Pragmatic Pragmatic Trustworthy ComputingTrustworthy Computing
Michael Howard ([email protected])Michael Howard ([email protected])Senior Program ManagerSenior Program ManagerSecure Windows InitiativeSecure Windows InitiativeMicrosoft CorporationMicrosoft Corporation
AgendaAgenda
Who is SWI?Who is SWI? What is TwC?What is TwC? What we’re doingWhat we’re doing
Teaching critical skillsTeaching critical skills Attack surface reductionAttack surface reduction
Beyond MicrosoftBeyond Microsoft
Who is SWI?Who is SWI?
Secure Windows InitiativeSecure Windows Initiative Focus on securing Microsoft productsFocus on securing Microsoft products Little (read: zero) focus on security Little (read: zero) focus on security
features nor network securityfeatures nor network security Security Features != Secure FeaturesSecurity Features != Secure Features
Secure Windows InitiativeSecure Windows Initiative
PeoplePeopleTrain, and keep current, every developer, tester, Train, and keep current, every developer, tester, and program manager in the specific techniques and program manager in the specific techniques of building secure products.of building secure products.
ProcessProcess
Make security a critical factor in design, coding and Make security a critical factor in design, coding and testing of every product Microsoft buildstesting of every product Microsoft buildsMajor changes to development processMajor changes to development processSecurity Threat Analysis part of every design specSecurity Threat Analysis part of every design specCross-group design & code reviewsCross-group design & code reviewsRed Team testing and code reviewsRed Team testing and code reviewsSecurity bug feedback loop & code sign-off requirements Security bug feedback loop & code sign-off requirements External reviews and testing by consultants and publicExternal reviews and testing by consultants and public
TechnologyTechnology
Build tools to automate everything possible in the quest Build tools to automate everything possible in the quest to code the most secure productsto code the most secure productsPreFIX and PreFAST for defect detectionPreFIX and PreFAST for defect detection
Updated as new vulnerabilities foundUpdated as new vulnerabilities foundVisual C++ compiler improvementsVisual C++ compiler improvements
Trustworthy Computing:Trustworthy Computing:What Is It?What Is It?
The key goal of Trustworthy Computing is to make The key goal of Trustworthy Computing is to make computing so safe and reliable that people simply computing so safe and reliable that people simply take it for granted—just as they take electricity and take it for granted—just as they take electricity and the telephone system for granted today.the telephone system for granted today.
A top priority for Microsoft—and a cultural shift we are A top priority for Microsoft—and a cultural shift we are totally committed to totally committed to
A lengthy journey (at least a decade)A lengthy journey (at least a decade) Needs the commitment of the entire computer industry Needs the commitment of the entire computer industry
(software, hardware, ISPs, etc)(software, hardware, ISPs, etc)
Trustworthy ComputingTrustworthy ComputingCore TenetsCore Tenets
Resilient to attackResilient to attack Protects confidentiality, integrity, Protects confidentiality, integrity,
availability and dataavailability and data
DependableDependable Available when neededAvailable when needed Performs at expected levelsPerforms at expected levels
Individuals control personal dataIndividuals control personal data Products and online services adhere to Products and online services adhere to
fair information principles fair information principles
Vendors provide quality productsVendors provide quality products Product support is appropriateProduct support is appropriate
SecuritySecurity
PrivacyPrivacy
ReliabilityReliability
Business Business IntegrityIntegrity
SDSD33 + Communications + Communications
Clear security commitmentClear security commitmentFull member of the security communityFull member of the security communityMicrosoft Security Response Center Microsoft Security Response Center
Security Framework is VitalSecurity Framework is Vital
Secure Secure by Designby Design
Secure Secure by Defaultby Default
