2012 Summer Project Week:Threat Modeling
From NAMIC Wiki

[Gallery: PW-MIT2012.png, "Projects List"; Threat.jpg, "Unsecured code can be a launching pad to take control of the host computer."]
Latest revision as of 14:41, 22 June 2012
Key Investigators
- Kitware: Jean-Christophe Fillion-Robin (JC), Julien Finet (J2)
- Radnostics: Anthony Blumfield
- Isomics: Steve Pieper
Objective
Identify "low hanging fruit" architecture enhancements that limit the ability to use 3D Slicer as a launching pad to take control of the host computer.
Why now? Architectural changes are cheaper to make early, and making them early reduces the application compatibility burden.
Approach, Plan
During project week we will create a high-level threat model for 3D Slicer v4 and identify possible mitigations.
Focus on elevation-of-privilege threats; defer the other threat types to a later stage.
Meeting Tuesday noon-3PM, Room 32-D407 (walk through D408).
Progress
Four major areas identified:
- Code from many sources
- Complex file formats (e.g. DICOM)
- Network interfaces
- Build
Strategy:
- Start with low hanging fruit
- Invest in measures that enhance security & quality simultaneously
Mitigations:
- CLIs:
  - Default to executable CLIs running in low-privileged child processes; use in-process libraries only when necessary.
  - Reduce execution of CLIs to those actually used: read each module's description from an XML file shipped alongside the executable rather than executing every CLI with --xml at discovery time.
  - Investigate sandboxes for Python (e.g. pysandbox; its author later abandoned it as unfixable, so OS-level isolation in a separate process is the safer bet).
- Complex file formats
  - Investigate loading and validating files in a low-privileged child process.
- Network interfaces
  - Investigate limiting functionality and sandboxing.
  - What is the situation with OpenIGTLink?
- Secure build: compiler/linker options
  - These are basically "freebies" (e.g. /GS, /DYNAMICBASE and /NXCOMPAT on Windows; -fstack-protector, -D_FORTIFY_SOURCE=2 and -Wl,-z,relro,-z,now with GCC/Clang). See #2250 (http://www.na-mic.org/Bug/view.php?id=2250); topic pushed on jcfr fork: 2250-windows-security-flag (https://github.com/jcfr/Slicer/tree/2250-windows-security-flag).
- Best practices
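The two "low-privileged child process" items above (executable CLIs and file-format loading) share one pattern: fork a worker that has shed privileges and carries hard resource caps, and let the parent accept nothing from it except a small, schema-checked verdict. The following is an added example in Python, not code from 3D Slicer or from this project. It assumes a POSIX host (Linux or macOS), a Python 3 interpreter at sys.executable, and an unprivileged user named nobody for the case where the parent runs as root; the untrusted work is a deliberately minimal DICOM Part 10 check (128-byte preamble followed by the magic "DICM") standing in for a real parser or CLI, and the sample files it validates are constructed inline.

```python
"""Privilege separation for untrusted CLI modules and file parsers.

Added example (not 3D Slicer code): the parent launches the work in a child
that has no privileges it does not need and hard resource caps, and the parent
trusts nothing from the child except a small JSON verdict.  Assumes a POSIX
host, a python3 at sys.executable and (if root) a user named 'nobody'.
"""
import json
import os
import pwd
import resource
import subprocess
import sys
import tempfile

MB = 1024 * 1024

# The untrusted work: a tiny DICOM Part 10 check (128-byte preamble, then the
# magic "DICM").  A real parser or CLI would go here.  A truncated file makes it
# raise, which stands in for a parser crash on malformed input.
CHILD_VALIDATOR = r"""
import json, sys
with open(sys.argv[1], "rb") as f:
    preamble = f.read(128)
    magic = f.read(4)
if len(preamble) != 128:
    raise ValueError("truncated preamble")      # uncaught on purpose: a 'crash'
print(json.dumps({"ok": magic == b"DICM"}))
"""


def _confine(max_cpu_s=5, max_file_bytes=1 * MB, max_mem_bytes=512 * MB,
             unprivileged_user="nobody"):
    """Build the preexec_fn that runs in the child between fork() and exec()."""
    def preexec():
        # Hard caps: the child cannot spin forever, fill the disk or dump core.
        resource.setrlimit(resource.RLIMIT_CPU, (max_cpu_s, max_cpu_s))
        resource.setrlimit(resource.RLIMIT_FSIZE, (max_file_bytes, max_file_bytes))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
        if sys.platform.startswith("linux"):    # RLIMIT_AS is only enforced on Linux
            resource.setrlimit(resource.RLIMIT_AS, (max_mem_bytes, max_mem_bytes))
        # Never run untrusted code as root: shed uid/gid to an unprivileged user
        # (assumed to exist; refusing to start is the right failure mode if not).
        if os.geteuid() == 0:
            pw = pwd.getpwnam(unprivileged_user)
            os.setgroups([])
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)
    return preexec


def validate_in_child(path, timeout_s=10.0):
    """Return {'ok': bool, 'reason': str}; any child misbehaviour is a rejection."""
    argv = [sys.executable, "-I", "-c", CHILD_VALIDATOR, path]
    try:
        proc = subprocess.run(
            argv,
            capture_output=True,
            timeout=timeout_s,                 # wall-clock backstop for RLIMIT_CPU
            cwd=os.path.dirname(path),
            env={"PATH": "/usr/bin:/bin"},     # no inherited secrets or overrides
            preexec_fn=_confine(),
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timeout"}
    if proc.returncode != 0:                   # crash, signal (negative) or rlimit kill
        return {"ok": False, "reason": "validator exited %d" % proc.returncode}
    try:
        verdict = json.loads(proc.stdout.decode("utf-8"))
    except ValueError:                         # covers JSON and UTF-8 decode errors
        return {"ok": False, "reason": "malformed verdict"}
    if not isinstance(verdict, dict) or not isinstance(verdict.get("ok"), bool):
        return {"ok": False, "reason": "malformed verdict"}
    return {"ok": verdict["ok"], "reason": "magic check"}


def demo():
    """Constructed samples: valid magic, wrong magic, truncated (crashes the parser)."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)                         # readable by the unprivileged child
    samples = {
        "good": b"\x00" * 128 + b"DICM" + b"\x02\x00\x00\x00UL",
        "wrong_magic": b"\x00" * 128 + b"NOPE" + b"\x02\x00\x00\x00UL",
        "truncated": b"\x00" * 20,
    }
    results = {}
    for name, data in samples.items():
        p = os.path.join(d, name + ".dcm")
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o644)
        results[name] = validate_in_child(p)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

preexec_fn runs in the child between fork and exec, so it must not take locks and should not be used from a multithreaded parent; the wall-clock timeout backstops RLIMIT_CPU, since a child blocked on I/O consumes no CPU time and would otherwise never hit the limit. The same wrapper fits a real CLI module: replace argv with the module's command line and the JSON schema check with a parser for the module's own output, and keep the rule that a non-zero exit, a signal or unparseable output is a rejection, never a partial result.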
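Compiler and linker flags are only "free" if they actually land in the shipped binaries, so a build-time check is worth a few lines. The following is an added example in Python, not code from bug #2250 or from the jcfr branch it references: it parses a PE (Windows) image's optional header and reports which of the /DYNAMICBASE, /NXCOMPAT and /HIGHENTROPYVA bits are missing from DllCharacteristics. /GS leaves no header mark and cannot be checked this way. The header-only PE images it inspects are constructed inline for illustration, since no real build output is available here.

```python
"""Check that linker hardening flags landed in a built PE (Windows) binary.

Added example, not code from the Slicer bug or branch it illustrates.  Reads
the DllCharacteristics field of the PE optional header, which is where
/DYNAMICBASE, /NXCOMPAT and /HIGHENTROPYVA leave their mark.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA: 64-bit ASLR over the full address range
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: image may be relocated (ASLR opt-in)
NX_COMPAT = 0x0100         # /NXCOMPAT: DEP, non-executable data pages


def dll_characteristics(image: bytes):
    """Return (is_64bit, DllCharacteristics) from a PE image, validating the headers."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    if len(image) < coff + 20:
        raise ValueError("truncated COFF header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:
        is64 = False
    elif magic == 0x20B:
        is64 = True
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+: ImageBase grows
    # from 4 to 8 bytes while BaseOfData disappears, so the offset is unchanged.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return is64, flags


def hardening_report(image: bytes):
    """List the hardening flags a binary is missing; an empty list means hardened."""
    is64, flags = dll_characteristics(image)
    missing = []
    if not flags & DYNAMIC_BASE:
        missing.append("/DYNAMICBASE")
    if not flags & NX_COMPAT:
        missing.append("/NXCOMPAT")
    if is64 and not flags & HIGH_ENTROPY_VA:
        missing.append("/HIGHENTROPYVA")
    return {"is64": is64, "flags": flags, "missing": missing, "hardened": not missing}


def build_minimal_pe(is64: bool, flags: int) -> bytes:
    """Constructed header-only PE image (no sections), enough to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after the DOS header
    opt_size = 112 if is64 else 96               # optional header without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)   # PE32+ / PE32 magic
    struct.pack_into("<H", opt, 70, flags)                      # DllCharacteristics
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    weak = build_minimal_pe(False, 0)
    hardened = build_minimal_pe(True, DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)
    print("weak x86:", hardening_report(weak))
    print("hardened x64:", hardening_report(hardened))
```

Pointing hardening_report at open(path, "rb").read() for every .exe and .dll in an install tree, and failing the build on a non-empty missing list, turns the flags into a regression-tested property rather than a one-off fix. For ELF builds the corresponding header checks are ET_DYN for PIE, a PT_GNU_STACK segment without PF_X for a non-executable stack, and a PT_GNU_RELRO segment together with DT_BIND_NOW for full RELRO.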
Delivery Mechanism
- Document
References
- Swiderski F, Snyder W. Threat Modeling. ISBN 0735619913.
- Howard M, LeBlanc D. Writing Secure Code, Second Edition. ISBN 0735617228.