Upload
neovik82
View
214
Download
0
Embed Size (px)
Citation preview
8/14/2019 Security Engineering in Vista
1/35
Copyright 2006 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the Creative Commons Attribution-ShareAlike 2.5License. To view this license, visithttp://creativecommons.org/licenses/by-sa/2.5/
The OWASPFoundation
OWAS
PAppSec
Seattle
Oct 2006 http://www.owasp.org/
How the Security
Development Lifecycle(SDL) ImprovedWindows Vista
Michael [email protected]
Senior Security Program ManagerMicrosoft Corp.
1
8/14/2019 Security Engineering in Vista
2/35
OWASP AppSec Seattle 2006
Who is this Guy?
[email protected] employee for 14 years
Always in security
A pragmatist!
8/14/2019 Security Engineering in Vista
3/35
OWASP AppSec Seattle 2006
Windows Vista Engineering Process(from 35,000ft!)
3
Prescriptive
Guidance
External
Review
Mandatory
Education
Quality
Gates
Central
analysis
Threat
analysis
Software Security Science
8/14/2019 Security Engineering in Vista
4/35
OWASP AppSec Seattle 2006
Why All This Security Work?
4
The threats have changed,
customers are demandingincreased security andreduced support costs.
There is no one silverbullet.
8/14/2019 Security Engineering in Vista
5/35
OWASP AppSec Seattle 2006
Guidance and Education
All engineers must attend The Basics Introductory secure design, coding and testing
On-going yearly security education required forall engineers
Over a dozen in-depth classes
Raise awareness, set expectations, realizewhat you dont know
Learn to not make mistakes!
Writing Secure Code 2nd is required reading
5
8/14/2019 Security Engineering in Vista
6/35
OWASP AppSec Seattle 2006
Quality Gates
Stop the Bleeding Catch bugs early Battery of tools run on the check-in that look for:
Banned APIs Enforce use of safer C runtime functions
Correct use of Standard Annotation Language (SAL) Banned crypto Buffer overruns Integer arithmetic issues (overflow, underflow,
truncation, signedness) Weak ACLs and much, much more
Other quality gates include privacy, reliability etc.
6
8/14/2019 Security Engineering in Vista
7/35
Copyright 2006 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the Creative Commons Attribution-ShareAlike 2.5License. To view this license, visithttp://creativecommons.org/licenses/by-sa/2.5/
The OWASPFoundation
OWAS
PAppSec
Seattle
Oct 2006 http://www.owasp.org/
Hang on Whats SAL?
7
8/14/2019 Security Engineering in Vista
8/35
OWASP AppSec Seattle 2006 8
Standard Annotation Language
Used by static analysis tools such as PREfast
and /analyze (Visual Studio 2005)
Benefits of adding annotations to your code:
Help the tools find harder to find bugs
The process of adding annotations finds bugs!
Bugs found are low noise
8/14/2019 Security Engineering in Vista
9/35
OWASP AppSec Seattle 2006 9
SAL at Work
void FillString(TCHAR* buf,
size_t cchBuf,
TCHAR ch) {
for (size_t i = 0; i < cchBuf; i++) {
buf[i] = ch;}
}
These two arguments are related
but the compiler does not know!
8/14/2019 Security Engineering in Vista
10/35
OWASP AppSec Seattle 2006 10
SAL at Work
void FillString(__out_ecount(cchBuf) TCHAR* buf,
size_t cchBuf,
TCHAR ch) {
for (size_t i = 0; i < cchBuf; i++) {
buf[i] = ch;
}
}
8/14/2019 Security Engineering in Vista
11/35
OWASP AppSec Seattle 2006 11
SAL at Work
__out_ecount(cchBuf)
Out buffer, function will write to the buffer.Other examples include __in and __inout
Element count.Other example includesbcount, byte count.
__checkReturn __bcount_opt(_Size)
malloc(__in size_t _Size);
Optional, can be NULL
Must checkreturn value
8/14/2019 Security Engineering in Vista
12/35
OWASP AppSec Seattle 2006 12
SAL at Work
ing C6386: Buffer overrun: accessing 'argument 1',ritable size is 200*2' bytes, but '420' bytes might be written: Lines: 3
ing C6387: 'argument 1' might be '0': this does not adhere topecification for the function 'FillString': Lines: 33, 34
void FillString(
__out_ecount(cchBuf) TCHAR* buf,size_t cchBuf,
TCHAR ch) {
for (size_t i = 0; i < cchBuf; i++) {
buf[i] = ch;}
}void main() {
TCHAR *buff = malloc(200 * sizeof(TCHAR));
FillString(buff,210,_T(x));
}
8/14/2019 Security Engineering in Vista
13/35
OWASP AppSec Seattle 2006
Central Analysis (1 of 2)
Inter-procedural static analysis Binary analysis detects compiler and linker
requirements
Attack Surface Analysis Weak ACLs, Service configuration, etc.
