Security Engineering in Vista

8/14/2019 Security Engineering in Vista

1/35

Copyright 2006 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the Creative Commons Attribution-ShareAlike 2.5License. To view this license, visithttp://creativecommons.org/licenses/by-sa/2.5/

The OWASPFoundation

OWAS

PAppSec

Seattle

Oct 2006 http://www.owasp.org/

How the Security

Development Lifecycle(SDL) ImprovedWindows Vista

Michael [email protected]

Senior Security Program ManagerMicrosoft Corp.

1


2/35

OWASP AppSec Seattle 2006

Who is this Guy?

[email protected] employee for 14 years

Always in security

A pragmatist!


3/35


Windows Vista Engineering Process(from 35,000ft!)

3

Prescriptive

Guidance

External

Review

Mandatory

Education

Quality

Gates

Central

analysis

Threat

analysis

Software Security Science


4/35


Why All This Security Work?

4

The threats have changed,

customers are demandingincreased security andreduced support costs.

There is no one silverbullet.


5/35


Guidance and Education

All engineers must attend The Basics Introductory secure design, coding and testing

On-going yearly security education required forall engineers

Over a dozen in-depth classes

Raise awareness, set expectations, realizewhat you dont know

Learn to not make mistakes!

Writing Secure Code 2nd is required reading

5


6/35


Quality Gates

Stop the Bleeding Catch bugs early Battery of tools run on the check-in that look for:

Banned APIs Enforce use of safer C runtime functions

Correct use of Standard Annotation Language (SAL) Banned crypto Buffer overruns Integer arithmetic issues (overflow, underflow,

truncation, signedness) Weak ACLs and much, much more

Other quality gates include privacy, reliability etc.

6


7/35

Copyright 2006 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the Creative Commons Attribution-ShareAlike 2.5License. To view this license, visithttp://creativecommons.org/licenses/by-sa/2.5/

The OWASPFoundation

OWAS

PAppSec

Seattle

Oct 2006 http://www.owasp.org/

Hang on Whats SAL?

7


8/35

OWASP AppSec Seattle 2006 8

Standard Annotation Language

Used by static analysis tools such as PREfast

and /analyze (Visual Studio 2005)

Benefits of adding annotations to your code:

Help the tools find harder to find bugs

The process of adding annotations finds bugs!

Bugs found are low noise


9/35


SAL at Work

void FillString(TCHAR* buf,

size_t cchBuf,

TCHAR ch) {

for (size_t i = 0; i < cchBuf; i++) {

buf[i] = ch;}

}

These two arguments are related

but the compiler does not know!


10/35


SAL at Work

void FillString(__out_ecount(cchBuf) TCHAR* buf,

size_t cchBuf,

TCHAR ch) {


buf[i] = ch;

}

}


11/35


SAL at Work

__out_ecount(cchBuf)

Out buffer, function will write to the buffer.Other examples include __in and __inout

Element count.Other example includesbcount, byte count.

__checkReturn __bcount_opt(_Size)

malloc(__in size_t _Size);

Optional, can be NULL

Must checkreturn value


12/35


SAL at Work

ing C6386: Buffer overrun: accessing 'argument 1',ritable size is 200*2' bytes, but '420' bytes might be written: Lines: 3

ing C6387: 'argument 1' might be '0': this does not adhere topecification for the function 'FillString': Lines: 33, 34

void FillString(

__out_ecount(cchBuf) TCHAR* buf,size_t cchBuf,

TCHAR ch) {


buf[i] = ch;}

}void main() {

TCHAR *buff = malloc(200 * sizeof(TCHAR));

FillString(buff,210,_T(x));

}


13/35


Central Analysis (1 of 2)

Inter-procedural static analysis Binary analysis detects compiler and linker

requirements

Attack Surface Analysis Weak ACLs, Service configuration, etc.

Central removal of banned APIs and weakcrypto

~50% of banned APIs removed automatically Large % automatically migrated by compiler if

destination buffer size is known at compile time

13

char buf[32];

strcpy(buf,src);

char buf[32];

strcpy_s(buf,src,32);


14/35


Central Analysis (2 of 2)

A HUGE quantity of bugs found in thewild today are due to malformed data Fuzz testing can find these bugs

Central fuzz-testing team Performed primarily by our group

Identify and fuzz all file formats consumedby the operating system

Minimum 100,000 malformed files per parser Fuzz many networking protocols, including

RPC

14


15/35


A Note About Tools

15

Tools DO NOT MAKE

SOFTWARE SECURE!Theyhelp scale the process and they

help enforce policy


16/35


Threat Analysis

Threat models help find design issuesAll components in Windows Vista are

threat modeled

Weve learned a great deal about makingTMs easier to create by non-securityexpertsWeve moved away from threat trees to

patterns of threatsRisk heuristics instead of risk calculations

16


17/35


External Review

Most security work is performed by coreWindows Vista engineers

Our team and external securityconsultants also:Review feature designs

Review code

Review threat models

Perform black-box testing

17


18/35


If all the upfront engineering failsWindows Vista Defenses

Core assumptions Code is never perfect

Designs are never perfect

We must protect customers

Remember, security is Man vs. Man Security is a never-ending arms race

You can never be done with security so long

as the adversary is still breathing Windows Vista includes numerous

defenses

18


19/35


20/35


Windows Vista DefensesSecurity Features (1 of 2)

Windows Vista firewall is integrated with IPSecBi-directional

On by default

BitLocker full volume drive encryptionOnly in Windows Vista Ultimate and Enterprise

Mitigate the stolen laptop scenario

Provides integrity for the boot process

Can use TPM 1.2 or USB

Windows DefenderCan be disabled by ISVs

20


21/35


22/35


Windows Vista DefensesService Hardening (1 of 2)

