Review threats arising from client-service connection authenticity or TW

[mike1813]

As discussed in #67, where threats to data flows are caused by issues in Client Channels (client-service relationships) there is a case for restricting the threat so they are only caused by Client Channels representing direct connections (not via transparent proxies) or end-to-end connections (not to/from a transparent proxy).

Loss of Service TW is caused by a malicious service manager/operator or a compromised (hacked) service. In the former case, it is possible for Loss of Service TW to be caused in end-to-end channels only, because the threat is only relevant if the client has the same manager/operator. In the latter case Loss of Service TW is caused in all Client Channels to the service. Where the service is a transparent proxy, these threats only affect the local channels, affecting data flows on end-to-end channels through the proxy but not allowing direct attacks on the end-to-end relationship. Hence Loss of Service TW should not propagate between indirect and direct channels.

Service Impersonation (Loss of Service Authenticity) is caused by an attacker gaining control of the network and diverting client messages, or diverting the client by sending an incorrect service endpoint, e.g., via a phishing attack. In the former case this affects direct channels to the service, as the effect arises in the network. However, if the service is a transparent proxy, what is thereby diverted is the end-to-end communication, so that should also be affected. In the latter case, only end-to-end channels can be affected. Service Impersonation should therefore propagate from direct to indirect channels.

Loss of Anon User TW just means an attacker has network access to the service, which may be true of any service. It therefore affects all direct connections. It should propagate step-wise via transparent proxies towards the back-end service, as if anyone can send messages to the proxy, it will forward them. If the effect is present for a complete chain of connections from the client to the back-end service, the end-to-end connection should also be affected.

Note that Loss of Anon User TW does not imply that an attacker can authenticate or access the service, but it is a prerequisite for malicious access, and sufficient to launch anonymous attacks on a service.

Client Impersonation (Loss of Client Authenticity) is caused when an attacker acquires the means to authenticate to the service as the client. This does not imply they can access the service, however. The ways an attacker can acquire the means to authenticate include (a) access to a service that fails to authenticate clients - so the attacker wouldn't need any credentials at all, (b) access to credentials used by the client that are verified by the service, or (c) authenticated access to a separate service that handles authentication on behalf of the target service. Case (b) includes access to credentials by compromising the client, while case (c) includes authentication by a back-end service enabling authenticated access to a transparent proxy.

Client Impersonation does not propagate between indirect and direct connections. Client Impersonation in an indirect end-to-end connection may be a precursor to an end-to-end Loss of Client TW, enabling Client Impersonation in direct connections from the intervening transparent proxies. Client Impersonation in one of those direct connections does not affect the end-to-end connection, however.

Loss of Client TW is caused by a malicious client user, a compromised (hacked) client, or an attacker with both network access to the service and access to a means of authentication as the client. The first two cases work in the same way as Loss of Service TW, and may affect either direct or indirect channels via transparent proxies. The last case only arises in end-to-end channels which may or may not be indirect.

Where the cause is not a malicious insider, the service may be able to detect that the client is being used by the wrong person (e.g., via biometric profiling) after authentication, so Loss of Client TW implies slightly more than the combination Loss of Anon User TW and Client Impersonation, which are enough to launch authenticated attacks but not to use the service where such checks are possible. Loss of Client TW (by itself) implies access by an imposter. It must be used in conjunction with (possibly contextualised) client attributes to fully model access by a hacked or malicious (but legitimate) client.

If a transparent proxy is compromised, it leads to a Loss of Client TW affecting only the direct channel to the adjacent back-end service, which may or may not be another proxy. The attacker would then have a means to leak data coming from a service and alter data going to a service.

The proxy could also snoop passwords or other credentials (unless protected end-to-end) along with data. However, it doesn't have unfettered access to the back-end service.

Conclusion

We should change threats causing these behaviours so they arise only where they should.

We should change threats caused by these behaviours or the associated TW attributes to ensure they are caused if appropriate while avoiding duplication between direct and indirect channels.

