_-04 Misuse and Abuse Cases

Misuse and Abuse cases
Engineering Secure Software
What is a requirement?
How do you define it?If done well, what are they useful for?
© 2011-2012 Andrew Meneely
Key Requirement Properties
What the system should…DoNot doWho interacts with the system (actors)Highly domain-specificDescribe how the surrounding environment has changed as a result of the system
Security is Not a Set of Features
Secureis an emergent property of software“Being dry” in a tent in the rainBeing secure is the result of many, many factors, not one feature (e.g. SSL)…so requirements documents should not just be a list of features
Vulnerabilities are in areas oftoo muchfunctionality
Copyright © Andrew Meneely
5
Unintended Functionality
What the System Should Be
Vulnerabilities
Faults
Non-security faults (bugs)
Use Case Review
Use cases include:ActorPreconditionsMain flow describes the primary scenarioAlternative scenarios describe how the system reacts to alternative cases
Misuse & Abuse Cases
A scenario within a use case in which an actor compromises the systemFlow of events, but with malicious usageDefine the harm done to the systemKeys:Domain, domain, domain.Don’t focus on coding and design vulnerabilities hereMalicious actors are creativeQuestion the assumptions of the systemFocus on what the actorcando overwilldo(prioritize later)
Misuse vs. Abuse
Misuse is unintentionalAbuse is intentionalAbusecases imply the actor is actively seekingvulnerabilitiesMisusecasesmust stillsecurity-relatedNOT the same as alternative flows(e.g. user mistakes are not usually misuse)“Crime”ofopportunityA good test: if you COULD do this again intentionally, would that be abuse? Thenit’s misuse.
e.g. Maintain Drug Interactions
Actor: Hospital AdministratorPrecondition: Admin is authenticated.Main Flow:Admin selects two different drug codes from the National Drug Codes selection menuAdmin enters a minimum dosage for both drugsAdmin enters text notes about the potential consequences of the interactionAdmin is shown a table of patient records where the interaction rule would applyAdmin saves the interaction rule
e.g. Misusing Maintain Drug Interactions
Misuse caseMain flow steps 1-3Admin is shown a set of patient records that have not been authorized for hospital administrator viewingHarm done: Patient privacy has been violated
e.g. Abusing Maintain Drug Interactions
Abuse caseActor: attacker who has spoofed an administrator’s identityRepeat Main Flow steps 10,000 timesProviding many rules for all different drug interactionsAuto-generate vague, technical text notes for each interaction ruleStop when the preview step takes over a minute to completeHarm done:Patients are overwhelmed by alerts, so alerts become ignoredAvailability of the system iscompromisedBut spamming the site with bots is not very creative. Let’s come up with another one…
e.g. Abusing Maintain DrugInteractions (2)
Abuse caseActor:doctor who is paid off by “Big Pharma”Go into maintain drug interactions pageModify the drug interaction rules to not show up in most cases that involve Big Pharma’s drugSystem saves the rule and applies them to all future drug prescriptionsHarmdone:Integrity of the drug interaction rulesPatients are at riskNobody knows who did this
Isn’t this infinite?
YesBut even one good abuse case goes farEasier to think beyond one scenarioStarts a discussionGets stakeholders and developers into a balanced mindset early onMotivates good design decisions
Security Requirements
Generalized forms of misuse and abuse casesUse-cases trace to security requirementsDocument these in the main flowAlso called “anti-requirements”E.g. from Maintain Drug InteractionsHospital administrators are only allowed to view a patient’s record with explicit, opt-in indication from the patientAll actors are limited to 10 server requestsper second
Actor Inspiration
Think of the best engineer on your teamFire them and humiliate them publiclyNow challenge them to break your systemWhat would they go after?What knowledge could they leverage the most?
Assumptions Inspiration
What are the other non-malicious users expecting in this domain?What are the ramifications of violating access restrictions?Where could an attacker “sit in the middle”Sniff the network?Load a plug-in?
Today’s Activity
See course website for “Abuse & Misuse Cases”Systems are:An auction websiteA charity micro-lending website (e.g. Kiva.org)A social networking website for model rocket hobbyistsAsmartphoneapp for trading recipes with people in your neighborhoodA reservation system for virtual images to be run on server farmsA moderated and curated question-and-answer site(e.g.StackOverflow)A crowd-sourced service that curates automated language translationA mobile app for ride-sharing and taxi services
Tips for Writing Misuse & Abuse Cases
It’s all about the actorAvoid “user”e.g. “User clicks on save”“Driver saves Bluetooth preferences”Avoid the HOW, just do the WHATe.g. “Hacker inputs a buffer overflow exploit”“Hacker executes malicious code on the server”This is a creative writing exercise - don’t over-constrainyourself!Find a main flow sentence and mutate ite.g. “The banker inputs the interest rate”“The fraudster writes a different interest rate than agreedupon by the customers”Bring it back to CIA – what are we protecting?