Upload
dominic-caldwell
View
221
Download
0
Tags:
Embed Size (px)
Citation preview
Inside Microsoft’s Inside Microsoft’s Secure Windows InitiativeSecure Windows Initiative
Steve LipnerSteve LipnerDirector of Security Engineering StrategyDirector of Security Engineering StrategySecurity Business UnitSecurity Business UnitMicrosoft CorporationMicrosoft Corporation
AgendaAgenda
Who Am I?Who Am I? What is SWI?What is SWI? SDSD33 + c + c Secure Development ProcessSecure Development Process Threat ModelsThreat Models Relative Attack SurfaceRelative Attack Surface Open QuestionsOpen Questions
Who is this guy?Who is this guy?
[email protected]@microsoft.com Been at Microsoft for 3.5 yearsBeen at Microsoft for 3.5 years
Always in securityAlways in security
Started working in security in 1970Started working in security in 1970 Experience includes A1 systems, Experience includes A1 systems,
firewalls, consulting, other stufffirewalls, consulting, other stuff
PragmaticPragmatic A chief conspirator!A chief conspirator!
What is SWI?What is SWI?
Secure Windows InitiativeSecure Windows Initiative Work across MicrosoftWork across Microsoft Focus on securing productsFocus on securing products Security Features != Secure FeaturesSecurity Features != Secure Features Two sub-groupsTwo sub-groups
Defensive SWI Defensive SWI Offensive SWIOffensive SWI
Building SoftwareBuilding Softwarefor Peoplefor People
SoftwareSoftware
SecurityPrivacy
Reliability
Supportable
Manageable
DeployableCompatible
Affordable
International
Accessible
Usable (Features)
Doable (Schedule, $, skills)
You cannot build software ‘for people’ in a vacuum
Building SoftwareBuilding Softwarefor Peoplefor People
SoftwareSoftware
SecuritySecurity
PrivacyPrivacy
ReliabilityReliability
Supportable
Manageable
DeployableCompatible
Affordable
International
Accessible
Usable (Features)
Doable (Schedule, $, skills)
SDSD33 + Communications + Communications
Clear security commitmentClear security commitmentFull member of the security communityFull member of the security communityMicrosoft Security Response Center Microsoft Security Response Center
A Security FrameworkA Security Framework
Secure Secure by Designby Design
Secure Secure by Defaultby Default
Secure in Secure in DeploymentDeployment
CommunicationsCommunications
Secure architecture & codeSecure architecture & codeThreat analysisThreat analysisReduce vulnerabilitiesReduce vulnerabilities
Reduce attack surface areaReduce attack surface areaUnused features off by defaultUnused features off by defaultOnly require minimum privilegeOnly require minimum privilege
Protect, detect, defend, recover, manageProtect, detect, defend, recover, manageProcess: How to’s, architecture guidesProcess: How to’s, architecture guidesPeople: TrainingPeople: Training
SDSD33 At Work – MS03-007 At Work – MS03-007Windows Server 2003 UnaffectedWindows Server 2003 Unaffected
The underlying DLL The underlying DLL (NTDLL.DLL) not (NTDLL.DLL) not vulnerablevulnerable
The underlying DLL The underlying DLL (NTDLL.DLL) not (NTDLL.DLL) not vulnerablevulnerable
Code made more conservative during Security PushCode made more conservative during Security PushCode made more conservative during Security PushCode made more conservative during Security Push
EvenEven if it was running if it was runningEvenEven if it was running if it was running IIS 6.0 doesn’t have WebDAV enabled by defaultIIS 6.0 doesn’t have WebDAV enabled by defaultIIS 6.0 doesn’t have WebDAV enabled by defaultIIS 6.0 doesn’t have WebDAV enabled by default
EvenEven if it did have if it did have WebDAV enabledWebDAV enabledEvenEven if it did have if it did have WebDAV enabledWebDAV enabled
Maximum URL length in IIS 6.0 is 16kb by Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed) default (>64kb needed) Maximum URL length in IIS 6.0 is 16kb by Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed) default (>64kb needed)
EvenEven if it was vulnerable if it was vulnerableEvenEven if it was vulnerable if it was vulnerable IIS 6.0 not running by default on IIS 6.0 not running by default on Windows Server 2003Windows Server 2003IIS 6.0 not running by default on IIS 6.0 not running by default on Windows Server 2003Windows Server 2003
