Crispin Cowan, PhD Senior PM, Windows Security Microsoft Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft
Crispin Who?! • CS Prof at Oregon Graduate Institute 1995-2000 • Invented StackGuard • Stack Canaries • Copied by ProPolice, -fstack-protector in GCC • Independently invented by Microsoft /GS • Now protecting nearly all x86 code on the planet • Founded Immunix, Inc. • Largest security Linux distro • Acquired by Novell in 2005 • Produced AppArmor: Standard on SUSE, Ubuntu, and Mandriva
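What a StackGuard-style stack canary actually does, as an added example in C (not code from the talk, from StackGuard or from GCC): a simulated frame places the canary just above the local buffer, the "prologue" plants it, the "epilogue" checks it before returning, and an unchecked copy into the buffer is the bug under test. The frame layout, the function names and the choice of a terminator-style canary value are assumptions for the demo; the copy is capped at the frame size so the demonstration itself stays within defined memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (assumed layout for this demo): the local buffer
 * sits just below the canary, which in a real frame sits just below the
 * saved return address. An overrun of buf[] therefore hits the canary
 * before it can reach the return address. */
typedef struct {
    char     buf[16];
    uint32_t canary;
} frame_t;

/* Terminator-style canary of the kind StackGuard used: NUL, LF, EOF, CR.
 * Byte-oriented string copies stop at the NUL, so an overrun performed by
 * such a copy cannot rewrite the canary with its own value and keep going. */
#define TERMINATOR_CANARY 0x000aff0du

/* Emulates a function whose prologue plants the canary and whose epilogue
 * checks it before returning. The body performs an unchecked copy into
 * buf[] (the bug the canary is meant to catch). The copy is capped at
 * sizeof(frame_t) so the demo stays within defined memory; in a real frame
 * the overrun would continue into the return address.
 * Returns 1 if the canary is intact (the function may return) and 0 if the
 * epilogue check would have aborted the process. */
int canary_intact(const char *input, size_t len, uint32_t canary)
{
    frame_t f;
    f.canary = canary;                                /* prologue */
    size_t n = len > sizeof f ? sizeof f : len;
    memcpy(&f, input, n);            /* BUG under test: no bound on len */
    return f.canary == canary ? 1 : 0;                /* epilogue */
}

int main(void)
{
    const char ok[]   = "hello";
    const char full[] = "0123456789abcdef";           /* exactly 16 bytes */
    const char over[] = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes */
    printf("5 bytes : %d\n", canary_intact(ok,   5,  TERMINATOR_CANARY));
    printf("16 bytes: %d\n", canary_intact(full, 16, TERMINATOR_CANARY));
    printf("17 bytes: %d\n", canary_intact(over, 17, TERMINATOR_CANARY));
    printf("24 bytes: %d\n", canary_intact(over, 24, TERMINATOR_CANARY));
    return 0;
}
```

A 16-byte input fills the buffer exactly and leaves the canary intact; the 17th byte already changes it, which is the point: the check fires on the first byte that leaves the buffer, long before any control data is reached.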
Crispin Who?! • Often vocal Microsoft critic • E.g. “Virus problem, and consequent AV industry, is purely Microsoft’s fault” • Mail clients that auto-execute embedded scripts • Document editors (Office) that auto-execute embedded scripts • Removable media that auto-execute • Run it all as root/Administrator • What do you really expect?!
Crispin Joins Microsoft in 2008 • What! What! What!? • Has Hell opened a ski resort? • No, not really • This talk is about my experience at Microsoft as a long-time Linux guy • It’s really different … • … and not so different, really
Talk Outline • Comparing Code Security between Open Source and Microsoft • Comparing operating systems between Linux and Windows • Comparing communities between Open Source and Microsoft
Theoretical Open Source Security • “Many eyes make all bugs shallow” – ESR • If many people look at code, from many perspectives, then surely someone will find most of the bugs • You can audit and fix your own code • If there is a bug in some software you use, then you can fix it yourself • Feed the fix back upstream • Share and enjoy • “You can apply security tools” – Crispin • Such as StackGuard, ITS4, RATS, etc.
Theoretical Microsoft Security • “Microsoft is an evil monopoly, doesn’t have to care” • No need to fix security • “Microsoft cares more about features than security” • Bloated software, full of bugs • “Closed source means they can hide embarrassingly bad code” • And there’s nothing you can do about it
Reality Open Source Security • Many eyes make bugs shallow, but only if they actually look • A few projects, e.g. Linux kernel, get deep inspection • Vast majority of OSS never gets examined • Bugs are rife, and last for years • E.g. Debian SSL keys • You can fix your own code, but no one does • Enterprise users of OSS rely on supported software, don’t dare touch it • You can apply security tools, but no one does, see above
Reality Microsoft Security • Microsoft security really did suck … • (because security was not the priority) • … until the 2002 Memo • Microsoft halted the entire software production line for everyone to go learn how to code securely • Cost over $200M in wages for the whole company for that month; serious investment
Reality Microsoft Security • Consider Microsoft SQL • 2003: The Slammer/Sapphire Worm • Single UDP datagram buffer overflowed the SQL server, caused it to start scanning the internet and sending more infection packets • 2004: Microsoft SQL one of the first applications to go through SDL • A single vulnerability since 2004 • Including zero vulnerabilities in a .0 release for two years • MySQL: 12 vulnerabilities in 3 years • Times have changed …
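The Slammer pattern above, a datagram handler that trusts the packet's own length, beside a bounds-checked form, as an added example in C (not code from the talk or from SQL Server): the one-byte-opcode wire format, the NAME_MAX buffer size and the handler names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this demo (an assumption, not the real SQL
 * resolution protocol): one opcode byte followed by a NUL-free name. */
#define OPCODE_PING 0x01
#define NAME_MAX    32   /* fixed-size stack buffer in the handler */

/* "Before": the handler trusts the datagram length and copies blindly.
 * Any datagram longer than NAME_MAX + 1 bytes writes past name[]. */
int handle_unchecked(const uint8_t *pkt, size_t len)
{
    char name[NAME_MAX];
    if (len == 0 || pkt[0] != OPCODE_PING)
        return -1;
    memcpy(name, pkt + 1, len - 1);   /* BUG: no bound against sizeof name */
    name[len - 1] = '\0';
    return (int)strlen(name);
}

/* "After": every length derived from the packet is checked against the
 * destination before a single byte is copied; oversize input is rejected. */
int handle_checked(const uint8_t *pkt, size_t len, char *out, size_t out_len)
{
    if (out_len == 0 || len < 2 || pkt[0] != OPCODE_PING)
        return -1;
    size_t payload = len - 1;
    if (payload > out_len - 1)        /* leave room for the terminator */
        return -1;
    if (memchr(pkt + 1, '\0', payload) != NULL)
        return -1;                    /* embedded NUL: malformed name */
    memcpy(out, pkt + 1, payload);
    out[payload] = '\0';
    return (int)payload;
}

/* Build a constructed datagram: opcode byte plus name_len copies of 'A'.
 * Returns the datagram length, or 0 if it would not fit in buf. */
size_t build_ping(uint8_t *buf, size_t buf_len, size_t name_len)
{
    if (buf_len < name_len + 1)
        return 0;
    buf[0] = OPCODE_PING;
    memset(buf + 1, 'A', name_len);
    return name_len + 1;
}

/* Drive the checked handler with a constructed datagram of the given name
 * length; returns the handler's result, or -2 if the datagram could not be built. */
int try_checked(size_t name_len)
{
    uint8_t pkt[256];
    char out[NAME_MAX];
    size_t n = build_ping(pkt, sizeof pkt, name_len);
    return n ? handle_checked(pkt, n, out, sizeof out) : -2;
}

/* Same for the unchecked handler. Only call this with name_len < NAME_MAX:
 * anything larger is exactly the overflow the example is about. */
int try_unchecked(size_t name_len)
{
    uint8_t pkt[256];
    size_t n = build_ping(pkt, sizeof pkt, name_len);
    return n ? handle_unchecked(pkt, n) : -2;
}

int main(void)
{
    printf("8-byte name   : checked=%d unchecked=%d\n", try_checked(8), try_unchecked(8));
    printf("31-byte name  : checked=%d\n", try_checked(31));
    printf("32-byte name  : checked=%d (rejected: no room for NUL)\n", try_checked(32));
    printf("200-byte name : checked=%d (rejected)\n", try_checked(200));
    return 0;
}
```

The rejected 32-byte case is the off-by-one that bounds checks most often miss: the destination must hold the payload and its terminator, so the comparison is against out_len - 1, not out_len.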
Reality Open Source Security • Consider my Sardonix project • Try to motivate proper security auditing of source code using a Slashdot-inspired rating system • Audit more code, and do it well, earn a better reputation • Result? Squat; the only audits turned in were from David Wagner’s security class • Security audits are tedious, difficult, exacting work requiring lots of expertise • You can only get people to do it by paying them
Reality Microsoft Security • Microsoft does pay people to audit software • Lots and lots of people • Armies of contractors for external review of big products around ship time • Full-time staff do both internal design and code audits of everything that ships • Anything with a vulnerable attack surface requires mandatory fuzzing before it gets to ship • And it shows: bug density in Microsoft products is way down from the bad old days of 2000 • And far below the bug density of any OSS
Security Development Lifecycle: How Successful is SDL Analysis? • IIS 6 has had only 5 exploits since March 2003 (its release date) • http://secunia.com/product/1438 • Not a single, major public attack • Apache web server has had over 33 exploits in the same time period
Security Development Lifecycle: How Successful is SDL Analysis? • Vista’s 1-year period vs. XP’s 1-year period
Security Development Lifecycle: How Successful is SDL Analysis? • Windows vs. Major Competitors
Security Development Lifecycle: How Successful is SDL Analysis? • IE vs. Competitors
Funny Thing About Software … • … it turns out to be less flexible than hardware • Intel Core II Duo has very little to do with a 386SX • Windows still supports APIs from the early 1990s • The value of Windows is the rich application base • That application base exists because of continuous backward compatibility • Many of these applications are actually dependent on legacy Windows bugs • Don’t get to change the Windows architecture
Some Problems In the Windows Architecture • Heavy reliance on thread injection • One application on the desktop can inject a thread into another application • Execute arbitrary code in another application’s address space • Used enough that you don’t get to block it, or it might break app compat • Windows messages • Millions of them • Any access control check on Windows messages must be blazing fast -> can’t do anything complex
Some Problems In the Windows Architecture • Impersonation • Many services have the impersonation privilege • Used so they can impersonate a client identity and do stuff on behalf of the client • Obvious security problems, highlighted in great detail by Cesar Cerrudo’s Token Kidnapping work
Some Problems In the Windows Architecture • Massive dependence on Administrator privilege • Way back in NT 3.51 time, Microsoft chose to port the win32 environment to NT • To get that very valuable application base for NT • Problem: Win16 and Win32 (Win 3.1, Win95) has only a single privilege level • All code that runs has command of the entire machine • Result: default user on NT, Win2K, and XP is Administrator (root) • All the fancy security features in NT kernel are effectively disabled
Fixing Administrator • You could just change Windows • Make the default account a Standard User without Administrator privilege • But that would (you guessed it) break app compat • Fixing dependence on Administrator is what UAC is all about • UAC is really just sudo • Functions in Windows as training wheels for switching to Standard User some day • Allows broken apps that need Administrator to be used in a semi-unprivileged context
“But UAC Sucks! Everyone Knows That …” • It isn’t UAC per se that is sucking • Moving the Windows application base to non-privileged operation is a painful, drawn-out process • If you were barefoot your whole life, hiking boots would not be comfortable, even if you were about to cross a field of broken glass • UAC doesn’t suck, it is the applications that abuse privilege that suck
Remember … abuse Privilege
UAC Suckage … • UAC sucks less than you might think • 88% of users leave UAC enabled • Trend is improving over time … slowly • 50% of user sessions were prompt free at Vista RTM in 2006 • 65% in Vista SP1 today for consumers • 80% in Vista SP1 for enterprise users
Some Problems In the Linux Architecture • The UNIX/Linux process model is mostly sound • At least has two levels of privilege • Except for ptrace • Complex semantics, often broken • Allows any process to debug any other process owned by the same user • E.g. all of root, or all of your desktop • Saving grace: ptrace only really used for debugging, so you can block it • AppArmor and SELinux do block it
Some Problems In the Linux Architecture • The X11 security model … not so much • E.g. Any desktop process can keylog any other desktop process • That is enough for any malware that makes it to your desktop to steal your password, root’s password, your credit card numbers, your social security number, etc. • Core problem: X11 server is a giant MUX with no access control, so everything on a desktop has co-mingled privilege • SELinux branch working on enhancing X11 security • Has been working on it for 3 years now …
The Interesting Market Economies of Malware • In a competitive market of selling software, the #2 and #3 positions are still valuable • Can make money selling applications for Macintosh • In the competitive malware market, only #1 matters • Because “consumers” (victims) are not selecting anything, rather the attackers select the victims • Result: only economic to write malware for #1 • Approximately no one attacks Linux or Mac • Approximately no one attacks Vista yet either because XP is #1
Theoretical Linux Community • An open community of passionate experts • Open: anyone can join • Passion: everyone cares about Linux • Experts: everyone is convinced that they are right • Your job: convince everyone that you are right • Can lead to shouting
Theoretical Microsoft Community • “Closed garden of clods who can’t code for beans and only care about money” • Bloated, baroque architecture • Mountains of bugs & vulnerabilities • Mountains of money
Reality Linux Community • Not so open: Newbies are harshly treated • Shockingly hostile to women • Not overtly, you just are required to be willing to shout down detractors • Fail to conform to all the social norms, and you had better have asbestos shorts • God help you if you top-post • Passion: anyone who disagrees with your idea will tell you that “you don’t care about Linux” • Experts: everyone is an argumentative butt-head
Reality Microsoft Community • “Closed garden”: perhaps, but … • “Garden” is 100K people, so walls are very far away • Admission criteria to get hired not that different from the OSS hazing rituals: must show your worth • “Clods who can’t code”: No, it is priorities … • Before 2002: features and ship date • 2002-6: features and security • Future: trying to balance all three • Money: having money/resources is nice • Windows Security is bigger than all of SUSE combined
My Changed Impression • Before I got here • Hmmm, Windows security seems to suck • I’ll go show them how it is really done …
My Changed Impression • After I have been here for a while • Microsoft is stuffed with brilliant people • Almost every good idea I suggested not only has already been suggested, but had already been tried and failed, because for some stupid reason it couldn’t be done • The real work is to figure out how to break the app compat log jam, so you can add security without breaking app compat
Academic Security • Received wisdom: security must be designed in at the start • Can’t retrofit security • This is for sissies • In theory, theory is just like practice, but in practice, it isn’t • Any chump can design a secure operating system from scratch • But retrofitting security is art • Retrofit security is what I did to Linux with StackGuard and AppArmor • Retrofit security is what I intend to do for Windows • Microsoft is hiring • Microsoft is always hiring good people
Questions • Contact: • crispin@microsoft.com • crispin@crispincowan.com • http://crispincowan.com/ • Feedback • http://feedback.shmoocon.org/