Secure in Secure in DeploymentDeployment
CommunicationsCommunications
Secure architectureSecure architectureImproved processImproved processReduce vulnerabilities in the codeReduce vulnerabilities in the code
Reduce attack surface areaReduce attack surface areaUnused features off by defaultUnused features off by defaultOnly require minimum privilegeOnly require minimum privilege
Protect, detect, defend, recover, manageProtect, detect, defend, recover, manageProcess: How to’s, architecture guidesProcess: How to’s, architecture guidesPeople: TrainingPeople: Training
Microsoft Security Response Center Microsoft Security Response Center severity rating systemseverity rating systemMSDN security guidance for developersMSDN security guidance for developersOrganization for Internet Safety formedOrganization for Internet Safety formed
Sampling of Progress To DateSampling of Progress To Date
SDSD33 + Communications + Communications
Secure Secure by Designby Design
Secure Secure by Defaultby Default
Secure in Secure in DeploymentDeployment
CommunicationsCommunications
Security training for MS engineersSecurity training for MS engineersImproved processImproved process
Security code reviews Security code reviews Threat modelingThreat modeling
Office XP: Scripting off by defaultOffice XP: Scripting off by defaultNo sample code installed by defaultNo sample code installed by defaultSQL/IIS off by default in VS.NETSQL/IIS off by default in VS.NET
Deployment tools (MBSA, IIS Lockdown)Deployment tools (MBSA, IIS Lockdown)Created STPP to respond to customersCreated STPP to respond to customersPAG for Windows 2000 Security OpsPAG for Windows 2000 Security Ops
Secure Product Secure Product Development TimelineDevelopment Timeline
Secure questionsSecure questionsduring interviewsduring interviews
ConceptConcept DesignsDesignsCompleteComplete
Test plansTest plansCompleteComplete
CodeCodeCompleteComplete
ShipShip PostPostShipShip
ThreatThreatanalysisanalysis
SecuritySecurityReviewReview
Team memberTeam membertrainingtraining
Data mutationData mutation& Least Priv& Least PrivTestsTests
Review old defects Review old defects Check-ins checkedCheck-ins checkedSecure coding guidelinesSecure coding guidelinesUse toolsUse tools
Security push/auditSecurity push/audit
= on-going= on-going
Learn & Learn & RefineRefine
External External reviewreview
Critical Skills InstilledCritical Skills Instilled
Designers & ArchitectsDesigners & Architects Threat modelingThreat modeling
DevelopersDevelopers Input trust issuesInput trust issues
TestersTesters Data mutation (intelligent fuzz)Data mutation (intelligent fuzz)
Threat ModelsThreat Models
You cannot build secure applications You cannot build secure applications unless you understand threatsunless you understand threats ““We use SSL!”We use SSL!”
Find different bugs than code review Find different bugs than code review and testingand testing Implementation bugs vs higher-level Implementation bugs vs higher-level
design issuesdesign issues
Approx 50% of issues come from threat Approx 50% of issues come from threat modelsmodels
Threat Modeling ProcessThreat Modeling Process Create model of app (DFD, UML etc)Create model of app (DFD, UML etc) Categorize threats to each attack Categorize threats to each attack
target node with STRIDEtarget node with STRIDE Spoofing, Tampering, Repudiation, Spoofing, Tampering, Repudiation,
Info Disclosure, Denial of Service, Info Disclosure, Denial of Service, Elevation of PrivilegeElevation of Privilege
Build threat treeBuild threat tree Rank threats with DREADRank threats with DREAD
Damage potential, Reproducibility, Damage potential, Reproducibility, Exploitability, Affected Users, Exploitability, Affected Users, DiscoverabilityDiscoverability
1.2.1Parse
Request
Threat (Goal)
STRIDE
Threat (Goal)
STRIDE
Threat (Goal)
STRIDE
DREADThreat
SubthreatCondition
Threat Threat
ConditionCondition DREAD
Input Trust IssuesInput Trust Issues““All input is evil, until proven All input is evil, until proven
otherwise”otherwise”Good guys provide well-formed input, Good guys provide well-formed input,
bad guys don’t!bad guys don’t! Buffer overrunsBuffer overruns Integer overflow attacksInteger overflow attacks SQL injection attacksSQL injection attacks XSS attacksXSS attacks
