Security Process & You: SQL Server Case Study James Hamilton General Manager SQL Server Webdata Development & Security Architect

Page 1: Security Process & You: SQL Server Case Study

James Hamilton, General Manager, SQL Server Webdata Development & Security Architect

Page 2: Agenda

Risk Escalating Rapidly
SQL Injection Demo
Case Study: SQL Server Security Push
SQL Server Lessons Learned
Security Tools & Automation
Admin, Data Protection, & App Design
Summary

Page 3: Incidents Reported Industry Wide

CERT/CC incident statistics, 1988 through 2003.
Incident: a single security issue, grouping together all impacts of that issue.
Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality.

[Figure: bar chart of incidents reported per year, 1988 through 2003; y axis 0 to 90,000 incidents]

Source: http://www.cert.org/stats/cert_stats.html

Page 4: Know Your Enemy

Cracker tools:
• Port scanners
• Brute force password crackers
• Dictionary based password crackers
• Network sniffers
• De-compilers
• Debuggers
• Black hat community sharing

Page 5: Data Thief Architecture

[Figure: three boxes, the attacker's local DB, the vulnerable application, and the application database, connected by the steps below]

1. Attack string: form values appended with an extra SQL statement.
2. SQL-injected query: contains an OPENROWSET statement.
3. The SQL-injected OPENROWSET statement causes the remote DB to connect back to the attacker's DB, sending back useful data.

Page 6: Data Thief Demonstration

Presented by Girish Chander, SQL Server Security PM
Data Thief author: Cesar Cerrudo
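The attack path in the Data Thief diagram, reduced to something that runs offline, as an added example that is not from the deck and not the Data Thief tool itself. It assumes an in-memory SQLite database with constructed users, audit and exfil tables and a hypothetical log_visit function; the exfil table stands in for the attacker's own server, which in the real demo the injected OPENROWSET statement connects back to. The vulnerable path builds the batch by string concatenation and runs it as a batch, which is exactly why the appended statement executes; the safe path binds the same form value as a parameter.

```python
import sqlite3

# Constructed stand-in for the Data Thief set-up: an application database
# with a credentials table, plus an "exfil" table that plays the role of
# the attacker's own database (in the real demo the injected OPENROWSET
# statement pushes rows to a remote server the attacker controls).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pwd TEXT);
        INSERT INTO users(name, pwd) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE audit(who TEXT);
        CREATE TABLE exfil(data TEXT);
        """
    )
    return conn


# Form value an attacker submits: it closes the quoted literal and the
# statement, appends a second statement, and comments out the remainder.
PAYLOAD = "x'); INSERT INTO exfil SELECT name || ':' || pwd FROM users; --"


def log_visit_vulnerable(conn: sqlite3.Connection, who: str) -> None:
    """Builds the batch by string concatenation, as the vulnerable
    application in the diagram does. executescript() runs the whole batch,
    as a SQL Server client batch would, so the appended statement executes
    with the application's own database privileges."""
    batch = "INSERT INTO audit(who) VALUES ('" + who + "');"
    conn.executescript(batch)


def log_visit_safe(conn: sqlite3.Connection, who: str) -> None:
    """Same operation with a parameterised statement: the form value is
    bound as data, so it can never change the shape of the query."""
    conn.execute("INSERT INTO audit(who) VALUES (?)", (who,))
    conn.commit()


def exfiltrated(conn: sqlite3.Connection) -> list:
    """What ended up in the attacker-controlled table."""
    return [r[0] for r in conn.execute("SELECT data FROM exfil ORDER BY data")]


def audit_entries(conn: sqlite3.Connection) -> list:
    """What the application itself recorded."""
    return [r[0] for r in conn.execute("SELECT who FROM audit")]


def demo() -> tuple:
    """Returns (rows stolen via the vulnerable path, rows stolen via the safe path)."""
    vuln = make_db()
    log_visit_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    log_visit_safe(safe, PAYLOAD)
    return exfiltrated(vuln), exfiltrated(safe)


if __name__ == "__main__":
    stolen, nothing = demo()
    print("vulnerable path leaked:", stolen)
    print("parameterised path leaked:", nothing)
```

Parameterisation, not quote-escaping, is the fix: the safe path stores the whole payload as an ordinary audit string and the exfil table stays empty. Input validation (the "Validate all user input" point later in the deck) is defence in depth on top of that, not a substitute for it.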

Page 7: Agenda

Risk Escalating Rapidly
SQL Injection Demo
Case Study: SQL Server Security Push
SQL Server Lessons Learned
Security Tools & Automation
Admin, Data Protection, & App Design
Summary

Page 8: Security Push Timeline

Timeline: Preparation Phase, Security Push, Push Follow-on; milestones 3/15/2003, 5/1/2003, 8/1/2003.

Push Preparation
• Goal: full 800-person team productive from start
• Identify components
• Complete threat models
• Complete education
• Select push start date
• Security plan
• Security reps from each team
• Set triage bars
• Infrastructure set-up

Security Push
• 5 million+ lines of code reviewed
• Two releases in service, one more release in development
• 100% team focus during push: Dev, Test, PM, & UE; no other non-security work
• Three-pronged approach: targeted code reviews; tools targeting security; threat-driven reviews & testing

Page 9: Push Prep: Communications

Learning from other teams' experiences: Windows, VS .NET, & IIS preceded SQL
Team readiness critical: don't start the security push until the team is prepared
Security push plan: motivation, goals, approach, process, fix bar, …
Education plan for team
Web site set up for general announcements & communication

Page 10: Push Prep: Training

Security training for every team member: mandatory for Architects, PMs, Developers & Testers
Material covered includes: threat modeling, hacker/cracker tools, black hat community, security development & test tools, attack vectors & defense
Video tape training for new team members
Security talks series: more detail on important security-related topics; staying current with evolving threats
On-demand webcasts (search on security): http://www.microsoft.com/usa/webcasts/ondemand/default.asp

Page 11: Push Prep: Infrastructure Ready

Cross-component team to drive push: SQL Security Leads
Bug tracking guidelines detailed: classification of bugs and threats
Separate bug tracking DB for tracking file reviews: tracks code review progress & completeness
Identification of components: 228 components; risk level assessed for each; threat models for each component
Getting security tools running & building skills
Clear fix criteria set
Tracking progress is critical

Page 12: Security Push Timeline (timeline slide repeated from Page 8)

Page 13: Push: Threat Modeling Process

1. Collect Background Information: use scenarios, implementation assumptions, external dependencies, external security notes, internal security notes
2. Model the System: entry points, assets, trust levels, data flow diagrams / process models
3. Determine Threats: identify threats; analyze threats / determine vulnerabilities

• A process to understand and document threats to a system
• Methodical and complete
• Describes the system's threat profile
• Goal is to find design-level issues before code is written

Page 14: Push: Example Data Flow Diagram

[Figure: example data flow diagram]

Page 15: Push: Threat Modeling

Threats must be understood to build secure systems
Every spec/design goes through threat analysis
Model of component is created (typically a DFD)
Threats categorized based on STRIDE
Severity ranked based on DREAD, NOT on how hard the threat is to fix

STRIDE:
S - Spoofing
T - Tampering with data
R - Repudiation
I - Information disclosure
D - Denial of service
E - Elevation of privilege

DREAD:
D - Damage potential
R - Reproducibility
E - Exploitability
A - Affected users
D - Discoverability

Page 16: Push: Security SWAT Team

Central team focused on cross-component analysis
Members chosen from different teams
Build and share security expertise
Overall approach:
• Met on a daily basis
• Choose component based on priority & risk
• Invite relevant team members for that component
• Collectively brainstorm to ferret out cross-component threats
Experience: an effective approach, part of an ongoing, regular effort to audit product security

Page 17: Push: Dead Code Removal

Dead code removal: code hygiene & work reduction
Why maintain & review non-executable code? Code in product might be used in future
Dead code detector built from code coverage tool:
• Analyzes compiled binaries
• Automatically files bugs: one bug per file, assigned to the owner or last modifier

Page 18: Push: Code Reviews

Threat-model directed & tools-driven reviews
Code review teams set up: typically 2 developers and 1 tester at least
Code review driver is not the code owner
Tester files bugs & acts as scribe (some teams rotated roles)
Code review experience:
• Teams progressively became more efficient
• First 90 minutes are the most effective
• A pass over the code by the reviewer prior to the code review helped
• Presentation by the code owner was very helpful
• Averaged 800-1200 lines reviewed per team per day

Page 19: Push: Analytical Security Testing

A testing method that simulates how an attacker operates
Decompose the app (threat-model driven): identify interfaces, enumerate input points
• Sockets, pipes, registry, files, RPC (etc.), command-line args, etc.
Enumerate data structures
• C/C++ struct data, HTTP body, HTTP headers, HTTP header data, other protocol headers, querystrings, bit flags
Attack all data structures, wire formats, and input data

Page 20: Push: Attack Team

Red Team: Microsoft-wide ethical cracking group
50-50 split: reactive (analysis of reported bugs) and proactive (security reviews)
Both formal and informal security reviews: formal reviews by risk exposure; the greater the exposure, the deeper the review
Analytical security testing: advanced fuzz & data mutation tools developed
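The "attack all data structures and wire formats" step from Page 19 and the "fuzz & data mutation tools" of Page 20, as an added example that is not the team's tooling and not code from the deck. It assumes a constructed wire format (a record count followed by type/length/value records) and a hypothetical parser written twice: once trusting every length field, once checking each declared length against the bytes actually present. The mutation harness flips bits, writes boundary bytes, truncates, and overwrites 16-bit fields with extreme values, then treats any exception other than the parser's own deliberate rejection as a defect.

```python
import random
import struct


class ParseError(Exception):
    """Deliberate rejection of malformed input: the parser's intended behaviour."""


# Constructed wire format for the example: a 2-byte big-endian record count,
# then records of [1-byte type][2-byte big-endian length][length bytes].
SEED = (
    struct.pack(">H", 2)
    + bytes([1]) + struct.pack(">H", 3) + b"abc"
    + bytes([2]) + struct.pack(">H", 1) + b"z"
)


def parse_records_naive(data: bytes) -> list:
    """Trusts every length field in the input; this is the defect under test."""
    count = struct.unpack_from(">H", data, 0)[0]
    pos, out = 2, []
    for _ in range(count):
        rtype = data[pos]
        rlen = struct.unpack_from(">H", data, pos + 1)[0]
        pos += 3
        out.append((rtype, data[pos:pos + rlen]))
        pos += rlen
    return out


def parse_records_checked(data: bytes) -> list:
    """Same format, but every declared length is checked against the bytes
    actually present before it is used."""
    if len(data) < 2:
        raise ParseError("short header")
    count = struct.unpack_from(">H", data, 0)[0]
    pos, out = 2, []
    for _ in range(count):
        if len(data) - pos < 3:
            raise ParseError("truncated record header")
        rtype = data[pos]
        rlen = struct.unpack_from(">H", data, pos + 1)[0]
        pos += 3
        if len(data) - pos < rlen:
            raise ParseError("declared length exceeds input")
        out.append((rtype, data[pos:pos + rlen]))
        pos += rlen
    if pos != len(data):
        raise ParseError("trailing bytes")
    return out


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One data-mutation step: bit flip, boundary byte, truncation, or an
    extreme value written over a 16-bit field (the fields a parser trusts)."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        i = rng.randrange(len(b))
        b[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    elif len(b) >= 2:
        i = rng.randrange(len(b) - 1)
        struct.pack_into(">H", b, i, rng.choice([0, 1, 0x7FFF, 0x8000, 0xFFFF]))
    return bytes(b)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Feeds mutated inputs to the parser. ParseError is the graceful path;
    any other exception is a defect, recorded with the input that triggered it."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            parser(case)
        except ParseError:
            continue
        except Exception as exc:  # the harness wants everything else
            crashes.append((type(exc).__name__, case))
    return crashes


if __name__ == "__main__":
    print("naive parser crashes:", len(fuzz(parse_records_naive, SEED, 500)))
    print("checked parser crashes:", len(fuzz(parse_records_checked, SEED, 500)))
```

In Python the defect shows up as an uncaught IndexError or struct.error; in the C/C++ struct parsing the slide lists, the same missing check is a read or write past the buffer. The seeded generator makes every run reproducible, which matters once a crash has to be handed to the owner as a bug.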

Page 21: Security Push Timeline (timeline slide repeated from Page 8)

Page 22: Follow-on: What was learned?

Set realistic schedules
Get training done before starting
Invest in tools early & aggressively
Clearly identify system components early
Code reviews: provide guidelines & goals for each review
Security focus improved overall system quality: cross-component interactions better understood; improved both functional & penetration testing
Define unambiguous exit criteria
Clear progress-tracking metrics required
Process sometimes interferes with progress

Page 23: Agenda

Risk Escalating Rapidly
SQL Injection Demo
Case Study: SQL Server Security Push
SQL Server Lessons Learned
Security Tools & Automation
Admin, Data Protection, & App Design
Summary

Page 24: Development Tools

Engineers are good at finding specific vulnerabilities (innovation required), but not at reliably finding all instances of a specific bug class across millions of lines of code
Focus on tools to supplement manual efforts: tools that can help identify issues in code; managed code is part of the answer
Development tools used: PREfix & PREfast; FxCop; compiler/linker options: /GS, /SAFESEH; OS-level support: NOEXECUTE (DEP)

Page 25: Sample PREfast Defect

    ...
    CHAR buff[MAX_PATH];
    GetWindowsDirectory(buff, sizeof(buff));   // Warning: failure to check return value
    SetCurrentDirectory(buff);

GetWindowsDirectory can fail in low-memory situations: it returns 0 on failure, and when the buffer is too small it returns the size required rather than a usable path. Either way buff is then handed to SetCurrentDirectory unchecked.

Page 26: Example Defect Classes

Resource leakage: leaking memory/resource
Pointer management: dereferencing NULL pointer; dereferencing invalid pointer; dereferencing or returning pointer to freed memory
Illegal state: resource in illegal state; illegal value; divide by zero; writing to constant string
Memory management: double frees; freeing pointer to non-allocated memory (stack, global, etc.); freeing pointer in middle of memory block
Initialization: using uninitialized memory; freeing or dereferencing uninitialized pointer
Bounds violations: overrun & underrun; failure to validate buffer size

• Managed code avoids many of these issues without post-authoring analysis tools

Page 27: Agenda

Risk Escalating Rapidly
SQL Injection Demo
Case Study: SQL Server Security Push
SQL Server Lessons Learned
Security Tools & Automation
Admin, Data Protection, & App Design
Summary

Page 28: Application & DB Administration

Basic security practices:
• Automated enterprise software inventory
• Run MBSA frequently
• Apply latest patches; use Windows Update or Software Update Services
• Audit authentication successes & failures at all tiers
• Corporate security policy with periodic audit
• Senior security czar with the ability to drive change
• Emergency response & disaster recovery plans
• Small admin group
• Minimum privilege & strong passwords enforced on all
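Auditing authentication successes and failures only pays off if something reads the audit trail, and the brute force and dictionary crackers listed under "Know Your Enemy" are the first thing it should catch. The detector below is an added example, not from the deck and not a Microsoft tool; the sample lines are constructed and merely patterned on SQL Server error-log "Logon" entries (the exact format is an assumption, so adapt LINE_RE to the log source in use). It keeps a sliding window of failures per client address, alerts once the count crosses a threshold, and alerts again if a login from that client then succeeds while the burst is still inside the window, which is the case that matters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, patterned on SQL Server error-log "Logon" lines
# (format assumed for the example; adapt LINE_RE to your own log source).
SAMPLE_LOG = """\
2003-05-01 10:00:00.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-05-01 10:00:05.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-05-01 10:00:07.00 Logon       Login failed for user 'reports'. [CLIENT: 10.0.0.9]
2003-05-01 10:00:10.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-05-01 10:00:12.00 Logon       Login succeeded for user 'reports'. [CLIENT: 10.0.0.9]
2003-05-01 10:00:15.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-05-01 10:00:20.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-05-01 10:00:25.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2003-05-01 10:00:30.00 Logon       Login succeeded for user 'sa'. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_line(line: str):
    """Returns (timestamp, succeeded, user, client), or None for non-logon lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["outcome"] == "succeeded", m["user"], m["client"]


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window detector over authentication events.

    Emits ('brute_force', client, user, n) once a client accumulates
    `threshold` failures inside `window`, and ('success_after_failures', ...)
    when a login from that client then succeeds while the burst is still
    inside the window. A lone failure (a typo) never alerts.
    """
    failures = defaultdict(list)   # client -> timestamps of recent failures
    flagged = set()                # clients already reported for brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ok, user, client = ev
        recent = [t for t in failures[client] if ts - t <= window]
        if not ok:
            recent.append(ts)
            if len(recent) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("brute_force", client, user, len(recent)))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", client, user, len(recent)))
        failures[client] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying the window on the client address rather than the login name is deliberate: a dictionary attack cycles through many names from one source, and the "success after failures" alert is what distinguishes a guess that worked from noise. Run the same logic at every tier that authenticates, not only on the database server.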

Page 29: Data Protection & App. Design

Data protection:
• Hot standby: clustering, log shipping, or DB mirroring (Yukon)
• Frequent backups: offsite, with media encryption
• Offline, automated, non-production test systems
• Encrypted channels for transferring sensitive information
• Use integrated security with strong passwords
Isolate services:
• Do not install services on a domain controller
• Services should run under low-privileged accounts (not shared)
• Mid-tier/data-tier isolation with multiple firewalls
• Surface area reduction: remove/disable unneeded services
• No direct access to the data tier
App design:
• Two-tier client-side doesn't work: security must be in the data tier
• Apps that "hide" DB passwords in the client tier don't work
• Access only via carefully reviewed mid-tier code
• Validate all user input

Page 30: Summary

Threat profile increasing
SQL Security Push case study: communication, training, infrastructure & tools, goals & exit criteria
Security tools and techniques: threat models, Security SWAT team, code reviews, analytical security testing, attack team
Application & DB administration, data protection & application design

Page 31: Resources

Microsoft Security and Privacy site: http://www.microsoft.com/security/
SQL Security White paper: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/Default.asp
MBSA Home: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp

Books:
• Microsoft Windows 2000 Security Technical Reference
• Writing Secure Code, 2/e
• Building Secure Microsoft® ASP.NET Applications

Page 32: Microsoft (closing slide)