
Page 1: Security Tools For Software Development

Ivan Medvedev, Security Development Lead, Microsoft Corporation

Page 2: Overview

Introduction to our team
Security Development Lifecycle
Tools available to developers:
  Threat Modeling Tool
  Visual Studio Compiler Switches
  FxCop
  AppVerifier
Upcoming new tools!
Fuzz testing

Page 3: Security Engineering And Communications

Microsoft Security Response Center (MSRC)
  Primary interface with security research community
  Software Security Incident Response Process (SSIRP)
Secure Windows Initiative (company-wide)
  Training for developers and partners
  Security Milestones in the development process
  Attack and Penetration teams
  Final Security Reviews
Strategy and Policy
  Security Development Lifecycle
  Councils, Buddy programs, etc.
  CERT, CSIRT interface, other government initiatives, including Common Criteria
  Windows Privacy (phishing, spam, etc.)

Page 4: The Security Development Lifecycle (SDL)

Security best practices in Microsoft
Provides guidance within established development processes
  Design considerations
  Creating effective security plans
  Leveraging tools across the development cycle
Better than simply hunting for bugs

SDL phases (diagram on the slide): Requirements, Design, Implementation, Verification, Release, Response

Page 5: The Threat Modeling Tool

Page 6: What is Threat Modeling?

A process to understand and document security threats to a system that:
  Closely simulates an adversary's thought process
  Will describe the system's threat profile
  Allows the security of the system to be characterized
  May find vulnerabilities

Page 7: Key Concepts

The threat profile is an enumeration of adversary goals
A threat is not a vulnerability, and the point of a threat model is more than just finding vulnerabilities
Threats justify security features and secure coding guidelines

Page 8: Key Concepts

A system is anything that exposes functionality to an end user:
  Single feature
  Shipping product
  Web application and its supporting infrastructure
  Etc.

Page 9: Threat Modeling Tool

Provides structure to a threat model document
Lists all of the key areas for consideration
Links assets, threats, and vulnerabilities for easier prioritization
Saves as XML for portability

Page 10: Visual Studio Compiler Options

Page 11: What Is A Buffer Overrun?

Buffers are blocks of memory, usually in the form of an array
When the size of an array is not verified, it is possible to write outside the allocated buffer
If such an action takes place in memory addresses higher than the buffer, it is called a buffer overrun
A buffer overrun that injects code into a running process is referred to as an exploitable buffer overrun

Page 12: What Is A Buffer Overrun?

The ability to arbitrarily corrupt memory
  Overflows lead to arbitrary code
  Underflows lead to denial of service
Problem is usually isolated to C and C++

Memory diagram on the slide, one 32-bit word per row: 00 00 00 00 / 00 00 00 00 / 2A 00 00 00, the last row being x = 42 (0x2A) stored next to the zip buffer.

```c
#include <stdio.h>
#include <string.h>
void show_zip(const char *userinput) {
    int x = 42;               /* sits next to zip on the stack: 2A 00 00 00 */
    char zip[6];
    strcpy(zip, userinput);   /* no length check: a long userinput overruns zip into x */
    printf("x = %i\n", x);    /* no longer prints 42 once zip has been overrun */
}
```

Page 13: Types Of Exploits

Stack smashing
Register hijacking
Local pointer subterfuge
V-Table hijacking
C++ EH clobbering
SEH clobbering
Multistage attacks
Parameter pointer subterfuge

Stack frame diagram labels: Previous function's stack frame; Return address; EH frame; Callee save registers; Garbage; Local variables and locally declared buffers; Frame pointer; Function arguments

Page 14: Visual Studio Security Options

/GS
  A "speed bump," or cookie, between the buffer and the return address. When the function exits, the cookie is checked
  Helped lower Blaster impact on Win 2003
/SAFESEH
  Created in response to CodeRed
  Verifies the exception handler

Page 15: Stack Layout In VC++ 2003

Stack frame diagram labels: Previous function's stack frame; Return address; EH frame; Callee save registers; Garbage; Frame pointer; Function arguments; Cookie; Local variables; Locally declared buffers

Function prolog:

```asm
sub  esp,24h                                       ; reserve 24h bytes of locals
mov  eax,dword ptr [___security_cookie (408040h)]  ; load the per-process cookie
mov  dword ptr [esp+20h],eax                       ; store it in the highest local slot, right below the return address
```

Function epilog:

```asm
mov  ecx,dword ptr [esp+20h]                       ; reload the cookie from the frame
add  esp,24h                                       ; tear down the locals
jmp  __security_check_cookie (4010B2h)             ; compare against __security_cookie; mismatch aborts before ret
```
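The C model below is an added example, not code from the deck: it lays out a local buffer, a cookie and a return address in the order the /GS prolog above creates, runs the slide's unchecked strcpy-style copy into the buffer, and then performs the __security_check_cookie comparison from the epilog. The model_frame struct, the cookie value, the return address and the inputs are all constructed for the example; because writing past a real C array is undefined behaviour, the overrun is modelled as a copy into the frame's own bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a /GS stack frame, lowest address first: the local
 * buffer, then the cookie, then the saved frame pointer and return address.
 * A linear overrun has to pass through the cookie before it can reach the
 * return address, which is exactly what the epilog check relies on. */
#define ZIP_LEN 6
typedef struct {
    char zip[ZIP_LEN];          /* locally declared buffer (lowest address) */
    char pad[2];                /* alignment padding, part of the "garbage" region */
    uint32_t cookie;            /* copy of __security_cookie placed by the prolog */
    uint32_t saved_ebp;         /* frame pointer */
    uint32_t return_address;    /* what an overrun would ultimately overwrite */
} model_frame;

/* Constructed per-process cookie; the real one is randomized at load time. */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Models the prolog on the slide: store the cookie between buffer and return address. */
static void prolog(model_frame *f, uint32_t return_address) {
    memset(f, 0, sizeof *f);
    f->cookie = security_cookie;
    f->saved_ebp = 0x0012FF80u;          /* constructed sample value */
    f->return_address = return_address;
}

/* The slide's unchecked strcpy(zip, userinput), modelled as a copy into the
 * frame bytes so the overrun stays inside this object (strcpy past a real
 * array is undefined behaviour). No length check: long input runs past zip. */
static void vulnerable_copy(model_frame *f, const char *userinput) {
    size_t n = strlen(userinput) + 1;    /* includes the terminator, like strcpy */
    if (n > sizeof *f) n = sizeof *f;    /* stop at the end of the model only */
    memcpy((unsigned char *)f, userinput, n);
}

/* Models __security_check_cookie in the epilog: nonzero means the frame is intact. */
static int epilog_check(const model_frame *f) {
    return f->cookie == security_cookie;
}

/* Runs one input through the vulnerable function; returns 1 if the /GS check
 * would fire (cookie smashed) and 0 if the copy never reached the cookie. */
int overrun_detected(const char *userinput) {
    model_frame f;
    prolog(&f, 0x004010B2u);             /* constructed return address */
    vulnerable_copy(&f, userinput);
    return epilog_check(&f) ? 0 : 1;
}

/* The fix: refuse input that does not fit, so there is nothing for /GS to catch.
 * Returns 0 on success and -1 when the input would not fit in zip[ZIP_LEN]. */
int safe_copy_accepts(const char *userinput) {
    model_frame f;
    size_t n = strlen(userinput);
    prolog(&f, 0x004010B2u);
    if (n >= ZIP_LEN) return -1;         /* leave room for the terminator */
    memcpy(f.zip, userinput, n + 1);
    return 0;
}

int main(void) {
    const char *ok  = "98052";                        /* five digits plus NUL fit in zip[6] */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";     /* constructed 24-byte overrun */
    printf("short input: cookie %s\n", overrun_detected(ok) ? "smashed" : "intact");
    printf("long input:  cookie %s\n", overrun_detected(bad) ? "smashed" : "intact");
    printf("bounded copy of long input: %d\n", safe_copy_accepts(bad));
    return 0;
}
```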

Page 16: FxCop

Page 17: FxCop

A static code analysis tool that examines managed assemblies for design and code correctness issues
Console and graphical applications that manage:
  Targets (items for analysis)
  Rules (checks to execute)
  Messages (feedback from rules)
A general infrastructure for writing checks against managed code

Page 18: Benefits

FxCop helps create:
  More consistent API, easily discoverable via help, IntelliSense, etc.
  Better performance in code
  More secure applications
  Fewer globalization and COM/cross-language interoperability issues
  Increased understanding of .NET Framework
Extends compiler-provided checks

Page 19: FxCop and Security

Current version (1.30) has 21 security rules
Examples of security rules:
  Fields that are arrays should not be read-only
  Link demand security checks on types do not prevent access to the type's fields
  Security checks on value-type constructors do not prevent the value type from being instantiated

Page 20: FxCop Security Rules

Page 21: The Windows Application Verifier

Page 22: Windows Application Verifier (AppVerifier)

Provide developers with tools and knowledge used in Windows development
A testing infrastructure to detect run-time issues in Win32 applications
Targeted towards developers and QA teams with debugging knowledge

Page 23: Benefits

Significantly reduces debugging time detecting:
  Memory corruptions
  Hangs
  Security issues
Reduces crashes
  67.8% of 3rd party user mode crashes could have been detected using the AppVerifier
Aids in Logo/Certification testing
  Non-administrator scenarios
  Resource management
  Version checking

Page 24: Security And The AppVerifier

Enable the SecurityChecks Test
  Insecure API usage
  Misuses of CreateProcess
Interactive services
  Many server applications are vulnerable to "Shatter" attacks
  Potentially allows an interactive user to get the privileges of a service running as LOCAL_SYSTEM
  Removed from Longhorn completely
Weak security descriptor usage
  Granting EVERYONE_WRITE access to a file or registry key is an opportunity for elevation of privilege
  Creating an object with a NULL DACL at any time is a security issue

Page 25: The Application Verifier

Page 26: Advanced Technique: Fuzzing

Page 27: What Is Fuzzing?

Fuzz testing is a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces
Inputs include:
  Files
  Network ports
  APIs
Based on the analysis of a number of software security vulnerabilities uncovered in the past, the belief is that a large percentage of them could have been found by doing fuzz testing

Page 28: What Is Fuzzing?

Fuzzing is a variation of negative testing
Specific characteristics:
  High volume of testing (using multiple variations and test passes)
  Fuzz testing is generally automated
  Finds many problems related to reliability, many of which are potential security holes
  Fuzz testing does not typically validate proper reaction to invalid data

Page 29: Benefits

Easily automated
Doubles as robustness testing
Exercise more failure cases in code
Finds LOTS of bugs

Page 30: Methodology

Dumb vs. Smart
  Dumb fuzzing generates data with no regard to the format
  Smart fuzzing requires knowledge of the data format or how the data is consumed
Generation vs. Mutation
  The generation technique creates new files from scratch
  The mutation technique transforms a sample input file to create a new one
Most fuzzing tools are a mix of each approach

Page 31: Measuring And Triaging

Measuring
  Reliability metrics: MTTF (Mean Time To Failure), MTBF, failures per 1K variations
  Code coverage delta
Triaging
  Crash means input can divert program flow
  Figuring out exploitability is expensive
  Just fix it!
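The harness below is an added example, not tooling from the deck: a dumb, mutation-based fuzzer in the sense of pages 30 and 31. It applies random byte edits to a constructed sample file with no knowledge of the format, feeds every variation to a toy parser that trusts its length byte, and reports the failures-per-1K-variations metric; the "ZR" record format, the parser, the sample and the xorshift generator are all constructed for this example, and the parser is instrumented to return a fault code where real code would over-read or overrun.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy file format for this example: "ZR" magic, one length byte, then
 * that many name bytes. The parser trusts the length byte (the defect) and is
 * instrumented to report the fault instead of corrupting memory. */
#define NAME_MAX 16
enum { PARSE_OK = 0, PARSE_REJECT = 1, PARSE_FAULT = 2 };

int parse_record(const uint8_t *buf, size_t n) {
    char name[NAME_MAX];
    if (n < 3 || buf[0] != 'Z' || buf[1] != 'R') return PARSE_REJECT; /* shallow path: bad magic */
    size_t len = buf[2];
    if (len > n - 3 || len > sizeof name) return PARSE_FAULT; /* real code would copy anyway */
    memcpy(name, buf + 3, len);
    return PARSE_OK;
}

/* Dumb mutation fuzzing: random byte edits on a sample file with no knowledge of
 * the format. xorshift32 keeps every campaign reproducible from its seed. */
#define MAX_LEN 64
static uint32_t rng_state;
static uint32_t rnd(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* Apply one to four random edits to buf (current length n); returns the new length. */
static size_t mutate(uint8_t *buf, size_t n) {
    unsigned edits = 1 + rnd() % 4;
    while (edits--) {
        size_t i = rnd() % n;
        switch (rnd() % 4) {
        case 0: buf[i] ^= (uint8_t)(1u << (rnd() % 8)); break;   /* bit flip */
        case 1: buf[i] = (uint8_t)rnd(); break;                   /* random byte */
        case 2: if (n < MAX_LEN) {                                /* insert a byte */
                    memmove(buf + i + 1, buf + i, n - i); buf[i] = (uint8_t)rnd(); n++;
                } break;
        default: if (n > 1) { memmove(buf + i, buf + i + 1, n - i - 1); n--; } break; /* delete */
        }
    }
    return n;
}

/* Constructed sample input: a well-formed record with a 12-byte name. */
static const uint8_t sample[] = "ZR\x0c" "Redmond, WA.";

/* Run `variations` mutated inputs through the parser and count those ending in `outcome`. */
unsigned campaign_count(unsigned variations, uint32_t seed, int outcome) {
    unsigned hits = 0;
    rng_state = seed ? seed : 1u;            /* xorshift must not start from zero */
    for (unsigned v = 0; v < variations; v++) {
        uint8_t buf[MAX_LEN];
        size_t n = sizeof sample - 1;        /* drop the string terminator */
        memcpy(buf, sample, n);
        n = mutate(buf, n);
        if (parse_record(buf, n) == outcome) hits++;
    }
    return hits;
}

/* The slide's reliability metric: failures per 1K variations. */
unsigned failures_per_1k(unsigned variations, uint32_t seed) {
    return variations ? campaign_count(variations, seed, PARSE_FAULT) * 1000u / variations : 0;
}

int main(void) {
    printf("faults per 1K variations: %u\n", failures_per_1k(2000, 7u));
    printf("rejected at magic: %u of 2000\n", campaign_count(2000, 7u, PARSE_REJECT));
    return 0;
}
```

Variations rejected at the magic check never reach the length handling, which is the cost of dumb fuzzing that smart (format-aware) fuzzing avoids; the code coverage delta on the slide is the metric that exposes it.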

Page 32: Upcoming New Tools

In .NET Framework 2.0 / VS 2005:
  PreFast
    Source code static analysis
    Has security checks, such as buffer overrun detection, etc.
  PermCalc
    Static binary analysis for managed code
    Calculates .NET permissions needed for .NET assemblies to run
Integrated into Visual Studio

Page 33: Call To Action

Raise the bar for security in your own applications
Adopt these tools in your development
Consider adding additional security best practices from "Writing Secure Code"
Provide feedback on the tools:
  Bug reports
  Feature requests

Page 34: General Security Resources

General: http://www.microsoft.com/security
XP SP2 Resources for the IT Professional: http://www.microsoft.com/technet/winxpsp2
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools
How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics: https://www.microsoftelearning.com/security
Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx

Page 35: Additional Documentation

Writing Secure Code: http://www.microsoft.com/MSPress/books/5957.asp
Threat Modeling: http://www.microsoft.com/MSPress/books/6892.asp
Threat Modeling Online: http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
Compiler Security Checks In Depth: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp

Page 36: FxCop Resources

http://www.gotdotnet.com/team/fxcop/
  FxCop download site/bulletin board
  FxCop docs and rule topics
Support: [email protected]

Page 37: AppVerifier Resources

Download site: http://www.microsoft.com/windows/appexperience
Newsgroup: microsoft.public.win32.programmer.tools
http://msdn.microsoft.com/newsgroups/managed

Page 38: Questions?

We want your feedback!

Page 39: © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.