Disclosure of information

Note that the information disclosure trees are not part of LINDDUN but of Microsoft's STRIDE. Because privacy depends on security, LINDDUN includes STRIDE's information disclosure threats (which in turn refer to other STRIDE trees). It is nevertheless advised to execute a full security analysis in advance of, or in parallel with, LINDDUN.

All STRIDE trees on this page are taken from The Security Development Lifecycle by Howard and Lipner (Microsoft Press, 2006).

 

Information disclosure

information disclosure threat tree (LINDDUN)

Tree in general

The threat trees for information disclosure of a data flow, a data store and a process refer to the corresponding STRIDE security threat trees. This illustrates that privacy properties are part of security properties, and that privacy may depend on security. The corresponding STRIDE threat trees can be reached through the links in the second navigation bar on the left.

 

Information disclosure of data flow


information disclosure data flow (STRIDE threat tree)
 

Tree in general

Information disclosure is the security threat of revealing information to a party that should not receive it. For a data flow this requires both that the channel is insufficiently protected (so that man-in-the-middle attacks are possible, or side channels leak information) and that the message itself is not kept confidential: protecting either the channel or the message content blocks the disclosure.
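The "channel insufficiently protected" branch of this tree is, in practice, most often a TLS client that has had certificate verification switched off. The following added example (not from the LINDDUN site or the SDL book) audits a Python ssl.SSLContext for the settings that let a man in the middle terminate the session and read the messages, and for TLS compression, which is a side channel on the channel (CRIME). The weak context, the "hardened" context and the finding texts are constructed for this illustration.

```python
import ssl


def audit_tls_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for settings that leave a TLS data flow open to
    man-in-the-middle or side-channel disclosure. An empty list means the checks passed."""
    findings = []
    # CERT_NONE: the peer certificate is never validated, so anyone on the path can
    # terminate the TLS session in the middle and read every message.
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate is not validated")
    # Without hostname checking, a valid certificate for *any* name is accepted.
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the peer name")
    # TLS 1.0 and 1.1 are no longer considered sufficient channel protection.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    # TLS compression is a side channel (CRIME): ciphertext length leaks the plaintext.
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled: ciphertext length leaks the plaintext")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' case: verification switched off, as is often done to silence
    certificate errors. The message content is then readable by a man in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """'After' case: the stdlib defaults (CERT_REQUIRED, hostname check, system CA store,
    compression off) with the minimum protocol version pinned to TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_tls_client_context(ctx) or ["no findings"])
```

The audit only inspects configuration; it says nothing about the confidentiality of the message itself. Under the tree's logic that is the other half of the conjunction: a message that is encrypted end to end stays confidential even over a channel that fails this audit.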

Information disclosure of data store


Information disclosure of data store (STRIDE threat tree)

Tree in general

Information disclosure of a data store can occur, similar to the data flow, when the data store itself is insufficiently protected against unauthorized access and the data itself is not kept confidential.

Information disclosure at the data store is possible when both the database protection scheme can be bypassed (because of a canonicalization failure, weak or no protection, or other consumers of the store next to this application) and the data is intelligible, because it is stored unencrypted or an authorized user can be spoofed. Side channels that reveal information and extra-monitor access (reaching the data without going through the process that governs access) also threaten data confidentiality. Finally, storage management can fail: what happens when the application undoes or recovers an operation? How is sensitive data erased or hidden (occluded data)? Storage might also be incorrectly initialized or cleared.

 

Information disclosure of process


information disclosure of process (STRIDE threat tree)

Tree in general

A process can disclose information when it is insufficiently protected against side channels, or when it is corrupted through an input validation failure or through direct access to its memory. Information can also be disclosed when the user who is entitled to access the process can be spoofed.
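The side-channel leaf is easy to underestimate, so here is an added example (not from the LINDDUN site or the SDL book) of a process leaking a secret through its own timing. A token check that returns at the first mismatching byte does a measurable amount of work that depends on how many leading bytes the caller got right; the attacker function below recovers the whole token from that leak alone, one byte at a time, instead of searching the full space. The token, the work counter used in place of a real timer, and the function names are constructed for the illustration.

```python
import hmac

# Constructed secret for the demonstration (not from the page); first byte is non-zero.
SECRET_TOKEN = bytes.fromhex("4c1e9a0b77d3f258")


def leaky_token_check(stored: bytes, supplied: bytes) -> tuple:
    """Early-exit comparison, as found in many hand-written token checks.
    Returns (match, bytes_examined); bytes_examined stands in for the time the
    process spends, which an attacker measures remotely. It grows with the number
    of leading bytes the attacker got right."""
    if len(stored) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(stored, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_token_check(stored: bytes, supplied: bytes) -> bool:
    """Hardened form: the work does not depend on where the first mismatch is.
    (The length is still observable; keep token lengths fixed.)"""
    return hmac.compare_digest(stored, supplied)


def recover_token(oracle, length: int) -> bytes:
    """Recover a secret one byte at a time using only the leak.
    `oracle(guess)` returns (match, bytes_examined). At position pos the correct
    byte is the only candidate for which the comparison proceeds past pos."""
    recovered = b""
    for pos in range(length):
        found = None
        for candidate in range(256):
            guess = recovered + bytes([candidate]) + bytes(length - pos - 1)
            match, examined = oracle(guess)
            if match or examined > pos + 1:
                found = candidate
                break
        if found is None:
            raise RuntimeError("no candidate advanced the comparison: the oracle does not leak")
        recovered += bytes([found])
    return recovered


def demo() -> dict:
    """Attack the leaky check; report the recovered token and the number of queries used."""
    queries = 0

    def oracle(guess: bytes):
        nonlocal queries
        queries += 1
        return leaky_token_check(SECRET_TOKEN, guess)

    recovered = recover_token(oracle, len(SECRET_TOKEN))
    return {"recovered": recovered, "queries": queries, "brute_force_space": 256 ** len(SECRET_TOKEN)}


if __name__ == "__main__":
    print(demo())
```

Against constant_time_token_check the same attacker gets the same work count for every wrong guess, so the loop in recover_token never finds a candidate that "advances" and the search degrades to the full 256^n space. In a real process the counter is replaced by a clock, and noise is averaged out by repeating each query; the structure of the attack is unchanged.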

 

Spoofing, tampering & elevation of privilege

As information disclosure threats refer to other STRIDE threats, the referenced trees are included below for completeness.


Spoofing an entity

An entity can be spoofed by obtaining legitimate credentials from an existing user or by falsifying credentials; an insufficient authentication system also makes spoofing easy. Questions to ask about credentials: How are credentials protected in storage? How are they transmitted? How secure is the protocol for updating them? How complex are they: are they easy to guess, can distinct credentials be treated as the same, and are accounts without a password (null credentials) supported? The authentication scheme itself should also be examined: does the application support an older, less secure scheme? Can the user access more than he should?

spoofing entity (STRIDE threat tree)
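To make the credential questions above concrete, here is an added example (not from the LINDDUN site or the SDL book) that puts a legacy verifier next to a hardened one and runs the same login attempts against both. The legacy scheme has three of the weaknesses the tree asks about: a null credential, truncation and case folding (so many distinct passwords are treated as the same), and clear-text storage. The account table, the passwords and all function names are constructed for the illustration; the hardened scheme uses the standard library's PBKDF2.

```python
import hashlib
import hmac
import os

# Constructed legacy account table (not from the page): passwords in clear, one account
# with a null credential.
LEGACY_USERS = {
    "alice": "Tr0ub4dor&3",
    "guest": None,
}


def legacy_verify(user: str, password: str) -> bool:
    """'Before' scheme showing the weaknesses the tree asks about: null credentials are
    accepted, only the first 8 characters count and case is ignored (so many distinct
    passwords are treated as the same), and the stored secret is in clear text."""
    if user not in LEGACY_USERS:
        return False
    stored = LEGACY_USERS[user]
    if stored is None:              # null credential: any password opens the account
        return True
    return stored[:8].lower() == password[:8].lower()


PBKDF2_ITERATIONS = 600_000        # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)
_DUMMY_SALT = bytes(16)


def make_record(password: str) -> dict:
    """Create a stored credential: random per-user salt, slow salted hash, no clear text."""
    if not password:
        raise ValueError("null credentials are not supported")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def hardened_verify(records: dict, user: str, password: str) -> bool:
    """'After' scheme: full password, case-sensitive, constant-time comparison, and the same
    amount of work for unknown users so the response time does not reveal valid usernames."""
    record = records.get(user)
    if record is None or not password:
        hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Same attempts against both schemes; returns (legacy accepted, hardened accepted)."""
    hardened_records = {"alice": make_record("Tr0ub4dor&3")}
    attempts = {
        "correct":   ("alice", "Tr0ub4dor&3"),
        "truncated": ("alice", "tr0ub4doRXYZ"),   # first 8 chars match case-insensitively
        "null":      ("guest", ""),
        "unknown":   ("mallory", "anything"),
    }
    return {
        name: (legacy_verify(u, p), hardened_verify(hardened_records, u, p))
        for name, (u, p) in attempts.items()
    }


if __name__ == "__main__":
    for name, (legacy, hardened) in demo().items():
        print(f"{name:10s} legacy={legacy} hardened={hardened}")
```

The "truncated" attempt is the case of several credentials being treated as the same: the legacy check accepts it, the hardened one does not. The dummy derivation for unknown users is the same side-channel concern as in the process tree, applied to user enumeration.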

Tampering of data flow

A misactor can tamper with a data flow if either the channel or the message lacks sufficient integrity protection. The analyst should verify whether the data flow is defended against replay attacks and collisions, for example with timestamps or counters. When message or channel integrity is absent or weak, tampering becomes possible. Finally, the channel can also be violated through man-in-the-middle (MITM) attacks.

tampering data flow (STRIDE threat tree)
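Message integrity and replay protection are usually built together, and the order of the two checks matters. The following added example (not from the LINDDUN site or the SDL book) frames each message with a sequence counter and an HMAC-SHA256 tag that covers the counter, then shows a receiver rejecting a replayed frame, a frame with an edited payload, and a replayed frame whose counter was bumped to slip past the freshness check. The shared key, the frame layout and the sample messages are constructed for the illustration.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8
TAG_LEN = 32

# Constructed shared key for the example (in practice: provisioned or negotiated per direction).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 8-byte big-endian counter || payload || HMAC-SHA256 over counter and payload.
    The counter is inside the MAC, so it cannot be adjusted to defeat the replay check."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies message integrity first, then rejects anything at or below the last counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return (payload, None) if the frame is genuine and fresh, else (None, reason)."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "truncated frame"
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Integrity before freshness: a forged counter must never advance receiver state.
        if not hmac.compare_digest(tag, expected):
            return None, "integrity check failed"
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body, None


def demo() -> dict:
    """Genuine traffic, a replayed frame, and two tampered frames, as the receiver sees them."""
    rx = Receiver(SHARED_KEY)
    first = seal(SHARED_KEY, 1, b"transfer 10 EUR to account 42")
    second = seal(SHARED_KEY, 2, b"logout")
    results = {
        "first": rx.accept(first),
        "second": rx.accept(second),
        "replayed_first": rx.accept(first),
    }
    # Edit the amount: the tag no longer matches.
    tampered = first.replace(b"10 EUR", b"99 EUR")
    results["tampered_body"] = rx.accept(tampered)
    # Bump the counter on the replayed frame to get past the replay check: the MAC catches it.
    bumped = struct.pack(">Q", 99) + first[SEQ_LEN:]
    results["tampered_counter"] = rx.accept(bumped)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

Two design points the tree's questions point at: the counter is per direction and per key (a frame reflected back to its sender would otherwise verify), and a receiver that checked the counter before the tag could have its window advanced by a forged frame, turning the replay defence into a denial of service against genuine traffic.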

Tampering of data store

Tampering of the data store can occur when, similar to the information disclosure threats, the data store itself is insufficiently protected against unauthorized access or when the access checks can be bypassed. Other threats are related to overcapacity failures.
Concerning the protection scheme: Why is there no protection scheme? Is this by design? Does any code rely on a name, such as a file name, to determine access? If so, make sure the code looks only for valid names rather than filtering out illegal ones (a canonicalization failure). Also look at the permissions on all objects to determine whether they offer the correct level of protection.
The monitor can also be bypassed, for example through extra-monitor access (reaching the data store without following the process that governs access), or there might be no monitor at all. Finally, overcapacity failures can result in a tampering threat. Verify what happens when the data store is full: Is data discarded? Is data written to the beginning of the data store (wraparound)? Is data dropped and not written to the store, or does the application crash (other failure mode)?

tampering data store (STRIDE threat tree)
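The canonicalization failure named in both the information disclosure and the tampering trees for a data store, and the overcapacity questions above, are illustrated by the following added example (not from the LINDDUN site or the SDL book). A file-backed store first builds paths the way the tree warns against, by filtering out an illegal substring, and then the way it recommends, by accepting only valid names and checking the canonical location; a bounded store on top of it fails loudly when full instead of wrapping around or dropping the write. The store layout, the name pattern, the traversal strings and all function names are constructed for the illustration.

```python
import os
import re
import tempfile


class StoreError(Exception):
    pass


class StoreFull(StoreError):
    pass


# Allow-list of valid names: the tree's advice is to look for valid names, not to filter bad ones.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def insecure_path(base: str, name: str) -> str:
    """'Before': strips one illegal substring instead of canonicalizing. Absolute names and
    '....//' (which becomes '../' after one pass of the filter) still escape the store."""
    cleaned = name.replace("../", "")
    return os.path.join(base, cleaned)       # join() discards base when cleaned is absolute


def secure_path(base: str, name: str) -> str:
    """'After': allow-list the name, then check the canonical (symlink-resolved) location."""
    if not SAFE_NAME.match(name):
        raise StoreError(f"rejected name: {name!r}")
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, name))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise StoreError("path escapes the store")
    return candidate


def escapes(base: str, path: str) -> bool:
    """True if the canonical path lies outside the canonical base directory."""
    real_base = os.path.realpath(base)
    return os.path.commonpath([real_base, os.path.realpath(path)]) != real_base


class FileStore:
    """Capacity-bounded store. When full it fails loudly rather than wrapping around or
    silently dropping the write (the overcapacity failure modes the tree asks about)."""

    def __init__(self, base: str, capacity_bytes: int):
        self.base = base
        self.capacity = capacity_bytes
        self.sizes = {}                     # name -> stored size

    def put(self, name: str, data: bytes) -> None:
        path = secure_path(self.base, name)
        used = sum(self.sizes.values()) - self.sizes.get(name, 0)
        if used + len(data) > self.capacity:
            raise StoreFull(f"{len(data)} bytes would exceed the capacity of {self.capacity}")
        with open(path, "wb") as fh:
            fh.write(data)
        self.sizes[name] = len(data)

    def get(self, name: str) -> bytes:
        with open(secure_path(self.base, name), "rb") as fh:
            return fh.read()


def demo() -> dict:
    """Runs both path builders against traversal attempts in a temporary store."""
    base = tempfile.mkdtemp(prefix="store-")
    attacks = ["....//....//etc/passwd", "/etc/passwd"]   # constructed traversal inputs
    out = {"insecure_escapes": [escapes(base, insecure_path(base, a)) for a in attacks]}
    rejected = 0
    for a in attacks:
        try:
            secure_path(base, a)
        except StoreError:
            rejected += 1
    out["secure_rejected"] = rejected
    store = FileStore(base, capacity_bytes=16)
    store.put("report.txt", b"ok")
    out["roundtrip"] = store.get("report.txt")
    try:
        store.put("big.bin", b"x" * 32)
        out["full_raised"] = False
    except StoreFull:
        out["full_raised"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The realpath/commonpath check in secure_path is the second layer even though the allow-list already excludes traversal strings: it is what catches a symlink planted inside the store, which no name filter can see.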

Tampering of process

Process tampering threats include corrupting the process or providing false credentials to gain access to it. When a subprocess is tampered with, the process as a whole is corrupted as well.
To avoid a corrupted state, examine whether all input is validated for correctness. The internal state (memory) should also be tamper-proof. Concerning the call chain, both the code that calls your code and the code that you call must be trustworthy.

tampering process (STRIDE threat tree)

Elevation of privilege of process

Elevation of privilege means that a misactor gains access to a process and/or information without having sufficient access rights. This can occur when an entity with more privileges than the misactor is spoofed, when the authorization system is insufficient because of cross-domain or call-chain issues, or when the process is corrupted by means of an input validation failure or access to its memory.

elevation of privilege of process (STRIDE threat tree)
 

DistriNet Research Group 

KU Leuven

Dept. Computer Science 

Celestijnenlaan 200A (postbox 2402) 

200A B-3001 Heverlee BELGIUM 


© 2020  DistriNet KU Leuven