Difference between revisions of "2012 Summer Project Week:Threat Modeling"

Objective

Identify “low hanging fruit” architecture enhancements that will limit the ability of using 3D slicer as a launching pad to take control of the host computer.

Why now? Earlier architectural changes are cheaper and reduce the application compatibility burden.

Approach, Plan

During project week we will create a high level threat model for 3D Slicer v4 and identify possible mitigations

Focus on elevation of privilege threats; punt other threat types to a later stage

Meeting Tuesday noon-3PM, Room 32-D407 (walk through D408)

Progress

Four major areas identified:

• Code from many sources
• Complex file formats (e.g. DICOM)
• Network interfaces
• Build

Strategy:

• Start with low hanging fruit
• Invest in measures that enhance security & quality simultaneously

Mitigations:

• CLIs:
  • Default to executable CLIs running in low privileged child processes. Use in proc libs only when necessary.
  • Reduce execution of CLIs to those actually used by supporting an xml file rather than --xml
  • Investigate sandboxes for python. (i.e pysandbox)
• Complex file formats
  • Investigate loading and validating files in low privileged child process
• Network interfaces
  • Investigate limiting functionality and sandboxing
  • What is the situation with OpenIGTLink?
• Secure build: compiler/linker options
  • These are basically "freebees".