Preventing Excellent Hacks: Understanding the Security Development Lifecycle
Mohammad Akif
National Security and Privacy Lead
Microsoft Canada
cdnsec@microsoft.com
Thinking beyond the firewall
Microsoft IT Environment
• 80,000 Win 7 clients
• 127,238 Office clients
• 129,000 Exchange mailboxes
• 359,000 SharePoint Sites
• MSCRM deployment for premier services business
• Dynamics business running on Dynamics products
• 5 data centers
• 10,000 production servers
• 108,000 servers (MSN)
• 98 countries
• 550 buildings
• 260,000+ SMS managed computers
• 585,000 devices
• 141,549 end users
• 2,400,000 internal e-mails with 18,000,000 inbound (97% filter rate)
• 36,000,000 IMs per month
• 136,000+ e-mail server accounts
• 137,000,000+ remote connections per month
How we secure
• Build firewalls
• Buy really cool pizza boxes with nice blinky lights
• Penetration test
• Did I mention firewalls?
Trauma of Reactive Security
… the cost of fixing defects after deployment is almost fifteen times greater than detecting and eliminating them during development
[Figure: relative cost of fixing a defect, by phase. Design: 1X; Development (static analysis): 6.5X; Testing (integration, system/acceptance): 15X; Deployment (customers in the field): 100X. Source: IDC and IBM Systems Sciences Institute]
Trauma of Reactive Security
Britain warns of major e-mail attack
Hackers seen aiming at government, corporate networks
The Associated Press
Updated: 1:42 p.m. ET June 16, 2005
In 2004, 78% of enterprises hit by viruses, 49% had laptops stolen, 37% reported unauthorized access to information
--2004 CSI and FBI Computer Crime and Security Survey
Know Yourself, Know your Enemies
“If you know your enemy and know yourself,
you need not fear the result of a hundred
battles. If you know yourself but not the
enemy, for every victory gained you will also
suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in
every battle.”
Sun Tzu, The Art of War
6th Century BC
Evolving Threats
[Figure: threat actors plotted by motivation and skill. Motivation: Curiosity, Personal Fame, Personal Gain, National Interest. Skill: Script-Kiddy, Undergraduate, Expert, Specialist. Actors: Vandal, Trespasser, Author, Thief, Spy. Callouts: largest segment by $ spent on defense; largest area by $ lost; largest area by volume; fastest growing segment]
Embedding Security Into Software And Culture
Phases: Training, Requirements, Design, Implementation, Verification, Release, Response
• Training: Core training
• Requirements: Analyze security and privacy risk; Define quality gates
• Design: Threat modeling; Attack surface analysis
• Implementation: Specify tools; Enforce banned functions; Static analysis
• Verification: Dynamic/Fuzz testing; Verify threat models/attack surface
• Release: Response plan; Final security review; Release archive
• Response: Response execution
Education, Technology and Process, Accountability
Ongoing Process Improvements: 6 month cycle
Why the
*&(^%$
do I need
security?
SECURE BY DESIGN
Secure architecture
Mitigations
IMPROVE the design
SECURE BY DEFAULT
Least Privilege!!!
Defense in Depth
Default Deny
SECURE IN DEPLOYMENT
Deployment guidance
Policy Management
Patch management
SECURE IN DEPLOYMENT
Repeatable
 Consistent
Measurable
[Chart: SQL Server 2005; data labels 16, 3, 0]
[Diagram: the five SDL categories mapped onto the MSF development methodology]
• Category 1 – Security Requirements
• Category 2 – Security Design
• Category 3 – Secure Implementation
• Category 4 – Secure Verification
• Category 5 – Secure Release
SDL Integration into a typical Project
Objectives
• Planning: Security Requirements & Education
• Design: Secure Design & Threat Modeling
• Development: Secure Implementation
• Testing: Secure Verification
• Deployment: Secure Release
Activities
Security: Questions to Ask
• Data Validation: Will solution accept data from outside sources?
• Authentication: Will solution require claims that a party using it is trusted?
• Authorization: Will solution require controlled access for its resources?
• Configuration Mgt: Are there restrictive deployment constraints?
• Sensitive Data: Will solution handle confidential data?
• Session Management: Will solution need to create unique interactive sessions?
• Cryptography: Are secrets going to be used in the solution?
• Exception Mgt: Will the solution need to be highly available?
• Auditing and Logging: Will the solution require non-repudiation of activities?
• Intangible Assets: Would a successful attack embarrass corporate values?
• Compliance: Are there 3rd party policies and legislation that the proposed solution must adhere to?
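[Table: permission matrix. Roles: Admin, Content creator, Reader, Anonymous. Operations: User creation, Permission modification, Object creation, Object removal, Object read. Check marks (√) show which role may perform which operation]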
Increases attacker’s risk of detection
Reduces attacker’s chance of success
• Data: HIGH - ACLs, encryption, EFS, Rights Management
• Application: HIGH - Application design
• Host: MEDIUM - OS hardening, authentication, patch management, antivirus
• Deployment Topologies: MEDIUM - Domain Isolation, IPSec, SSL, TLS
• Network Infrastructure: LOW - Firewalls, Network Access Control
• Physical Security: LOW - Guards, locks, tracking devices
• Security Policies & Procedures: LOW - Security documents, user education
Application Security
Host Security
Deployment Topologies: Remote Application Tier, Local Application Tier
Network Infrastructure Security: Router, Firewall, Switch
Security Policies and Procedures
Data Security
Network
Operating System: Shares, Auditing, Services, File System, Accounts, Registry, Protocols, Ports, Patching
Action: Define Threats! Apply Mitigations! Create Test Cases!
Layers: Application, Host, Network
Tiers: Presentation, Business, Data
Security Frame
• Critical areas should be reviewed
• Areas are common across systems
• Threat Modeling can focus on concerns
Deployment and Infrastructure
• Learn about target deployment environment
• Security policies?
• Restrictions imposed by infrastructure layer security?
Layer-by-layer Analysis
• “Walk through” each tier
• Evaluate security choices available
Security Frame
Categories: Data Validation; Authentication; Authorization; Configuration Management; Sensitive Data; Session Management; Cryptography; Exception Management; Auditing and Logging
Threat model elements: Boundaries; DataFlows; Processes; Dependencies; Privilege
Entry points and resources: Files; SQL; Endpoints; The Registry; Named Pipes; Environmental Variables; Sockets; HTTP Endpoints; E-mail; User Interfaces; Command-line Arguments; Programmatic Interfaces
[Slide callouts: questions attached to the Security Frame categories, overlapping on the slide. Questions that can be read from the fragments:]
• Who are you?
• Who did what and when?
• Do you scrub input before business processing?
• What does your app. do when a method fails?
• Does your application fail gracefully?
• How much do you reveal?
• Can you trace abnormal activity?
• How are these settings secured?
• Are you tamper-proofing your data or libraries (integrity)?
Other callouts touch on keeping secrets (confidentiality), user sessions, what the application runs as, what you are allowed to do, confidential data, and how the application is administered.
Risk rating = exposure [chance] * potency [damage]
Define a LOW
Define a MEDIUM
Define a HIGH
• Use-case scenarios
• Architecture
• Determine dependencies
• Giblets?
• Identify data-flow in diagrams
• Identify entry points & assets
• Determine threat paths
• Threat exposure (STRIDE)
• Threat potency
• Countermeasures?
• Accept risk?
• Create test cases
External entity
• Other systems
• Anonymous
Process
• DLLs
• EXEs
• Web Services
• Http endpoints
Boundary
• Trust boundary
• Process boundary
Data Flow
• Function calls
• Network traffic
• IP traffic
Data Store
• Database
• File
• Registry
Threat / Property / Definition / Example

Spoofing (Property: Authentication)
Definition: Impersonating something or someone else.
Example: Pretending to be any of billg, microsoft.com or ntdll.dll

Tampering
Definition: Modifying data or code
Example: Modifying a DLL on disk or DVD, or a packet as it traverses the LAN.

Repudiation
Definition: Claiming to have not performed an action.
Example: “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”

Information Disclosure
Definition: Exposing information to someone not authorized to see it
Example: Allowing someone to read the Windows source code; publishing a list of customers to a web site.

Denial of Service
Definition: Deny or degrade service to users
Example: Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.

Elevation of Privilege
Definition: Gain capabilities without proper authorization
Example: Allowing a remote internet user to run commands is the classic example, but also going from a limited user to admin.

Property labels shown beside the remaining rows on the slide, in page order: Authorization; Data Validation; Sensitive Data; Cryptography; Cryptography; Auditing; Session Mgt; Exception Mgt; Configuration Mgt; Exception Mgt; Authorization
Stack Overflows
Stack and Heap Manipulation (Buffer Overflows)
• Stack overflows - data is written past end of buffers for stack memory
• Arithmetic Errors - data type is assigned a value outside its range. May lead to buffer overflows if used to allocate memory
• Heap overruns - complex data type is written outside of heap allocation
• Exists primarily in unmanaged C/C++ code

    #include <string.h>

    /* Deliberately vulnerable: the caller controls how much is copied. */
    void BadStack(const char* uncheckedData)
    {
        char localVariable[4];
        int anotherLocalVariable;

        /* No length check: anything longer than 3 characters plus the
           terminator is written past the end of localVariable. */
        strcpy(localVariable, uncheckedData);
    }

Stack layout (from top of stack): char[4], int, return address
Security Frame: Input Validation; Trust Boundaries; Data Flow; Entry Points; Dependencies; Privileged Code; Session Management; Authentication; Cryptography; Authorization; Exception Management; Configuration Management; Auditing and Logging; Sensitive Data
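The hardened counterpart to BadStack, as an added example that is not part of the original slides: it covers the first two bullets above, the unbounded stack copy and the arithmetic error that under-allocates a heap buffer. GoodStack, bounded_len, checked_alloc_size and copy_records are hypothetical names, and the 32-bit record type is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of s, scanning at most `limit` bytes (returns limit if no NUL seen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened counterpart of BadStack (hypothetical name): the input is measured
 * against the destination before any byte is copied, and input that does not
 * fit is rejected, not truncated. Returns characters copied, or -1. */
int GoodStack(const char *uncheckedData)
{
    char localVariable[4];
    if (uncheckedData == NULL)
        return -1;
    size_t len = bounded_len(uncheckedData, sizeof localVariable);
    if (len >= sizeof localVariable)      /* no room left for the terminator */
        return -1;
    memcpy(localVariable, uncheckedData, len + 1);
    return (int)strlen(localVariable);
}

/* Arithmetic-error guard: computes count * elem_size for an allocation and
 * refuses products that would wrap past SIZE_MAX and under-allocate. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Heap copy of `count` 32-bit records (constructed record type); NULL on
 * bad arguments, size overflow, or allocation failure. */
uint32_t *copy_records(const uint32_t *src, size_t count)
{
    size_t bytes;
    if (src == NULL || count == 0 ||
        checked_alloc_size(count, sizeof *src, &bytes) != 0)
        return NULL;
    uint32_t *dst = malloc(bytes);
    if (dst != NULL)
        memcpy(dst, src, bytes);
    return dst;
}

int main(void)
{
    printf("fits: %d, too long: %d\n", GoodStack("abc"), GoodStack("AAAAAAAAAAAAAAAA"));
    return 0;
}
```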
“The symptoms of security vulnerabilities are very
different from those of traditional bugs”
“How To Break Software Security”
“Because secure systems are designed to prevent
attack, how the systems fail is critical.”
“Beyond Fear-Thinking Sensibly about Security in an Uncertain World ”
“The designers and the specifications might outline
a secure design, the developers might be diligent
and write secure code, but it’s the testing
process that determines whether the product is
secure in the real world”
“Writing Secure Code, Second Edition”
Conclusion
People
Technology
Process
Your defence is as strong as your weakest link
© 2008 Microsoft Corporation. All rights reserved.
Questions ?
Appendix
Resources
• Microsoft Security Web sites: www.microsoft.ca/security and www.microsoft.ca/protect
• Sign up to receive notifications on security updates: www.microsoft.com/security/bulletins/alerts.mspx
• Sign up for the Security Bulletin Web cast: www.microsoft.com/technet/security/bulletin/summary.mspx
• RSS Feeds for Security Bulletins: www.microsoft.com/technet/security/bulletin/secrssinfo.mspx
• More from the Microsoft Security Response Center:
– Web site: www.microsoft.com/msrc
– Blog: http://blogs.technet.com/msrc
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory
• Security Guidance Center for Enterprises: www.microsoft.com/security/guidance
• Protect Your PC: www.microsoft.com/protect
Attack: Attack Authentication routines [ID, password, etc]
Description:
• Change authentication tokens at identified entry points

Attack: Check for secrets (e.g. passwords) in plaintext
Description:
• Inspect files, registry, application logs, event logs for sensitive data. Use Fiddler or Ethereal to inspect traffic for plaintext secrets

Attack: Attack Security Tokens
Description:
• Look for authentication cookies and session management tokens
• Change contents in order to change the security status (i.e. from UnAuth to Auth)

Attack: Attack Network Protocols
Description: Use Ethereal to change protocols used by application. Observe irregularities
• IP address spoofing
• MAC address spoofing
• Reverse DNS lookups
• SMTP e-mail messages
• HTTP headers

Attack: Canonicalization
Description:
• HTTP, URLs, Response headers
• Replace chars with encoding, special chars
• Fuzz candidate (e.g. FuzzGuru)
Attack: Check for poor cryptographic implementation
Description:
• Try to create weak passwords
• Use brute force crackers (e.g. John the Ripper)
• Find keys and try to acquire them
• Check for low-entropy/non-standard algorithms

Attack: Check for insecure communication links
Description:
• Use a network sniffer (e.g. Ethereal) to try to capture any data being passed along the wire.
• Try to modify this data if being sent to application

Attack: Is the data being sent over an unencrypted communication channel?
Description:
• Use a network sniffer (e.g. Ethereal) to try to capture any data being passed along the wire.
• Try to modify this data if being sent to application

Attack: Canonicalization
Description:
• HTTP, URLs, Response headers
• Replace chars with encoding, special chars
• Fuzz candidate (e.g. FuzzGuru)

Attack: Attack input to check for validation and filtering
Description:
• Enter command code at input
• Inspect results for execution of command code
• Fuzz candidate (e.g. FuzzGuru)

Attack: Attack links from unmanaged code
Description:
• Find calls to unmanaged code
• Use Ethereal to change data
• Fuzz arguments to/from unmanaged code
• Observe for crashes or irregularity
• Indication of bad memory management in code
Attack: Check for audit trails
Description:
• Try improper activities (AuthN & AuthZ)
• Check event logs for audit of activity
• Ensure that activity is being monitored

Attack: Attack audit trail data
Description:
• Find location of logs
• Check ACLs for access
• Attempt elevation of privilege attack for access (see below)

Attack: Check for poor cryptographic implementation
Description:
• Try to create weak passwords
• Use brute force crackers (e.g. John the Ripper)
• Find keys and try to acquire them
• Check for low-entropy/non-standard algorithms

Attack: Check for weak authorization
Description:
• Observe how authorization is handled. Try and access authorization tokens if stored in local files, memory or passed in the clear

Attack: Check for poor cryptographic implementation
Description:
• Try to create weak passwords
• Use brute force crackers (e.g. John the Ripper)
• Find keys and try to acquire them
• Check for low-entropy/non-standard algorithms

Attack: Check for insecure communication links
Description:
• Use a network sniffer (e.g. Ethereal) to try to capture any data being passed along the wire.
• Try to modify this data if being sent to application

Attack: Check for secrets (e.g. passwords) in plaintext
Description:
• Inspect files, registry, application logs, event logs for sensitive data. Use Fiddler or Ethereal to inspect traffic for plaintext secrets
Attack: Identifying interesting data
Description:
• Data has forensic value to attacker
• Is data sensitive?
• Use Ethereal to try and read data

Attack: Discovering resource consumption flaws
Description:
• Close the application ungracefully
• Fuzz to input large data nodes
• Inspect task CPU usage
• View reads/writes of application

Attack: Discovering implementation flaws
Description:
• Open large number of channels to external apps

Attack: Attack input to check for validation and filtering
Description:
• Enter command code at input
• See if application handles this ok
• Inspect results for execution of command code
• Fuzz candidate (using a fuzzing framework)

Attack: Attack Network Protocols
Description: Use Ethereal to change protocols used by application. Observe irregularities
• IP address spoofing
• MAC address spoofing
• Reverse DNS lookups
• SMTP e-mail messages
• HTTP headers
Attack: Check for weak authorization
Description:
• Attack AuthZ tokens in memory, passed in clear, in local resources
• Eavesdrop (e.g. Ethereal) on traffic from Roleserver
• Attack Roleserver
• Look for multiple roles (too much AuthZ)

Attack: Attack input to check for validation and filtering
Description:
• Enter command code at input
• Inspect results for execution of command code
• Fuzz candidate (e.g. FuzzGuru)

Attack: Check for ACL issues [weak permissions]
Description:
• Enumerate resources app accesses
• Enumerate ACLs of resources
• Check for low privilege access

Attack: Check for Assert issues
Description:
• Assert grants access to protected resources
• Identify Assert use in code
• Test code by calling from low privilege to gain resource access

Attack: Check for LinkDemand issues
Description:
• Similar to a Demand
• Only made on immediate caller
• Possible luring attack (attacker lures privilege)
• Identify where LinkDemand is used
• Make test for low privilege call to LinkDemand
• Check if call gains access

Attack: Test for partially trusted code
Description:
• Find AllowPartiallyTrustedCallers attribute in full trust code
• Create partially trusted code to call this
• Check if full trust code grants privilege

Attack: Attack links to/from unmanaged code
Description:
• Find calls to unmanaged code
• Use Ethereal to change data
• Fuzz arguments to/from unmanaged code
• Observe for crashes or irregularity
• Indication of bad memory management in code