Difference between revisions of "2012 Summer Project Week:Threat Modeling"

From NAMIC Wiki
Jump to: navigation, search
 
(5 intermediate revisions by 3 users not shown)
Line 9: Line 9:
 
* Kitware: Jean-Christophe Fillion-Robin (JC), Julien Finet (J2)
 
* Kitware: Jean-Christophe Fillion-Robin (JC), Julien Finet (J2)
 
* Radnostics: Anthony Blumfield
 
* Radnostics: Anthony Blumfield
 +
* Isomics: Steve Pieper
  
 
<div style="margin: 20px;">
 
<div style="margin: 20px;">
Line 51: Line 52:
 
**Default to executable CLIs running in low privileged child processes. Use in proc libs only when necessary.  
 
**Default to executable CLIs running in low privileged child processes. Use in proc libs only when necessary.  
 
**Reduce execution of CLIs to those actually used by supporting an xml file rather than --xml
 
**Reduce execution of CLIs to those actually used by supporting an xml file rather than --xml
**Investigate sandboxes for python  
+
**Investigate sandboxes for python. (i.e [https://github.com/haypo/pysandbox/ pysandbox])
 
*Complex file formats  
 
*Complex file formats  
 
**Investigate loading and validating files in low privileged child process
 
**Investigate loading and validating files in low privileged child process
 
*Network interfaces
 
*Network interfaces
 
**Investigate limiting functionality and sandboxing
 
**Investigate limiting functionality and sandboxing
 +
**What is the situation with OpenIGTLink?
 
*Secure build: compiler/linker options
 
*Secure build: compiler/linker options
**These are basically "freebees".  
+
**These are basically "freebees". See [http://www.na-mic.org/Bug/view.php?id=2250 #2250], topic pushed on jcfr fork [https://github.com/jcfr/Slicer/tree/2250-windows-security-flag 2250-windows-security-flag]
 +
*Best practices
  
  

Latest revision as of 14:41, 22 June 2012

Home < 2012 Summer Project Week:Threat Modeling


Key Investigators

  • Kitware: Jean-Christophe Fillion-Robin (JC), Julien Finet (J2)
  • Radnostics: Anthony Blumfield
  • Isomics: Steve Pieper

Objective

Identify “low hanging fruit” architecture enhancements that will limit the ability of using 3D slicer as a launching pad to take control of the host computer.

Why now? Earlier architectural changes are cheaper and reduce the application compatibility burden.



Approach, Plan

During project week we will create a high level threat model for 3D Slicer v4 and identify possible mitigations

Focus on elevation of privilege threats; punt other threat types to a later stage

Meeting Tuesday noon-3PM, Room 32-D407 (walk through D408)

Progress

Four major areas identified:

  • Code from many sources
  • Complex file formats (e.g. DICOM)
  • Network interfaces
  • Build

Strategy:

  • Start with low hanging fruit
  • Invest in measures that enhance security & quality simultaneously

Mitigations:

  • CLIs:
    • Default to executable CLIs running in low privileged child processes. Use in proc libs only when necessary.
    • Reduce execution of CLIs to those actually used by supporting an xml file rather than --xml
    • Investigate sandboxes for python. (i.e pysandbox)
  • Complex file formats
    • Investigate loading and validating files in low privileged child process
  • Network interfaces
    • Investigate limiting functionality and sandboxing
    • What is the situation with OpenIGTLink?
  • Secure build: compiler/linker options
  • Best practices


Delivery Mechanism

  1. Document

References

  • Swiderski F, Snyder W. Threat Modeling. ISBN-0735619913
  • Howard M, LeBlanc D. Writing Secure Code, Second Edition. ISBN-0735617228