Tampering (STRIDE)

Question

What is tampering? How does integrity mitigate this threat?

Answer

Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.1

Data integrity is the maintenance of, and the assurance of the accuracy and consistency of, data over its entire life-cycle, and is a critical aspect to the design, implementation and usage of any system which stores, processes, or retrieves data.2

Protection of data in storage and in transit should be accomplished through the following countermeasures:3

  • Use of cryptography such as digital signatures and Hashed Message Authentication Codes (HMACs) as appropriate when handling and storing data
  • Secrets (e.g. keys, confidential data ) are cryptographically protected both in transport and in storage
  • Built-in secure storage is used for protecting keys
  • No credentials (such as keys or passwords) are sent in clear text over the wire

Mitigations for Specific Threats

  • What is the threat when there is a potential SQL Injection vulnerability for a SQL Database?
    • Summary: Tampering related threats occur when an attacker can modify data in a malicious way. In this case, data from a source outside the trust boundary is used to build a SQL statement to be executed by the database. If the data used in the SQL statement is not validated properly, or the SQL statement isn’t built or executed securely (such as through parameterized queries or prepared statements), the database may be compromised. Data from the database may be revealed, stolen, modified, deleted, or other malicious commands against the database or operating system may be executed.
    • Recommendations: Recommended mitigations to consider when auditing potential threats include [4,5]:
      1. Using Prepared Statements with Parameterized Queries
      2. Using Stored Procedures Performing
      3. Allow List Input Validation of any external data used to build SQL statements
      4. Escaping all user supplied input
      5. Ensuring the Principle of Least Privilege is used for all accesses to the database
    • If the application mitigates this threat, the audits should indicate what SQL Injection prevention techniques are used for any SQL statements built using external data. The database should also make sure that access to the database is limited and the principle of least principle is applied, so any interactions with the database are limited. If data is only read from the database, only read access should be provided.

  • What is the threat when a data store could be corrupted?

  • What is the threat from lack of input validation of data sent to a server?

  • What are the risks from logging?

  • What is the threat of Replay Attacks?

  • What is the threat of JavaScript Object Notation processing?

References

  1. MSDN: The STRIDE Threat Model
  2. Wikipedia: Data Integrity
  3. OWASP: Application Threat Modeling
  4. OWASP: SQL Injection Prevention Cheat Sheet
  5. OWASP: Query Parameterization Cheat Sheet
  6. Wikipedia: Data Integrity
  7. Oracle: Data Integrity
  8. OWASP: Input Validation Cheat Sheet
  9. OWASP: Logging Cheat Sheet
  10. Microsoft Threat Modelling Tool Documentation