EvenEven if it there was an if it there was an exploitable buffer exploitable buffer overrunoverrun
EvenEven if it there was an if it there was an exploitable buffer exploitable buffer overrunoverrun
Would have occurred in Would have occurred in w3wp.exew3wp.exe which is which is now running as ‘network service’now running as ‘network service’Would have occurred in Would have occurred in w3wp.exew3wp.exe which is which is now running as ‘network service’now running as ‘network service’
EvenEven if the buffer was if the buffer was large enoughlarge enoughEvenEven if the buffer was if the buffer was large enoughlarge enough
Process halts rather than executes malicious code, Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)due to buffer-overrun detection code (-GS)Process halts rather than executes malicious code, Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)due to buffer-overrun detection code (-GS)
Secure Product Secure Product Development TimelineDevelopment Timeline
Secure questionsSecure questionsduring interviewsduring interviews
Concept /Concept /RequirementsRequirements
DesignsDesignsCompleteComplete
Test plansTest plansCompleteComplete
CodeCodeCompleteComplete
ShipShip PostPostShipShip
ThreatThreatanalysisanalysis
SWISWIReviewReview
Group memberGroup membertrainingtraining Data mutationData mutation
& Least Priv& Least PrivTestsTests
Security sign-offSecurity sign-offcriteria determinedcriteria determined
Review old defects Review old defects Check-ins checkedCheck-ins checkedSecure coding guidelinesSecure coding guidelinesUse toolsUse tools
Security auditSecurity audit
Learn & Learn & RefineRefine
External External reviewreview
Security pushSecurity push
Threat AnalysisThreat AnalysisYou cannot build secure applications You cannot build secure applications
unless you understand threatsunless you understand threats Adding security features does not mean Adding security features does not mean
you have secure softwareyou have secure software ““We use SSL!”We use SSL!”
Find issues before the code is createdFind issues before the code is createdFind different bugs than code review Find different bugs than code review
and testingand testing Implementation bugs vs higher-level Implementation bugs vs higher-level
design issuesdesign issuesApprox 50% of issues come from threat Approx 50% of issues come from threat
modelsmodels
Threat Modeling ProcessThreat Modeling Process Create model of app (DFD, UML etc)Create model of app (DFD, UML etc)
Build a list of assets that require protectionBuild a list of assets that require protection Categorize threats to each attack target Categorize threats to each attack target
node with STRIDEnode with STRIDE Spoofing, Tampering, Repudiation, Spoofing, Tampering, Repudiation,
Info Disclosure, Denial of Service, Elevation of Info Disclosure, Denial of Service, Elevation of PrivilegePrivilege
Build threat tree for each threatBuild threat tree for each threat Derived from hardware fault treesDerived from hardware fault trees
Rank threats by riskRank threats by risk Risk = Potential * DamageRisk = Potential * Damage DREAD: Damage potential, Reproducibility, DREAD: Damage potential, Reproducibility,
Exploitability, Affected Users, DiscoverabilityExploitability, Affected Users, Discoverability
1.0User
5.0Serviceclient
request
Payrollrequest
Payrollresponse
Portion of DFDPortion of DFD
Inte
rnet
Dat
a C
entr
e
Potentially sensitivePayroll information(Info Disc threat - Privacy issue)
User privilegeRequired
S – T – R – I – D – E –
Data flowData flow5.0 5.0 1.0 1.0
Data flowData flow1.0 1.0 5.0 5.0
Information Disclosure Information Disclosure Threat to Payroll DataThreat to Payroll Data
Threat #1 (I)View payroll data
1.1Traffic is unprotected
1.2Attacker viewstraffic
1.2.1Sniff traffic with protocol analyzer
1.2.2Listen to routertraffic
1.2.2.1Router is unpatched
1.2.2.2Compromise router
1.2.2.3Guess routerpassword
1.0 View payroll data (I) 1.1 Traffic is unprotected (AND) 1.2 Attacker views traffic 1.2.1 Sniff traffic with protocol analyzer 1.2.2 Listen to router traffic 1.2.2.1 Router is unpatched (AND) 1.2.2.2 Compromise router 1.2.2.3 Guess router password
Applying Risk (W.I.P.)Applying Risk (W.I.P.)
