Page 1: Developer Security
Dave Glover, Microsoft
Blog: http://blogs.msdn.com/dglover

Page 2: The Gartner Group states:
"Today over 70% of attacks against a company's Web site or Web application come at the 'Application Layer' not the Network or System layer."

Page 3: Resources
Stay informed about security
Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
Microsoft Security Guidance: http://www.microsoft.com/security/guidance/
Get additional security training
Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/
Read the book: Writing Secure Code, Michael Howard and David LeBlanc, ISBN: 0-7356-1722-8

Page 4: "Threats and Counter Measures" and "Securing Web Apps and Web Services"
Documents available from http://msdn.microsoft.com/practices
Threats_Countermeasures.pdf

Page 5: Agenda
Typical Attacks
SOA and Web Services Security
Future Directions with Indigo
Miscellaneous

Page 6: Common Application Threats (80:20 Rule)
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_004
Threat: Examples
SQL injection: Including DROP TABLE command in text typed into an input field
Cross-site scripting: Using malicious client-side script to steal cookies
Hidden-field tampering: Maliciously changing the value of a hidden field
Eavesdropping: Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking: Using a stolen session ID cookie to access someone else's session state
Identity spoofing: Using a stolen forms authentication cookie to pose as another user
Information disclosure: Allowing client to see a stack trace when an unhandled exception occurs

Page 7: SQL Injection Attack
"SELECT * From Users where ID = " + ID + " and Password = " + Password
DEMO

Page 8: Services Orientated Architectures and Web Service Security Standards

Page 9: Service Orientation
The Tenets of SO
Boundaries are Explicit
Services are autonomous
Share schema & contract, not class
Compatibility based on policy
Web Services Protocols (WS-*)
Makes SO feasible
Platform independence
Loose coupling
Self description, and discovery

Page 10: SO – Security Challenges
People
Existing Applications
Spanning Boundaries
Identity
Federation
AuthN/AuthZ
Protocols

Page 11: WS-* Protocol Architecture
Transports: HTTP
XML: XML, XSD, XPath
Messaging: SOAP, WS-Addressing
Security: WS-Security, WS-Trust, WS-Federation
Reliability: WS-ReliableMessaging
Transactions: WS-Coordination, WS-AtomicTransaction, WS-BusinessActivity
Metadata: WSDL, WS-Policy

Page 12: Web Service Security Foundations
Authentication – who are you?
Authorization – what are you allowed to do?
Secure Communication
Confidentiality – can anyone else understand what you're saying?
Integrity – has the message been tampered with?

Page 13: Secure Communication: Protocol-level security
Encrypts the entire message
Sender must trust all intermediaries
Restricts protocols that can be used
Diagram labels: SSL Security (repeated per hop)

Page 14: Secure Communication: Message-level security
End to end message security independent of transport
Supports multiple protocols and multiple encryption technologies
Encrypt only parts of the message
Sender need only trust endpoint

Page 15: Web Services Security Standards
WS-Security
XML Encryption
WS-SecurityPolicy
WS-Trust
WS-SecureConversation
The .NET Framework implements Web services security in Microsoft.Web.Services2.Security

Page 16: Security Tokens
Tokens assert claims about identity, capability, privileges
Signed: X.509, Kerberos, Secret/Shared Key, Password, Proof of Possession, Security Context, ...
Unsigned: Username, SAML, XrML, ...

Page 17: Authenticating With Tokens
Tokens carry claims that are backed by "proof of possession"
Shared secret (password, symmetric key)
Private key signed by trusted third-party service
Authenticating involves checking for this knowledge
Validating username token passwords
Verifying the digital signature

Page 18: Authentication With Username Tokens
Demo: ..\..\My Documents\Visual Studio Projects\India\UserNameToken\UserNameToken.sln

Page 19: WS-Policy

Page 20: Defining Security Policy: Policy
WS-Policy is an XML syntax to describe the requirements of a service
Higher level than WSDL
Policy can be applied on the send side or receive side
Reduces the amount of code developers need to write

Page 21: Policy: WS-SecurityPolicy
Describes the security requirements of a web service
Provides a way of specifying:
Supported Token types
Signing and encryption requirements
Role-based authorization decisions
Secure Conversation requirements

Page 22: Configuring Security Policy and setting the Thread.CurrentPrincipal
Demo: ..\..\My Documents\Visual Studio Projects\India\UserNameToken\UserNameToken.sln

Page 23: Binary Tokens: X509 Tokens
Provides a way to encode X509 certificates
Supplied by Certificate Authority such as Windows Certificate Services
Contains public key and digital signature from Certificate Authority
Supports asymmetric encryption and signing

Page 24: XML Encryption For Privacy
Parts of a message can be encrypted to ensure confidentiality
Plain text replaced with cipher text

Page 25: Encryption With X509 Certificates
Demo: ..\..\My Documents\Visual Studio Projects\India\XPathSecurity\XPathSecurity.sln

Page 26: Acquiring Security Tokens: WS-Trust
Defines a protocol for issuing and obtaining security tokens
Uses a Security Token Service (STS) to issue Tokens
Manages security across trust boundaries
Client and server can each trust STS, avoiding having to manage direct trust
STS can manage exchanging one security token type for another

Page 27: Acquiring Security Tokens
Diagram: Client, Security Token Service, Service, with two scopes of trust
Exchange Token Types / Map tokens
1. RST (client to Security Token Service)
2. RSTR (Security Token Service to client)
3. Message (client to Service)

Page 28: Creating Security Contexts
Asymmetric keys are slow for multiple messages
WS-SecureConversation defines a SecurityContext token (SCT)
Based on a symmetric key
Faster for multiple calls

Page 29: Secure Conversation
Diagram: Client and Server
Request for SCT
SCT Issued to client
Series of messages signed with issued SCT
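The Secure Conversation exchange on slides 28 and 29, modelled in code as an added example (not WSE code): HMAC-SHA256 stands in for the XML Signature the real protocol applies, the "uuid:" context identifier and the message dictionaries are assumed formats, and key delivery in the RSTR is simplified to a direct return.

```python
"""Model of the WS-SecureConversation flow: the server issues a
SecurityContextToken (SCT) backed by a fresh symmetric key, and the client
then protects a series of messages under that key instead of performing an
asymmetric signature on every call. Constructed example, not WSE code."""
import hashlib
import hmac
import secrets


def sign(key: bytes, sct_id: str, seq: int, body: str) -> str:
    """MAC over context id, sequence number and body, length-prefixed so the
    field boundaries are unambiguous."""
    parts = [sct_id.encode(), str(seq).encode(), body.encode()]
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.contexts = {}          # sct_id -> {"key", "expires", "last_seq"}

    def issue_sct(self, lifetime_s: int = 300):
        """RST/RSTR step. The real protocol delivers the key material to the
        client encrypted; here it is simply returned (assumed simplification)."""
        sct_id = "uuid:" + secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.contexts[sct_id] = {"key": key, "expires": self.clock() + lifetime_s, "last_seq": 0}
        return sct_id, key

    def verify(self, msg: dict) -> bool:
        ctx = self.contexts.get(msg.get("sct"))
        if ctx is None:
            return False                          # unknown or revoked context
        if self.clock() > ctx["expires"]:
            del self.contexts[msg["sct"]]         # expired: client must request a new SCT
            return False
        if msg["seq"] <= ctx["last_seq"]:
            return False                          # replayed or reordered message
        expected = sign(ctx["key"], msg["sct"], msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, msg["sig"]):
            return False                          # tampered body or wrong key
        ctx["last_seq"] = msg["seq"]
        return True


class Client:
    def __init__(self, sct_id: str, key: bytes):
        self.sct_id, self.key, self.seq = sct_id, key, 0

    def send(self, body: str) -> dict:
        """One message in the series, signed with the issued SCT."""
        self.seq += 1
        return {"sct": self.sct_id, "seq": self.seq, "body": body,
                "sig": sign(self.key, self.sct_id, self.seq, body)}


def demo() -> dict:
    """Fixed clock so the outcome is reproducible."""
    now = [1000.0]
    server = Server(clock=lambda: now[0])
    client = Client(*server.issue_sct(lifetime_s=300))   # 1. request SCT, 2. SCT issued
    first = client.send("GetBalance")                    # 3. series of messages
    second = client.send("Transfer 10")
    tampered = dict(client.send("Transfer 10"), body="Transfer 1000")   # altered in transit
    results = {"first": server.verify(first), "second": server.verify(second),
               "tampered": server.verify(tampered), "replay_of_first": server.verify(first)}
    now[0] += 301                                        # context lifetime elapsed
    results["after_expiry"] = server.verify(client.send("GetBalance"))
    return results
```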

Page 30: The Future is Indigo...
A set of .NET technologies for building and managing Service-oriented systems
Broadly interoperable
WSE 3 will be wire level compatible with Indigo
A unified programming model and runtime

Page 31: Indigo Architecture (diagram)
Connector: Communications Manager (Port); Transport Channels (IPC, HTTP, TCP...); Channels (Datagram, Reliable, Peer, ...); Policy Engine; Message Encoder; Channel Security
Service Model: Instance Manager; Context Manager; Type Integration; Service Methods; Declarative Behaviors; Transacted Methods
Hosting Environments: ASP.NET, .container, .exe, NT Service, DllHost
Messaging Services and System Services: Queuing, Routing, Eventing, Transaction, Federation

Page 32: Next Steps
Stay informed about security
Microsoft Developers Network Security Center: http://msdn.microsoft.com/security/
Microsoft Security Guidance: http://www.microsoft.com/security/guidance/
Get additional security training
Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security/
Read the book: Writing Secure Code, Michael Howard and David LeBlanc, ISBN: 0-7356-1722-8

Page 33: © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 34: Security Best Practices
All input is Evil - Guard against Cross-site Scripting and SQL Injection
Use Hashing to Store your Passwords
Store Secure Information (Keys etc) in the Registry
Use Sessions, but Not Cookie-less Sessions
Do Some Housekeeping for Production: Disable tracing; customErrors mode="RemoteOnly"
http://msdn.microsoft.com/security/ Application Guides
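The SQL injection demo from slide 7 and the "use hashing to store your passwords" practice from this slide, worked in one added example (not code from the deck): the concatenated query beside a parameterized one, with passwords held as salted PBKDF2 hashes. The Users table and its accounts are constructed for the example.

```python
"""Login check: slide 7's string-built query beside a parameterized one, with
passwords stored as salted PBKDF2 hashes rather than plain text.
Constructed example; the table and users are invented."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a stolen table no longer yields the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """In-memory Users table. The plain-text Password column exists only so the
    slide's vulnerable query can run; the hardened check never reads it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (ID TEXT PRIMARY KEY, Password TEXT, Salt BLOB, PwHash BLOB)")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO Users VALUES (?, ?, ?, ?)", (user, pw, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Slide 7's pattern: input is pasted into the SQL text, so quotes in the
    input become part of the query's structure rather than data."""
    sql = ("SELECT * FROM Users WHERE ID = '" + user_id
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Hardened: the ID travels as a bound parameter (always data, never SQL),
    and the password is compared against its stored hash in constant time."""
    row = conn.execute("SELECT Salt, PwHash FROM Users WHERE ID = ?", (user_id,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users (no timing tell)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # classic demo input: makes the WHERE clause always true
    print("vulnerable, real credentials:", login_vulnerable(db, "alice", "correct horse"))   # True
    print("vulnerable, no such user:", login_vulnerable(db, "nobody", tautology))           # True
    print("parameterized, same input:", login_parameterized(db, "nobody", tautology))       # False
    print("parameterized, real credentials:", login_parameterized(db, "alice", "correct horse"))  # True
```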

Page 35: SecureCRT Libraries: Safer C++ Runtime Libraries
Microsoft's implementation of the Standard C++ Libraries (aka STL) now defaults to a more safe mode that detects buffer overruns automatically, and disallows risky usages. As with the C library, the unsafe usages are deprecated, and the user can disable the deprecation as they need to.
In a _DEBUG build, we have integrated much deeper self-consistency checks to detect common programming errors when using STL.
There have been minor changes in other C++ Libraries (ATL, MFC) where specific functions were found to have unsafe design.
The Microsoft C Runtime Library and the ISO C Standard library contain a number of functions that are inherently 'unsafe', and prone to coding patterns vulnerable to buffer overruns. In VS 2005, we are deprecating these functions (by default). So when the user recompiles their existing applications, they will see compiler warnings when they use these inherently unsafe functions.
Submitted to ISO Standard C library for standardization. Microsoft is taking a leadership role in this effort. It has broad support from the ISO C Committee members and the current plan is to go for 'registration' in March 05.

Page 36: 2004 E-Crime Watch
Shows significant increase in electronic crimes
43% report an increase in e-crimes and intrusions versus the previous year
70% report at least one e-crime or intrusion was committed against their organization
56% report operational losses, 25% state financial loss, 12% declare other types of losses
30% don't know if they were attacked by insiders or outsiders
Those who DO know say 71% of attacks come from outsiders compared to 29% from insiders
40% believe "Hackers" are the biggest security threats
31% believe it is former employees or contractors
36% experienced unauthorized access to information, systems, or networks by an insider ... compared to 27% committed by outsiders
Both sabotage and extortion are committed equally by insiders and outsiders
http://www.csoonline.com/releases/ecrimewatch04.pdf

Page 37: /GS and Strongly Named DLLs
/GS Switch
Used to mitigate buffer overrun exploits
Considerable Enhancements in VS 2005: stack reordering, parameter shadowing, etc.
Used to recompile Windows XP SP2
On by default in VS 2005
Strongly named redistributable DLLs:
Whidbey C++ libraries are 'fusionized' and 'strongly named'.
DLLs (MFC, CRT etc) are installed in the WinSxS cache.
Allows us to globally service these libraries if necessary.

Page 38: Misc
Threat Modelling Tool
Enterprise Library

Page 39: SOAP Tracing Tool from Mike Taulty
http://blogs.msdn.com/kaevans/archive/2004/08/20/217707.aspx
WSE 2 Hands On Lab
Search MSDN.Microsoft.com for "WSE - HOLDEVL34"

Page 40: DEMO
Threat Modelling Tool: http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx

Page 41: Threat Modeling Tool

Page 42: The Road to Services
Object Orientation (1980s): Class-based, Polymorphism, Encapsulation
Components (1990s): Interface-based, Dynamic Loading, Runtime Metadata
Service Orientation (Today): Message-based, Schema+Contract, Binding via Policy

Page 43: Creating A Digital Signature (diagram)
Message or File: "WSE provides great security for services"
Hash Function (SHA, MD5) -> Message Digest (128 bits)
Message Digest -> Asymmetric Encryption with the private key -> Digital Signature

Page 44: Verifying A Digital Signature (diagram)
Digital Signature (sent with message) -> Asymmetric Decryption with the public key -> Message Digest
Original Message "WSE provides great security for services" -> Same Hash function -> Message Digest
Are They Same? (== ?)

Page 45: Message Encryption: Sender (diagram)
Message "WSE provides great security for services" -> Symmetric Encrypt with a Generated Key -> encrypted message
Generated Key -> Encrypt with Receiver's Public Key -> Encrypted Key

Page 46: Message Encryption: Receiver (diagram)
Encrypted Key -> Decrypt with Receiver's Private Key -> symmetric key
Encrypted message -> Symmetric Decrypt with that key -> "WSE provides great security for services"

Page 47: Binary Tokens: Kerberos Tokens
Encodes Kerberos Tickets
Supports signing and encryption using a symmetric key
Retrieved from Kerberos Distribution Centre
WSE automatically creates Principal
Custom Tokens
WSE supports custom Binary and XML tokens