Michael Howard Principal Security Program Mgr. Microsoft Corp. DPR203.
-
Upload
brandon-rich -
Category
Documents
-
view
220 -
download
0
Transcript of Michael Howard Principal Security Program Mgr. Microsoft Corp. DPR203.
Inside the Microsoft Security Development Lifecycle (and how you can use it!)
Michael HowardPrincipal Security Program Mgr.Microsoft Corp.DPR203
Who Is This Guy?
[email protected] employee for 17 yearsAlways in securityWorked on the SDL since inception
Feels like
eternity!
Agenda
The SDLRecommendations vs. RequirementsSDL Recommendations and Requirements
My Only ObjectiveGive you actionable ideas that will improve
the security of your software.
Links to tools and other resourcesare in the speaker notes.
IMPORTANT
This session does not cover every SDL itemThis session covers very little privacy and nothing to do with security response and servicingNor does it cover any internal Microsoft-specific issues
The SDL
“Reduce the Number of Vulnerabilities in your code.”“Reduce the Severity of the Vulnerabilities you miss.”
Does SDL Apply to Your Product?
Yes, if…It handles valuable data (e.g., PII, sensitive business/medical data)Has a large customer baseHas functional risk
Eg: one socket from the ’netPart of an acquisition
Recommendations vs. Requirements
Requirement is something you must do prior to shippingRecommendation is something you should considerMany requirements start life as recommendations
Identify Primary Security & Privacy Contact
REQUIREMENTSomeone (or some people) must handle the security and privacy for the team
ACTIONPick a security person to be the “Security Champ”“Grow” this person if needed
Security Training
REQUIREMENTFits into the “rhythm of the product”At least 80% trained
ACTIONAdopt ongoing training for your teamIf you have *NEVER* attended *ANY* security training, do so ASAP
Track Security BugsREQUIREMENT
Configure your bug database to track security bugsACTION
Create the following in your database:Security Criticality
None, Critical, Important, Moderate, Low, Defense in Depth
Security CauseNone, Buffer overflow/underflow, Arithmetic, SQL injection, Race Condition, XSS, Crypto, etc…
Security EffectNone, STRIDE
Use Strong-Named Assemblies and but not APTCA
REQUIREMENTStrong-named assemblies prevent DLL Hell and provide tamper detectionAdds a defense: immediate callers must be granted FullTrustAllowPartiallyTrustedCallersAttributes allows partially trusted callers (i.e., code from the ’net)
ACTIONRun FxCop on your strong-named assemblies
Code review CA2116 & CA2117Consider using SecurityTransparent
Use Secure Crypto Design (1 of 3)
REQUIREMENTCovers: algorithms, agility, use of standard libsAgility: Do not hard-code algorithms in your code
ACTIONUse a class factory
SHA1Managed sha = new SHA1Managed();
HashAlgorithm alg = HashAlgorithm.Create(“MyAppHash”);
Use Secure Crypto Design (2 of 3)
ACTIONUse Microsoft standard crypto libraries
System.Security.Cryptography for managedCryptoAPI, CNG for native
Use DPAPI for secretsUse approved random number generators
CryptGenRandomrand_sRNGCryptoServiceProvider
Use Secure Crypto Design (3 of 3)
ACTIONUse appropriate algorithms
Use: AES (128-bit or better), RSA (2048 or better), SHA-256 (+)Use nothing else!
