
Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft


Presentation Transcript


  1. Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft
  Crispin Cowan, PhD, Senior PM, Windows Security, Microsoft

  2. Crispin Who?!
  • CS Prof at Oregon Graduate Institute 1995-2000
  • Invented StackGuard
    • Stack canaries
    • Copied by ProPolice, -fstack-protector in GCC
    • Independently invented by Microsoft: /GS
    • Now protecting nearly all x86 code on the planet
  • Founded Immunix, Inc.
    • Largest security Linux distro
    • Acquired by Novell in 2005
    • Produced AppArmor: standard on SUSE, Ubuntu, and Mandriva

  3. Crispin Who?!
  • Often vocal Microsoft critic
    • E.g. “Virus problem, and consequent AV industry, is purely Microsoft’s fault”
      • Mail clients that auto-execute embedded scripts
      • Document editors (Office) that auto-execute embedded scripts
      • Removable media that auto-execute
      • Run it all as root, i.e. Administrator
      • What do you really expect?!

  4. Crispin Joins Microsoft in 2008
  • What! What! What!?
  • Has Hell opened a ski resort?
  • No, not really
  • This talk is about my experience at Microsoft as a long-time Linux guy
  • It’s really different …
  • … and not so different, really

  5. Talk Outline
  • Comparing code security between Open Source and Microsoft
  • Comparing operating systems between Linux and Windows
  • Comparing communities between Open Source and Microsoft

  6. Comparing Security

  7. Theoretical Open Source Security
  • “Many eyes make all bugs shallow” – ESR
    • If many people look at code, from many perspectives, then surely someone will find most of the bugs
  • You can audit and fix your own code
    • If there is a bug in some software you use, then you can fix it yourself
    • Feed the fix back upstream
    • Share and enjoy
  • “You can apply security tools” – Crispin
    • Such as StackGuard, ITS4, RATS, etc.

  8. Theoretical Microsoft Security
  • “Microsoft is an evil monopoly, doesn’t have to care”
    • No need to fix security
  • “Microsoft cares more about features than security”
    • Bloated software, full of bugs
  • “Closed source means they can hide embarrassingly bad code”
    • And there’s nothing you can do about it

  9. Reality: Open Source Security
  • Many eyes make bugs shallow, but only if they actually look
    • A few projects, e.g. the Linux kernel, get deep inspection
    • Vast majority of OSS never gets examined
    • Bugs are rife, and last for years
      • E.g. Debian SSL keys
  • You can fix your own code, but no one does
    • Enterprise users of OSS rely on supported software, don’t dare touch it
  • You can apply security tools, but no one does, see above

  10. Reality: Microsoft Security
  • Microsoft security really did suck …
    • (because security was not the priority)
  • … until the 2002 Memo
    • Microsoft halted the entire software production line for everyone to go learn how to code securely
    • Cost over $200M in wages for the whole company for that month; serious investment

  11. Reality: Microsoft Security
  • Consider Microsoft SQL
    • 2003: The Slammer/Sapphire Worm
      • Single UDP datagram buffer overflowed the SQL server, caused it to start scanning the internet and sending more infection packets
    • 2004: Microsoft SQL one of the first applications to go through SDL
      • A single vulnerability since 2004
      • Including zero vulnerabilities in a .0 release for two years
    • MySQL: 12 vulnerabilities in 3 years
  • Times have changed …

  12. Reality: Open Source Security
  • Consider my Sardonix project
    • Try to motivate proper security auditing of source code using a Slashdot-inspired rating system
    • Audit more code, and do it well, earn a better reputation
  • Result? Squat: the only audits turned in were from David Wagner’s security class
  • Security audits are tedious, difficult, exacting work requiring lots of expertise
    • You can only get people to do it by paying them

  13. Reality: Microsoft Security
  • Microsoft does pay people to audit software
    • Lots and lots of people
    • Armies of contractors for external review of big products around ship time
    • Full-time staff do both internal design and code audits of everything that ships
    • Anything with a vulnerable attack surface requires mandatory fuzzing before it gets to ship
  • And it shows: bug density in Microsoft products is way down from the bad old days of 2000
    • And far below the bug density of any OSS

  14. Security Development Lifecycle: How Successful is SDL Analysis?
  • IIS 6 has had only 5 exploits since March 2003 (its release date)
    • http://secunia.com/product/1438
    • Not a single, major public attack
  • Apache web server has had over 33 exploits in the same time period

  15. Security Development Lifecycle: How Successful is SDL Analysis?
  • Vista’s 1-year period vs. XP’s 1-year period

  16. Security Development Lifecycle: How Successful is SDL Analysis?
  • Vista’s 1-year period vs. XP’s 1-year period

  17. Security Development Lifecycle: How Successful is SDL Analysis?
  • Windows vs. major competitors

  18. Security Development Lifecycle: How Successful is SDL Analysis?
  • IE vs. competitors

  19. Security Development Lifecycle: How Successful is SDL Analysis?
  • IE vs. competitors

  20. Security Development Lifecycle: How Successful is SDL Analysis?
  • IE vs. competitors

  21. Comparing Operating Systems

  22. Funny Thing About Software …
  • … it turns out to be less flexible than hardware
    • Intel Core II Duo has very little to do with a 386SX
    • Windows still supports APIs from the early 1990s
  • The value of Windows is the rich application base
    • That application base exists because of continuous backward compatibility
    • Many of these applications are actually dependent on legacy Windows bugs
  • Don’t get to change the Windows architecture

  23. Some Problems in the Windows Architecture
  • Heavy reliance on thread injection
    • One application on the desktop can inject a thread into another application
    • Execute arbitrary code in another application’s address space
    • Used enough that you don’t get to block it, or it might break app compat
  • Windows messages
    • Millions of them
    • Any access control check on Windows messages must be blazing fast -> can’t do anything complex

  24. Some Problems in the Windows Architecture
  • Impersonation
    • Many services have the impersonation privilege
    • Used so they can impersonate a client identity and do stuff on behalf of the client
    • Obvious security problems, highlighted in great detail by Cesar Cerrudo’s Token Kidnapping work

  25. Some Problems in the Windows Architecture
  • Massive dependence on Administrator privilege
    • Way back in NT 3.51 time, Microsoft chose to port the win32 environment to NT
      • To get that very valuable application base for NT
    • Problem: Win16 and Win32 (Win 3.1, Win95) have only a single privilege level
      • All code that runs has command of the entire machine
    • Result: default user on NT, Win2K, and XP is Administrator (root)
      • All the fancy security features in the NT kernel are effectively disabled

  26. Fixing Administrator
  • You could just change Windows
    • Make the default account a Standard User without Administrator privilege
    • But that would (you guessed it) break app compat
  • Fixing dependence on Administrator is what UAC is all about
    • UAC is really just sudo
    • Functions in Windows as training wheels for switching to Standard User some day
    • Allows broken apps that need Administrator to be used in a semi-unprivileged context

  27. “But UAC Sucks! Everyone Knows That …”
  • It isn’t UAC per se that is sucking
  • Moving the Windows application base to non-privileged operation is a painful, drawn-out process
    • If you were barefoot your whole life, hiking boots would not be comfortable, even if you were about to cross a field of broken glass
  • UAC doesn’t suck, it is the applications that abuse privilege that suck

  28. Remember … abuse Privilege

  29. UAC Suckage …
  • UAC sucks less than you might think
    • 88% of users leave UAC enabled
  • Trend is improving over time … slowly
    • 50% of user sessions were prompt free at Vista RTM in 2006
    • 65% in Vista SP1 today for consumers
    • 80% in Vista SP1 for enterprise users

  30. Some Problems in the Linux Architecture
  • The UNIX/Linux process model is mostly sound
    • At least has two levels of privilege
  • Except for ptrace
    • Complex semantics, often broken
    • Allows any process to debug any other process owned by the same user
      • E.g. all of root, or all of your desktop
    • Saving grace: ptrace only really used for debugging, so you can block it
    • AppArmor and SELinux do block it
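A defender’s illustration of the same-user ptrace problem on this slide, added here and not from the talk: on Linux a process can mark itself non-dumpable with prctl(PR_SET_DUMPABLE, 0), and the kernel’s ptrace permission check then refuses PTRACE_ATTACH from any process that lacks CAP_SYS_PTRACE, even one running as the same user. This is a per-process mitigation distinct from the AppArmor/SELinux policy approach the slide mentions; the function and variable names are this example’s own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
/* Mark the calling process non-dumpable: the kernel's ptrace access check
 * then refuses PTRACE_ATTACH from any process without CAP_SYS_PTRACE, even
 * one running as the same user. Returns 0 once the flag is confirmed set. */
int deny_same_user_ptrace(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}
/* Spawn an idle child (hardened or not) and try to attach to it as a
 * debugger would. Returns 0 if the attach succeeded, else the errno (EPERM
 * when refused). Root, AppArmor/SELinux or Yama ptrace_scope can change the
 * outcome, so callers should print the result rather than assume it. */
int attach_to_child(int harden)
{
    pid_t child = fork();
    if (child < 0) return errno;
    if (child == 0) {
        if (harden)
            deny_same_user_ptrace();
        for (;;)
            pause();                 /* idle until the parent kills us */
    }
    usleep(100000);                  /* give the child time to run prctl */
    int result = 0;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
        waitpid(child, NULL, 0);     /* wait for the attach-stop */
        ptrace(PTRACE_DETACH, child, NULL, NULL);
    } else {
        result = errno;
    }
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}
int main(void)
{
    printf("plain child: %d, hardened child: %d (EPERM is %d)\n",
           attach_to_child(0), attach_to_child(1), EPERM);
    return 0;
}
```

As an unprivileged user the plain child is attachable (0) and the hardened child is refused (EPERM); run as root both attach, which is exactly the "all of root" case the slide describes.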

  31. Some Problems in the Linux Architecture
  • The X11 security model … not so much
    • E.g. any desktop process can keylog any other desktop process
    • That is enough for any malware that makes it to your desktop to steal your password, root’s password, your credit card numbers, your social security number, etc.
    • Core problem: X11 server is a giant MUX with no access control, so everything on a desktop has co-mingled privilege
  • SELinux branch working on enhancing X11 security
    • Has been working on it for 3 years now …

  32. The Interesting Market Economies of Malware
  • In a competitive market of selling software, the #2 and #3 positions are still valuable
    • Can make money selling applications for Macintosh
  • In the competitive malware market, only #1 matters
    • Because “consumers” (victims) are not selecting anything, rather the attackers select the victims
    • Result: only economic to write malware for #1
  • Approximately no one attacks Linux or Mac
  • Approximately no one attacks Vista yet either, because XP is #1

  33. Comparing Communities

  34. Theoretical Linux Community
  • An open community of passionate experts
    • Open: anyone can join
    • Passion: everyone cares about Linux
    • Experts: everyone is convinced that they are right
  • Your job: convince everyone that you are right
    • Can lead to shouting

  35. Theoretical Microsoft Community
  • “Closed garden of clods who can’t code for beans and only care about money”
    • Bloated, baroque architecture
    • Mountains of bugs & vulnerabilities
    • Mountains of money

  36. Reality: Linux Community
  • Not so open: newbies are harshly treated
    • Shockingly hostile to women
      • Not overtly, you just are required to be willing to shout down detractors
    • Fail to conform to all the social norms, and you had better have asbestos shorts
      • God help you if you top-post
  • Passion: anyone who disagrees with your idea will tell you that “you don’t care about Linux”
  • Experts: everyone is an argumentative butt-head

  37. Reality: Microsoft Community
  • “Closed garden”: perhaps, but …
    • “Garden” is 100K people, so walls are very far away
    • Admission criteria to get hired not that different from the OSS hazing rituals: must show your worth
  • “Clods who can’t code”: No, it is priorities …
    • Before 2002: features and ship date
    • 2002-6: features and security
    • Future: trying to balance all three
  • Money: having money/resources is nice
    • Windows Security is bigger than all of SUSE combined

  38. My Changed Impression
  • Before I got here
    • Hmmm, Windows security seems to suck
    • I’ll go show them how it is really done …

  39. My Changed Impression
  • After I have been here for a while
    • Microsoft is stuffed with brilliant people
    • Almost every good idea I suggested not only has already been suggested, but had already been tried and failed, because for some stupid reason it couldn’t be done
    • The real work is to figure out how to break the app compat log jam, so you can add security without breaking app compat

  40. Academic Security
  • Received wisdom: security must be designed in at the start
    • Can’t retrofit security
  • This is for sissies
    • In theory, theory is just like practice, but in practice, it isn’t
    • Any chump can design a secure operating system from scratch
    • But retrofitting security is art
  • Retrofit security is what I did to Linux with StackGuard and AppArmor
  • Retrofit security is what I intend to do for Windows
    • Microsoft is hiring
    • Microsoft is always hiring good people

  41. Questions
  • Contact:
    • crispin@microsoft.com
    • crispin@crispincowan.com
    • http://crispincowan.com/
  • Feedback
    • http://feedback.shmoocon.org/