[mike1813]

Threats causing Loss of Service TW are CC.L.CSHSAC.1, CC.L.CSCCHuoSt.1 and CC.L.CSCCHuSt.1. All are restricted to direct channels to the untrustworthy service, but should apply to any channels.

• [x] Make Loss of Service TW affect indirect or direct channels in CC.L.CSHSAC.1, CC.L.CSCCHuoSt.1 and CC.L.CSCCHuSt.1.

Threats causing Service Impersonation are CC.AuS.CRoS.3, CC.AuS.CRoSG.3 and CC.AuS.CRoSI.3. All affect direct channels only (via a client path through the network), but the effect should also apply to any associated indirect channels. This is already the case for these threats.

Threats causing Loss of Anon User TW previously worked only for direct channels via transparent proxies, but they have now been replaced by threats representing network access to arbitrary services including transparent proxies, step-wise access via a proxy, and access to the indirect channel if the first and last direct channels are affected. See #64.

Threats causing Client Impersonation (Loss of Client Authenticity) are:

• CC.AuC.CACHcLSS.1 and CC.AuC.CACHLSS.2: represent access to the target service from a compromised or stolen client.
• CC.AuC.CCC-nS.1: represents anonymous access to a target service that fails to use any client authentication.
• CC.AuC.HumCCC-nS.3: represents a brute force attack such as credential stuffing to discover a weak password.
• CC.AuC.CCC-nS.3.2, CC.AuC.HuDFTCS.3 and CC.AuC.HuDSTCS.3: represent various methods for stealing a client password by directing the client (or redirecting their messages) to an imposter service.
• CC.AuC.CCC-nS.3.3: represents stealing a client password via snooping in the network.
• CC.AuC.HuiHCCC-nS.3.3, CC.AuC.HuiHrCCC-nS.3.3: represent stealing a client password by shouder-surfing.
• CC.AuC.DFrXSS.3, CC.AuC.DFsXSS.3, CC.AuC.DSrXSS.3 and CC.AuC.DSsXSS.3: represent cross-site scripting attacks to steal the client's session cookie/token, allowing the attacker to intrude on a legitimate client-service connection.
• CC.AuC.CCCSScS.1: represents authenticated access to a separate OIDC-style authentication service used by the target service.

Most of these threats use prohibited links that inhibit the threats unless the service authenticates the client. They don't apply to client-service connections via transparent proxies, so they only affect end-to-end connections, as required.

They also don't affect connections to services that rely on another service for client authentication, including redirection of the client to an OIDC-style authenticator, or forwarding of authentication requests by a transparent proxy to a back end service. In either case, authenticated access (Client TW) to the authenticating service causes Client Impersonation at the dependent service.

CC.AuC.CCCSScS.1 doesn't quite work to cause Client Impersonation in channels via transparent proxies, because there must be both a common client and a 'controls' relationship between the two services. The simplest solution is to remove the inferred 'controls' link (construction pattern CuPvnS+c) so CC.AuC.CCCSScS.1 no longer covers any connections via transparent proxies. This leaves a separate threat CC.AuC.CCCvCCS.1, also added in response to issue #64, to handle those.

• [x] Remove the inferred 'controls' link from construction pattern CuPvnS+c so CC.AuC.CCCSScS.1 does not make Client Authenticity in direct channels via transparent proxies dependent on Client TW in indirect end-to-end channels.

The other problem is with CC.AuC.CACHcLSS.1 and CC.AuC.CACHLSS.2, which are also restricted to channels where the service authenticates the client, and (since they require a client attack path) exclude indirect channels via transparent proxies. Evidently, client authenticity is meaningless if the client is such a proxy, so the first restriction is not a problem, although it does mean we will need some other way to represent the effect of a compromised proxy.

The second issue is more problematic. One solution is to link indirect client channels to client attack paths connected to direct channels to/from proxies. However, this would lead to duplicate threat paths from CC.AuA.CCAPNaS.1 or CC.AuA.OCAPNaS.1 via CC.AuA.CCCPCCcS.1 and CC.AuA.CCCv2CCS.1. The best solution seems to be new threats alongside CC.AuC.CACHcLSS.1 and CC.AuC.CACHLSS.2, to cover the case where the end-to-end connection is indirect.

