Page 1: Banned APIs and Sin Within! Michael Howard mikehow@microsoft.com

Banned APIs and Sin Within!

Michael Howard
mikehow@microsoft.com


Who Is This Guy?

• mikehow@microsoft.com
• Christian (imperfect in every possible way!)
• Microsoft employee for 20 years
• Always in security
• Worked on the Microsoft SDL since inception


Goals and Non-Goals

• I am not one for drawing analogies
– “Security Analogies are usually Wrong”

http://blogs.msdn.com/b/michael_howard/archive/2006/03/09/547575.aspx

• I use quotes from the Bible to compare/contrast software security

• “The Bible is correct, your code is not.” :-)


If cars operated in an environment like the Internet, they would…

• Be driven by people with little regard for safe automobile operation.
• Have their windshields shot out every 60 secs.
• Once you have bullet-proof glass, the bad guys place nails at freeway off-ramps next to signs like, “free coffee this way”
– and someone is always trying to steal your keys
– and pull out your sparkplugs
– and siphon your gas

• Talking of gas, you fill up at a Shell station, only to realize the gas really isn’t gas, it’s vegetable oil and sand

• Oh, that gas station isn’t a Shell station, it certainly looked like one, but they took your credit card details anyway

• As this all goes on, you can’t see the adversary
• And the adversaries are sharing new weapons with each other


The SDL

• A set of process changes that help improve software security

• Over 100 requirements and recommendations
• About 30 deal with memory corruption
• Removing banned APIs is one such requirement


What Are The Banned APIs?

• Mostly memory corruption APIs
– strcpy …
– strcat …
– strncpy …
– strncat …
– sprintf …
– gets …


Banned APIs

• strcpy, strcpyA, strcpyW, wcscpy, _tcscpy, _mbscpy, StrCpy, StrCpyA, StrCpyW, lstrcpy, lstrcpyA, lstrcpyW, _tccpy, _mbccpy
• strcat, strcatA, strcatW, wcscat, _tcscat, _mbscat, StrCat, StrCatA, StrCatW, lstrcat, lstrcatA, lstrcatW, StrCatBuff, StrCatBuffA, StrCatBuffW, StrCatChainW, _tccat, _mbccat
• strncpy, wcsncpy, _tcsncpy, _mbsncpy, _mbsnbcpy, StrCpyN, StrCpyNA, StrCpyNW, StrNCpy, strcpynA, StrNCpyA, StrNCpyW, lstrcpyn, lstrcpynA, lstrcpynW
• strncat, wcsncat, _tcsncat, _mbsncat, _mbsnbcat, StrCatN, StrCatNA, StrCatNW, StrNCat, StrNCatA, StrNCatW, lstrncat, lstrcatnA, lstrcatnW, lstrcatn
• CharToOem, CharToOemA, CharToOemW, OemToChar, OemToCharA, OemToCharW, CharToOemBuffA, CharToOemBuffW
• wnsprintf, wnsprintfA, wnsprintfW, sprintfW, sprintfA, wsprintf, wsprintfW, wsprintfA, sprintf, swprintf, _stprintf, _snwprintf, _snprintf, _sntprintf, wvsprintf, wvsprintfA, wvsprintfW, vsprintf, _vstprintf, vswprintf, _vsnprintf, _vsnwprintf, _vsntprintf, wvnsprintf, wvnsprintfA, wvnsprintfW
• strtok, _tcstok, wcstok, _mbstok
• makepath, _tmakepath, _makepath, _wmakepath, _splitpath, _tsplitpath, _wsplitpath
• scanf, wscanf, _tscanf, sscanf, swscanf, _stscanf, snscanf, snwscanf, _sntscanf
• _itoa, _itow, _i64toa, _i64tow, _ui64toa, _ui64tot, _ui64tow, _ultoa, _ultot, _ultow
• gets, _getts, _gettws
• IsBadWritePtr, IsBadHugeWritePtr, IsBadReadPtr, IsBadHugeReadPtr, IsBadCodePtr, IsBadStringPtr
• memcpy


PnP, MS05-039 (Zotob):

CONFIGRET ResDesToNtResource(
    IN PCVOID ResourceData,
    IN RESOURCEID ResourceType,
    IN ULONG ResourceLen,
    IN PCM_PARTIAL_RESOURCE_DESCRIPTOR pResDes,
    IN ULONG ulTag)
{
    case ResType_ClassSpecific:
    {
        PCS_RESOURCE pCsData = (PCS_RESOURCE)ResourceData;
        LPBYTE ptr = NULL;
        ptr = (LPBYTE)((LPBYTE)pResDes + sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR));
        // Source offset and copy length are read out of the caller-supplied
        // resource data; no check against ResourceLen or the destination
        // size appears before the copy.
        memcpy(ptr,
               pCsData->CS_Header.CSD_Signature + pCsData->CS_Header.CSD_LegacyDataOffset,
               pCsData->CS_Header.CSD_LegacyDataSize);


PCT, SChannel, MS04-011:

#define SSL2_MAX_CHALLENGE_LEN 32

typedef struct _Ssl2_Client_Hello {
    DWORD dwVer;
    DWORD cCipherSpecs;
    DWORD cbSessionID;
    DWORD cbChallenge;
    UCHAR SessionID[SSL3_SESSION_ID_LEN];
    UCHAR Challenge[SSL2_MAX_CHALLENGE_LEN];
    Ssl2_Cipher_Kind CipherSpecs[MAX_UNI_CIPHERS];
} Ssl2_Client_Hello, * PSsl2_Client_Hello;

SP_STATUS Pct1SrvHandleUniHello(..., PSsl2_Client_Hello pHello, ...)
{
    Pct1_Client_Hello ClientHello;
    ...
    // cbChallenge is taken from the peer's hello; no comparison against
    // SSL2_MAX_CHALLENGE_LEN (the fixed size of Challenge) appears before
    // the copy.
    CopyMemory(ClientHello.Challenge, pHello->Challenge, pHello->cbChallenge);


NNTP, MS05-030:

Last Updated 20060103

HRESULT CNewsStore::OnResponse(LPNNTPRESPONSE pResponse)
{
    ...
    if (pResponse->state == NS_LIST)
        hr = _HandleListResponse(pResponse, FALSE);
    ...
}

HRESULT CNewsStore::_HandleListResponse(LPNNTPRESPONSE pResp, BOOL fNew)
{
    LPSTR psz, pszCount;
    int nSize;
    char szGroupName[CCHMAX_FOLDER_NAME];
    LPNNTPLIST pnl = &pResp->rList;
    for (DWORD i = 0; i < pnl->cLines; i++, m_op.dwProgress++) {
        // Group name length is measured from the server's response line,
        // then clamped to the destination buffer before the copy.
        psz = pnl->rgszLines[i];
        while (*psz && !IsSpace(psz))
            psz = CharNext(psz);
        nSize = (int)(psz - pnl->rgszLines[i]);
        if (nSize >= CCHMAX_FOLDER_NAME)
            nSize = CCHMAX_FOLDER_NAME - 1;
        CopyMemory(szGroupName, pnl->rgszLines[i], nSize);


LSASS, MS04-011 (Sasser):

VOID DsRolepDebugDumpRoutine(IN DWORD DebugFlag, IN LPWSTR Format, va_list arglist)
{
#define DsRolepDebugDumpRoutine_BUFFERSIZE 1024
    WCHAR OutputBuffer[DsRolepDebugDumpRoutine_BUFFERSIZE];
    ...
    // wvsprintfW takes no destination size: a formatted message longer
    // than the remaining space in OutputBuffer is written past its end.
    length += (ULONG) wvsprintfW(&OutputBuffer[length], Format, arglist);
    ...
}
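In the PnP, SChannel and LSASS excerpts above, the copy length is derived from data the peer controls and no check against the fixed destination is visible; the NNTP excerpt shows a clamp before its copy. As an added example (not from the deck or from Windows source), the parser below handles a constructed, simplified hello record modelled on the SChannel struct and rejects it when the declared challenge length exceeds either the fixed buffer or the bytes actually received; bounded_copy is a stand-in for memcpy_s, and kMaxChallengeLen, parse_hello and the wire format are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for memcpy_s (assumption): the copy site knows the destination
// size, so an oversized count fails instead of overrunning the buffer.
bool bounded_copy(void *dst, std::size_t dst_size, const void *src, std::size_t count) {
    if (dst == nullptr || src == nullptr || count > dst_size) return false;
    std::memcpy(dst, src, count);
    return true;
}

constexpr std::size_t kMaxChallengeLen = 32;   // mirrors SSL2_MAX_CHALLENGE_LEN

struct ClientHello {                            // simplified from the slide's struct
    std::uint32_t cbChallenge = 0;
    unsigned char Challenge[kMaxChallengeLen] = {};
};

// Constructed wire format (an assumption for this example):
//   cbChallenge as 4 bytes little-endian, then cbChallenge challenge bytes.
// Returns false and leaves `out` untouched for any malformed record.
bool parse_hello(const std::vector<unsigned char> &rec, ClientHello &out) {
    if (rec.size() < 4) return false;
    std::uint32_t cb = 0;
    for (int i = 3; i >= 0; --i) cb = (cb << 8) | rec[static_cast<std::size_t>(i)];
    // The declared length must fit the fixed buffer AND the bytes received:
    // this is the check the CopyMemory call on the slide does not perform.
    if (cb > kMaxChallengeLen || cb > rec.size() - 4) return false;
    ClientHello tmp;
    if (!bounded_copy(tmp.Challenge, sizeof tmp.Challenge, rec.data() + 4, cb)) return false;
    tmp.cbChallenge = cb;
    out = tmp;
    return true;
}
```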


How Do you Find Them?

• #include <banned.h>
• C4996 warnings


The Replacements

• Don’t use C++ as a glorified C!
• Use std::string
• Use strsafe.h
• Use strcpy_s etc


Auto-replacement of Banned Functions

• If the compiler knows the destination buffer size at compile time, it can automatically generate secure code
• Add the following to auto-migrate functions to safe functions
• #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)

Before:
    char buf[32];
    strcpy(buf, src);

After (the overload supplies sizeof(buf) as the destination size, which is the second argument of strcpy_s):
    char buf[32];
    strcpy_s(buf, 32, src);
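The mechanism this slide describes, as an added example that is not the CRT's code: when the destination is an array, a template overload deduces its size at compile time and forwards to a bounded copy, so strcpy(buf, src) becomes a checked copy with no size argument to mistype. safe_copy is a portable stand-in for strcpy_s; its contract (errno-style return, destination emptied on overflow) is modelled on strcpy_s and is an assumption of the example.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstring>
#include <string>

// Portable stand-in for strcpy_s (assumption: same contract as the CRT
// version). dst holds dst_size bytes including the terminator. Returns 0
// on success; on overflow the destination is emptied and ERANGE returned,
// rather than overrunning like strcpy or silently truncating like strncpy.
int safe_copy(char *dst, std::size_t dst_size, const char *src) {
    if (dst == nullptr || dst_size == 0) return EINVAL;
    if (src == nullptr) { dst[0] = '\0'; return EINVAL; }
    std::size_t len = std::strlen(src);
    if (len >= dst_size) { dst[0] = '\0'; return ERANGE; }
    std::memcpy(dst, src, len + 1);          // len + 1 includes the NUL
    return 0;
}

// Template overload: when dst is an array, N is deduced by the compiler.
// This is what _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES does for strcpy_s.
template <std::size_t N>
int safe_copy(char (&dst)[N], const char *src) {
    return safe_copy(dst, N, src);
}

// Mirrors the slide's "char buf[32]; strcpy(buf, src);" with the overload
// applied. Returns the result code and leaves the copied text in out.
int copy_into_32(const char *src, std::string &out) {
    char buf[32];
    int rc = safe_copy(buf, src);            // size 32 deduced, never typed by hand
    out = buf;
    return rc;
}
```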


But Isn’t C dead?

http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html


The Leap of Faith

• What about regressions?
• In ten years, I have seen only one regression at Microsoft


Effectiveness?

• Over 25% of MSRC memory corruption vulns did not affect newer products simply because we banned the API(s) in question and replaced them with a more secure version

• That’s low cost engineering at its best!


Pop Quiz

• What’s in an 8oz glass of wine?
• What’s in an 8oz glass of poison?
• What’s in an 8oz glass of wine with a drop of poison?


Sin and Insecure Code

Righteous Man + One Sin

Sinful Man

Well-Written Code + One Vulnerability

Insecure System


All Sin is the Same …

• There is no “good” or “bad” sin, it’s all sin in God’s eyes.
• There is no “Security Bulletin” scale for sin

Critical: Adultery, Murder
Important: Bearing False Witness
Moderate: Stealing
Low: Coveting


… but insecure Code is not the Same

• An anonymously accessible remote code execution vulnerability that gives you root is *way* worse than a local information disclosure vuln accessible only by admins

Critical: Remote code execution
Important: Server DoS
Moderate: Temporary Server DoS
Low: Client DoS


Banned APIs

• We have banned over 120 APIs at Microsoft
• They are great examples of “One-line” Sins


Removing Sin

• How do you remove Sin?
• By replacing Sin with something not Sinful!
• Easy to say, very hard to do.

And I know that nothing good lives in me, that is, in my sinful nature. I want to do what is right, but I can't. (Romans 7:18)

• How do you remove banned APIs?
• By replacing them with something less dangerous!
• Easy to say, easy to do.


Removal takes a Leap of Faith

• Trust that God forgives your Sins
• Trust that the banned API replacements don’t introduce regressions!

Praise the Lord, … who forgives all your sins. (Psalm 103:3)


How Do you Remove Banned APIs?

• Admit you have banned APIs (admit you sin!)
• Do something about it (admit the Lord into your heart)
• Don’t repeat!


Banned APIs and the Sin Within: Summary

• Admit you sin
– In life and in code

• Do something about it
– Study Romans
– Remove Banned APIs

• Put steps in place to help prevent Sin and banned APIs
– Think!!
– Use banned.h in all your C/C++ code


Questions!?