Look for well-formed input, and reject Look for well-formed input, and reject everything elseeverything else Don’t look for ‘bad’ thingsDon’t look for ‘bad’ things
The Turkish-I problemThe Turkish-I problem
Turkish has four ‘I’sTurkish has four ‘I’s ii (U+0069) (U+0069) ıı (U+0131) (U+0131) İİ (U+0130) (U+0130) II (U+0049) (U+0049)
In the Turkish locale In the Turkish locale FILEFILE !=!= FİLEFİLE
// Only allow "HTTP://" URLsif(url.ToUpper(CULTURE_INVARIANT).Left(4) == "HTTP") getStuff(url);else return ERROR;
// Do not allow "FILE://" URLsif(url.ToUpper().Left(4) == "FILE") return ERROR;getStuff(url);
What’s wrong with this What’s wrong with this code?code?void func(char *strName) {
char buff[64];strcpy(buff,”My name is: “);strcat(buff,strName);
}
Untrusted!These APIs are not ‘insecure’
void func(char *strName) {char buff[64];if (isValid(strName)) {
strcpy(buff,”My name is: “);strcat(buff,strName);
}}
A safe version using ‘insecure’ APIs
UntrustedTrusted
On the Subject of On the Subject of Buffer Overruns!Buffer Overruns! Issue is trusting the data is correct!Issue is trusting the data is correct! Don’t simply use the ‘secure’ ‘n’ versionsDon’t simply use the ‘secure’ ‘n’ versions
ie; strncpy rather than strcpyie; strncpy rather than strcpy VC++ .NET adds the –GS flagVC++ .NET adds the –GS flag
Mitigates some stack-smashing attacksMitigates some stack-smashing attacks VS.NET: Function return addressVS.NET: Function return address VS.NET 2003: exception handlers, stack-based VS.NET 2003: exception handlers, stack-based
function pointers & data pointersfunction pointers & data pointers May lead to DoS rather than attack code May lead to DoS rather than attack code
executionexecution Most of Windows .NET Server compiled with -GSMost of Windows .NET Server compiled with -GS On by default for new VS.NET C++ projectsOn by default for new VS.NET C++ projects Not a replacement for good codeNot a replacement for good code Doesn’t fix code!Doesn’t fix code!
Security Testing: Data Security Testing: Data Mutation & Threat ModelsMutation & Threat Models A Problem: Too many “goody two A Problem: Too many “goody two
shoes” testersshoes” testers We need to teach people how to think We need to teach people how to think
‘evil’‘evil’
The threat model can help drive the The threat model can help drive the test processtest process Each threat should have at least two Each threat should have at least two
tests: Whitehat & Blackhattests: Whitehat & Blackhat STRIDE helps drive test techniquesSTRIDE helps drive test techniques DREAD helps drive priorityDREAD helps drive priority
Analytical Security TestingAnalytical Security Testing
Decompose the app Decompose the app (threat model)(threat model)
Identify interfacesIdentify interfaces Enumerate input pointsEnumerate input points
SocketsSockets PipesPipes RegistryRegistry FilesFiles RPC (etc)RPC (etc) Command-line argsCommand-line args Etc.Etc.
Enumerate data Enumerate data structuresstructures C/C++ struct dataC/C++ struct data HTTP bodyHTTP body HTTP headersHTTP headers HTTP header dataHTTP header data QuerystringsQuerystrings Bit flagsBit flags Etc.Etc.
Determine valid Determine valid constructsconstructs
Mutate the data!Mutate the data! ContentsContents
Length (Cl) Length (Cl) Random (Cr)Random (Cr) NULL (Cn)NULL (Cn) Zero (Cz)Zero (Cz) Wrong type (Cw)Wrong type (Cw) Wrong Sign (Cs)Wrong Sign (Cs) Out of Bounds (Co)Out of Bounds (Co) Valid + Invalid (Cv)Valid + Invalid (Cv) Special Chars (Cp)Special Chars (Cp)
Script (Cps)Script (Cps) HTML (Cph)HTML (Cph) Quotes (Cpq)Quotes (Cpq) Slashes (Cpl)Slashes (Cpl) Escaped chars (Cpe)Escaped chars (Cpe) Meta chars (Cpm)Meta chars (Cpm)
LengthLength Long (Ll)Long (Ll) Small (Ls)Small (Ls) Zero Length (Lz)Zero Length (Lz)
ContainerContainer Name (On)Name (On) Link to other (Ol)Link to other (Ol) Exists (Oe)Exists (Oe) Does not exist (Od)Does not exist (Od) No access (Oa)No access (Oa) Restricted Access (Or)Restricted Access (Or)
Network SpecificNetwork Specific Replay (Nr)Replay (Nr) Out-of-sync (No)Out-of-sync (No) High volume (Nh)High volume (Nh)
Data mutation exampleData mutation example
