Repudiation (R) is the third suit of threats in the STRIDE threat enumeration.
Repudiation describes any threat that allows an attacker to deny that they have taken an action that your application allowed. Repudiation is a complex and confusing threat, requiring that an action which has occurred can be denied by the user who caused it. Because it’s confusing and complex, the characters on the cards are capital letter “R”s with filled in loops. Bold faced lie-Rs, if you like.
Repudiation threats are generally countered through quality implementations of Logging, Integrity protection and Authorisation.
Another successful way to mitigate repudiation is to not care about who did what - this only works if you can accept that your application may engage in multiple actions without your being able to determine who caused those actions, or whether they truly occurred. Ignoring repudiation and hoping that attackers will voluntarily provide identifying information or proof of purchase is not a valid mitigation strategy.
The cards in the Repudiation suit are as follows
Example / Mitigation
An attacker can pass data through the log to attack a log reader, and there’s no documentation of what sorts of validation are done
A low privilege attacker can read interesting security information in the logs
An attacker can alter digital signatures because the digital signature system you’re implementing is weak, or uses MACs where it should use a signature
An attacker can alter log messages on a network because they lack strong integrity controls
An attacker can create a log entry without a timestamp (or no log entry is timestamped)
An attacker can make the logs wrap around and lose data
An attacker can make a log lose or confuse security information
An attacker can use a shared key to authenticate as different principals, confusing the information in the logs
An attacker can get arbitrary data into logs from unauthenticated (or weakly authenticated) outsiders without validation
An attacker can edit logs and there’s no way to tell (perhaps because there’s no heartbeat option for the logging system)
An attacker can say “I didn’t do that,” and you’d have no way to prove them wrong
The system has no logs
You’ve invented a new Repudiation attack
[When completed, each card description above will link to a copy of the card, along with examples of the threat and some specific mitigation steps. Point to Patterns & Practices documents, excerpts from Writing Secure Code, etc, where possible. Emphasise that the information is already out there, so that dev teams widen their horizons.]
This is hilarious!