Download SDLCryptoCheck, run on your code and triage results
Firewall Requirements
REQUIREMENTFirewall setting changes must be logged in the system security logDo not disable the firewallDo not create an inbound rule to allow the traffic through the firewallCannot allow exception by user without admin privilegesDocument your networking requirements
ACTIONSee above :-)
Threat Models
REQUIREMENTBuild a threat model for your product
Threats to a Windows Azure solution are different threats to a native Windows solution
Helps you understand secure design issuesService updates do not need threat modeling
ACTIONLearn how to do threat modeling, then download the SDL Threat Modeling tool and use it
Support UAC
REQUIREMENTMost applications should run correctly as normal users and not require unnecessary privileges
ACTIONMake sure you test your application as a non-admin on Windows Vista or Windows 7Use Aaron Margosis’ LUABuglight to help ascertain why your application fails as non-adminOr use LuaPriv with Application VerifierRead Writing Secure for Windows Vista
Granular Feature Control
RECOMMENDATIONTo reduce attack surface, expose only the most common functionality
ACTIONSupport granular enable/disable features and parsersIIS7 is the poster child
Grant Minimal Privileges
RECOMMENDATIONApplications should run with only enough privilege to perform the tasks required, and no more
ACTION(See UAC) and don’t run your services as SYSTEM unless you absolutely mustDrop privileges on service startup
Use Minimum Code Generation Suite
REQUIREMENTWe constantly add defenses to the compiler and linkerYou get defenses for free by simply using the latest compilers
ACTIONAt a minimum, you should use VS 2005 SP1But highly recommend you use VS 2008 SP1
And VS 2010 when it comes out, especially for C++Stronger -GS
Use /GS
REQUIREMENT Applies to 32-bit native C/C++ code onlyEven if the code is called by Managed codeDetects some forms of stack-based buffer overrun at runtime
ACTIONCompile all native 32-bit C/C++ code with /GSIt’s on by default in VC++ 2008, so don’t use /GS-Consider using #pragma strict_gs_check(on)
Use Safe Exception Handling
REQUIREMENTDetects compromised exception handlers
C++ and Windows SEHWould have prevented CodeRed
ACTIONLink with /SAFESEH
Use MIDL /ROBUST for RPC/DCOM
REQUIREMENTRPC is subject to potentially dangerous inputLots of services use RPCIn Windows NT4 server-side proxy code was very trustingWe added /ROBUST to MIDL to add more data validation
ACTIONAlways run MIDL with /ROBUST (it’s the default now)Requires Windows 2000 and later
Use ASLR
REQUIREMENTApplies to all codeRandomizes the image in memory, making it harder for attackers to get their exploits working correctly
ACTIONLink your code with /DYNAMICBASE
Use DEP
REQUIREMENTApplies to all codeMarks memory as “no execute” which can stop some forms of buffer overrunASLR is required for DEP to be effective
ACTIONLink your code with /NXCOMPAT
Confirm DEP and ASLR with Process Explorer
Detect Heap Corruption
REQUIREMENTC & C++ onlyWindows Vista and later heap manager detect heap corruption, but Windows will not shut your application down by default
ACTIONAdd the following to your main() or WinMain() function (void)HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
No Writeable PE Segments
REQUIREMENTSomewhat esoteric IPC method PE segments are not ACL-able
ACTIONDon’t use PE segmentsThese are all bad:
/section:<name>, RWS#pragma comment(linker, ―/section:<name>, rws‖) #pragma section(<name>, read, write, shared)
Do Not Use Banned APIs
REQUIREMENTSome C runtime functions are prone to errorSo don’t use them, use safer versions
ACTIONCompile with banned.h or strsafe.hTriage C4996 warningsReplace insecure functions with safer C runtime functions or strsafe functionsstrcpy [strcpy_s or String CchCopy]Add the following to auto-migrate functions to safe functions
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)
Encode Long-lived Pointers
RECOMMENDATIONLong-lived pointers, for example globally scoped, are targets for attackThey need protecting
ACTIONFind all long-lived pointers and protect them with EncodePointer, etc.
// g_pFoo is a global point that points to foo void g_pFoo = EncodePointer(&foo); ...// Decode the pointer when you need to use itvoid *pFoo = DecodePointer(g_pFoo);
Use FxCop on Managed Code
REQUIREMENTFxCop can help find common security vulnerabilities in C# and VB.NET code
Web code or standalone code
ACTIONDownload FxCop (or use Code Analysis in VS)Run it at least once a dayTriage all Security rules
Aim to have zero suppressions and zero warnings
Use /analyze for Unmanaged Code
REQUIREMENTThe PREfast engine can find many common and easy-to-fix security vulnerabilities at compile time
ACTIONCompile with /analyze at least once a day
Don’t use it on your main builds, it doubles compile timesTriage:
6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276
/analyze is very low noise
Help /analyze – Use SAL
RECOMMENDATIONAdding SAL can help /analyze find more security bugs SAL adds valuable interface contract data, e.g.,
_In_z_bytecount_(n)
‘In’ buffer, code will read the buffer
Buffer will be NULL-terminated Buffer byte count is ‘n’
Use /W4
RECOMMENDATIONC and C++ onlyThere is a subset of high-noise warnings that are now potentially real security vulnerabilities
ACTIONCompile C and C++ code with /W4 or the less noisy:
MSC_WARNING_LEVEL=/W3 /WX /we4242 /we4245 /we4254 /we4289 /we4295 /we4296 /we4701
Hand triage the results
Native Code XML Parsers
REQUIREMENTParsing XML safely is hardThere have been many industry-wide security vulnerabilities parsing malicious XML payloadsXML is everywhere!C++ just makes matters worse!
ACTIONUse XmlLiteUse MSXML 6 SP1Use MSXML3 SP9 only if there is a strong business justification
XSS Prevention
REQUIREMENTXSS is the #1 security vulnerability today
Yes, it’s bigger than BOs!