Threat #1 (I)View payroll data
1.1Traffic is unprotected
1.2Attacker viewstraffic
1.2.1Sniff traffic with protocol analyzer
1.2.2Listen to routertraffic
1.2.2.1Router is unpatched
1.2.2.2Compromise router
1.2.2.3Guess routerpassword
•Damage potential•Affected Users-or-•Damage
•Reproducibility•Exploitability•Discoverability-or-•Chance
Applying Risk (W.I.P.)Applying Risk (W.I.P.)Using Risk = Chance*DamageUsing Risk = Chance*Damage
Threat #1 (I)View payroll data
1.1Traffic is unprotected
1.2Attacker viewstraffic
1.2.1Sniff traffic with protocol analyzer
1.2.2Listen to routertraffic
1.2.2.1Router is unpatched
1.2.2.2Compromise router
1.2.2.3Guess routerpassword
Damage = 9
Chance=10
Chance=9
Chance=5 Chance=3 Chance=1 AND = min(C1, C2, Cn)OR = max(C1, C2, Cn)
max(1.2.2.3, min(1.2.2.1, 1.2.2.2))Calculated Chance=3
max(1.2.1, 1.2.2)Calculated Chance=9
min(1.1, 1.2)Calculated Chance = 9
Gotta fix it!
Risk = 9 * 981
Designing to a Threat Designing to a Threat ModelModel Threat types have mitigation techniquesThreat types have mitigation techniques
SpoofingSpoofing Authentication (authn), good credential storageAuthentication (authn), good credential storage
TamperingTampering Authorization (authz), MAC, signingAuthorization (authz), MAC, signing
RepudiationRepudiation Authn, Authz, signing, logging, trusted third partyAuthn, Authz, signing, logging, trusted third party
Info DisclosureInfo Disclosure Authz, encryptionAuthz, encryption
Denial of ServiceDenial of Service Filtering, Authn, AuthzFiltering, Authn, Authz
Elev of PrivElev of Priv Don’t run with elevated privsDon’t run with elevated privs
Threat Mitigation Threat Mitigation Techniques & TechnologiesTechniques & Technologies
ThreatType
(STRIDE)
MitigationTechnique
MitigationTechnique
Technology Technology Technology Technology
Spoofing Authentication
NTLMX.509 certsPGP keysBasicDigestKerberosSSL/TLS
PatchingPolicy
PasswordPolicy
Defensein depth
Threat MitigationThreat Mitigation
Threat #1 (I)View payroll data
1.1Traffic is unprotected
1.2Attacker viewstraffic
1.2.1Sniff traffic with protocol analyzer
1.2.2Listen to routertraffic
1.2.2.1Router is unpatched
1.2.2.2Compromise router
1.2.2.3Guess routerpassword
Look for high-level AND clauses
SSL/TLS,WS-Security,
IPSecetc.
Encryption
Coding to a Threat ModelCoding to a Threat Model
Threat models help you determine the Threat models help you determine the most ‘dangerous’ portions of the most ‘dangerous’ portions of the applicationapplication Prioritize security push effortsPrioritize security push efforts Prioritize on-going code reviewsPrioritize on-going code reviews Help determine the defense mechanisms Help determine the defense mechanisms
to useto use
Determine data flowDetermine data flow ““All input is evil, until proven otherwise”All input is evil, until proven otherwise”
Testing to a Threat ModelTesting to a Threat Model
Testers have problemsTesters have problems Most are not security testers (read: evil)Most are not security testers (read: evil) What needs testing?What needs testing? How do you test?How do you test?
