
Page 1: Pragmatic Trustworthy Computing Michael Howard (mikehow@microsoft.com) Senior Program Manager Secure Windows Initiative Microsoft Corporation

Pragmatic Trustworthy Computing

Michael Howard ([email protected])
Senior Program Manager
Secure Windows Initiative
Microsoft Corporation

Page 2

Agenda

• Who is SWI?
• What is TwC?
• What we’re doing
  • Teaching critical skills
  • Attack surface reduction
• Beyond Microsoft

Page 3

Who is SWI?

• Secure Windows Initiative
• Focus on securing Microsoft products
• Little (read: zero) focus on security features or network security
• Security Features != Secure Features

Page 4

Secure Windows Initiative

People
Train, and keep current, every developer, tester, and program manager in the specific techniques of building secure products.

Process
Make security a critical factor in design, coding and testing of every product Microsoft builds
• Major changes to development process
• Security Threat Analysis part of every design spec
• Cross-group design & code reviews
• Red Team testing and code reviews
• Security bug feedback loop & code sign-off requirements
• External reviews and testing by consultants and public

Technology
Build tools to automate everything possible in the quest to code the most secure products
• PreFIX and PreFAST for defect detection
  • Updated as new vulnerabilities found
• Visual C++ compiler improvements

Page 5

Trustworthy Computing: What Is It?

The key goal of Trustworthy Computing is to make computing so safe and reliable that people simply take it for granted—just as they take electricity and the telephone system for granted today.

• A top priority for Microsoft—and a cultural shift we are totally committed to
• A lengthy journey (at least a decade)
• Needs the commitment of the entire computer industry (software, hardware, ISPs, etc)

Page 6

Trustworthy Computing: Core Tenets

Security
• Resilient to attack
• Protects confidentiality, integrity, availability and data

Privacy
• Individuals control personal data
• Products and online services adhere to fair information principles

Reliability
• Dependable
• Available when needed
• Performs at expected levels

Business Integrity
• Vendors provide quality products
• Product support is appropriate

Page 7

SD3 + Communications

Security Framework is Vital

Secure by Design
• Secure architecture
• Improved process
• Reduce vulnerabilities in the code

Secure by Default
• Reduce attack surface area
• Unused features off by default
• Only require minimum privilege

Secure in Deployment
• Protect, detect, defend, recover, manage
• Process: How to’s, architecture guides
• People: Training

Communications
• Clear security commitment
• Full member of the security community
• Microsoft Security Response Center

Page 8

Sampling of Progress To Date

SD3 + Communications

Secure by Design
• Security training for MS engineers
• Improved process
• Security code reviews
• Threat modeling

Secure by Default
• Office XP: Scripting off by default
• No sample code installed by default
• SQL/IIS off by default in VS.NET

Secure in Deployment
• Deployment tools (MBSA, IIS Lockdown)
• Created STPP to respond to customers
• PAG for Windows 2000 Security Ops

Communications
• Microsoft Security Response Center severity rating system
• MSDN security guidance for developers
• Organization for Internet Safety formed

Page 9

Secure Product Development Timeline

[Figure: timeline with the milestones Concept, Designs Complete, Test plans Complete, Code Complete, Ship and Post Ship, with the security activities below placed against them; “= on-going” marks activities that continue through the whole cycle.]

• Secure questions during interviews
• Team member training
• Threat analysis
• Security Review
• Data mutation & Least Priv Tests
• Review old defects
• Check-ins checked
• Secure coding guidelines
• Use tools
• Security push/audit
• External review
• Learn & Refine

Page 10

Critical Skills Instilled

• Designers & Architects: Threat modeling
• Developers: Input trust issues
• Testers: Data mutation (intelligent fuzz)

Page 11

Threat Models

• You cannot build secure applications unless you understand threats
  • “We use SSL!”
• Find different bugs than code review and testing
  • Implementation bugs vs higher-level design issues
• Approx 50% of issues come from threat models

Page 12

Threat Modeling Process

• Create model of app (DFD, UML etc)
• Categorize threats to each attack target node with STRIDE
  • Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
• Build threat tree
• Rank threats with DREAD
  • Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability

Page 13

[Figure: threat tree for the DFD process node “1.2.1 Parse Request”. Each Threat (Goal) against the node is labelled with its STRIDE categories and a DREAD rank, and is decomposed into subthreats and the conditions under which they apply.]
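The process on pages 12 and 13, carried through in code as an added example (not code from Howard's slides): STRIDE letters on each threat against the DFD node, DREAD ratings on the leaves, and a ranking over the threat tree. The node name “1.2.1 Parse Request” is the slide's; the threats, subthreats, scores and the rule that a goal takes the rank of its highest subthreat are constructed here.

```python
"""Added example, not code from Howard's slides: attach STRIDE categories to
the threats against one DFD node, score the leaves with DREAD and rank the
threat tree. The node name '1.2.1 Parse Request' is from the slide; the
threats, subthreats and scores are constructed for illustration."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD_AXES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass
class Threat:
    goal: str                                     # threat (goal) or subthreat
    stride: str = ""                              # STRIDE letters, e.g. "TE"
    dread: dict = field(default_factory=dict)     # axis -> 1..10, on leaves
    children: list = field(default_factory=list)  # subthreats / conditions


def dread_score(scores):
    """DREAD rank: mean of the five 1..10 ratings; every axis must be rated."""
    missing = set(DREAD_AXES) - set(scores)
    if missing:
        raise ValueError(f"missing DREAD axes: {sorted(missing)}")
    if any(not 1 <= scores[a] <= 10 for a in DREAD_AXES):
        raise ValueError("DREAD ratings must be 1..10")
    return sum(scores[a] for a in DREAD_AXES) / len(DREAD_AXES)


def rank(threat):
    """A leaf's rank is its DREAD score; a goal with subthreats takes the
    highest-ranked one (assumption: any single subthreat realises the goal)."""
    if not threat.children:
        return dread_score(threat.dread)
    return max(rank(c) for c in threat.children)


def categories(threat):
    """Expand STRIDE letters to names, rejecting anything outside the six."""
    bad = set(threat.stride) - set(STRIDE)
    if bad:
        raise ValueError(f"unknown STRIDE letters: {sorted(bad)}")
    return [STRIDE[c] for c in threat.stride]


def dr(d, r, e, a, c):
    """Shorthand for a DREAD rating dict in the slide's axis order."""
    return dict(damage=d, reproducibility=r, exploitability=e,
                affected_users=a, discoverability=c)


def parse_request_threats():
    """Constructed threat tree for DFD node '1.2.1 Parse Request'."""
    return [
        Threat("Malformed request crashes the parser", "D", dr(5, 9, 8, 8, 7)),
        Threat("Attacker runs code via an overrun in the parser", "TE", children=[
            Threat("Oversized field overflows a stack buffer", dread=dr(10, 7, 6, 10, 5)),
            Threat("Negative length field (integer overflow)", dread=dr(10, 5, 4, 10, 3)),
        ]),
        Threat("Error text reveals server paths", "I", dr(3, 10, 9, 4, 9)),
    ]


def prioritised(threats):
    """(rank, goal, STRIDE names) sorted highest rank first: the order to test."""
    return sorted(((rank(t), t.goal, categories(t)) for t in threats),
                  key=lambda r: r[0], reverse=True)
```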

Page 14

Input Trust Issues

“All input is evil, until proven otherwise”

• Good guys provide well-formed input, bad guys don’t!
  • Buffer overruns
  • Integer overflow attacks
  • SQL injection attacks
  • XSS attacks
• Look for well-formed input, and reject everything else
• Don’t look for ‘bad’ things

Page 15

The Turkish-I problem

Turkish has four ‘I’s: i (U+0069), ı (U+0131), İ (U+0130), I (U+0049)

In the Turkish locale FILE != FİLE

    // Only allow "HTTP://" URLs: allowlist, compared after culture-invariant upper-casing
    if (url.Length >= 4 && url.ToUpper(CultureInfo.InvariantCulture).Substring(0, 4) == "HTTP")
        getStuff(url);
    else
        return ERROR;

    // Do not allow "FILE://" URLs: denylist, compared after culture-sensitive upper-casing
    // (in the Turkish locale "file" upper-cases to "FİLE", so this check lets it through)
    if (url.Length >= 4 && url.ToUpper().Substring(0, 4) == "FILE")
        return ERROR;
    getStuff(url);
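Pages 14 and 15 side by side as an added example (not code from the slides): the denylist check and the allowlist check run against the same input under an invariant and a Turkish case mapping. Python's str.upper() is culture-invariant, so turkish_upper() below simulates the tr-TR rules (i → İ, ı → I) by hand; the URLs are constructed test inputs.

```python
"""Added example, not code from the slides: page 15's two checks side by side,
with the Turkish-locale case mapping simulated. Python's str.upper() is
culture-invariant, so turkish_upper() applies the tr-TR rules by hand
(i -> İ U+0130, ı -> I U+0049) to reproduce the behaviour the slide describes."""

# Turkish upper-casing: dotted i gains a dot, dotless ı becomes plain I.
_TR_UPPER = str.maketrans({"i": "\u0130", "\u0131": "I"})


def turkish_upper(s):
    """Simulated culture-sensitive ToUpper() under the tr-TR locale."""
    return s.translate(_TR_UPPER).upper()


def invariant_upper(s):
    """ToUpper(CULTURE_INVARIANT): i -> I regardless of the user's locale."""
    return s.upper()


def denylist_allows(url, upper=invariant_upper):
    """The slide's second snippet: block what upper-cases to 'FILE', pass
    everything else. Whether it blocks depends on the locale's case mapping."""
    return upper(url)[:4] != "FILE"


def allowlist_allows(url):
    """The slide's first snippet: pass only what invariant-upper-cases to
    'HTTP' and reject everything else, whatever the user's locale."""
    return invariant_upper(url)[:4] == "HTTP"


LOCALES = (("invariant", invariant_upper), ("tr-TR", turkish_upper))


def compare(urls, locales=LOCALES):
    """Per URL: the denylist verdict under each locale and the allowlist verdict."""
    return {u: {**{f"denylist/{n}": denylist_allows(u, f) for n, f in locales},
                "allowlist": allowlist_allows(u)} for u in urls}
```

Under tr-TR the denylist passes a file:// URL because "file" upper-cases to "FİLE", while the allowlist rejects it in both locales.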

Page 16

What’s wrong with this code?

    void func(char *strName) {
        char buff[64];
        strcpy(buff, "My name is: ");
        strcat(buff, strName);   /* strName is untrusted: nothing checks it fits in buff */
    }

strName is Untrusted! These APIs are not ‘insecure’

A safe version using ‘insecure’ APIs:

    #include <string.h>

    /* Trust boundary: a name is valid only if prefix + name + NUL fit in 64 bytes */
    static int isValid(const char *strName) {
        return strName != NULL && strlen(strName) <= 64 - sizeof("My name is: ");
    }

    void func(char *strName) {
        char buff[64];
        if (isValid(strName)) {          /* strName is Trusted from here on */
            strcpy(buff, "My name is: ");
            strcat(buff, strName);
        }
    }

Page 17

On the Subject of Buffer Overruns!

• Issue is trusting the data is correct!
• Don’t simply use the ‘secure’ ‘n’ versions, i.e., strncpy rather than strcpy
• VC++ .NET adds the -GS flag
  • Mitigates some stack-smashing attacks
  • VS.NET: Function return address
  • VS.NET 2003: exception handlers, stack-based function pointers & data pointers
  • May lead to DoS rather than attack code execution
  • Most of Windows .NET Server compiled with -GS
  • On by default for new VS.NET C++ projects
  • Not a replacement for good code. Doesn’t fix code!

Page 18

Security Testing: Data Mutation & Threat Models

• A Problem: Too many “goody two shoes” testers
• We need to teach people how to think ‘evil’
• The threat model can help drive the test process
• Each threat should have at least two tests: Whitehat & Blackhat
• STRIDE helps drive test techniques
• DREAD helps drive priority

Page 19

Analytical Security Testing

• Decompose the app (threat model)
• Identify interfaces
• Enumerate input points
  • Sockets
  • Pipes
  • Registry
  • Files
  • RPC (etc)
  • Command-line args
  • Etc.
• Enumerate data structures
  • C/C++ struct data
  • HTTP body
  • HTTP headers
  • HTTP header data
  • Querystrings
  • Bit flags
  • Etc.
• Determine valid constructs

Page 20

Mutate the data!

Contents
• Length (Cl)
• Random (Cr)
• NULL (Cn)
• Zero (Cz)
• Wrong type (Cw)
• Wrong Sign (Cs)
• Out of Bounds (Co)
• Valid + Invalid (Cv)
• Special Chars (Cp)
  • Script (Cps)
  • HTML (Cph)
  • Quotes (Cpq)
  • Slashes (Cpl)
  • Escaped chars (Cpe)
  • Meta chars (Cpm)

Length
• Long (Ll)
• Small (Ls)
• Zero Length (Lz)

Container
• Name (On)
• Link to other (Ol)
• Exists (Oe)
• Does not exist (Od)
• No access (Oa)
• Restricted Access (Or)

Network Specific
• Replay (Nr)
• Out-of-sync (No)
• High volume (Nh)

Page 21

Data mutation example

OnHand.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <items>
      <item name="Foo" readonly="true">
        <cost>13.50</cost>
        <lastpurch>20020903</lastpurch>
        <fullname>Big Foo Thing</fullname>
      </item>
      ...
    </items>

Mutations annotated on the slide:

The file (OnHand.xml)
• Filename too long (On:Cl:Ll)
• Link to another file (Ol)
• Deny access to file (Oa)
• Lock file (Oa)

The file contents
• No data (Cl:Lz)
• Full of junk (Cr)

Element data
• Escaped (Cpe)
• Junk (Cr)

The XML version declaration
• Different version (Cs & Co)
• No version (Cl:Lz)
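The page-20 taxonomy applied to the page-21 file, as an added example that is not code from the slides: a generator that produces the content mutants the slide annotates (no data, junk, escaped chars, junk in an element, different and missing XML version, plus a wrong-sign cost), and a constructed loader that must reject each one with a ValueError rather than crash. The XML is the slide's; the loader, its validation rules and the mutation bodies are assumptions, and the container mutants (On/Ol/Oa) that need a real file system are left out.

```python
"""Added example, not code from the slides: build the page-21 content mutants
of OnHand.xml from the page-20 codes and check that a loader rejects each one
cleanly (ValueError) instead of crashing. The XML is the slide's; the
mutation bodies and the loader are constructed here."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from decimal import Decimal, InvalidOperation

ONHAND = (b'<?xml version="1.0" encoding="utf-8"?>\n<items>\n'
          b'  <item name="Foo" readonly="true">\n    <cost>13.50</cost>\n'
          b'    <lastpurch>20020903</lastpurch>\n'
          b'    <fullname>Big Foo Thing</fullname>\n  </item>\n</items>\n')


def mutants(doc=ONHAND):
    """Mutation code -> mutated document, following the slide's annotations."""
    return {
        "Cl:Lz no data": b"",
        "Cr full of junk": bytes(range(256)),          # constructed junk
        "Cpe escaped chars": doc.replace(b"Big Foo Thing", b"&lt;&amp;&quot;" * 8),
        "Cr junk in element": doc.replace(b"13.50", b"\xff\xfe\x00junk"),
        "Cs&Co different version": doc.replace(b'version="1.0"', b'version="-1.0"'),
        "Cl:Lz no version": doc.replace(b' version="1.0"', b""),
        "Cs wrong sign": doc.replace(b"13.50", b"-13.50"),
    }


def xml_version(data):
    """Require an explicit <?xml version="1.0"?> declaration up front."""
    m = re.match(rb'<\?xml\s+version="([^"]*)"', data)
    if m is None:
        raise ValueError("missing XML declaration or version")
    if m.group(1) != b"1.0":
        raise ValueError(f"unsupported XML version {m.group(1)!r}")


def load_items(data):
    """Parse inventory bytes into (name, cost, date) tuples: look for
    well-formed values and reject everything else (page 14's rule)."""
    xml_version(data)
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        raise ValueError(f"not well-formed: {e}") from None
    if root.tag != "items":
        raise ValueError("root element must be <items>")
    out = []
    for item in root.findall("item"):
        name, full = item.get("name", ""), item.findtext("fullname", "")
        if not (0 < len(name) <= 32 and name.isalnum()):
            raise ValueError("item name must be 1-32 alphanumerics")
        if not (0 < len(full) <= 64 and full.replace(" ", "").isalnum()):
            raise ValueError("fullname must be alphanumerics and spaces")
        try:
            cost = Decimal(item.findtext("cost", ""))
            when = datetime.strptime(item.findtext("lastpurch", ""), "%Y%m%d")
        except (InvalidOperation, ValueError):
            raise ValueError("cost or lastpurch not well-formed") from None
        if not 0 <= cost <= Decimal("1000000"):
            raise ValueError("cost out of bounds")
        out.append((name, cost, when.date()))
    return out


def run_mutants(doc=ONHAND):
    """Outcome per mutant: 'ok' or 'rejected: <reason>'; any other exception
    escapes on purpose, since that crash is what a mutation test exists to find."""
    results = {}
    for code, data in mutants(doc).items():
        try:
            load_items(data)
            results[code] = "ok"
        except ValueError as e:
            results[code] = f"rejected: {e}"
    return results
```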

Page 22

Relative Attack Surface

• Simple way of measuring potential for attack
• Features are attacked → Security Bugs
• Less Features == Less Security Bugs
• Goal of a product should be to reduce attack surface
  • Lower priv
  • Turn features off
  • Defense in depth

Page 23

Founded on past mistakes

• Products have vulnerability points
• Windows is attacked one way, Linux another, SQL Server yet another
• Hard to compare non-similar products

Page 24

The Process

Old Vulns → Determine Attack Vector(s) → Apply Bias → Σ = RASQ

Think of it as ‘Cyclomatic Complexity’ for Security!

Page 25

Sample Windows Data Points

• Open sockets
• Open RPC endpoints
• Open named pipes
• Services
• Services running by default
• Services running as SYSTEM
• Active Web handlers
• Active ISAPI Filters
• Dynamic Web pages
• Executable vdirs
• Enabled Accounts
• Enabled Accounts in admin group
• Null Sessions to pipes and shares
• Guest account enabled
• Weak ACLs in FS
• Weak ACLs in Registry
• Weak ACLs on shares

Page 26

The Figures are interesting

[Figure: bar chart of RASQ (y-axis 0 to 700) for Windows NT 4 SP6a, Windows NT 4 SP6a + Option Pack, Windows 2000, Windows .NET Server, Windows .NET Server w/IIS, Windows XP, and Windows XP w/ICF Enabled.]

Page 27

Using RASQ to build better products

• Product A agrees on RASQ data points
  • Based on past exploits
  • SWI has buy in
• v1 has RASQ = 350
• Goal for v2 is to reduce RASQ by at least 10%
  • Add as many features as you want
  • But do so while still reducing RASQ
• Measurable!
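The process on pages 24 to 27 in code, as an added example that is not the slides' own method or Microsoft's figures: enumerate counts per attack vector from the page-25 data points, apply a bias per vector, sum to a RASQ, and check a v2 build against the “reduce by at least 10%” goal. The vector names are the slide's; the bias weights and the v1/v2 counts are constructed (v1 is built to total the slide's 350).

```python
"""Added example, not code from the slides: a Relative Attack Surface Quotient
computed the way pages 24-27 describe (enumerate attack vectors, apply a bias
per vector, sum) and a check of a v2 build against the 'reduce by at least
10%' goal. Data-point names are the slide's; the bias weights and the v1/v2
counts are constructed, not Microsoft's figures."""

# Bias per attack vector (constructed): weights past exploitability of the vector.
BIAS = {
    "open_sockets": 1.0, "open_rpc_endpoints": 0.9, "open_named_pipes": 0.8,
    "services": 0.8, "services_running_by_default": 0.8,
    "services_running_as_system": 0.9, "active_web_handlers": 1.0,
    "active_isapi_filters": 1.0, "dynamic_web_pages": 0.6,
    "executable_vdirs": 1.0, "enabled_accounts": 0.7,
    "enabled_accounts_in_admin_group": 0.9,
    "null_sessions_to_pipes_and_shares": 0.9, "guest_account_enabled": 1.0,
    "weak_acls_in_fs": 0.7, "weak_acls_in_registry": 0.7,
    "weak_acls_on_shares": 0.9,
}

# Constructed counts for a v1 build; with BIAS they sum to the slide's RASQ of 350.
V1 = dict(open_sockets=49, open_rpc_endpoints=30, open_named_pipes=20,
          services=50, services_running_by_default=40,
          services_running_as_system=30, active_web_handlers=25,
          active_isapi_filters=6, dynamic_web_pages=100, executable_vdirs=5,
          enabled_accounts=10, enabled_accounts_in_admin_group=10,
          null_sessions_to_pipes_and_shares=10, guest_account_enabled=1,
          weak_acls_in_fs=20, weak_acls_in_registry=20, weak_acls_on_shares=10)

# v2 adds features (more dynamic pages) but turns things off and drops privilege.
V2 = {**V1, "open_sockets": 30, "services_running_by_default": 20,
      "services_running_as_system": 10, "dynamic_web_pages": 120,
      "enabled_accounts_in_admin_group": 2,
      "null_sessions_to_pipes_and_shares": 0, "guest_account_enabled": 0,
      "weak_acls_in_fs": 10, "weak_acls_in_registry": 10,
      "weak_acls_on_shares": 5}


def rasq(counts, bias=BIAS):
    """Σ bias[vector] × count over the agreed data points. A vector outside the
    agreed list is an error, so a new feature cannot escape the measurement."""
    unknown = set(counts) - set(bias)
    if unknown:
        raise ValueError(f"vectors outside the agreed data points: {sorted(unknown)}")
    if any(n < 0 for n in counts.values()):
        raise ValueError("counts must be non-negative")
    return sum(bias[v] * n for v, n in counts.items())


def contributors(counts, bias=BIAS, top=3):
    """Largest contributions first: the vectors to turn off or lock down first."""
    return sorted(((bias[v] * n, v) for v, n in counts.items()), reverse=True)[:top]


def meets_goal(v1, v2, reduction=0.10):
    """(rasq v1, rasq v2, met): met when v2 is at least `reduction` below v1."""
    a, b = rasq(v1), rasq(v2)
    return a, b, b <= a * (1 - reduction) + 1e-9
```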

Page 28

Beyond Microsoft: Sharing new issues and education

• Writing Secure Code 2nd Edition
• “Code Secure” at msdn.microsoft.com
• More whitepapers
• Strsafe.h
• SiteLock
• Microsoft Official Curriculum
  • 2805a – Security Seminar for Developers
• ISV training
• Premier Partner Training

Page 29

The Ultimate Goal

• Not to inject security bugs into the code in the first place!
  • Short term: remove existing flaws
  • Longer term: don’t add them to the code
• You can’t do this through code review …or testing
  • Only remove existing flaws
• You have to teach people to do the right things…!

Page 30

Summary

• Who is SWI?
• What is TwC?
• What we’re doing
  • Teaching critical skills
  • Attack surface reduction
• Beyond Microsoft
