Security Process & You: SQL Server Case Study


Transcript of Security Process & You: SQL Server Case Study

Page 1: Security Process & You: SQL Server Case Study

Security Process & You: SQL Server Case Study

James Hamilton, General Manager SQL Server Webdata Development & Security Architect

Page 2: Security Process & You: SQL Server Case Study

Agenda
• Risk Escalating Rapidly
• SQL Injection Demo
• Case Study: SQL Server Security Push
• SQL Server Lessons Learned
• Security Tools & Automation
• Admin, Data Protection, & App Design
• Summary

Page 3: Security Process & You: SQL Server Case Study

Incidents Reported Industry Wide
CERT/CC incident statistics 1988 through 2003
• Incident: single security issue grouping together all impacts of that issue
• Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality
[Chart: incidents reported per year, scale 0 to 90,000]
Source: http://www.cert.org/stats/cert_stats.html

Page 4: Security Process & You: SQL Server Case Study

Know Your Enemy
• Port Scanners
• Black Hat Community Sharing
• Brute Force pwd crackers
• Dictionary Based pwd crackers
• Network Sniffers
• De-compilers
• Debuggers
• Cracker Tools

Page 5: Security Process & You: SQL Server Case Study

Data Thief Architecture
Diagram components:
• Vulnerable Application, with its App. Database
• Attacker's Local DB
Attack flow:
• Attack string: form values appended with extra SQL statement
• SQL-injected query: contains an OPENROWSET statement
• The SQL-injected OPENROWSET statement causes the remote DB to connect back to the attacker's DB, sending back useful data

Page 6: Security Process & You: SQL Server Case Study

Data Thief Demonstration
Girish Chander, SQL Server Security PM
Author: Cesar Cerrudo
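The root cause behind the demo is the first arrow in the architecture diagram: form values appended to the statement text. As an added example (not code from the talk or from Data Thief), the snippet below builds the same login query both ways against a constructed in-memory SQLite table: the concatenated version accepts a quoted tautology in the password field, while the parameterized version treats the same input as plain data. The table name, sample users and function names are assumptions for the example.

```python
import sqlite3

# Constructed sample data, not the database used in the talk's demo.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def make_db():
    """In-memory SQLite stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, pwd):
    """Vulnerable form: the form values are pasted into the statement text,
    so a quote inside the input rewrites the SQL the engine parses."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND pwd = '%s'"
           % (name, pwd))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, pwd):
    """Hardened form: the statement text is fixed and the form values travel
    as bound parameters, which the engine never parses as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pwd = ?"
    return conn.execute(sql, (name, pwd)).fetchone()[0] > 0


def compare(name, pwd):
    """Run the same credentials through both versions and return the outcomes."""
    conn = make_db()
    try:
        return {"concat": login_concat(conn, name, pwd),
                "param": login_param(conn, name, pwd)}
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate login succeeds either way.
    print("valid password  :", compare("alice", "correct horse"))
    # A password field carrying a quoted tautology turns the WHERE clause
    # into "... AND pwd = '' OR '1'='1'", which is true for every row.
    print("tautology input :", compare("alice", "' OR '1'='1"))
    # A wrong password is rejected by both versions.
    print("wrong password  :", compare("alice", "nope"))
```

The same fix applies to the OPENROWSET case in the diagram: once values are bound rather than concatenated, no input can append a second statement to the query.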

Page 7: Security Process & You: SQL Server Case Study

Agenda
• Risk Escalating Rapidly
• SQL Injection Demo
• Case Study: SQL Server Security Push
• SQL Server Lessons Learned
• Security Tools & Automation
• Admin, Data Protection, & App Design
• Summary

Page 8: Security Process & You: SQL Server Case Study

Security Push Timeline

Preparation Phase (3/15/2003) → Security Push (5/1/2003) → Push Follow-on (8/1/2003)

Push Preparation:
• Goal: full 800 person team productive from start
• Identify components
• Complete threat models
• Complete education
• Select push start date
• Security plan
• Security reps from each team
• Set triage bars
• Infrastructure set-up

Security Push:
• 5 million+ lines of code reviewed
• Two releases in service
• One more release in dev
• 100% team focus during push
  • Dev, Test, PM, & UE
  • No other non-security work
• Three pronged approach:
  • Targeted code reviews
  • Tools targeting security
  • Threat driven reviews & testing

Page 9: Security Process & You: SQL Server Case Study

Push Prep: Communications
• Learning from other teams' experiences: Windows, VS .Net, & IIS preceded SQL
• Team readiness critical: don't start security push until team is prepared
• Security push plan: motivation, goals, approach, process, fix bar, …
• Education plan for team
• Web site set up for general announcements & communication

Page 10: Security Process & You: SQL Server Case Study

Push Prep: Training
• Security training for every team member: mandatory training for Architects, PMs, Developers & Testers
• Material covered includes: threat modeling, hacker/cracker tools, black hat community, security development & test tools, attack vectors & defense
• Video tape training for new team members
• Security talks series: more detail on important security related topics; staying current with evolving threats
• On demand webcasts (search on security): http://www.microsoft.com/usa/webcasts/ondemand/default.asp

Page 11: Security Process & You: SQL Server Case Study

Push Prep: Infrastructure Ready
• Cross component team to drive push: SQL Security Leads
• Bug tracking guidelines detailed: classification of bugs and threats
• Separate bug tracking DB for tracking file reviews: tracks code review progress & completeness
• Identification of components: 228 components; risk level assessed for each; threat models for each component
• Getting security tools running & building skills
• Clear fix criteria set
• Tracking progress is critical

Page 12: Security Process & You: SQL Server Case Study

Security Push Timeline (same slide as Page 8)

Page 13: Security Process & You: SQL Server Case Study

Push: Threat Modeling Process

Collect Background Information:
• Use Scenarios
• Implementation Assumptions
• External Dependencies
• External Security Notes
• Internal Security Notes

Model the System:
• Entry Points
• Assets
• Trust Levels
• Data Flow Diagrams/Process Models

Determine Threats:
• Identify Threats
• Analyze Threats/Determine Vulnerabilities

• A process to understand and document threats to a system
• Methodical and complete
• Describes the system's threat profile
• Goal is to find design level issues before code is written

Page 14: Security Process & You: SQL Server Case Study

Push: Example Data Flow Diagram

Page 15: Security Process & You: SQL Server Case Study

Push: Threat Modeling
• Threats must be understood to build secure systems
• Every spec/design goes through threat analysis
• Model of component is created (typically a DFD)
• Threats categorized based on STRIDE
• Severity ranked based on DREAD, NOT how hard it is to fix

STRIDE:
S - Spoofing
T - Tampering of Data
R - Repudiation
I - Information Disclosure
D - Denial of Service
E - Escalation of Privileges

DREAD:
D - Damage potential
R - Reproducibility
E - Exploitability
A - Affected Users
D - Discoverability

Page 16: Security Process & You: SQL Server Case Study

Push: Security SWAT Team
• Central team focused on cross component analysis
• Members chosen from different teams
• Build and share security expertise
• Overall approach:
  • Met on daily basis
  • Choose component based on priority & risk
  • Invite relevant team members for that component
  • Collectively brainstorm to ferret out cross component threats
• Experience: an effective approach; part of ongoing, regular effort to audit product security

Page 17: Security Process & You: SQL Server Case Study

Push: Dead Code Removal
• Dead code removal: code hygiene & work reduction
  • Why maintain & review non-executable code?
  • Code in product might be used in future
• Dead code detector built from code coverage tool
  • Analyzes compiled binaries
  • Automatically files bugs: one bug per file; bug assigned to owner or last modifier

Page 18: Security Process & You: SQL Server Case Study

Push: Code Reviews
• Threat model directed & tools driven reviews
• Code review teams set up
  • Typically, 2 developers and 1 tester at least
  • Code review driver not code owner
  • Tester files bugs & scribes (some teams rotated roles)
• Code review experience:
  • Teams progressively became more efficient
  • First 90 minutes are the most effective
  • Pass of code by reviewer prior to code review helped
  • Presentation by code owner was very helpful
  • Averaged 800-1200 lines reviewed per team per day

Page 19: Security Process & You: SQL Server Case Study

Push: Analytical Security Testing
A testing method that simulates how an attacker operates
• Decompose the app (threat model driven)
• Identify interfaces
• Enumerate input points: sockets, pipes, registry, files, RPC (etc.), command-line args, etc.
• Enumerate data structures: C/C++ struct data, HTTP body, HTTP headers, HTTP header data, other protocol headers, querystrings, bit flags
• Attack all data structures, wire formats, and input data

Page 20: Security Process & You: SQL Server Case Study

Push: Attack Team
• Red Team: Microsoft-wide ethical cracking group
• 50-50 split:
  • Reactive: analysis of reported bugs
  • Proactive: security reviews
• Both formal and informal security reviews
  • Formal reviews by risk exposure: greater exposure, deeper the review
• Analytical security testing
• Advanced fuzz & data mutation tools developed

Page 21: Security Process & You: SQL Server Case Study

Security Push Timeline (same slide as Page 8)

Page 22: Security Process & You: SQL Server Case Study

Follow-on: What was learned?
• Set realistic schedules
• Get training done before starting
• Invest in tools early & aggressively
• Clearly identify system components early
• Code reviews: provide guidelines & goals for each review
• Security focus improved overall system quality
  • Cross-component interactions better understood
  • Improved both functional & penetration testing
• Define unambiguous exit criteria
• Clear progress tracking metrics required
• Process sometimes interferes with progress

Page 23: Security Process & You: SQL Server Case Study

Agenda
• Risk Escalating Rapidly
• SQL Injection Demo
• Case Study: SQL Server Security Push
• SQL Server Lessons Learned
• Security Tools & Automation
• Admin, Data Protection, & App Design
• Summary

Page 24: Security Process & You: SQL Server Case Study

Development Tools
• Engineers good at finding specific vulnerabilities
  • Innovation required
• Not good at reliably finding all instances of a specific bug class
  • Millions of lines of code
• Focus on tools to supplement manual efforts: tools that can help identify issues in code
• Managed code part of the answer
• Development tools used:
  • PREFIX & PREFAST
  • FXCOP
  • Compiler options: /GS, SAFESEH
  • OS level support: NOEXECUTE

Page 25: Security Process & You: SQL Server Case Study

Sample Prefast Defect

    …
    CHAR buff[MAX_PATH];
    GetWindowsDirectory(buff, sizeof(buff));  // return value never checked
    SetCurrentDirectory(buff);                // SetCurrentDirectory takes only the path

PREfast warning on the GetWindowsDirectory call:
    Warning: Failure to check return value
    GetWindowsDirectory can fail in low-memory situations

Page 26: Security Process & You: SQL Server Case Study

Example Defect Classes
• Resource Leakage: leaking memory/resource
• Pointer Management: dereferencing NULL pointer; dereferencing invalid pointer; dereferencing or returning pointer to freed memory
• Illegal State: resource in illegal state; illegal value; divide by zero; writing to constant string
• Memory Management: double frees; freeing pointer to non-allocated memory (stack, global, etc.); freeing pointer in middle of memory block
• Initialization: using uninitialized memory; freeing or dereferencing uninitialized pointer
• Bounds Violations: overrun & underrun; failure to validate buffer size

• Managed code avoids many of these issues without post-authoring analysis tools

Page 27: Security Process & You: SQL Server Case Study

Agenda
• Risk Escalating Rapidly
• SQL Injection Demo
• Case Study: SQL Server Security Push
• SQL Server Lessons Learned
• Security Tools & Automation
• Admin, Data Protection, & App Design
• Summary

Page 28: Security Process & You: SQL Server Case Study

Application & DB Administration
Basic security practices:
• Automated enterprise software inventory
• Run MBSA frequently
• Apply latest patches: use Windows Update or Software Update Service
• Audit authentication successes & failures at all tiers
• Corporate security policy with periodic audit
• Senior security Czar with ability to drive change
• Emergency response & disaster recovery plans
• Small admin group
• Min privilege & strong passwords enforced on all

Page 29: Security Process & You: SQL Server Case Study

Data Protection & App. Design
Data Protection:
• Hot standby: clustering, log shipping, or DB Mirroring (Yukon)
• Frequent backups: offsite with media encryption
• Offline, automated, non-production test systems
• Encrypted channels for transferring sensitive information
• Use integrated security with strong passwords
Isolate Services:
• Do not install services on domain controller
• Services should run under low privileged accounts (not shared)
• Mid-tier/data-tier isolation with multiple firewalls
• Surface area reduction: remove/disable unneeded services
• No direct access to data-tier
• Two-tier client-side doesn't work – security in data tier
  • Apps that "hide" DB passwords in client tier don't work
• Access only via carefully reviewed mid-tier code
• Validate all user input

Page 30: Security Process & You: SQL Server Case Study

Summary
• Threat profile increasing
• SQL Security Push case study: communication, training, infrastructure & tools, goals & exit criteria
• Security tools and techniques: threat models, Security SWAT team, code reviews, analytical security testing, Attack Team
• Application & DB admin
• Data protection & application design

Page 31: Security Process & You: SQL Server Case Study

Resources
• Microsoft Security and Privacy site: http://www.microsoft.com/security/
• SQL Security White paper: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/Default.asp
• MBSA Home: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp

Titles:
• Microsoft Windows 2000 Security Technical Reference
• Writing Secure Code, 2/e
• Building Secure Microsoft® ASP.NET Applications

Page 32: Security Process & You: SQL Server Case Study

Microsoft