Each threat in the model must have a test Each threat in the model must have a test planplan
The threat model helps drive testing The threat model helps drive testing conceptsconcepts
Allows for Whitehat and Blackhat testingAllows for Whitehat and Blackhat testing Prove the mitigations workProve the mitigations work Prove they don’t work :-)Prove they don’t work :-)
Testing to a Threat ModelTesting to a Threat Model
Mitigation techniques have blackhat testing Mitigation techniques have blackhat testing techniquestechniques SpoofingSpoofing
AuthenticationAuthentication Brute force creds, cred replay, downgrade to less Brute force creds, cred replay, downgrade to less
secure authn, view creds on wiresecure authn, view creds on wire Good credential storageGood credential storage
Use Information Disclosure attacksUse Information Disclosure attacks TamperingTampering
AuthorizationAuthorization Attempt authz bypassAttempt authz bypass
MAC, signingMAC, signing Tamper and re-hash?Tamper and re-hash? Create invalid hash data Create invalid hash data Force app to use less secure protocol (no SSL)Force app to use less secure protocol (no SSL)
Testing to a Threat ModelTesting to a Threat Model
RepudiationRepudiation Authn & AuthzAuthn & Authz
See Spoofing and TamperingSee Spoofing and Tampering SigningSigning
See Tampering See Tampering LoggingLogging
Prevent auditing, spoof log entries (CR/LF)Prevent auditing, spoof log entries (CR/LF) Trusted third party Trusted third party
DoS the third partyDoS the third party Info DisclosureInfo Disclosure
NOTE: Is there any PII/sensitive data in the data?NOTE: Is there any PII/sensitive data in the data? AuthorizationAuthorization
See TamperingSee Tampering EncryptionEncryption
View on-the-wire dataView on-the-wire data Kill process and scavenge for sensitive dataKill process and scavenge for sensitive data Failure leads to disclosure in error messagesFailure leads to disclosure in error messages
Testing to a Threat ModelTesting to a Threat Model
Denial of ServiceDenial of Service FilteringFiltering
Flooding, malformed dataFlooding, malformed data Authn & AuthzAuthn & Authz
See Spoofing and tamperingSee Spoofing and tamperingResource pressureResource pressure
Elev of PrivElev of Priv Don’t run with elevated privsDon’t run with elevated privs
Spend more time here!Spend more time here!
Threat Modeling NotesThreat Modeling Notes Scenario-drivenScenario-driven Note infrastructure mitigating techniques Note infrastructure mitigating techniques
vs. application mitigating techniquesvs. application mitigating techniques Determine privilege to initiate data flowDetermine privilege to initiate data flow
Helps determine chance of attackHelps determine chance of attack Be wary of unauthenticated data flowsBe wary of unauthenticated data flows
Attackers follow the path of least resistanceAttackers follow the path of least resistance All information disclosure threats are All information disclosure threats are
potentially privacy issuespotentially privacy issues Any non-mitigated threat is a potential Any non-mitigated threat is a potential
vulnerabilityvulnerability All security features must mitigate one or All security features must mitigate one or
more threatsmore threats Work on the higher-risk items firstWork on the higher-risk items first
Relative Attack SurfaceRelative Attack Surface Simple way of measuring potential for Simple way of measuring potential for
attackattack Goal of a product should be to reduce Goal of a product should be to reduce
attack surfaceattack surfaceLower privilegeLower privilegeTurn features offTurn features offDefense in depthDefense in depth
Does not address code qualityDoes not address code quality Hard to compare dissimilar productsHard to compare dissimilar products On-going work by Microsoft ResearchOn-going work by Microsoft Research
The ‘Simple’ ProcessThe ‘Simple’ Process
OldVulns
DetermineAttack
Vector(s)
Apply Bias Σ RASQ
Think of it as ‘Cyclomatic Complexity’ for Security!
