Microsoft Security Fundamentals - PowerPoint PPT Presentation

About This Presentation

Title:

Microsoft Security Fundamentals

Description:

Microsoft Security Fundamentals Andrew Cushman EUSecWest - London February 20, 2006 Intro Who am I? Director of Security Community Outreach to Community Community ... – PowerPoint PPT presentation

Number of Views:253

Avg rating:3.0/5.0

Slides: 36

Provided by: AndrewC63

Category:

more less

Transcript and Presenter's Notes

Title: Microsoft Security Fundamentals

1
Microsoft Security Fundamentals

Andrew Cushman
EUSecWest - London
February 20, 2006

2
Intro Who am I?

Director of Security Community
Outreach to Community
Community Advocate w/in Microsoft
16 year MS veteran
Enabled for Code Red and Nimda
Rejected MSADC vdir defaults change for IIS5
Responsible for IIS 6 security
Engineering Group manager for IIS6
Hired _at_stake for Pen Test engagement

3
Agenda Why am I here?

To show our work the MS security fundamentals
Brief review how we got here
Describe the holistic approach the security
lifecycle
Specifics customer requirements our solutions
3 things I want you to take away
MS understands the industry wide security problem
And that Security requires industry wide
solutions
MS delivering excellent results
Maybe not perfect, but reasonable and industry
leading
MS committed to the long term security
investments
Security is a journey - its not a destination

4
Brief History

MSRC creation and early years
SWI (Secure Windows Initiative)
2 guys in their spare time
TwC memo from Chairman Bill
Code Red, Nimda, Blaster, Slammer
Security Community Outreach (03 party at Black
Hat)
XPsp2

5
Todays Changed Ecosystem

Security Industry Matures
Expanding number of tools experts researchers
low barrier to entry attracts new entrants
More researchers more areas lots more bugs
Criminal element fueling new actions patterns
AdWare and SpyWare
The rise of botnets and botherders
Attacks are constant and targeted
Move toward targeted attacks
News reports of corporate and government
espionage
Still on the upswing
unlimited researcher creativity new attack
surface
new class of attacks and new vectors

6
The Changing Ecosystem
Indictments were filed by an Israeli prosecutor
against nine men in the industrial espionage case
that involved planting Trojan horses on rival
companies' computers to spy out their secrets.
Security experts have revealed details about a
group of Chinese hackers who are suspected of
launching intelligence-gathering attacks against
the U.S. government.
Alan Paller, SANS Institute in ZDNet November
23, 2005
InformationWeek July 8, 2005
Foreign governments are the primary threat to
the U.K.'s critical national infrastructure
because of their hunger for information, a
British government agency said.
Roger Cummins NISCC Director in ZDNet November
22, 2005
7
Top Security Challenges

Security Researchers ISVs at odds
Customers safety is a common goal, but
Disagreement on tactics
Security Researchers distrust Software ISVs
No consensus on Responsible Disclosure
Differing views of benefit of Exploit code and
PoC
Changed economic landscape
Attribution in Bulletins losing value in new
economy
Vulns have value in an above ground economy
Changed Threat Landscape
Shrinking delta btw publish and exploitation
Vuln Full Disclosure increases customer risk

8
Security Focus Microsoft Corporation
Vision

A secure platform strengthened by security
products, services and guidance to help keep
customers safe

Excellence in fundamentals
Security innovations

Scenario-based content and tools
Authoritative incident response

Awareness and education
Collaboration and partnership

9
Technology Investments
10
Security Engineering Communications

The Security Fundamentals Group at Microsoft
One team responsible for Microsofts
Security Development Lifecycle
Security Engineering (Eng. Standards)
Penetration Testing (Stds. Enforcement)
Security Response Updates
Emergency Incident Response
Community Outreach

11
Security Focus Sec Fundamentals Group
Vision

Embed Industry leading Security in the Microsoft
development culture and in every MS product and
service

Cutting edge Research - /GS
Heap mitigations
Fuzzing
Analysis Tools
Patchguard

Internal Training
SWI KB
SDL article on MSDN
MSRC Bulletins
Security Advisories
Conf. Presentations