ACTIONCheck all incoming data
Constrain with TryParse, or RegExEncode with HTML EncodingUse AntiXSSUse ValidateRequest‖(defense in depth)Use CAT.NET
XSS Prevention (Safe Tags)
<b> <blockquote> <br> <div>
<em> <i> <li> <ol>
IMPORTANT Only safe if you strip or disallow attributes
bool IsSafeTag(string tag) { bool safe = false; string safeTagsRE = @"^<\/?[b|blockquote|br|div|em|i|li|ol|p|strong|u|ul]+>$";
if (Regex.Match(tag, safeTagsRE,RegexOptions.IgnoreCase).Success) safe = true;
return safe;}
<p> <strong> <u> <ul>
Use ViewStateUserkey
REQUIREMENTHelps mitigate Cross-Site Request Forgery (CSRF) vulnerabilitiesDefense in depth
ACTIONAdd this to your Web applications
protected void Page_Init(object sender, EventArgs e) { this.ViewStateUserKey = Session.SessionID; }
Do Not Use JavaScript eval() or Equivalents
RECOMMENDATIONEvaluates and executes arbitrary string dataWhat if the data is untrusted?
ACTIONTriage the following in your JavaScript code
evalsetTimeoutsetInterval
When using JSON, use fromJSON
Safe Redirect
RECOMMENDATIONRedirecting to an arbitrary Web location specified in an HTTP request is dangerousOpens users of your site to phishing attacks
ACTIONOnly redirect to a known set of safe URLs
Response.Redirect("/error.aspx")
Response.Redirect(Request.QueryString(uri))
SQL Execute Only Permission
REQUIREMENTHelps mitigate SQL Injection vulns
ACTIONRun your app as Network Service (DOMAIN\$machinename)Join that account to a domain group (DOMAIN\webapps)Grant that group execute permission to stored procs, etc.
Use SQL Parameterized Queries
REQUIREMENTSQL injections are hard to pull off with parameterized queries…and easy to pull off with string concatenation
ACTION
SqlDataAdapter cmd = new SqlDataAdapter("exec sp_getshipstatus(@id)",
conn);SqlParameter parm = cmd.SelectCommand.Parameters.Add("@id",id);
string query= "select * from status where id = " + id;
Use SQL Stored Procedures
REQUIREMENTA good way to hide back-end application logic in the event your server is breachedIt also allows you to easily support execute-only database objectsIt’s defense in depth
ACTIONUse sprocs for all your back-end queriesDon’t add EXEC (etc) to your sprocs
Do Not Depend on NTLM
RECOMMENDATIONNTLM provides only client authenticationAll current versions of Windows support Kerberos
ACTIONGrep for the word “NTLM” in your codeUse the Negotiate SSP rather than NTLM SSP
No “Swallow All” Exceptions
RECOMMENDATIONExceptions that handle all possible exceptions can mask serious bugsThey also can make it easier to defeat ASLR
ACTIONHandle only the exceptions you can REALLY handleAll bad:
SEH: __except(EXCEPTION_EXECUTE_HANDLER)C++: catch(…)RPC: RpcExcept(1)Managed Code: catch (Exception)
Safe Error Messages
RECOMMENDATIONYou want to make it easy for users and admins to know why something failedBut, you don’t want to tell attackers too much
ACTIONReview all error message text, make sure they are:
Clear to usersDo not disclose too much information
Especially for errors transmitted across the network
Fuzz TestingREQUIREMENT
Many applications fail when presented with incorrectly or malformed dataA DoS may really be a code execution vulnerability
ACTIONFuzz test
Applications that read untrusted data with a minimum of 100,000 malformed inputs
File parsers are a great candidateActiveX controls marked safe for scripting or safe for initialization
Networking endpoints
Test with Application Verifier
REQUIREMENTApplies to native code onlyA runtime tool that can detect many runtime security vulnerabilitiesRequires good code coverage to be effective
ACTIONRun your application under application verifier using the following rules:
Heaps, handles, memory
Device Driver Issues
REQUIREMENTKernel-mode crashes lead to BSOD
ACTIONRun Driver Verifier with at least the following:
Security ChecksMiscellaneous Checks
question & answer
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learningMicrosoft Certification and Training Resources
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Track Resources
Visit the DPR TLC for a chance to win a copy of Visual Studio Team Suite. Daily drawing occurs every day in the TLC at 4:15pm. Stop by for a raffle tickethttp://www.microsoft.com/visualstudio http://www.microsoft.com/visualstudio/en-us/products/teamsystem/default.mspxPlease visit us in the TLC blue area
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.