2012 Summer Project Week:Threat Modeling

From NAMIC Wiki
Revision as of 14:41, 22 June 2012 by JChris.FillionR (talk | contribs) (→‎Key Investigators)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Home < 2012 Summer Project Week:Threat Modeling


Key Investigators

  • Kitware: Jean-Christophe Fillion-Robin (JC), Julien Finet (J2)
  • Radnostics: Anthony Blumfield
  • Isomics: Steve Pieper

Objective

Identify “low hanging fruit” architecture enhancements that will limit the ability of using 3D slicer as a launching pad to take control of the host computer.

Why now? Earlier architectural changes are cheaper and reduce the application compatibility burden.



Approach, Plan

During project week we will create a high level threat model for 3D Slicer v4 and identify possible mitigations

Focus on elevation of privilege threats; punt other threat types to a later stage

Meeting Tuesday noon-3PM, Room 32-D407 (walk through D408)

Progress

Four major areas identified:

  • Code from many sources
  • Complex file formats (e.g. DICOM)
  • Network interfaces
  • Build

Strategy:

  • Start with low hanging fruit
  • Invest in measures that enhance security & quality simultaneously

Mitigations:

  • CLIs:
    • Default to executable CLIs running in low privileged child processes. Use in proc libs only when necessary.
    • Reduce execution of CLIs to those actually used by supporting an xml file rather than --xml
    • Investigate sandboxes for python. (i.e pysandbox)
  • Complex file formats
    • Investigate loading and validating files in low privileged child process
  • Network interfaces
    • Investigate limiting functionality and sandboxing
    • What is the situation with OpenIGTLink?
  • Secure build: compiler/linker options
  • Best practices


Delivery Mechanism

  1. Document

References

  • Swiderski F, Snyder W. Threat Modeling. ISBN-0735619913
  • Howard M, LeBlanc D. Writing Secure Code, Second Edition. ISBN-0735617228