fail to differentiate between a company's business decisions and its technical capabilities?
For the same reason they don't differentiate between "security problems" that are the result of actual design and/or coding flaws and "security problems" that are the result of end-user and developer error.
Yup, it's job one. (Score:2)
Little Dutchboy Mode (Score:2)
I like the rest of you that have (Score:1, Troll)
In the article:
What a relief!
I feel sorry for the guy (Score:1)
What are the specs for Vista? (Score:2)
Just license some tech from VMWare or such.
Build the NEW system so that it CORRECTLY conforms to security "best practices" and then incorporate "virtual machines" that can run those "legacy" apps under the OS they were designed for.
Microsoft has already sort of tried this with "compatibility mode" and things like that. The problem is NOT the apps (as people claim). The problem is Microsoft'
Re: (Score:2)
Most web browsers run with the full permissions of the user running them, enough to make it very hard for that user to create a botnet node or whatever. There are exceptions to this, but they are rare.
Actually, this functionality you're describing has been present in Windows XP for years. Right click on IE, choose RunAs, and just leave the default and hit OK.
You've now spawned an IExplore.exe process with very specific security tokens. Basically, it's restricted from writing anything at all to the registry, and to nothing except a very few locations on the hard drive (temp & cache space, basically).
Vista makes it more prevalent, but it's been there for years.
Vista and Win2008 Server also have a limited form
Re: (Score:2)
I will introduce you to a new technology for you to research. It is called NT and is over 15 years old. Why the introduction? Well, if you are so stupid as to still correlate Windows with 3.1 concepts then you obviously have no freaking idea what NT is.
The argument you mak
Re: (Score:2)
About the only downside to full ACLs is that the complexity is slightly higher.
My kingdom for a properly placed apostrophe (Score:2)
I cried tears of joy when I read about Microsoft dedicating so many of their resources to securing one customer's machines. It just shows how Steve "Big Hearted" Ballmer is steadily filling what was once a cold, impersonal monopolist with people who are willing to go not just an extra mile, but several extra parsecs to ensure that every one of their customers feels loved and cared for. I'm so very, very glad that there's a stil
Mod parent up for sarcasm (Score:2)
We have to be honest here - this IS innovation! Have you ever heard such quality BS from *any*, and I mean *any*, other company? I mean, it's been tough since Enron's "I feel your pain" shilling went the way of the Dodo, but thank God we still have Microsoft churning out new ways of selling complete and utter BS.
I think we will all feel the loss when the EU finally hangs all of them (at least, that's what they make their conviction sound like
Re: (Score:2)
No, but that's only because there aren't any companies who've achieved Microsoft's level of success that need to explain why their entire product range has been so bad for so many years.
"I mean, it's been tough since Enron's "I feel your pain" shilling went the way of the Dodo, but thank God we still have Microsoft churning out new ways of selling complete and utter BS."
MS have to keep producing BS screens l
A brilliant statement of the obvious, LO0G (Score:2)
I'd like to see their threat model for IE (Score:2)
"Storing a file in the wrong place can lead to complete compromise... that's OK, if you download a file you really meant to run it anyway, so that's the user's fault."
Law #1 is a lie. (Score:2, Interesting)
It's simply wrong, and it's deceptively named.
One of the important jobs of any operating
Re: (Score:2)
To be more specific, the bad guy knows about the as of yet undiscovered security hole that renders all of your OS level sandboxing moot. That's why when the bad guy gets to run code on your computer, it's not your computer any more.
And there have absolutely been such flaws in Windows (the windows manifest file vulnerability [microsoft.com] for example), OSX (the
Re: (Score:1)
That is a design decision they made, not an immutable law of the universe. Windows is intentionally designed so that when you run a program, it runs with your identity and all your privileges. It is conceivable that one could design a system that handled privileges differently, and of course people have designed such systems. (One of them is the browser you are using right now, if it suppo
Improvements (Score:2)
a) The default action for opening a document (double click) should not be the same as the default action for executing a binary (double click) and installing software (yep, another double click).
b) Don't offer the option to execute binaries when you hit a link in the web browser. If the user wants to run a binary it goes: download -> execute (again, not double click).
c) Try to avoid a situation which encourages the user to hit "Allow" without thinking.
Oh, and finall
Euclid: As we go about proving a theorem, (Score:2)
why not just do it right? (Score:2)
Well, yeah, but there are so many threats against Microsoft software. So, why not just do it right in the first place? Why not create software without the possibility of buffer overflows and most other avoidable issues in the first place?
Re: (Score:2)
Probably the closest thing our race has ever seen to engineering that always 'does it right' the first time is NASA. And plenty of people have DIED on their ships. And they are arguably the most overfunded, overengineering, overly conservative R&D/engineering organization in the history of mankind.
Bottom line is that 'doing it right' perfectly is not possible, at least not for larger-than-tiny systems. At least not in the current state of the art in systems software. If nothing el
Re: (Score:2)
Buffer overflows are completely avoidable by using a language with bounds checks.
Many millions of dollars per year flow into software/os/systems R&D to find a way to make a system impervious to these types of attacks, while still having an O/S that runs at a useful speed.
The techniques for making buffer overflows impossible are well understood, and switching to languages that implement them does not cost you anything
Re: (Score:2)
Buffer overflows are completely avoidable by using a language with bounds checks.
I notice that you don't actually name this language. Can you?
What classes of buffer overflows does it protect against? Do you still have full access to pointers and memory reads/writes/copies? Do you have to give up direct manipulation of the stack?
While I agree that it should (and will, eventually) be possible to write an operating system without the insanities of C-based languages, I'm definitely not aware of one. The only languages I'm aware of that even try to minimize the possibility are languages
Re: (Score:2)
There are so many: Object Pascal, Oberon, Cedar/Mesa, Modula-3, and on and on.
What classes of buffer overflows does it protect against?
The memory corrupting kind.
Do you still have full access to pointers and memory reads/writes/copies?
Of course, you do. Safe programming languages don't prevent you from doing unsafe things, they merely make you ask for them explicitly.
Do you have to give up direct manipulation of the stack?
There is no "direct manip
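The exchange above (bounds checks avoiding the memory-corrupting kind of overflow, and safe languages making you ask for unsafe things explicitly), as an added Rust example that is not code from either commenter: the same copy and lookup operations that overflow in C are written so that a length mismatch becomes an error value, an out-of-range index becomes `None` or a panic instead of a read of adjacent memory, and a raw-pointer read is still available but only inside an explicit `unsafe` block. The function names and the sample inputs are constructed for the illustration.

```rust
// Added example, not code from the thread. Shows how a bounds-checked
// language handles the "memory corrupting kind" of buffer overflow, and how
// unsafe memory access has to be requested explicitly rather than being the default.

#[derive(Debug, PartialEq)]
pub enum CopyError {
    /// Destination is smaller than source: in C this is where the overflow happens.
    DestinationTooSmall { needed: usize, available: usize },
}

/// Bounded copy: the same job strcpy/memcpy do, but the length check is
/// mandatory and the failure is a value, not corrupted memory.
pub fn checked_copy(src: &[u8], dst: &mut [u8]) -> Result<usize, CopyError> {
    if src.len() > dst.len() {
        return Err(CopyError::DestinationTooSmall { needed: src.len(), available: dst.len() });
    }
    dst[..src.len()].copy_from_slice(src);
    Ok(src.len())
}

/// `get` returns None instead of reading past the end of the table.
pub fn lookup(table: &[u32], idx: usize) -> Option<u32> {
    table.get(idx).copied()
}

/// Plain indexing past the end panics (the thread unwinds) rather than
/// silently reading or writing adjacent memory; shown by catching the panic.
pub fn out_of_bounds_panics(table: &[u32], idx: usize) -> bool {
    std::panic::catch_unwind(|| table[idx]).is_err()
}

/// The escape hatch: raw-pointer access is still available, but it has to be
/// asked for with `unsafe`, and the bounds check becomes the caller's duty.
pub fn raw_read(table: &[u32], idx: usize) -> Option<u32> {
    if idx >= table.len() {
        return None; // without this line the read below would be the C-style bug
    }
    // SAFETY: idx was checked against table.len() above.
    Some(unsafe { *table.as_ptr().add(idx) })
}

fn main() {
    let src = b"hello"; // constructed sample input
    let mut small = [0u8; 4];
    println!("copy into 4 bytes: {:?}", checked_copy(src, &mut small));
    let mut big = [0u8; 8];
    println!("copy into 8 bytes: {:?}", checked_copy(src, &mut big));
    let table = [1u32, 2, 3];
    println!("lookup 2: {:?}, lookup 3: {:?}", lookup(&table, 2), lookup(&table, 3));
    println!("index 3 panics: {}", out_of_bounds_panics(&table, 3));
    println!("raw read 1: {:?}, raw read 9: {:?}", raw_read(&table, 1), raw_read(&table, 9));
}
```

The `unsafe` block is the auditable part: a reviewer can grep for it and check the comment above it, which is what "asking for unsafe things explicitly" buys you over a language where every index is unchecked by default.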
Re: (Score:2)
There are so many: Object Pascal, Oberon, Cedar/Mesa, Modula-3, and on and on.
Well, I guess we'll just be in fundamental disagreement there. Not sure I agree that you're going to be able to effectively write an O/S in object pascal. About the only thing going for it in this space is that you can include raw assembly in with it (IIRC) as part of the language.
In fact, at least in its Delphi/Kylix form, this is much more of a user-space apps development language than a systems development language.
The term "managed language" is some bizarre Microsoft neologism, and I have no idea what it's even supposed to mean.
Hardly. Java would qualify as such. The defining characteristic is that its intended
Re: (Score:2)
Go read up on your OS history: the majority of commercial server and desktop operating systems over the last 50 years have been written in high level languages. We don't have to "guess" whether it's fast enough--it is. We don't have to guess how much assembly language it takes--we know (it takes very little). We don't have to guess whether it prevents buffer overflows and many of the ills that afflict Windows, UNIX, and Linux--it does.
Hardly. Java would qualify as
Wrong terminology (Score:1)
http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html