Central removal of banned APIs and weakcrypto
~50% of banned APIs removed automatically Large % automatically migrated by compiler if
destination buffer size is known at compile time
13
char buf[32];
strcpy(buf,src);
char buf[32];
strcpy_s(buf,src,32);
8/14/2019 Security Engineering in Vista
14/35
OWASP AppSec Seattle 2006
Central Analysis (2 of 2)
A HUGE quantity of bugs found in thewild today are due to malformed data Fuzz testing can find these bugs
Central fuzz-testing team Performed primarily by our group
Identify and fuzz all file formats consumedby the operating system
Minimum 100,000 malformed files per parser Fuzz many networking protocols, including
RPC
14
8/14/2019 Security Engineering in Vista
15/35
OWASP AppSec Seattle 2006
A Note About Tools
15
Tools DO NOT MAKE
SOFTWARE SECURE!Theyhelp scale the process and they
help enforce policy
8/14/2019 Security Engineering in Vista
16/35
OWASP AppSec Seattle 2006
Threat Analysis
Threat models help find design issuesAll components in Windows Vista are
threat modeled
Weve learned a great deal about makingTMs easier to create by non-securityexpertsWeve moved away from threat trees to
patterns of threatsRisk heuristics instead of risk calculations
16
8/14/2019 Security Engineering in Vista
17/35
OWASP AppSec Seattle 2006
External Review
Most security work is performed by coreWindows Vista engineers
Our team and external securityconsultants also:Review feature designs
Review code
Review threat models
Perform black-box testing
17
8/14/2019 Security Engineering in Vista
18/35
OWASP AppSec Seattle 2006
If all the upfront engineering failsWindows Vista Defenses
Core assumptions Code is never perfect
Designs are never perfect
We must protect customers
Remember, security is Man vs. Man Security is a never-ending arms race
You can never be done with security so long
as the adversary is still breathing Windows Vista includes numerous
defenses
18
8/14/2019 Security Engineering in Vista
19/35
8/14/2019 Security Engineering in Vista
20/35
OWASP AppSec Seattle 2006
Windows Vista DefensesSecurity Features (1 of 2)
Windows Vista firewall is integrated with IPSecBi-directional
On by default
BitLocker full volume drive encryptionOnly in Windows Vista Ultimate and Enterprise
Mitigate the stolen laptop scenario
Provides integrity for the boot process
Can use TPM 1.2 or USB
Windows DefenderCan be disabled by ISVs
20
8/14/2019 Security Engineering in Vista
21/35
8/14/2019 Security Engineering in Vista
22/35
OWASP AppSec Seattle 2006
Windows Vista DefensesService Hardening (1 of 2)
Services (daemons) are attractive targetsNo need for user interaction
Long-lived
Often run elevated
Malware often: Alters the OS
Opens network ports
22
8/14/2019 Security Engineering in Vista
23/35
OWASP AppSec Seattle 2006
Windows Vista DefensesService Hardening (2 of 2)
Many existing services moved out of SYSTEMDescribe the privileges you need
Per-service identity (SID)Protect objects for just that service
Stricter service restart policyRestrict network behaviorEg: foo.exe can only open port TCP/123 inbound
|Action=Allow|Dir=In|LPORT=123|Protocol=17|App=%SystemRoot%\foo.exe
23
8/14/2019 Security Engineering in Vista
24/35
OWASP AppSec Seattle 2006
Windows Vista DefensesIsolation
Users are no longer admins (by default) Even an admin is not an admin (by default)
Integrity levels help contain damage IE7 runs in low integrity (by default)
Protected Mode
Most parts of the operating system aremedium integrity
Restricts Write-Up
Helps defend integrity of the operating system
24
8/14/2019 Security Engineering in Vista
25/35
OWASP AppSec Seattle 2006
Windows Vista DefensesMemory defenses (1 of many)
Stack protection (aka /GS, enabled by default) Detects stack-based overruns
Re-arranges the stack so buffers are in higher memory(helps protect variables)
Moves various arguments to lower memory
Stack is randomized for each thread (by default)
Heap is randomized (by default)
Exception handler protection (aka /SafeSEH,
enabled by default) Exception addresses are verified at runtime
25
8/14/2019 Security Engineering in Vista
26/35