Conf. sponsorship
CERT collaboration
GIAIS (ISPs)
VIA (Virus ISVs)
BlueHat

12
Security Development Lifecycle
Design
Response
Requirements
Implementation
Verification
Release
Guidelines

Best Practices
Coding Standards
Final Security Review
(
FSR
)
Security
Testing based on threat
Review threat models
Response
models
Feedback loop
Penetration Testing
Tool usage
-
Tools
/
Archiving of Compliance Info
Product Inception
Processes
Threat Modeling
Assign resource
-
Postmortems
Models created
Security Docs

Security plan
-
SRLs
Mitigations in design
Security Push
Tools
and functional specs
Security push training
Customer deliverables
Design
Review threat models
for secure deployment
Design guidelines applied
RTM

Review code
Security architecture
Deployment
Attack testing
Security design review
Signoff
Review against new threats
Ship criteria agreed upon
Meet signoff criteria
13
Security Development Lifecycle

Defines security requirements and milestones
MANDATORY if exposed to meaningful security risks
Requires response and service planning
Includes Final Security Review (FSR) and Sign-off

Mandatory annual training internal trainers
BlueHat external speakers on current trends
Publish guidance on writing secure code, threat
modeling and SDL as well as courses

In-process metrics to provide early warning
Post-release metrics assess final payoff ( of
vulns)
Training compliance for team and individuals

14
SDL and Microsoft Products

SDL applies across Divisions and Businesses
Defines Incident Response Patch Requirements
and Guidelines
Defines Engineering Requirements and Guidelines
Validation to ensure standards are met
Final product security profile combines
Customer requirements
Deployment and Usage requirements and
Security Requirements
SDL in practice takes on the personality of the
Product
IE looks different than Windows Defender
Products must pass Final Security Review to ship
Were paying attention to the what the community
tells us

15
Feedback from the Community

You might have a wee problem w/ file parsers
MS04-011 EMF, WMF
MS04-025 GIF, BMP
MS04-041 WordPad DOC Converters
MS05-002 3 ANI
MS05-005 DOC
MS05-009 PNG
MS05-012 OLE/COM
MS05-014 CDF
MS05-018 Fonts
MS05-020 MSRatings .RAT
MS05-023 DOC
MS05-025 PNG
MS05-025 PNG
MS05-026 .ITS
MS05-036 9 ICM (JPG,PNG,BMP)

16
Windows Vista Security Approach

Stop playing catch up - find fix before ship
Automate proven techniques
parser fuzzing,
banned api removal
tools
Methodically Apply Security expertise on whole
product
Attack Surface Reduction, Service Hardening
Feature reviews
Penetration testing
Defense in Depth Mitigations
new GS, heap improvements, etc

17
Security Engineering in Windows Vista
Central PREfix (etc) runs
18
Vista Security Review Overall Approach
Feature Reviews
Penetration Testing
Special Projects
19
Microsoft Security Training Courses

2003 - Security Basics was the only class
2006 Expanded General discipline specific
offerings
Introduction to the SDL and FSR Process
Basics of Secure Software Design, Development,
and Test
Threat Modeling
Security for Management
Classes of Security Defects
Defect Estimation and Management
Developers
Secure Coding Practices
Security Code Reviews
Testers Program Managers
Introduction to Fuzzing
Implementing Threat Mitigations
Time-tested Security Design Principles
Attack Surface Reduction and Analysis
2007 and beyond Continual and Ongoing effort

20
Education resources
21
BlueHat Conference Training
Training for Execs and Engineers

March 05
Dino Dai Zovi Shane McAuley
Matt Conover
HD Spoonm
Dug Song
Dan Kaminsky

October 05
Skape
Vinnie Liu
Dave Maynor
Brett Moore
Toolcrypt

22
Windows Vista Quality Gates

Many SDL recommended best practices become
required engineering tasks in Vista
Banned API removal
Over 250,000 removed
No incoming code uses these APIs
SAL for ALL headers
ISVs will get benefit in Platform SDK
Over 119,000 functions annotated by the time we
ship
No incoming code missing SAL
Banned crypto removal
ALL new features required threat model along with
Design, Spec, and Test Plan up front
Thousands of threat models
Central Privacy team and Privacy Quality Gate

23
Windows Vista Quality Gates cont

120 functions banned
Use StrSafe or SafeCRT
Mandatory use of IntOverflow PREfast extension
Prohibit executable pages
Writable/Shared PE segments banned
Newer versions of FxCop and AppVerif required
Firewall policy created
The bar to open a port is very high
Over John Lamberts dead body ?
Prohibit use of APTCA without deep security
review
Banned DES, RC2, SHA1, MD4 and MD5 for new code
Crypto Board created