<?xml version="1.0" encoding=“utf-8"?><?xml version="1.0" encoding=“utf-8"?><items><items> <item name="Foo" readonly="true"><item name="Foo" readonly="true"> <cost>13.50</cost><cost>13.50</cost> <lastpurch>20020903</lastpurch><lastpurch>20020903</lastpurch> <fullname>Big Foo Thing</fullname><fullname>Big Foo Thing</fullname> </item></item> ......</items></items>
OnHand.xmlOnHand.xml
•Filename too long (On:Cl:Ll)Filename too long (On:Cl:Ll)•Link to another file (Ol)Link to another file (Ol)•Deny access to file (Oa)Deny access to file (Oa)•Lock file (Oa)Lock file (Oa)
•No data No data (Cl:Lz) (Cl:Lz)•Full of junkFull of junk (Cr) (Cr)
•Escaped (Cpe)Escaped (Cpe)•Junk (Cr)Junk (Cr)
•Different version (Cs & Co)Different version (Cs & Co)•No version (Cl:Lz)No version (Cl:Lz)
Relative Attack SurfaceRelative Attack Surface
Simple way of measuring potential for Simple way of measuring potential for attackattack
Features are attacked Features are attacked Security Bugs Security BugsLess Features == Less Security BugsLess Features == Less Security BugsGoal of a product should be to reduce Goal of a product should be to reduce
attack surfaceattack surface Lower privLower priv Turn features offTurn features off Defense in depthDefense in depth
Founded on past mistakesFounded on past mistakes
Products have vulnerability pointsProducts have vulnerability pointsWindows is attacked one way, Linux Windows is attacked one way, Linux
another, SQL Server yet anotheranother, SQL Server yet anotherHard to compare non-similar productsHard to compare non-similar products
The ProcessThe Process
OldVulns
DetermineAttack
Vector(s)
Apply Bias Σ RASQ
Think of it as ‘Cyclomatic Complexity’ for Security!
Sample Windows Data Sample Windows Data PointsPoints Open socketsOpen sockets Open RPC endpointsOpen RPC endpoints Open named pipesOpen named pipes ServicesServices Services running by Services running by
defaultdefault Services running as Services running as
SYSTEMSYSTEM Active Web handlersActive Web handlers Active ISAPI FiltersActive ISAPI Filters Dynamic Web pagesDynamic Web pages Executable vdirsExecutable vdirs
Enabled AccountsEnabled Accounts Enabled Accounts in Enabled Accounts in
admin groupadmin group Null Sessions to Null Sessions to
pipes and sharespipes and shares Guest account Guest account
enabledenabled Weak ACLs in FSWeak ACLs in FS Weak ACLs in Weak ACLs in
RegistryRegistry Weak ACLs on Weak ACLs on
sharesshares
The Figures are interestingThe Figures are interesting
RASQ
0
100
200
300
400
500
600
700
Windows NT 4SP6a
Windows NT 4SP6a +
Option Pack
Windows2000
Windows.NET Server
Windows.NET Server
w/IIS
Windows XP Windows XPw/ICF Enabled
RASQ
Using RASQ to build better Using RASQ to build better productsproductsProduct A agrees on RASQ data pointsProduct A agrees on RASQ data points
Based on past exploitsBased on past exploits SWI has buy inSWI has buy in
v1 has RASQ = 350v1 has RASQ = 350Goal for v2 is to reduce RASQ by at Goal for v2 is to reduce RASQ by at
least 10%least 10% Add as many features as you wantAdd as many features as you want But do so while still reducing RASQBut do so while still reducing RASQ
Measurable!Measurable!
Beyond MicrosoftBeyond MicrosoftSharing new issues and educationSharing new issues and education
Writing Secure Code 2Writing Secure Code 2ndnd Edition Edition ““Code Secure” at msdn.microsoft.comCode Secure” at msdn.microsoft.com More whitepapersMore whitepapers Strsafe.hStrsafe.h SiteLockSiteLock Microsoft Official CurriculumMicrosoft Official Curriculum
2805a – Security Seminar for Developers2805a – Security Seminar for Developers ISV trainingISV training Premier Partner TrainingPremier Partner Training
The Ultimate GoalThe Ultimate Goal
Not to inject security bugs into the Not to inject security bugs into the code in the first place!code in the first place! Short term: remove existing flawsShort term: remove existing flaws Longer term: don’t add them to the codeLonger term: don’t add them to the code
You can’t do this through code reviewYou can’t do this through code review ……or testingor testing
Only remove existing flawsOnly remove existing flaws
You have to teach people to do the You have to teach people to do the right things…!right things…!
SummarySummary
Who is SWI?Who is SWI? What is TwC?What is TwC? What we’re doingWhat we’re doing
Teaching critical skillsTeaching critical skills Attack surface reductionAttack surface reduction
Beyond MicrosoftBeyond Microsoft