OWASP AppSec Seattle 2006
Windows Vista DefensesMemory defenses (2 of many)
Data ExecutionProtection (aka NX/XD,enabled by default)Harder to execute data
In Windows Vista, DEPcannot be disabledonce turned on for aprocess
26
Most CPUs today support DEP,but make sure its enabled in the
BIOS
8/14/2019 Security Engineering in Vista
27/35
OWASP AppSec Seattle 2006
Windows Vista DefensesMemory defenses (3 of many)
Heap defenses (all by default) Lookasides no longer used
Arrays of free lists no longer used
Early detection of errors due to block header integritycheck
ENTRY->Flink->Blink == ENTRY->Blink->Flink == ENTRY
Heap TerminateOnCorruption
Dynamic adjustment of algorithms based upon theusage
All enabled by default Integer overflow calling operator::new
automatically detected at runtime (by default)
27
8/14/2019 Security Engineering in Vista
28/35
OWASP AppSec Seattle 2006
Windows Vista DefensesMemory defenses (4 of many)
Image randomization (ASLR) System images are loaded randomly into 1 of
256 slots
Changes on each boot
To be effective, ASLR requires DEP Enabled by default
Link with /dynamicbase for non-system images
Long-lived pointers are encoded anddecoded A successful pointer overwrite must survive the
decoding process (XOR with a random number)
28
8/14/2019 Security Engineering in Vista
29/35
OWASP AppSec Seattle 2006
Default Exploit Mitigations on Popular ClientOperating Systems
29
8/14/2019 Security Engineering in Vista
30/35
OWASP AppSec Seattle 2006
Software Security Science
Security is Man vs. Man We must continue to innovate
We must continue to learn more aboutattackers And how to thwart them
We perform root-cause analysis of eachsecurity bug
We analyze bugs from around the industry We work closely with security researchers
Feeds back into the SDL twice a year
30
8/14/2019 Security Engineering in Vista
31/35
OWASP AppSec Seattle 2006
Summary
Threats have evolved Customers are asking Microsoft to provide
a more secure base operating system
We have substantially improved ourdevelopment process
We have added many defenses to the OS
We will continue to provide fundamental
security functionality that protects userswhile still providing opportunities fordevelopers
31
8/14/2019 Security Engineering in Vista
32/35
OWASP AppSec Seattle 2006
[email protected]://blogs.msdn.com/michael_ho
32
8/14/2019 Security Engineering in Vista
33/35
OWASP AppSec Seattle 2006
Backup Slides
33
8/14/2019 Security Engineering in Vista
34/35
OWASP AppSec Seattle 2006
Banned APIs
strcpy, strcpyA, strcpyW, wcscpy,_tcscpy, _mbscpy, StrCpy, StrCpyA,StrCpyW, lstrcpy, lstrcpyA, lstrcpyW,_tccpy, _mbccpystrcat, strcatA, strcatW, wcscat,_tcscat, _mbscat, StrCat, StrCatA,StrCatW, lstrcat, lstrcatA, lstrcatW,StrCatBuff, StrCatBuffA, StrCatBuffW,StrCatChainW, _tccat, _mbccatstrncpy, wcsncpy, _tcsncpy,
_mbsncpy, _mbsnbcpy, StrCpyN,StrCpyNA, StrCpyNW, StrNCpy,strcpynA, StrNCpyA, StrNCpyW,lstrcpyn, lstrcpynA, lstrcpynWstrncat, wcsncat, _tcsncat, _mbsncat,_mbsnbcat, StrCatN, StrCatNA,StrCatNW, StrNCat, StrNCatA,StrNCatW, lstrncat, lstrcatnA,lstrcatnW, lstrcatn
CharToOem, CharToOemA,CharToOemW, OemToChar,OemToCharA, OemToCharW,CharToOemBuffA, CharToOemBuffWalloca, _alloca
wnsprintf, wnsprintfA, wnsprintfW,
sprintfW, sprintfA, wsprintf, wsprintfW,wsprintfA, sprintf, swprintf, _stprintf,_snwprintf, _snprintf, _sntprintf,wvsprintf, wvsprintfA, wvsprintfW,vsprintf, _vstprintf, vswprintf,
_vsnprintf, _vsnwprintf, _vsntprintf,wvnsprintf, wvnsprintfA, wvnsprintfWstrtok, _tcstok, wcstok, _mbstokmakepath, _tmakepath, _makepath,
_wmakepath, _splitpath, _tsplitpath,
_wsplitpathscanf, wscanf, _tscanf, sscanf, swscanf,
_stscanf, snscanf, snwscanf, _sntscanf_itoa, _itow, _i64toa, _i64tow, _ui64toa,_ui64tot, _ui64tow, _ultoa, _ultot, _ultowgets, _getts, _gettwsIsBadWritePtr, IsBadHugeWritePtr,IsBadReadPtr, IsBadHugeReadPtr,IsBadCodePtr, IsBadStringPtr
strlen, wcslen, _mbslen, _mbstrlen,StrLen, lstrlen
8/14/2019 Security Engineering in Vista
35/35
OWASP AppSec Seattle 2006
No Weak Crypto
No new code must use:MD4, MD5, SHA1 (use SHA2 suite)
DES (use AES)
RC4 (without crypto review)
No symmetric keys