24
A Note on SAL

The most important quality tool we have
No-one else uses this kind of technology
Helps source code anaylsis tools find bugs

char fgets(__out_ecount_z(_MaxCount) char
_Buf, __in int _MaxCount, __inout FILE
_File) __checkReturn errno_t
tmpfile_s(__deref_opt_out FILE _File)
__checkReturn Must check return
value __out_ecount_z(n) Outbound null-term
string of len n __in Readonly inbound
argument __inout RW arg, by reference __deref_opt
_out Must deref OK, optional, not null-term
25
Service Hardening

Write restrictions
Restrict which resources are write-able
Define privs you need
SCM grants ONLY those privs regardless of account
Per-service SID
ACL object so only your service can access them
Network restrictions
You describe Vista enforces network access
policy
Eg foo.exe can only open port TCP/123 inbound
ActionAllowDirInLPORT123Protocol17AppSy
stemRoot\foo.exe
If foo.exe has a bug, the rogue code cannot make
outbound connections

26
Vista and LH Server Defenses

UAC User Account Control
Standard User Lower Privileged Account
Elevate via UI prompt or control via policy
Mitigates threats but not absolute security
Process Isolation Challenges
UI Tampering Secure desktop design change just
approved
Registered Window Message
MIC
Patch Guard and Malware defenses
Numerous heap defenses
Metadata encoding integrity checks,
randomized, encoded internal ptrs,
LowFrag heap used more,
algorithm changes based on usage,

27
A Note on Vista Fuzzing

Using numerous internally-built fuzzers
Filefuzzer, FCL, MiddleMan, Rogue, RPCFuzz
instrumented apps
To date
Central team focus only on Fuzzing
Fuzzed 90 parsers with over 61 million malformed
files
By the time we ship
Fuzz over 200 parsers with over 1 billion
malformed files

28
Feature Reviews Pen Testing

Validation in 3 different ways
Features prioritized using multiple risk factors
Internet facing, capable of generating Critical
vuln, etc
Feature Reviewer meets w/ product team analyzes
threat models, design, attack surface
output is bugs, design changes mitigations
Weak areas referred for deeper inspection
A Deeper Look
Targeted review of implementation
Full Blown Pen Test
Feature requires in depth multi-week engagement

29
Security Response Process
30
Security Response
SSIRP Incident Response
Monthly Response Process

Observe the environment
Watch for triggers
Know when something needs response

Evaluate severity, mobilize
Engineering and analysis
Industry Relationship partners
Communications
Legal and Law Enforcement

Deep analysis including malware teardown
Workarounds, solns and tools
Law Enforcement
Communications

Communications
Lessons learned

31
Case Study WMF Background

First noticed on newsgroup December 27.
Immediate escalation to SSIRP Operations Leads
and first responders.
Immediate escalation to Orange SSIRP

Watch (Dec 27)

Teams assembled
Immediately began monitoring for customer impact
Immediate outreach to security partners to assess
initial impact

Alert Mobilize (Dec 27)

Attack analysis and projection
Coded fix and started testing
Intervention partner outreach esp. AV, CERT
PSS customers
Multiple Advisories published including effective
workaround
Site research and aggressive takedown activity
Extensive field outreach Extensive press and PR
response
Test Pass completed early Released ahead of
published schedule

Assess Stabilize (Dec 27-Jan 5)

Post Mortem Completed
Improvements to internal communication process
flow
Early and Aggressive engagement of all product
teams

Resolve (Jan 5 - present)
32
WMF case study from fix to release

Coding the Fix
The team isolated the bug quickly
Built update, Smoke tested and then deliver to
test team
Functional / Regression testing
More than 450,000 individual GDI/User test cases
Approximately 22,000 hours of stress
Over 125 malicious WMFs verified to be fixed by
the update
Over 2,000 WMFs from our image library analyzed
Approximately 15,000 Printing specific variations
run 2,800 pages verified
Application Compatibility Testing
Over 400 Applications tested
Across all 6 supported Windows platforms
Security Update Validation Program
For broad coverage of LOB application
compatibility and deployment
International coverage
Deployment tools
MBSA 1.2, MBSA 2.0, Microsoft Update/Windows
Update, AutoUpdate, Software Update Service
(SUS/WSUS), SMS