• [x] Add new threats alongside CC.AuC.CACHcLSS.1 and CC.AuC.CACHLSS.2 leading to Client Impersonation in end-to-end connections. NOT DONE.

Threats causing Loss of Client TW are:

• CC.R.CCC-pS.1: added to address #64 represents authenticated access to a service by someone able to authenticate as the client (Client Authenticity) and send messages to the service (Anon User TW).
• CC.R.HuoStCCCS.1 or CC.R.HuStCCCS.1: insider attacks, which lead directly to Loss of Client TW (not via Client Impersonation) because there is no possibility of intruder detection after authentication (the attacker is a legitimate user).
• CC.R.CDBSC.4: query injection via a service which is a trusted client of a DB service, represented as Loss of Client TW in the channel to the DB service.

The first of these excludes channels from transparent proxies because Client Authenticity is meaningless in those cases, but this means there is no path from compromise of the transparent to Loss of Client TW in the direct channel from there towards the back-end service. To fix this, a new threat is needed.

• [x] Add a new threat similar to CC.AuC.CACHcLSS.1 leading to Loss of Client TW in a channel from a transparent proxy should the proxy be compromised, i.e., controlled by a malicious hacker.

Note that this new threat can lead to Loss of Client TW rather than Client Impersonation because a reverse proxy cannot have an interactive user, so there is no possibility that the intruder could be detected after authentication to the back-end service.

The two insider attacks also exclude channels where the service doesn't authenticate the client. The query injection attack could affect direct or indirect channels, but normally it will be an end-to-end channel because a DB service wouldn't normally act as a transparent reverse proxy. We may want to introduce a modelling error threat to detect where it is used in that way (elevating this assumption to become a domain model restriction). See also

Then all threats caused by Client Authenticity or TW, Service Authenticity or TW, and Client-Service Accessibility must be made consistent with the above.

[mike1813]

The change to CC.L.CSHSAC.1 revealed a small problem.

Removing the mandatory ClientChannel-channelVia-ServiceChannel link means the ClientChannel is no longer restricted to be a direct connection. However, the threat originally specified a ClientChannel-viaSubnet-LogicalSubnet link. It turns out this is not necessary, as the ProcAccess-accessToService-ClientChannel link ensures that the ClientChannel is used in the context where the service has been compromised (so addressing cases where the service host may be mobile).

But investigating this aspect led to a couple of surprises. First, this link is only created for indiret channels (by CCCvCCvLS+vLS) to subnets visited en-route to the first transparent proxy. This means restoring the ClientChannel-viaSubnet-LogicalSubnet link to CC.L.CSHSAC.1 could suppress that threat entirely.

Other uses of this link are:

• in simple misdirection attacks CC.AuC.HuDFTCS.3 and CC.AuC.HuDSTCS.3, where it is used to suppress these threats if the service is not accessed via an IP subnet (mainly to exclude threats in access to USB/Bluetooth services)
• in XSS threats CC.AuC.DFrXSS.3, CC.AuC.DFsXSS.3, CC.AuC.DSrXSS.3 and CC.AuC.DSsXSS.3, for the same reason
• in side effect threats P.A.HuDFrXSS.6, P.A.HuDFsXSS.6, P.A.HuDSrXSS.6, P.A.HuDSsXSS.6, which capture the consequences of a suspension in services with XSS vulnerabilities, and so should satisfy the same restriction
• in P.V.CCCSACvLS.2, representing authenticated access to a service vulnerability from an adjacent subnet, which is OK if the authentication is as a client with direct access.

Because indirect channels are not fully connected to all potential subnets, the first three cases won't work properly for indirect client-service relationships. Pattern CCCvCCvLS+vLS should be changed so links are created to all subnets used. However, that would mean P.V.CCCSACvLS.2 could form duplicate threats from the indirect and last direct channel to the service.

