A contract-oriented view on threat modelling
Ketil Stølen, SINTEF ICT and University of Oslo
Joint work with Gyrd Brændeland, Heidi Dahl, Olav Ligaarden
FLACOS, Malta, November 27, 2008
Motivation
- How to modularize threat modelling
- How to deal with mutual dependencies in threat modelling of complex systems
- We need a notion of contract at the abstraction level of threat models
Problem of risk analysis
- Systems
  - are complex
  - are mutually dependent
  - cross national borders
  - are continuously updated
- You never have full access to all documentation
- And if you had, there would just be too much of it
There is only one way forward
- We need a reductionistic approach to risk analysis
  - Decomposing analyses into smaller parts
  - Composing (already completed) analyses into an overall risk picture
- Methodological reductionism is the idea that developing an understanding of a complex system's constituent parts (and their interactions) is the best way to develop an understanding of the system as a whole
Reductionistic approach to the modelling of threat scenarios
- I will illustrate the approach on CORAS
- CORAS is
  - a method for model-driven security risk analysis
  - a graphical language for structured brainstorming and analysis, with semantics defined as a schematic translation of diagrams into English
  - a tool
- You may do likewise with your favourite threat scenario modelling language (or your favourite risk table)
Approach
- Extend the graphical CORAS language to cope with context dependencies; we refer to the extended language as Dependent CORAS
- Update the semantics of the CORAS language to deal with context dependencies
- Define rules to reason about context dependencies
- Define rules for simplifying composed scenarios
One Step Back: What is Security Risk Analysis?
[Figure: the concepts of security risk analysis and their relations. Elements shown: Analysis context, Target, Asset, Threat, Vulnerability, Unwanted incident, Likelihood, Consequence, Risk, Treatment.]
The CORAS security risk modeling language
[Figure: the symbols of the language. Elements shown: human threat (accidental), human threat (deliberate), non-human threat, threat scenario, unwanted incident, asset, vulnerability, treatment.]
Threat Diagram
[Figure: a CORAS threat diagram, as far as it can be read from the slide text. The threat "Hacker" initiates the threat scenario "Power supply in Norway breaks down" with likelihood [1:100 years]. That scenario leads to the unwanted incident "Blackout in Norway" [3:100 years] with conditional likelihood 1.0; the threat scenario "Power supply in Sweden breaks down" [1:5 years] leads to the same incident with conditional likelihood 0.1. "Blackout in Norway" impacts the asset "Power production in Norway" with consequence "critical". Legend: Threat, Threat scenario, Unwanted incident, Asset.]
Semantics: Translation into English
- Vertices
  - "Hacker" is a deliberate threat.
  - Threat scenario "Power supply in Norway breaks down" occurs with undefined likelihood.
  - Threat scenario "Power supply in Sweden breaks down" occurs with likelihood "1:5 years".
  - Unwanted incident "Blackout in Norway" occurs with likelihood "3:100 years".
  - "Power production in Norway" is an asset.
- Relations
  - Hacker initiates "Power supply in Norway breaks down" with likelihood "1:100 years".
  - "Power supply in Norway breaks down" leads to "Blackout in Norway" with conditional likelihood "1.0".
  - "Power supply in Sweden breaks down" leads to "Blackout in Norway" with conditional likelihood "0.1".
  - "Power supply in Norway breaks down" impacts "Power production in Norway" with consequence "critical".
Checking Likelihoods
[Figure: the threat diagram above, annotated with the likelihood calculation.]
- [1:5 years] * 0.1 = [1:50 years]
- [1:100 years] + [1:50 years] = [3:100 years]
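The likelihood check on the slide is two lines of arithmetic; on a real diagram it has to be done for every vertex, in an order where every source is final before it is used. The script below is an added example, not part of the slides or of the CORAS tool: it parses the "[n:m years]" frequency notation, propagates frequencies along the leads-to relations in topological order (sum over incoming relations of source frequency times conditional likelihood, plus the frequencies of initiates relations) and reports where the stated likelihood disagrees with the propagated one. The diagram data is transcribed from the slide; the function and variable names are the author's own choices.

```python
from collections import deque
from fractions import Fraction
import re

# CORAS writes likelihoods as frequencies "[n:m years]": n occurrences per m years.
FREQ_RE = re.compile(r"\[\s*(\d+)\s*:\s*(\d+)\s*years?\s*\]")


def parse_frequency(text):
    """'[3:100 years]' -> Fraction(3, 100) occurrences per year (exact arithmetic)."""
    m = FREQ_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a CORAS frequency: {text!r}")
    return Fraction(int(m.group(1)), int(m.group(2)))


def format_frequency(f):
    return f"[{f.numerator}:{f.denominator} years]"


def check_likelihoods(stated, initiates, leads_to):
    """Propagate frequencies through the leads-to relations and compare them with
    the likelihoods written on the vertices.

    stated:    vertex -> "[n:m years]" for vertices that carry a likelihood
    initiates: (threat, scenario, "[n:m years]") initiates relations
    leads_to:  (source, destination, conditional likelihood as a decimal string)
    Returns vertex -> (stated frequency or None, computed frequency or None).
    A vertex with an incoming relation whose source frequency is unknown gets None.
    """
    vertices = set(stated) | {scenario for _, scenario, _ in initiates}
    for src, dst, _ in leads_to:
        vertices |= {src, dst}
    indeg = {v: 0 for v in vertices}
    out = {v: [] for v in vertices}
    for src, dst, p in leads_to:
        out[src].append((dst, Fraction(p)))
        indeg[dst] += 1

    computed = {}
    for _, scenario, f in initiates:
        computed[scenario] = computed.get(scenario, Fraction(0)) + parse_frequency(f)
    unknown = set()

    # Kahn's algorithm: every source is final before its outgoing relations are used.
    ready = deque(sorted(v for v in vertices if indeg[v] == 0))
    processed = 0
    while ready:
        v = ready.popleft()
        processed += 1
        if v in unknown:
            computed.pop(v, None)          # a partial sum is not a result
        freq = computed.get(v)
        if freq is None and v in stated:   # nothing feeds it: use the stated value
            freq = parse_frequency(stated[v])
        for dst, p in out[v]:
            if freq is None:
                unknown.add(dst)
            else:
                computed[dst] = computed.get(dst, Fraction(0)) + freq * p
            indeg[dst] -= 1
            if indeg[dst] == 0:
                ready.append(dst)
    if processed != len(vertices):
        raise ValueError("leads-to relations form a cycle; frequencies cannot be propagated")

    return {v: (parse_frequency(stated[v]) if v in stated else None,
                None if v in unknown else computed.get(v))
            for v in vertices}


def mismatches(result):
    """Vertices whose stated likelihood disagrees with the propagated one."""
    return sorted(v for v, (s, c) in result.items()
                  if s is not None and c is not None and s != c)


# The threat diagram from the slide, transcribed from the slide text.
STATED = {
    "Power supply in Sweden breaks down": "[1:5 years]",
    "Blackout in Norway": "[3:100 years]",
}
INITIATES = [("Hacker", "Power supply in Norway breaks down", "[1:100 years]")]
LEADS_TO = [
    ("Power supply in Norway breaks down", "Blackout in Norway", "1.0"),
    ("Power supply in Sweden breaks down", "Blackout in Norway", "0.1"),
]


def check_slide_diagram():
    return check_likelihoods(STATED, INITIATES, LEADS_TO)


if __name__ == "__main__":
    result = check_slide_diagram()
    for v, (s, c) in sorted(result.items()):
        shown = lambda f: format_frequency(f) if f is not None else "-"
        print(f"{v}: stated={shown(s)} computed={shown(c)}")
    print("mismatches:", mismatches(result) or "none")
```

Frequencies are kept as exact fractions so that "[1:5 years] * 0.1" really is "[1:50 years]" and not a floating-point approximation of it; "Power supply in Norway breaks down" has no stated likelihood on the slide, so the script reports only the value derived from the initiates relation.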
Dependent Diagram
[Figure: the same diagram split into a CONTEXT SCENARIO and a TARGET SCENARIO named "Norwegian Power Supply". The context contains "Power supply in Sweden breaks down" [1:5 years], which leads to "Blackout in Norway" with conditional likelihood 0.1. The target contains "Hacker", "Power supply in Norway breaks down" [1:100 years], "Blackout in Norway" [3:100 years] (conditional likelihood 1.0 from the Norwegian scenario) and the asset "Power production in Norway" with consequence "critical".]
Semantics of Dependent Diagram
- The semantics of a dependent diagram with context C and target T is [[ T ]] assuming [[ C ]], to the extent there are explicit dependencies (the relations drawn from the context into the target).
[Figure: the dependent diagram "Norwegian Power Supply" with context "Power supply in Sweden breaks down" [1:5 years].]
Independence of Context
- T is independent of C if there are no paths from C to T
Rule of Independence
[Figure: the dependent diagram "Norwegian Power Supply" with context "Power supply in Sweden breaks down" [1:5 years], used to illustrate the rule.]
Modus Ponens
Applying the Deduction Rules
[Figure: two mutually dependent diagrams, as far as they can be read from the slide text.
- "Norwegian Power Supply": context "Power supply in Sweden breaks down" [1:5 years] leads to "Blackout in Norway" with conditional likelihood 0.1; in the target, "Hacker" initiates "Power supply in Norway breaks down" [1:100 years], which leads to "Blackout in Norway" [3:100 years] with conditional likelihood 1.0; the incident impacts "Power production in Norway" with consequence "critical".
- "Swedish Power Supply": context "Power supply in Norway breaks down" [1:100 years] leads to "Blackout in Sweden" with conditional likelihood 1.0; in the target, "Operator error in Sweden" initiates "Power supply in Sweden breaks down" [1:5 years], which leads to "Blackout in Sweden" [21:100 years] with conditional likelihood 1.0; the incident impacts "Power production in Sweden" with consequence "critical".]
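The two diagrams above assume each other: the Norwegian analysis assumes the Swedish scenario and the Swedish analysis assumes the Norwegian one, so neither can be discharged by modus ponens on its own. The script below is an added example, not part of the slides or of the CORAS tool, showing one way to mechanise the two rules: the rule of independence (a target vertex with no path from an undischarged context vertex holds unconditionally) and modus ponens (an assumption is discharged once another diagram has established that vertex with the same likelihood), alternated until nothing changes. The diagram data is transcribed from the slide; the class, the fixpoint procedure and the "same likelihood string" test for a match are the author's own formalisation, not the rules as stated in the Dependent CORAS work.

```python
from collections import deque


class DependentDiagram:
    """A dependent threat diagram: context vertices are assumed from another
    analysis (with the likelihood assumed for them), target vertices are the ones
    this analysis establishes, edges are leads-to relations
    (source, destination, conditional likelihood)."""

    def __init__(self, name, context, target, edges):
        self.name = name
        self.context = dict(context)
        self.target = dict(target)
        self.edges = list(edges)

    def reachable_from(self, starts):
        """All vertices reachable along leads-to edges from any vertex in starts."""
        seen, todo = set(), deque(starts)
        while todo:
            v = todo.popleft()
            for src, dst, _ in self.edges:
                if src == v and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
        return seen

    def independent_targets(self, pending_context):
        """Rule of independence: a target vertex with no path from any still
        undischarged context vertex holds regardless of that assumption."""
        tainted = self.reachable_from(pending_context)
        return {v: lk for v, lk in self.target.items() if v not in tainted}


def discharge(diagrams):
    """Alternate the rule of independence and modus ponens to a fixpoint.
    Returns (established, pending, trace): established maps vertices to the
    likelihood now known unconditionally, pending holds each diagram's
    assumptions that could not be discharged, trace lists the rule applications."""
    pending = {d.name: set(d.context) for d in diagrams}
    established, trace = {}, []
    changed = True
    while changed:
        changed = False
        for d in diagrams:
            for v, lk in d.independent_targets(pending[d.name]).items():
                if v not in established:
                    established[v] = lk
                    trace.append(("independence", d.name, v))
                    changed = True
            # Modus ponens: the assumption is discharged once another diagram has
            # established the same vertex with the same likelihood. A different
            # likelihood is a mismatch between the analyses and stays pending.
            for c in sorted(pending[d.name]):
                if established.get(c) == d.context[c]:
                    pending[d.name].discard(c)
                    trace.append(("modus ponens", d.name, c))
                    changed = True
    return established, pending, trace


def build_diagrams(assumed_norway="1:100 years"):
    """The two mutually dependent diagrams from the slide, transcribed from the
    slide text. assumed_norway is what the Swedish analysis assumes about the
    Norwegian scenario; changing it demonstrates a mismatched assumption."""
    norway = DependentDiagram(
        "Norwegian Power Supply",
        context={"Power supply in Sweden breaks down": "1:5 years"},
        target={"Power supply in Norway breaks down": "1:100 years",
                "Blackout in Norway": "3:100 years"},
        edges=[("Power supply in Norway breaks down", "Blackout in Norway", "1.0"),
               ("Power supply in Sweden breaks down", "Blackout in Norway", "0.1")],
    )
    sweden = DependentDiagram(
        "Swedish Power Supply",
        context={"Power supply in Norway breaks down": assumed_norway},
        target={"Power supply in Sweden breaks down": "1:5 years",
                "Blackout in Sweden": "21:100 years"},
        edges=[("Power supply in Norway breaks down", "Blackout in Sweden", "1.0"),
               ("Power supply in Sweden breaks down", "Blackout in Sweden", "1.0")],
    )
    return [norway, sweden]


if __name__ == "__main__":
    established, pending, trace = discharge(build_diagrams())
    for rule, diagram, vertex in trace:
        print(f"{rule:14} {diagram}: {vertex}")
    print("established:", established)
    print("undischarged:", {k: sorted(v) for k, v in pending.items()})
```

The mutual dependency resolves because each assumed scenario ("Power supply in Sweden breaks down", "Power supply in Norway breaks down") is independent of the other diagram's context: the context vertex only reaches the blackout incident, never the scenario itself. Running with build_diagrams("1:50 years") shows the failure mode a practitioner wants flagged: the Swedish assumption about Norway no longer matches what the Norwegian analysis establishes, so "Blackout in Sweden" is never established and the mismatch stays in the pending set.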
The Combined Diagram
[Figure: "Blackout in southern Sweden and Norway", the combined diagram. Only the element labels survive in the slide text; the relations between them do not. Elements readable on the Norwegian side: "Power market", "High export from area [1:1years]", "Transmission line outage [1:1year]", "High load on transmission corridor", "Protection failure", "Grid overload causes multiple outages in export area [1:10years]", "Minor area blackout in Norway [1:20years]", "High import from Sweden [1:5years]", "Low hydro availability [1:5years]", "Lack of rain in Norway", "Failed area protection", "Grid overload causes multiple outages [1:10years]", "Total area blackout", asset "Power production in Norway". Elements readable on the Swedish side: "Hacker", "Operator error", "Outage of two or more transmission lines in the north/south corridor [1:1year]", "Failed load shedding", "Failed area protection", "Interface bottleneck", "Reduced nuclear availability [1:20years]", "Low hydro availability [1:5years]", "Lack of rain in Sweden", "Capacity shortage [1:4years]", "Unstable network [1:10years]", "Minor area blackout [1:20years]", "Blackout in southern Sweden [1:20years]", asset "Power production in Sweden". Consequences shown: critical, moderate. Conditional likelihoods shown: 0.01, 0.07, 0.1, 0.2, 0.4, 0.5, 1.0.]
Horizontal Composition
[Figures: three steps of horizontal composition applied to the combined diagram "Blackout in southern Sweden and Norway"; only labels and numbers survive in the slide text.]
- Step 1: the fragment around "High export from area [1:1years]", "Transmission line outage [1:1year]", "Protection failure", "High load on transmission corridor" and "Grid overload causes multiple outages in export area [1:10years]" (conditional likelihoods 0.1, 1.0 and 0.5 appear) is composed into the single threat scenario "High export leads to grid overload in Norway [1:10years]", which leads to "Minor area blackout in Norway [1:20years]" with conditional likelihood 0.5.
- Step 2: the elements leading to "Total area blackout" are composed into a single leads-to relation with conditional likelihood 0.2; the incident is shown with likelihood [1:20years] and consequence "critical".
- Step 3: "Total area blackout [1:20years]" (consequence "critical") and "Total area blackout in southern Sweden and Norway [1:100years]" (consequence "critical") are shown with conditional likelihoods 0.2 and 0.1.