Threat Modeling the Minecraft Way
SESSION ID: SPO2-T10 (#RSAC)

John Britton, Director, Product Marketing – EUC Security, VMware
Jarred White, Security Architect, VMware AirWatch

Posted: 04-Jun-2018

Transcript

Copyright © 2014 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Agenda

- Why Minecraft?
- Environment Requirements
- Threat Profiles
- Building Blocks
- Threat Modeling

Why Minecraft?

- Capacity for creativity and expansion of ideas through direct environmental manipulation
- Consequences for “bad security” through poor design/implementation
- Encourages approaching problems from many dimensions
- Creates an intuitive awareness of security
- Mining!

Environment Requirements

Security
- Feeding yourself
- Protecting yourself/assets
- Storage and shelter
- Light

Performance
- Get around safely and quickly
- Shelters, travel paths, mining must be practical

User Experience
- Convenient access to resources
- Access to different biomes
- Free to explore

[Image slides]
Security: Sweet, sweet diamonds
Security: Food, farms, and livestock
Security: Shelter, infrastructure, and worksites
Performance: Efficient transportation
User Experience: Permanency
User Experience: Exploration

About our environment: Threats to survival

- Monsters
- Lava
- Falling to your death
- Starving
- Getting lost
- Other players
- Hubris

Threat Profiles

Creepers
Properties:
- Denial of service
- Remote access

Skeletons
Properties:
- Remote code execution
- Race condition
- Remote access

Zombies
Properties:
- Buffer overflow
- Remote access
- Virus
- Brute force

Spiders
Properties:
- Remote access
- Backdoor

Building Blocks: Blocks

- Free-form construction using blocks of varying strengths/properties
- No physics implications for most blocks (exceptions: sand, gravel)
- Blocks resist explosion (from Creepers, TNT) as well as harvesting (e.g., with a pickaxe)
- Some blocks make better building materials than others
  Also wear tools at faster rates when harvesting

Fencing/gates
- Wood, stone
- Stackable
- Used for perimeter security, slowing down attackers
- Skeletons can shoot over! Spiders can crawl over!

[Image slide: Building blocks]

Building Blocks
- Organized by relative resistance to explosion/mining
- Good structural materials: Cobblestone, Stone, Stone Brick
- Varying degree of difficulty to harvest
- Dirt, Sand, Gravel, Wood, Sandstone, Cobblestone, Stone, Stone Brick, Obsidian

Threat Modeling: Architecture

[Image slides: architecture; captions: "You are here", "1 every 5 blocks gridded out"]

Threat Modeling: Storage

[Image slides: storage; captions: "Hiiiiiiiiiiii!", "Ground", "2nd level", "3rd level"]

Threat Modeling: Transport

[Image slides: transport; caption: "20 blocks"]

Threat Modeling: Observations

- Lighting vulnerabilities are easy to overlook and very costly from a security standpoint
  e.g., Creeper spawning in a dark corner
- Layered approach is useful for reducing threats but does not permanently eliminate them
  Perimeter landscaping and fencing/walling
  Easy to miss landscaping vulnerabilities
- Few “single solutions” to all attack types
  We covered 4/15 monsters and 1/2 “worlds”
- Efficiency + Security is expensive
  Railroad materials: Gold, iron, redstone, wood, stone
  Can exchange food for these properties in some circumstances
- Defenses centered around monsters only – not other players!
  Obfuscation comes into play
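Added example, not from the slides: a small Python coverage check that encodes the deck's threat profiles, its building-block ordering and the observations above (fences bypassed by skeletons and spiders, dark corners letting monsters spawn inside, layers reducing rather than eliminating threats) and reports which vulnerability classes a base design still leaves reachable. The BaseDesign shape, the stop matrix and the "weak wall" rule are assumptions made for the example.

```python
from dataclasses import dataclass

# Threat profiles as the slides give them: monster -> vulnerability classes.
THREAT_PROFILES = {
    "Creeper":  {"Denial of service", "Remote access"},
    "Skeleton": {"Remote code execution", "Race condition", "Remote access"},
    "Zombie":   {"Buffer overflow", "Remote access", "Virus", "Brute force"},
    "Spider":   {"Remote access", "Backdoor"},
}
# Building blocks in the slides' order of relative resistance to explosion/mining.
MATERIALS = ["Dirt", "Sand", "Gravel", "Wood", "Sandstone",
             "Cobblestone", "Stone", "Stone Brick", "Obsidian"]
# Which perimeter layer stops which monster's approach from outside (assumption
# taken from the slide text: skeletons shoot over fences, spiders crawl over).
PERIMETER_STOPS = {
    "fence": {"Creeper", "Zombie"},
    "wall":  {"Creeper", "Skeleton", "Zombie", "Spider"},
}

@dataclass
class BaseDesign:
    perimeter: list    # layers outermost first, e.g. [("fence", "Wood"), ("wall", "Stone")]
    dark_corners: int  # unlit interior spots where a monster can spawn

def weak_wall(design):
    """True if a wall uses a block ranked below Cobblestone (assumed breachable by a Creeper)."""
    return any(kind == "wall" and MATERIALS.index(mat) < MATERIALS.index("Cobblestone")
               for kind, mat in design.perimeter)

def residual_threats(design):
    """Map each monster that still has a way in to its vectors ('perimeter' if no
    layer stops it, 'spawn' if an unlit corner exists, 'weak_wall' for a Creeper)."""
    findings = {}
    for monster, classes in THREAT_PROFILES.items():
        vectors = []
        if not any(monster in PERIMETER_STOPS[kind] for kind, _ in design.perimeter):
            vectors.append("perimeter")
        if design.dark_corners > 0:
            vectors.append("spawn")          # layers do not help against a spawn inside
        if monster == "Creeper" and weak_wall(design):
            vectors.append("weak_wall")
        if vectors:
            findings[monster] = {"vectors": vectors, "classes": sorted(classes)}
    return findings

def reachable_classes(findings):
    """Union of the vulnerability classes still reachable after all layers."""
    return set().union(*(set(f["classes"]) for f in findings.values()))
```

A wooden fence around an unlit base leaves every monster a way in, while a lit base behind a stone-brick wall reports no findings.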


Challenge: Go play Minecraft!

- Get a group together
- Cheap server requirements
- Set some goals
  Functional rail system
  Parliament
  Automated foundry
  Giant mobile phone
  Who cares?!
- Now work toward the goals (you know, just play the game)
  You’ll experience all the scenarios we discussed first-hand (and more)
- Limit yourself by not using cheats/admin hacks
- Consider adding a “DM” to make things interesting
  Change conditions on the fly
  Introduce attackers