The best solution: remove the viaSubnet link from P.V.CCCSACvLS.2 and add a prohibited usesViaProxy link so this threat only arises in connection to a direct channel. If an attacker could authenticate as an indirect client, then CC.AuC.CCCvCCS.1 ensures they can attack from a local subnet between the last transparent proxy and the service. This prevents CCCvCCvLS+vLS changes from producing spurious duplicate threats elsewhere.

[mike1813]

CC.L.CSCCHuoSt.1 and CC.L.CSCCHuSt.1 were originally restricted to direct connections, so this restriction (a link from the Client Channel to a mandatory Service Channel) was removed.

[mike1813]

CuPvnS+c renamed CuPvnS+n, and the constructed 'Service-controls-Proxy' link removed, leaving only Client-noAuthN-Proxy.

[mike1813]

Adding new threats alongside CC.AuC.CACHcLSS.1 and CC.AuC.CACHLSS.2 proved too difficult. Instead, their scope was expanded to include indirect client-service relationships.

This can be done by adding construction pattern CCCCAP+ch after the existing CCSCAP+ch. The new pattern adds a 'channelVia' link from each indirect client channel to each client attack paths already linked (by CCSCAP+ch) to a channel via a proxy.

ClientChannel-channelVia-ClientAttackPath links are used in CC.AuC.CACHcLSS.1 and CC.AuC.CACHLSS.2, so adding these links from indirect channels opens up the threats so they can address indirect as well as direct channels.

It is also used in CC.AuA.CCAPNaS.1 and CC.AuA.OCAPNaS.1, where we don't want to open the threats up in the same way. This is because those threats represent the process of sending an unauthenticated message to the service, which propagates to the end-to-end channel via CC.AuA.CCCPCCcS.1 and CC.AuA.CCCv2CCS.1. To prevent this, a prohibited Client-usesViaProxy-Service link is added.

[mike1813]

CC.R.HuoStCCCS.1 or CC.R.HuStCCCS.1 restricted by adding a prohibited proxyAuthN link, and removing links from the Client Channel to a mandatory Service Channel node.

[mike1813]

Review of threats caused by Service Authenticity:

• DF.C.CCDFCS.3.2 and DF.Auth.CCDFSC.3.2: leaking data sent to the service and injecting false data send from the service, which may be a data flow intermediary rather than the destination or source, respectively.
• CC.AuC.CCC-nS.3.2: loss of client authenticity in the relationship due to password capture by the imposter service.
• I.Auth.HVSICSG.3: spoofing a virtual network that is controlled by the real service.

The first two threats affect data flow intermediaries, so should arise for any connection including those via transparent proxies.

The other two threats are caused only by end-to-end connection. The first is constructed in that way, while the second should never be found for a transparent proxy service because such a service should never control anything except another transparent proxy.

Required actions:

• [x] Add a modelling error threat to detect cases where a transparent proxy controls anything other than another transparent proxy.

[mike1813]

Review of threats caused by Service TW:

• DF.C.CCDFTS.1.3 and DF.Auth.CCDFFS.1.3: leaking data sent to the service and injecting false data send from the service, which must not be an intermediary, i.e., it is the data destination or source, respectively.
• DF.C.CCDFC-tS.1.3 and DF.Auth.CCDF-fSC.1.3: leaking data sent to the service and injecting false data send from the service, which must be a data flow intermediary rather than the destination or source, respectively.
• CC.AX.CCCS.1.3: untrustworthy service disables access by a client

These threats differ from those caused by Service Authenticity because the real service is involved. An imposter service cannot block access to the real service, nor access encryption keys. The real service can block access, and if it is the data flow source or destination, it can alter/intercept even encrypted data (unless homomorphic encryption is used).

The first two threats should be restricted to end-to-end client channels arriving at the service, so as not to create a duplicate from the channel from the last transparent proxy. The others need no such restriction.

Required actions:

• [x] Restrict DF.C.CCDFTS.1.3 and DF.Auth.CCDFFS.1.3 so they are only caused by end-to-end client channels.