Services (daemons) are attractive targetsNo need for user interaction

Long-lived

Often run elevated

Malware often: Alters the OS

Opens network ports

22


23/35


Windows Vista DefensesService Hardening (2 of 2)

Many existing services moved out of SYSTEMDescribe the privileges you need

Per-service identity (SID)Protect objects for just that service

Stricter service restart policyRestrict network behaviorEg: foo.exe can only open port TCP/123 inbound

|Action=Allow|Dir=In|LPORT=123|Protocol=17|App=%SystemRoot%\foo.exe

23


24/35


Windows Vista DefensesIsolation

Users are no longer admins (by default) Even an admin is not an admin (by default)

Integrity levels help contain damage IE7 runs in low integrity (by default)

Protected Mode

Most parts of the operating system aremedium integrity

Restricts Write-Up

Helps defend integrity of the operating system

24


25/35


Windows Vista DefensesMemory defenses (1 of many)

Stack protection (aka /GS, enabled by default) Detects stack-based overruns

Re-arranges the stack so buffers are in higher memory(helps protect variables)

Moves various arguments to lower memory

Stack is randomized for each thread (by default)

Heap is randomized (by default)

Exception handler protection (aka /SafeSEH,

enabled by default) Exception addresses are verified at runtime

25


26/35



Data ExecutionProtection (aka NX/XD,enabled by default)Harder to execute data

In Windows Vista, DEPcannot be disabledonce turned on for aprocess

26

Most CPUs today support DEP,but make sure its enabled in the

BIOS


27/35



Heap defenses (all by default) Lookasides no longer used

Arrays of free lists no longer used

Early detection of errors due to block header integritycheck

ENTRY->Flink->Blink == ENTRY->Blink->Flink == ENTRY

Heap TerminateOnCorruption

Dynamic adjustment of algorithms based upon theusage

All enabled by default Integer overflow calling operator::new

automatically detected at runtime (by default)

27


28/35



Image randomization (ASLR) System images are loaded randomly into 1 of

256 slots

Changes on each boot

To be effective, ASLR requires DEP Enabled by default

Link with /dynamicbase for non-system images

Long-lived pointers are encoded anddecoded A successful pointer overwrite must survive the

decoding process (XOR with a random number)

28


29/35


Default Exploit Mitigations on Popular ClientOperating Systems

29


30/35


Software Security Science

Security is Man vs. Man We must continue to innovate

We must continue to learn more aboutattackers And how to thwart them

We perform root-cause analysis of eachsecurity bug

We analyze bugs from around the industry We work closely with security researchers

Feeds back into the SDL twice a year

30


31/35


Summary

Threats have evolved Customers are asking Microsoft to provide

a more secure base operating system

We have substantially improved ourdevelopment process

We have added many defenses to the OS

We will continue to provide fundamental

security functionality that protects userswhile still providing opportunities fordevelopers

31


32/35


[email protected]://blogs.msdn.com/michael_ho

32


33/35


Backup Slides

33


34/35


Banned APIs

strcpy, strcpyA, strcpyW, wcscpy,_tcscpy, _mbscpy, StrCpy, StrCpyA,StrCpyW, lstrcpy, lstrcpyA, lstrcpyW,_tccpy, _mbccpystrcat, strcatA, strcatW, wcscat,_tcscat, _mbscat, StrCat, StrCatA,StrCatW, lstrcat, lstrcatA, lstrcatW,StrCatBuff, StrCatBuffA, StrCatBuffW,StrCatChainW, _tccat, _mbccatstrncpy, wcsncpy, _tcsncpy,

_mbsncpy, _mbsnbcpy, StrCpyN,StrCpyNA, StrCpyNW, StrNCpy,strcpynA, StrNCpyA, StrNCpyW,lstrcpyn, lstrcpynA, lstrcpynWstrncat, wcsncat, _tcsncat, _mbsncat,_mbsnbcat, StrCatN, StrCatNA,StrCatNW, StrNCat, StrNCatA,StrNCatW, lstrncat, lstrcatnA,lstrcatnW, lstrcatn

CharToOem, CharToOemA,CharToOemW, OemToChar,OemToCharA, OemToCharW,CharToOemBuffA, CharToOemBuffWalloca, _alloca

wnsprintf, wnsprintfA, wnsprintfW,

sprintfW, sprintfA, wsprintf, wsprintfW,wsprintfA, sprintf, swprintf, _stprintf,_snwprintf, _snprintf, _sntprintf,wvsprintf, wvsprintfA, wvsprintfW,vsprintf, _vstprintf, vswprintf,

_vsnprintf, _vsnwprintf, _vsntprintf,wvnsprintf, wvnsprintfA, wvnsprintfWstrtok, _tcstok, wcstok, _mbstokmakepath, _tmakepath, _makepath,

_wmakepath, _splitpath, _tsplitpath,

_wsplitpathscanf, wscanf, _tscanf, sscanf, swscanf,

_stscanf, snscanf, snwscanf, _sntscanf_itoa, _itow, _i64toa, _i64tow, _ui64toa,_ui64tot, _ui64tow, _ultoa, _ultot, _ultowgets, _getts, _gettwsIsBadWritePtr, IsBadHugeWritePtr,IsBadReadPtr, IsBadHugeReadPtr,IsBadCodePtr, IsBadStringPtr

strlen, wcslen, _mbslen, _mbstrlen,StrLen, lstrlen


35/35


No Weak Crypto

No new code must use:MD4, MD5, SHA1 (use SHA2 suite)

DES (use AES)

RC4 (without crypto review)

No symmetric keys

Documents

Security Engineering in Vista