http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=11
I can't make out at all what is being said in the parts marked with asterisks or with English mixed in.
If any of you living abroad who are good at this, or anyone who can catch what is being said, could polish it a bit, I'd be grateful!
So who should threat model?
Typically, I will recommend that the developers must be involved in the entire process of threat modeling.
Why would you think the developers must be involved in threat models?
So that they can figure out where exactly they need to make sure they are paying extra attention when developing code.
Project managers need to be involved,
obviously, because they will have to add the additional timeline over there.
And business devs, the people who generally own the products, yesterday and in most of the cases, they need to be involved.
When should you threat model?
This is a really, really big question.
Every organization threat models at a different time period.
Typically I would recommend that you threat model just after the design stage,
once you've figured out a lot of details, from the functionality point of view, of what your application should do;
then you'll do the threat modelling.
And then you again do it before the testing stage.
But Microsoft says that you should just threat model towards the testing stage,
and there are different organizations that say that you should just do it at the end of the product, before releasing it.
Yeah, exactly.
(Slide: threat modeling is done only after the program has shipped and vulnerabilities have been found. Note: any program, even one for internal use only, should be threat modeled.)
So typically now, as you can see, most of the applications are threat modeled just after the release.
Why?
Because they would be vulnerable, released on product ****? They will say 'oh my god, there are vulnerabilities, let's threat model and try to figure out where the other areas are.'
But they have to go back and actually take from the very beginning what are the major ******** and what are the major locations where vulnerabilities could exist.
So here's a simple waterfall model.
The recommended location for the initial threat model should be right after the program design.
Revisit the threat model right before the testing stage.
But attackers and code reviewers typically these days do it right after everything has happened.
It is too late. It's a bandit situation over there.
You're just trying to fix something that is already broken;
it might be that the entire design of the application is broken.
And we'll talk about some basic design issues as well in the examples.
How to threat model?
Threat modeling has 3 major processes.
The first is collecting information about the application:
figure out what the goal of the application is.
Where has it to *****, what is the purpose of the application, is it just an intranet application?
Document it, for sure,
because I know all of you have gone through at least one application that was initially designed for internal use only and suddenly it's on the internet.
And that happens all the time.
And if you have not documented what the goal was, what the whole aspects were,
never c???? generally are easy ?*****
They're gonna take the quickest way out.
********
One of **** will think:
'Ah, it's not a big deal, let me just put the password here and let's make it easy.'
And it's literally internal use only. Who cares? Right?
But the ****** (matter is?) it's going to go to the internet; if this document is there, at least someone might review it ******** they will review it.
Decompose the application.
- We'll talk about breaking up the application, and what the application basically is;
  draw some kind of data flow diagram to get a bigger understanding of the data flow of the application.
- Where does it start, where does it end, what are the locations where intercepts might be happening.
And then do a detailed analysis of threats.
This, in my opinion, is the most difficult thing to ask of anyone, from the security perspective and from the developers' perspective.
The ideal people to do the detailed analysis of the threats are security developers, who are in my opinion very rare to find.
You can get a list of all the different types of vulnerabilities, but
people do not really think from the architecture level.
******************************************************
Umm, now these, with all the securities who *** every ****
trying to get CISSP and get a job and do anything and everything.
So be careful who is involved at that st*** and we'll talk about it a little bit more *****-?
So collecting background information, this is process step one.
How the application was built,
what are the dependencies,
are there inter-process dependencies,
are there any external dependencies, is it LPC, RPC,
what exactly is happening there,
is it creating named pipes, does it need remote named pipes,
are the permissions **** proper,
anything to do with anything should be documented over here.
Hit : 1890 Date : 2011/05/04 06:44
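As an added example, not part of the talk or of this translation: the decomposition the speaker describes (trust zones, components, data flows, and a documented assumption about where the application is exposed) written out as a small Python model, so that the threat list can be regenerated when the assumption changes. The zones, components, flows and the three deployment assumptions are constructed for a hypothetical internal web application; the "spoofing" and "interception" labels are an added STRIDE-style convention that the talk does not use.

```python
"""Added example, not code from the talk: a minimal data-flow model whose
findings depend on an explicitly documented deployment assumption.
All zones, components and flows are constructed for a hypothetical app."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int            # higher value = more trusted


@dataclass(frozen=True)
class Component:
    name: str
    zone: Zone


@dataclass(frozen=True)
class Flow:
    src: Component
    dst: Component
    data: str
    encrypted: bool       # confidentiality and integrity in transit
    authenticated: bool   # dst verifies who src is before acting on the data


@dataclass(frozen=True)
class Assumption:
    """The documented deployment assumption the model is evaluated under."""
    name: str
    client_zone: Zone                 # where legitimate users connect from
    attacker_zones: frozenset[Zone]   # where an attacker is assumed to sit


# Constructed trust zones and components of the hypothetical application.
INTERNET = Zone("internet", 0)
OFFICE_LAN = Zone("office_lan", 1)
SERVER_ROOM = Zone("server_room", 2)

WEB_APP = Component("web_app", SERVER_ROOM)
DATABASE = Component("database", SERVER_ROOM)
CONFIG_SHARE = Component("config_share", OFFICE_LAN)


def build_flows(client_zone: Zone) -> list[Flow]:
    """Data flows of the application; only the client's zone follows the deployment."""
    browser = Component("browser", client_zone)
    return [
        Flow(browser, WEB_APP, "login form: username and password",
             encrypted=False, authenticated=False),
        Flow(CONFIG_SHARE, WEB_APP, "config file holding the DB password",
             encrypted=False, authenticated=False),
        Flow(WEB_APP, DATABASE, "SQL queries", encrypted=False, authenticated=True),
    ]


def boundary_crossings(flows: list[Flow]) -> list[Flow]:
    """Flows that cross a trust boundary: the places where interception can happen."""
    return [f for f in flows if f.src.zone != f.dst.zone]


def analyse(assumption: Assumption) -> list[str]:
    """Enumerate threats on every boundary crossing under the given assumption."""
    findings = []
    for f in boundary_crossings(build_flows(assumption.client_zone)):
        if not ({f.src.zone, f.dst.zone} & assumption.attacker_zones):
            continue   # neither end is where the attacker is assumed to be
        if f.src.zone in assumption.attacker_zones and not f.authenticated:
            findings.append(f"spoofing: {f.dst.name} accepts '{f.data}' from "
                            f"unauthenticated {f.src.name} in {f.src.zone.name}")
        if not f.encrypted:
            findings.append(f"interception: '{f.data}' crosses {f.src.zone.name}->"
                            f"{f.dst.zone.name} in cleartext")
    return findings


# The assumption the developers in the talk made ("internal use only, who cares"),
# the same application once it is published to the internet, and the insider case
# an intranet-only model should already have recorded.
INTRANET_NAIVE = Assumption("intranet, no attacker assumed", OFFICE_LAN, frozenset())
INTERNET_FACING = Assumption("internet-facing", INTERNET, frozenset({INTERNET}))
INTRANET_INSIDER = Assumption("intranet, hostile insider", OFFICE_LAN, frozenset({OFFICE_LAN}))

if __name__ == "__main__":
    for a in (INTRANET_NAIVE, INTERNET_FACING, INTRANET_INSIDER):
        found = analyse(a)
        print(f"== {a.name}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Under the naive intranet assumption the model reports nothing, which is exactly why the speaker wants that assumption written down: the moment the deployment changes to internet-facing, re-running the same model surfaces the cleartext, unauthenticated login flow, and treating the office LAN as hostile additionally flags the configuration file (and the password in it) being read from an unauthenticated share.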