[mike1813]

Review of threats caused by Client Authenticity:

• CC.R.CCC-pS.1: loss of Client TW caused when an attacker has access to client credentials (Client Authenticity) and can also send messages to the service (Anon User TW) - the combination means they can access the service as the client.
• P.V.CCCSAC.2: remote access to exploit a software vulnerability that requires authentication, caused by the same combination.
• P.V.CCCSACvLS.2: same as P.V.CCCSAC.2 except the attack must come from an adjacent network.
• CC.AX.CCCS.6.2: loss of accessibility for the real client caused as a side effect of suspending access for an unauthentic client, where the service is able to detect this.

The first of these only makes sense for end-to-end connections. If a transparent proxy were compromised, it would be able to access its back-end service (which may be another proxy), but not as the ultimate client.

The other three threats should apply to all direct or indirect connections. In practice, direct connections are sufficient because a loss of authenticity propagates from the end-to-end connection via CC.AuC.CCCvCCS.1, and loss of accessibility propagates to the end-to-end connection via CC.AX.CCCvCCS.0.

Required changes: none.

[mike1813]

Review of threats caused by Client TW:

• CC.AuC.CCCSScS.1: authentication to a service via authenticated access to its OAuth/OIDC authenticator, caused by end-to-end connections (now ensured by the modelling error threat ensuring a transparent proxy can't control another service).
• CC.AuC.CCCvCCS.1: authenticated access to/from a transparent proxy via authenticated access to a back-end service, caused by end-to-end connections only.
• CC.AuP.CCCPCCPS.1, CC.AuP.CCCPCCS.1, CC.AuP.CCCPPCCPS.1 and CC.AuP.CCCPPCCS.1: access via an authenticating proxy to back end services, the cause being the connection to the first authenticating proxy which must be end-to-end.
• CC.AX.CCCS.6.3: loss of accessibility for the real client caused by suspension of access due to the client being untrustworthy, if the service can detect this.
• DF.A.CCDFCS.6.3: loss of availability in a data flow due to its suspension at a client to avoid sending data to an untrustworthy service, assuming the client has a way to detect this. This threat should depend on Service TW, not Client TW.
• DF.A.CCDFSC.6.3: loss of availability in a data flow due to its suspension at a service to avoid sending data to an untrustworthy client, assuming the service has a way to detect this.
• DF.Auth.CCDFCS.1.3 and DF.C.CCDFSC.1.3: injection of false content in data flows to a service, and leaking of content in data flows from a service, where the client may be a data flow intermediary.
• DF.Auth.CCDFFC.1.6 and DF.C.CCDFTC.1.6: same threats where the client has been compromised and is the data flow source or destination, meaning data flow encryption controls will be less useful.
• DF.Auth.CCDFFC.2.6 and DF.C.CCDFTC.2.6: same threats again, but this time where the client is accessed via a stolen device.
• DS.A.CDBSCDSF.4, DS.A.CDBSC-DSF.4, DS.Auth.CDBSC-DSF.4 and DS.C.CDBSC-DST.4: threats caused by injection attack, so the trusted client (in this case another service) sends a false query.
• LS.L.HLSISC.1: connection to a logical subnet via authenticated access to its controlling service, which should be end-to-end and is prevented by modelling error threats that ensure a transparent proxy cannot control access to anything.
• P.L.CCCLnSAC.1 and P.L.CCCSAC.3: gaining access to the service host through authenticated access to a service. In the first of these the service is a remote access service designed to allow access, and in the second the service contains a back door.
• DF.O.CCDFSFC.3, DF.O.CCDFSTC.3 and P.O.CCCS.3: overload attacks on a service by an impersonated/malicious client. These threats should be revised to address #53, so will not be considered further here.

Required changes:

• [x] DF.A.CCDFCS.6.3: change cause from Client TW to Service TW.

[mike1813]

Initial tests revealed a couple of bugs.

Pattern CCCSScS had the prohibited proxyAuthN link in the wrong place, suppressing threats to connections from transparent proxies, when it should have prevented threats from those connections. Threat CC.L.CSHSAC.1 wasn't updated correctly - the mandatory service channel wasn't removed as intended.

Now fixed, so all the above changes have been made in branch 65.

[mike1813]

Regression tests revealed that the modelling error(s) aren't working quite as expected.

