Shostack + Friends Blog

 

More on GPT-3 and threat modeling

More thoughts about AI and threat modeling A Disney princess hacking

Since writing my Dark Reading article, I had some time to continue investigating ChatGPT and threat modeling, and a few notes. First, I fed it the same question that DS did, and got very different answers. This may relate to the Dec 15th software update, or it may be a feature of GPT that it tries to emit unique answers. Second, the answers I get are much more about IP level attacks than Kubernetes. (And in fact, I got exceptionally similar responses when asking about a rust environment, and it failed to fall into my traps of asking about a covfefe or flempt environments.)

One of the things I focus on in training people is consistency; we want to avoid the problems that come with “ask two experts, get three answers.” So inconsistency on the part of the chatbot is an issue if we’re naively taking the output. But we might not be. We might be using a chatbot to provoke thinking or coverage.

That use, as I mention in my Dark Reading article, might lull people into relaxing and not paying close attention. And that seems really bad. But what other effects might we see?

One of the values of threat modeling is that it gives time, space and name for a ritual of assembling people and talking about design. The agile community has learned the value of naming and making time for work that’s otherwise invisible: “We haven’t done a retro in a while,” or “we haven’t done backlog grooming for our next sprint.” If threat modeling evolves to be a ‘conversation’ with an AI, then we lose that social space. Part of the magic of threat modeling can be that bringing people together for a conversation that otherwise doesn’t happen.

Another value from the work may be that when people invest time and energy in a project, the project takes on psychological significance. This effect is widespread and has many names: sunk cost, ‘the Ikea effect’...whatever we call it, if people invest in threat modeling work, then they’re invested in having it matter, and that will include driving fixes to completion. (Perhaps the Ikea effect is part of why code review seems to work better than static analysis? No one’s offended when you ignore gcc -W3.)

Driving fixes to completion is a strange liminal space. It’s both part of threat modeling and more traditional software engineering. If we consider it as part of threat modeling, does the chatbot pentulently nag you about ‘what happened with that conversation we had about missing authentication on the calendar interface?’ Does it @ you in Jira? (How chatbots might replace junior project managers is a fascinating topic for another day, as is how we make senior project managers in such a world.)

With that, my first tries are reproduced below, as text not as screencaptures because text is better than pictures of text.


Prompt: "List all spoofing threats for a system which has a backend to backend interaction in a kubernetes environment in a table format with columns threats, description, and mitigations"

Response: Here is a table listing several spoofing threats for a system with a backend-to-backend interaction in a Kubernetes environment, along with a description and potential mitigations for each threat:

Threat Description Mitigations
IP spoofing An attacker can pretend to be a trusted server by sending packets with a forged source IP address, potentially gaining access to restricted resources or disrupting communication between the backend and other services. Implement IP filtering at the network level to block packets with suspicious or forged source IP addresses. Use strong authentication mechanisms, such as mutual TLS, to verify the identity of servers and prevent unauthorized access.
DNS spoofing An attacker can manipulate the Domain Name System (DNS) to redirect traffic intended for a legitimate server to a malicious one, potentially stealing sensitive data or conducting a man-in-the-middle attack. Use DNS security measures such as DNSSEC and DNS over HTTPS to prevent DNS spoofing attacks. Implement network segmentation and access controls to limit the ability of an attacker to manipulate DNS records.
ARP spoofing An attacker can send forged Address Resolution Protocol (ARP) messages to manipulate the ARP cache of a target device, potentially redirecting traffic intended for the legitimate device to the attacker's own device. Use ARP spoofing detection and prevention tools to detect and block forged ARP messages. Implement network segmentation and access controls to limit the ability of an attacker to manipulate ARP caches.
MAC spoofing An attacker can change the Media Access Control (MAC) address of their device to match that of a trusted device, potentially gaining unauthorized access to restricted resources or disrupting communication between the backend and other services. Implement MAC filtering at the network level to block packets with suspicious or forged MAC addresses. Use strong authentication mechanisms, such as mutual TLS, to verify the identity of devices and prevent unauthorized access.

It's important to note that these are just a few examples of spoofing threats that could potentially impact a backend-to-backend system in a Kubernetes environment. It's always a good idea to conduct a thorough threat assessment and implement appropriate security measures to protect against potential spoofing attacks.

Prompt: make that more specific to kubernetes

Here are some additional details on how these spoofing threats could specifically impact a backend-to-backend system in a Kubernetes environment:

  • IP spoofing: In a Kubernetes environment, an attacker could potentially use IP spoofing to gain access to restricted resources within the cluster by pretending to be a trusted service or pod. For example, an attacker could send packets with a forged source IP address that appears to be a trusted database service, potentially gaining access to sensitive data stored in the database. To mitigate this threat, you could implement network policies within the cluster to block packets with suspicious or forged source IP addresses, and use mutual TLS to verify the identity of servers and prevent unauthorized access.
  • DNS spoofing: In a Kubernetes environment, an attacker could potentially use DNS spoofing to redirect traffic intended for a legitimate service to a malicious one, potentially stealing sensitive data or conducting a man-in-the-middle attack. To mitigate this threat, you could use DNS security measures such as DNSSEC and DNS over HTTPS to protect against DNS spoofing attacks, and implement network segmentation and access controls to limit the ability of an attacker to manipulate DNS records.
  • ARP spoofing: In a Kubernetes environment, an attacker could potentially use ARP spoofing to redirect traffic intended for a legitimate pod to their own device, potentially stealing sensitive data or conducting a man-in-the-middle attack. To mitigate this threat, you could use ARP spoofing detection and prevention tools to detect and block forged ARP messages, and implement network segmentation and access controls to limit the ability of an attacker to manipulate ARP caches.
  • MAC spoofing: In a Kubernetes environment, an attacker could potentially use MAC spoofing to gain unauthorized access to restricted resources or disrupt communication between the backend and other services by changing the MAC address of their device to match that of a trusted one. To mitigate this threat, you could implement MAC filtering at the network level to block packets with suspicious or forged MAC addresses, and use strong authentication mechanisms such as mutual TLS to verify the identity of devices nd prevent unauthorized access.

It's important to note that these are just a few examples of how spoofing threats could potentially impact a backend-to-backend system in a Kubernetes environment. It's always a good idea to conduct a thorough threat assessment and implement appropriate security measures to protect against potential spoofing attacks.

Prompt: what about kubernetes specific attacks

There are several spoofing attacks that could specifically impact a backend-to-backend system in a Kubernetes environment:

  1. Service spoofing: An attacker could create a malicious service with the same name as a legitimate one, potentially stealing sensitive data or disrupting communication between the backend and other services.
  2. Pod spoofing: An attacker could create a malicious pod with the same name as a legitimate one, potentially gaining access to restricted resources or disrupting communication between the backend and other services.
  3. Node spoofing: An attacker could create a malicious node with the same name as a legitimate one, potentially gaining access to restricted resources or disrupting communication between the backend and other services.
  4. Namespace spoofing: An attacker could create a malicious namespace with the same name as a legitimate one, potentially gaining access to restricted resources or disrupting communication between the backend and other services.
Editorial comment: Adam doesn’t know why this list was numbered, and the previous was bulleted.

To mitigate these threats, you could implement network policies within the cluster to block traffic from suspicious or unauthorized services, pods, nodes, and namespaces. You could also use strong authentication mechanisms such as mutual TLS to verify the identity of services, pods, nodes, and namespaces and prevent unauthorized access. Additionally, you could implement access controls to limit the ability of an attacker to create malicious resources with the same name as legitimate ones.

Image credit: DALL-E, “a stock art hacker breaking into computers with the hacker as a disney character”