Sample Windows Data Sample Windows Data PointsPoints Open socketsOpen sockets Open RPC endpointsOpen RPC endpoints Open named pipesOpen named pipes ServicesServices Services running by Services running by
defaultdefault Services running as Services running as
SYSTEMSYSTEM Active Web handlersActive Web handlers Active ISAPI FiltersActive ISAPI Filters Dynamic Web pagesDynamic Web pages Executable vdirsExecutable vdirs
Enabled AccountsEnabled Accounts Enabled Accounts in Enabled Accounts in
admin groupadmin group Null Sessions to Null Sessions to
pipes and sharespipes and shares Guest account Guest account
enabledenabled Weak ACLs in FSWeak ACLs in FS Weak ACLs in Weak ACLs in
RegistryRegistry Weak ACLs on Weak ACLs on
sharesshares ScriptingScripting
Relative Attack SurfaceRelative Attack Surface
317.7
598.3
342.3
157.1 171.2 178.3
113.2
0
100
200
300
400
500
600
700W
indo
ws
NT
4
Win
dow
s N
T 4
w/I
IS
Win
dow
s 20
00w
/IIS
Win
dow
s S
erve
r20
03
Win
dow
s S
erve
r20
03 w
/IIS
6
Win
dow
s X
P
Win
dow
s X
Pw
/IC
F E
nabl
ed
IIS
Ch
ec
kli
st
IIS
Ch
ec
kli
st
Windows Server 2003 Windows Server 2003 Reduced Attack ProfileReduced Attack Profile 20+ services off by default20+ services off by default 20+ services run in lower privilege20+ services run in lower privilege IIS6 off by defaultIIS6 off by default
Minimal functionality by defaultMinimal functionality by default All code runs in low privilege by defaultAll code runs in low privilege by default
More restrictive ACLs throughoutMore restrictive ACLs throughout Internet Explorer is an “HTML 3.2” browserInternet Explorer is an “HTML 3.2” browser ““.” directory no longer searched first.” directory no longer searched first No games installedNo games installed UDDI Server written in C#UDDI Server written in C# All Active Directory traffic is signed/sealedAll Active Directory traffic is signed/sealed SMB packet signing for Domain Controller trafficSMB packet signing for Domain Controller traffic Defense in depth measuresDefense in depth measures
‘‘safer’ string handling functionssafer’ string handling functions OS compiled with VC++ /GS flagOS compiled with VC++ /GS flag
Detects some kinds of stack-based buffer overruns at run timeDetects some kinds of stack-based buffer overruns at run time Impersonation privilegeImpersonation privilege
Changing the Process: Changing the Process: Our Ultimate GoalOur Ultimate Goal Not to inject security bugs into the Not to inject security bugs into the
code in the first place!code in the first place! Short term: remove existing flawsShort term: remove existing flaws Longer term: don’t add flaws to the codeLonger term: don’t add flaws to the code
You can’t do this through code reviewYou can’t do this through code review ……or testingor testing
They only remove They only remove existingexisting flaws flaws
You have to teach people to do the You have to teach people to do the right things…!right things…!
You must change the process!You must change the process!
The Turkish-İ problemThe Turkish-İ problem(Applies also to Azerbaijan!)(Applies also to Azerbaijan!)
Turkish has four letter ‘I’sTurkish has four letter ‘I’s ii (U+0069) (U+0069) II (U+0049) (U+0049) ıı (U+0131) (U+0131) İİ (U+0130) (U+0130)
In Turkish locale In Turkish locale UC(UC(""filefile"")==FİLE)==FİLE
// Do not allow "FILE://" URLsif(url.ToUpper().Left(4) == "FILE") return ERROR;getStuff(url);
// Only allow "HTTP://" URLsif(url.ToUpper(CULTURE_INVARIANT).Left(4) == "HTTP") getStuff(url);else return ERROR;
İ
SummarySummary
Who Am I?Who Am I? What is SWI?What is SWI? SDSD33 + c + c Secure Development ProcessSecure Development Process Threat ModelsThreat Models Relative Attack SurfaceRelative Attack Surface
How can you help?How can you help?
When is a threat model complete?When is a threat model complete? How does privacy apply to TMs?How does privacy apply to TMs? A more complete taxonomy of A more complete taxonomy of
mitigation techniques and mitigation techniques and technologiestechnologies
A more complete taxonomy of attack A more complete taxonomy of attack techniquestechniques
Is Relative Attack Surface accurate?Is Relative Attack Surface accurate? Is it worthwhile?Is it worthwhile?
© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Backup SlidesBackup Slides
DREAD RankingsDREAD Rankings
DDamage Potentialamage Potential Minor [1] Minor [1] →→ Complete Subversion [10] Complete Subversion [10]
RReproducibilityeproducibility Rare [1] Rare [1] →→ Every Time [10] Every Time [10]
EExploitabilityxploitability NSA Only [1] NSA Only [1] → My Mom [10]→ My Mom [10]
AAffected Usersffected Users 10% [1] → 100% [10]10% [1] → 100% [10]
DDiscoverabilityiscoverability Very Subtle [1] → Already on Bugtraq [10]Very Subtle [1] → Already on Bugtraq [10]