In test case Test04d C-P-X-S-Implicit (attached), the modelling error P.E.Pc-uCpS.9 is found as expected. This arises because the transparent proxy P2 is also controlled by authentication service X4. That is inconsistent, as a transparent proxy should not be authenticating clients, not even by redirection to an authentication service.

However, we also get the new modelling error P.E.Pc-pPpmS.9, which catches cases where a transparent proxy controls another process. That is also inconsistent, because access to a service can only be controlled by another service that authenticates clients, either locally or by further redirection.

In this case, the modelling error says P2 is controlling X4, but in fact the relationship is the other way around. It looks like a copy and paste error durnig the creation of the threat pattern.

Required changes:

• [x] Review and fix the pattern for P.E.Pc-pPpmS.9.
• [x] Review the pattern for P.E.Pc-uCpS.9, to ensure it is not contributing (even if only slightly) to an overlap between these modelling errors.

[mike1813]

Pattern CCCSScS had the prohibited proxyAuthN link in the wrong place

Actually, the proxyAuthN link already included in pattern CCCSScS was in the right place. There was a proxyAuthN link missing which had to be added, but the existing link should not have been deleted.

• [x] Fix residual but in pattern CCCSScS.

[mike1813]

The modelling errors got into a bit of a mess. We now have:

• P.E.Pu-pPpmS.9: A transparent proxy for one back-end service cannot authenticate for other back-end services
• P.E.Pc-uCpmS.9: A transparent proxy cannot be controlled by another service
• P.E.Pc-pPpmS.9: A transparent proxies can’t control access to other services
• P.E.PcHpmS.9: A transparent proxies can’t control access to hosts
• P.E.PcLSpmS.9: A transparent proxies can’t control access to networks

During development of these threats to client-service relationships it was assumed that a reverse proxy will either authenticate the client before forwarding subsequent requests in the same session, or forward authentication requests to back-end services (so they control the proxy). It is not clear whether the solutions adopted rely on this assumption. A simple test case that mixes the two cases seems to work OK, but more analysis and testing is needed to confirm this would hold in more complex system models. Given that, the first modelling error has been retained.

The second modelling error is needed. A transparent proxy is controlled by the back-end services, so having access to it controlled by anything else would create a conflict. The resulting system model would be at best ambiguous as to how this can be resolved so we need a modelling error to detect and flag that situation.

The other three are needed because a transparent proxy doesn't authenticate clients, so it has no basis on which to make access control decisions for any other service (or host or network). Back-end services accessed via a transparent proxy could do this, but not the proxy itself.

[mike1813]

The new threat for Loss of Client TW in a channel from a transparent proxy is CC.R.CAPHcLSS.1. It is similar to CC.AuC.CACHcLSS.1 except instead of a prohibited 'Client-noAuthN-Service' link it has a necessary 'Client-proxyAuthN-Service' (meaning that the Client is a transparent proxy for the back-end Service). In addition, the ClientAttackPath has a 'channelTo' link to the Service.

[mike1813]

Changes now addressed as described in revised comments, fixing problems found in regression tests so this issue can be closed again.

[mike1813]

Reopening once again. One more issue found in the regression test. Loss of Service TW shouldn't propagate between direct channels and indirect end-to-end channel, as this leads to duplicate threat paths.

The reason this was missed is because if Loss of Service TW arises due to malicious control of the service, we assumed (rightly) that direct and indirect channels to the service would be affected. However, it was wrong to conclude this means it is OK to propagate Loss of Service TW from direct channels to indirect channels. If the hacked service is a transparent proxy, the indirect channel isn't to the service, so propagation to the indirect channel creates a new, duplicated threat path.

The solution is to revert changes in CC.L.CSHAC.1, CC.L.CSCCHuoSt.1 and CC.L.CSCCHuSt.1 that add optional threat effects where there is an indirect channel. The changes enabling indirect channels to be affected are still needed, however.

In addition, the descriptions given above should be fixed.

[mike1813]

Fixed in branch 65, and descriptions above made consistent with what is needed.