The “Everything Developer Security” Talk Michael Howard Principal Security Program Manager...

Post on 02-Apr-2015


The “Everything Developer Security” Talk
Michael Howard
Principal Security Program Manager
Microsoft Corp

Come ask questions, voice concerns, get insights and guidance at this interactive theater talk that has no defined agenda, other than developer-related security issues. Michael will simply put a list of topics that interest him on the screen, and from that point on it’s open season! Examples include: -GS, ASLR, DEP, C/C++ security, Windows Vista security, the SDL and how it applies to agile methods, and lessons learned from five years of Trustworthy Computing.


How do I sell security to management?

Selling Security

• Don’t sell security
  • CxOs are sick of hearing “the sky might fall”
  • There is little ROI evidence for security today
  • Unless your stock symbol is MSFT!
• Sell privacy
• Get the risk management folks in the room
  • Spending €100,000 to offset €17,000,000 of risk is a no-brainer


What is the #1 Skill Developers should Learn?

Never Trust Data

• “All data is evil, until proven otherwise”
• The most heinous bugs are because of too much trust in data
  • Buffer overruns
  • Cross-site scripting
  • HTTP response splitting
  • Cross-site request forgery
  • SQL injection
  • Command injection
  • XPath injection
  • Etc.

Never Trust Data: Evidence

• 47% of security bugs tracked by CVE between 2001-2004 were due to too much trust in data
• Stragglers include:
  • Breaking a sandbox, poor crypto, information disclosure etc.

Never Trust Data: Action

• Don’t solely use “blocklists”
• Constrain
  • Only allow what you know to be good
  • Eg: constrain to only a valid email address
• Reject
  • Reject that which you know is bad
  • Eg: reject bad characters, often environment specific (Web etc) such as <>& etc
• Sanitize
  • Encode if possible
  • Eg: HTML encode

Do NOT look ONLY for “bad things.” It assumes you know all the “bad things”.

Example: a filter that strips the word “delete” once turns

  deldeleteete from table

into

  delete from table
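A constructed illustration of the slide’s three actions (constrain, reject, sanitize) next to the single-pass blocklist it warns against. This is added example code, not from the talk; the e-mail pattern and the “delete” filter are assumed stand-ins.

```python
import html
import re

# Constructed example (not the talk's code): an allowlist pattern for the
# "constrain to a valid email address" action. Deliberately simple.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BAD_HTML_CHARS = set("<>&\"'")


def blocklist_filter(s: str) -> str:
    """The 'look only for bad things' approach: strip the word 'delete'.
    One pass over a nested payload leaves the forbidden word behind."""
    return s.replace("delete", "")


def constrain(s: str) -> bool:
    """Only allow what you know to be good: here, a syntactically valid e-mail."""
    return EMAIL_RE.fullmatch(s) is not None


def reject(s: str) -> bool:
    """Reject that which you know is bad: here, HTML metacharacters."""
    return not (set(s) & BAD_HTML_CHARS)


def sanitize(s: str) -> str:
    """Encode rather than strip, so the data stays inert in an HTML context."""
    return html.escape(s, quote=True)


if __name__ == "__main__":
    print(blocklist_filter("deldeleteete from table"))   # delete from table
    print(constrain("alice@example.com"), constrain("alice@example.com<b>"))
    print(reject("plain text"), reject("<script>"))
    print(sanitize("<a&b>"))
```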


What is the #1 Skill Testers should Learn?

Fuzz!

• Fuzzing was designed to find reliability bugs
• It turns out many reliability bugs are actually security bugs
  • A buffer overrun defect might crash an app
  • The right payload could execute malicious code

Fuzz: Evidence

• Just about every file parsing bug ever found in the history of software was found through fuzzing!

XLS (MS06-012), BMP (MS06-005, MS05-002), TNEF (MS06-003), EOT (MS06-002), WMF (MS06-001, MS05-053), EMF (MS06-053), PNG (MS05-009), GIF (MS05-052, MS04-025), JPG (MS04-028), ICC (MS05-036), ICO (MS05-002), CUR (MS05-002), ANI (MS05-002), DOC (MS05-035), ZIP (MS04-034), ASN.1 (MS04-007), Etc…

Fuzz: Action

• Fuzz all formats you consume
• SDL mandates 100,000 iterations per file format
• Build an ‘evil layer’


[Diagram: Client -- ‘pure evil’ layer -- Server]

#ifdef __EVIL__
#include <stdlib.h>   // rand(); on MSVC also __max()

// The ‘evil layer’: compiled in only when __EVIL__ is defined, so the
// shipping build never contains it.
void FuzzBuf(__inout_bcount(*pcbBuf) char *pBuf, __inout size_t *pcbBuf) {
    if (!*pcbBuf || !*pBuf) return;
    if ((rand() % 100) > 7) return;             // fuzz about 7% of buffers

    size_t loop = 1 + (rand() % 4);
    for (size_t j = 0; j < loop; j++) {
        size_t i = 0, iLow = rand() % *pcbBuf, iHigh = 1 + rand() % *pcbBuf;
        if (iLow > iHigh) { size_t t = iHigh; iHigh = iLow; iLow = t; }
        char ch = 0;
        switch (rand() % 7) {
        case 0:  // flip upper bit
            for (i = iLow; i < iHigh; i++) { pBuf[i] ^= 0x80; }
            break;
        case 1:  // write a series of random bytes
            for (i = iLow; i < iHigh; i++) { pBuf[i] = (char)(rand() % 256); }
            break;
        case 2:  // set NULL bytes to random value
            for (i = iLow; i < iHigh; i++) { if (!pBuf[i]) pBuf[i] = (char)(rand() % 256); }
            break;
        case 3:  // switch bytes at random (step is at least 1 so the loop always advances)
            for (i = iLow; i < __max(iHigh - 1, iLow); i += 1 + rand() % 8) {
                char t = pBuf[i]; pBuf[i] = pBuf[i + 1]; pBuf[i + 1] = t;
            }
            break;
        case 4:  // write a random series of bytes at random locations
            for (i = iLow; i < __max(iHigh - 1, iLow); i += 1 + rand() % 8) { pBuf[i] = (char)(rand() % 256); }
            break;
        case 5:  // write a random byte to a range
            ch = (char)(rand() % 256);
            for (i = iLow; i < iHigh; i++) { pBuf[i] = ch; }
            break;
        default: // truncate the data
            *pcbBuf = iHigh;
            break;
        }
    }
}
#endif

Pop Quiz: What’s wrong with this design?

When a TCP/IP SYN packet arrives, the TCP/IP stack uses the following algorithm to derive a 12-bit integer, and the result is used as an insertion and look-up value in a hash-table.

  value ← 32-bit packed source IP address
  value ← value XOR source port
  value ← value MOD 4093
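Both inputs to that algorithm, the source IP address and the source port, are chosen by whoever sends the SYN, so a sender can pick values that all land in one bucket and turn every lookup into a walk of one long chain. The example below is added here (not from the talk): it measures that property for the slide’s function and shows the usual remedy, a hash mixed with a secret chosen at boot; the keyed variant and the documentation address are assumptions.

```python
import hashlib
import ipaddress
import os

BUCKETS = 4093  # the MOD on the slide


def bucket(src_ip: str, src_port: int) -> int:
    """The slide's algorithm: packed source IP, XOR source port, MOD 4093."""
    value = int(ipaddress.IPv4Address(src_ip))
    value ^= src_port
    return value % BUCKETS


def new_secret() -> bytes:
    """Per-boot secret for the keyed variant (assumed remediation)."""
    return os.urandom(16)


def keyed_bucket(src_ip: str, src_port: int, secret: bytes) -> int:
    """Assumed remediation, not on the slide: mix a secret into the hash so the
    bucket is no longer computable from the fields the sender picks."""
    data = ipaddress.IPv4Address(src_ip).packed + src_port.to_bytes(2, "big")
    digest = hashlib.blake2b(data, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def ports_sharing_bucket(src_ip: str, port0: int) -> list:
    """Every 16-bit source port from one address that lands in port0's bucket.
    About 65536/4093, i.e. 16 or 17 ports, share each bucket."""
    target = bucket(src_ip, port0)
    return [p for p in range(65536) if bucket(src_ip, p) == target]


def distinct_keyed_buckets(src_ip: str, ports: list, secret: bytes) -> int:
    """How many buckets those same packets occupy once the hash is keyed."""
    return len({keyed_bucket(src_ip, p, secret) for p in ports})


if __name__ == "__main__":
    ip = "203.0.113.7"                  # constructed documentation address
    same = ports_sharing_bucket(ip, 40000)
    print(len(same), "ports from", ip, "collide in bucket", bucket(ip, 40000))
    print(distinct_keyed_buckets(ip, same, new_secret()), "buckets after keying")
```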


What is the #1 Skill Designers should Learn?

Build Threat Models

• Help make sure the correct defenses are in place
  • What data are you storing?
  • Privacy concerns: Is the data personally identifiable or confidential?
• Threat models not only benefit design
  • They can be used to understand more about your code
  • Where does the data come from (local, remote, local subnet)?
  • What trust level is required to communicate with your code (anonymous, user, admin)?
  • Pay special attention to external dependencies and assumptions

Build Threat Models

[Diagram] Who can access this entry point, and from where?
Rock solid code handling incoming data

Build Threat Models: Action

• Build effective threat models
  • Identify all entry points into the system, and rank their accessibility
    • Local vs local subnet vs remote
    • Admin vs user vs anonymous
  • Higher attack surface == better be good code!
• Consider reducing attack surface
• Review code along the anonymous data paths

[Diagram axis: increasing attack surface]

Pop Quiz: What’s Wrong with this code?

string Status = "No";
string sqlstring = "";
try {
    SqlConnection sql = new SqlConnection(
        @"data source=localhost;" + "user id=sa;password=password;");
    sql.Open();
    sqlstring = "SELECT HasShipped" + " FROM Shipment WHERE ID='" + Id + "'";
    SqlCommand cmd = new SqlCommand(sqlstring, sql);
    if ((int)cmd.ExecuteScalar() != 0)
        Status = "Yes";
} catch (SqlException se) {
    Status = sqlstring + " failed\n\r";
    foreach (SqlError e in se.Errors) {
        Status += e.Message + "\n\r";
    }
} catch (Exception e) {
    Status = e.ToString();
}

The slide’s callouts:
• Hard to guess password!
• Connecting as sysadmin
• String concat for dynamic SQL
• Telling the bad guy too much on failure
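To make the two code-level callouts concrete (string concatenation, and the failure path that echoes the statement back), here is an added example, not the talk’s code, that rewrites the query in Python against a constructed in-memory SQLite stand-in for the Shipment table. The least-privilege database account is a deployment setting and is not modelled here; the logging hook is hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slide's Shipment table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Shipment (ID TEXT PRIMARY KEY, HasShipped INTEGER)")
    db.executemany("INSERT INTO Shipment VALUES (?, ?)", [("A100", 0), ("A200", 1)])
    return db


def log_server_side(err: Exception) -> None:
    """Hypothetical stand-in for the application's real logger."""
    pass


def has_shipped_concat(db: sqlite3.Connection, shipment_id: str) -> str:
    """The slide's pattern: the ID is glued into the SQL text, so a quote in
    the ID changes the statement, and on failure the statement plus driver
    error are handed straight back to the caller."""
    sqlstring = "SELECT HasShipped FROM Shipment WHERE ID='" + shipment_id + "'"
    try:
        row = db.execute(sqlstring).fetchone()
        return "Yes" if row is not None and row[0] != 0 else "No"
    except sqlite3.Error as e:
        return sqlstring + " failed: " + str(e)   # tells the bad guy too much


def has_shipped_param(db: sqlite3.Connection, shipment_id: str) -> str:
    """Fixed form: the ID travels as a bound parameter (data, never SQL) and
    the caller only ever sees Yes/No; the detail goes to a server-side log."""
    try:
        row = db.execute("SELECT HasShipped FROM Shipment WHERE ID=?",
                         (shipment_id,)).fetchone()
        return "Yes" if row is not None and row[0] != 0 else "No"
    except sqlite3.Error as e:
        log_server_side(e)
        return "No"


if __name__ == "__main__":
    db = make_db()
    print(has_shipped_concat(db, "A200"), has_shipped_param(db, "A200"))
    print(has_shipped_concat(db, "A200'"))    # leaks the statement and error
    print(has_shipped_param(db, "A200'"))     # plain "No"
```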

I have a gazillion lines of code to review – how do I prioritize?

Potentially, How Buggy is the Code?

An estimate of the total population of bugs (B) is given by

  X/B = N/Y

This is a classic capture/recapture technique pioneered in biology, but widely used in software engineering.

  X = bugs found by the first team
  Y = bugs found by the second team
  N = bugs found by both teams (in common)

Example: Potentially, How Buggy is the Code?

  X = 10 bugs, Y = 12 bugs, and they found N = 4 bugs in common

  X/B = N/Y
  10/B = 4/12
  B = 30

If the first team found 10 bugs, the second found 12, and there are about 30 bugs in total, then you had better keep on looking!

Run all available tools

• Compile C/C++ at /W4
• /analyze
• FxCop
• Are some source files ‘bug-dense’?
  • Many need more review

Other Heuristics

  More review             Less review
  ---------------------   --------------------------
  Old code                New code
  On by default           Off by default
  Elevated                Least privilege
  Anonymous access        Authenticated access
  Listening on network    Not listening
  Planetary access        Local subnet or machine
  UDP                     TCP
  C/C++/ASM               Managed code
  A ‘history’             Clean ‘history’
  Complex                 Simple or well understood
  Undoc’d interface       Doc’d interface
  Handles PII etc         Does not handle PII etc
  Big functions           Little functions
  Hard to maintain        Easy to maintain
  Lots of churn           Stable code

What does the bad guy control?

The Golden Question

Pop Quiz: Is this a security bug?

int main(int argc, char *argv[]) {
    char t[32];
    if (argc == 2)
        strcpy(t, argv[1]);
    // etc
}


Explain to me again the “Turkish-I” problem

The Turkish-I problem (Applies also to Azerbaijan!)

• Turkish has four letter ‘I’s
  • i (U+0069), ı (U+0131), İ (U+0130), I (U+0049)
• In Turkish locale UC("file") == FİLE

// Do not allow "FILE://" URLs
if (url.ToUpper().Left(5) == "FILE:")
    return ERROR;
getStuff(url);

// Only allow "HTTP://" URLs
if (url.ToUpper(CULTURE_INVARIANT).Left(5) == "HTTP:")
    getStuff(url);
else
    return ERROR;
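Python’s str.upper() ignores the process locale, so this added example (not the talk’s code) models the Turkish casing rule explicitly and runs both of the slide’s checks against it; turkish_upper is an assumed stand-in for a Turkish-locale ToUpper(), and the URLs are constructed.

```python
# Constructed model of Turkish/Azeri upper-casing: dotless i (U+0131) -> I,
# dotted i (U+0069) -> İ (U+0130). Not the talk's code.
TURKISH_I_MAP = str.maketrans({"i": "\u0130", "\u0131": "I"})


def turkish_upper(s: str) -> str:
    """Upper-casing as a Turkish-locale ToUpper() performs it (assumed stand-in)."""
    return s.translate(TURKISH_I_MAP).upper()


def invariant_upper(s: str) -> str:
    """Culture-invariant upper-casing: ASCII i maps to plain I."""
    return s.upper()


def blocklist_check(url: str, upper=turkish_upper) -> bool:
    """The slide's first snippet: refuse anything that upper-cases to 'FILE:'.
    Returns True if the URL would be fetched. Under Turkish casing 'file:'
    becomes 'FİLE:', which is not 'FILE:', so the check lets it through."""
    return upper(url)[:5] != "FILE:"


def allowlist_check(url: str) -> bool:
    """The slide's second snippet: fetch only what invariant-upper-cases to
    'HTTP:'. Returns True if the URL would be fetched."""
    return invariant_upper(url)[:5] == "HTTP:"


if __name__ == "__main__":
    print(turkish_upper("file"))                       # FİLE
    print(blocklist_check("file:///tmp/x"))            # True: slipped through
    print(blocklist_check("file:///tmp/x", invariant_upper))  # False
    print(allowlist_check("file:///tmp/x"), allowlist_check("http://example.com/"))
```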

Pop Quiz: What does this mean?

Why should I not use RC4?

Issues with Stream Ciphers

• Stream ciphers are simply random number generators
  • They create a key stream of random bytes
  • The ‘seed’ is the symmetric key
• Issues:
  • Ca xor Cb == Pa xor Pb
  • Ca xor Pa == K
  • Bit flip attacks

[Diagram: keystream bytes K0, K1, … XORed with plaintext bytes P0, P1, … give ciphertext bytes C0, C1, …]
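An added example (not from the talk) that makes the three issues concrete with a stand-in keystream: RC4’s keystream generator is not implemented, only the XOR step every stream cipher shares, and the HMAC seal is the assumed mitigation for bit flips.

```python
import hashlib
import hmac


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(keystream: bytes, data: bytes) -> bytes:
    """A stream cipher is 'data XOR keystream'; decryption is the same call."""
    return xor(keystream, data)


def reuse_leaks_xor(keystream: bytes, pa: bytes, pb: bytes) -> bool:
    """Ca xor Cb == Pa xor Pb when two messages share one keystream."""
    ca, cb = stream_encrypt(keystream, pa), stream_encrypt(keystream, pb)
    return xor(ca, cb) == xor(pa, pb)


def known_plaintext_gives_keystream(keystream: bytes, pa: bytes) -> bool:
    """Ca xor Pa == K: one known plaintext exposes the keystream bytes."""
    return xor(stream_encrypt(keystream, pa), pa) == keystream[: len(pa)]


def flip_in_transit(keystream: bytes, plaintext: bytes, offset: int, delta: int) -> bytes:
    """Flipping a ciphertext bit flips the same plaintext bit after decryption;
    no key is needed to do it."""
    c = bytearray(stream_encrypt(keystream, plaintext))
    c[offset] ^= delta
    return stream_encrypt(keystream, bytes(c))


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Assumed mitigation: authenticate the ciphertext so a flip is detected
    before anything is decrypted."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(mac_key: bytes, blob: bytes):
    """Returns the ciphertext if the tag verifies, else None."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext if hmac.compare_digest(tag, expected) else None
```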

Don’t use ECB-mode either!

[Figure panels: ECB, CBC]

Questions?

Email: mikehow@microsoft.com
Blog: blogs.msdn.com/michael_howard

Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx

• New, as a pilot for 2007, the Breakout sessions will be available post event, in the TechEd Video Library, via the My Event page of the website


Visit MSDN in the ATE Pavilion and get a FREE 180-day trial of MS Visual Studio Team System!

Complete your evaluation on the My Event pages of the website at the CommNet or the Feedback Terminals to win!

All attendees who submit a session feedback form within 12 hours after the session ends will have the chance to win the very latest HTC 'Touch' smartphone complete with Windows Mobile® 6 Professional

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.