Security Tools For Software Development Ivan Medvedev, Security Development Lead, Microsoft Corporation
Overview • Introduction to our team • Security Development Lifecycle • Tools available to developers • Threat Modeling Tool • Visual Studio Compiler Switches • FxCop • AppVerifier • Upcoming new tools! • Fuzz testing
Security Engineering And Communications • Microsoft Security Response Center (MSRC) • Primary interface with the security research community • Software Security Incident Response Process (SSIRP) • Secure Windows Initiative (company-wide) • Training for developers and partners • Security milestones in the development process • Attack and penetration teams • Final Security Reviews • Strategy and Policy • Security Development Lifecycle • Councils, buddy programs, etc. • CERT and CSIRT interface, other government initiatives, including Common Criteria • Windows Privacy (phishing, spam, etc.)
The Security Development Lifecycle (SDL) • Security best practices in Microsoft • Provides guidance within established development processes • Design considerations • Creating effective security plans • Leveraging tools across the development cycle • Better than simply hunting for bugs • Phases: Requirements, Design, Implementation, Verification, Release, Response
What is Threat Modeling? • A process to understand and document security threats to a system that: • Closely simulates an adversary’s thought process • Will describe the system’s threat profile • Allows the security of the system to be characterized • May find vulnerabilities
Key Concepts • The threat profile is an enumeration of adversary goals • A threat is not a vulnerability, and the point of a threat model is more than just finding vulnerabilities • Threats justify security features and secure coding guidelines
Key Concepts • A system is anything that exposes functionality to an end user: • Single feature • Shipping product • Web application and its supporting infrastructure • Etc.
Threat Modeling Tool • Provides structure to a threat model document • Lists all of the key areas for consideration • Links assets, threats, and vulnerabilities for easier prioritization • Saves as XML for portability
What Is A Buffer Overrun? • Buffers are blocks of memory, usually in the form of an array • When the size of the data is not checked against the size of the array, it is possible to write outside the allocated buffer • If the write lands at memory addresses higher than the buffer, it is called a buffer overrun (or overflow) • A buffer overrun that lets the attacker run code of their choosing in the process is referred to as an exploitable buffer overrun
What Is A Buffer Overrun? • The ability to arbitrarily corrupt memory • Overflows (writes past the end) can lead to arbitrary code execution • Underflows (writes before the start) more often just crash the process, a denial of service • The problem is largely confined to C and C++, which do no bounds checking • Example from the slide (the memory dump shows x = 42 stored as 2A 00 00 00, followed by the zeroed zip buffer):
int x = 42;
char zip[6];
strcpy(zip, userinput);
printf("x = %i\n", x);
Stack layout (highest address first): Previous function’s stack frame • Function arguments • Return address • Frame pointer • EH frame • Local variables and locally declared buffers • Callee save registers • Garbage
Types Of Exploits • Stack smashing • Register hijacking • Local pointer subterfuge • V-Table hijacking • C++ EH clobbering • SEH clobbering • Multistage attacks • Parameter pointer subterfuge
Visual Studio Security Options • /GS • A "speed bump," or cookie, placed between the buffers and the return address; when the function exits, the cookie is checked before the return address is used, and a mismatch terminates the process • Helped lower Blaster’s impact on Windows Server 2003, which was built with /GS • /SAFESEH • Created in response to CodeRed • The linker records the image’s legitimate exception handlers, and the dispatcher refuses to call a handler address that is not in that table
Stack Layout In VC++ 2003 (highest address first): Previous function’s stack frame • Function arguments • Return address • Frame pointer • Cookie • EH frame • Locally declared buffers • Local variables • Callee save registers • Garbage
Function prolog:
  sub esp,24h
  mov eax,dword ptr [___security_cookie (408040h)]
  mov dword ptr [esp+20h],eax
Function epilog:
  mov ecx,dword ptr [esp+20h]
  add esp,24h
  jmp __security_check_cookie (4010B2h)
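The overrun on the previous slides and the /GS check above, as one added example (not code from the presentation). The struct reproduces the slide's frame layout (buffer, cookie, frame pointer, return address) in an ordinary object, so the overwrite stays inside that object and the program runs on any host without tripping the host compiler's own stack protector; `security_cookie`, `copy_with_gs` and `copy_bounded` are names chosen here, and the cookie value and addresses are constructed, not taken from a real build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the VC++ 2003 /GS frame from the slide, lowest address first: the
 * locally declared buffer, then the cookie, then the saved frame pointer and
 * the return address. A real frame lives on the machine stack; this struct
 * only reproduces the layout so the demo is portable and deterministic. */
struct gs_frame {
    char     zip[8];       /* the slide's zip[6], rounded up so the cookie stays 4-byte aligned */
    uint32_t cookie;       /* copied from __security_cookie in the prolog */
    uint32_t saved_ebp;    /* frame pointer */
    uint32_t return_addr;  /* what a stack-smashing attacker wants to control */
};

/* Stand-in for the per-process __security_cookie: random at load time in a
 * real /GS build, fixed here (constructed value) so the example is deterministic. */
static const uint32_t security_cookie = 0xBB40E64Eu;
#define ORIGINAL_RETURN 0x00401000u   /* constructed return address */

enum outcome { RETURNED_CLEAN, COOKIE_CHECK_FAILED };

/* The unbounded copy from the slide (strcpy(zip, userinput)), followed by the
 * epilog check /GS emits: compare the cookie before trusting the frame.
 * ret_seen receives whatever the return-address slot held at that point. */
enum outcome copy_with_gs(const char *userinput, uint32_t *ret_seen) {
    struct gs_frame f = { {0}, security_cookie, 0x0012FF80u, ORIGINAL_RETURN };
    size_t n = strlen(userinput) + 1;          /* strcpy copies the terminator too */
    if (n > sizeof f) n = sizeof f;            /* keep the overwrite inside the modelled frame */
    memcpy(&f, userinput, n);                  /* the bug: no check against sizeof f.zip */
    *ret_seen = f.return_addr;
    if (f.cookie != security_cookie)           /* mov ecx,[esp+20h]; jmp __security_check_cookie */
        return COOKIE_CHECK_FAILED;            /* a real /GS build terminates the process here */
    return RETURNED_CLEAN;                     /* would now ret through f.return_addr */
}

/* The fix the cookie does not replace: refuse input that does not fit,
 * terminator included. Returns 1 on success, 0 when the input was rejected. */
int copy_bounded(const char *userinput, char *dst, size_t dstsize) {
    size_t len = strlen(userinput);
    if (len >= dstsize) return 0;
    memcpy(dst, userinput, len + 1);
    return 1;
}

int main(void) {
    uint32_t ret;
    char zip[8];
    /* Constructed inputs: a ZIP-sized string and a 20-byte overrun. */
    const char *good = "98052", *evil = "AAAAAAAAAAAAAAAAAAAA";
    printf("good: %s, return slot %#x\n",
           copy_with_gs(good, &ret) == RETURNED_CLEAN ? "clean" : "cookie failed", ret);
    printf("evil: %s, return slot %#x\n",
           copy_with_gs(evil, &ret) == RETURNED_CLEAN ? "clean" : "cookie failed", ret);
    printf("bounded copy of evil accepted: %d\n", copy_bounded(evil, zip, sizeof zip));
    return 0;
}
```

With the 20-byte input the return slot already reads 0x41414141 when the epilog runs; the cookie check is what stops that value from being used. The check runs only at function exit, so anything the function does with corrupted data before returning (the EH frame that sits between the buffer and the cookie in the slide's layout, or a pointer argument) is outside its reach, which is why the Types of Exploits slide lists SEH clobbering and pointer subterfuge separately and why /SAFESEH exists alongside /GS.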
FxCop • A static code analysis tool that examines managed assemblies for design and code correctness issues • Console and graphical applications that manage: • Targets (items for analysis) • Rules (checks to execute) • Messages (feedback from rules) • A general infrastructure for writing checks against managed code
Benefits • FxCop helps create: • More consistent API, easily discoverable via help, IntelliSense, etc. • Better performance in code • More secure applications • Fewer globalization and COM/cross-language interoperability issues • Increased understanding of .NET Framework • Extends compiler-provided checks
FxCop and Security • Current version (1.30) has 21 security rules • Examples of security rules • Fields that are arrays should not be read-only • Link demand security checks on types do not prevent access to the type’s fields • Security checks on value-type constructors do not prevent the value-type from being instantiated
Demo: FxCop Security Rules
Windows Application Verifier (AppVerifier) • Provides developers with • Tools and knowledge used in Windows development • A testing infrastructure to detect run-time issues in Win32 applications • Targeted towards developers and QA teams with debugging knowledge
Benefits • Significantly reduces debugging time detecting • Memory corruptions • Hangs • Security issues • Reduces crashes • 67.8% of 3rd party user mode crashes could have been detected using the AppVerifier • Aids in Logo/Certification testing • Non-administrator scenarios • Resource management • Version checking
Security And The AppVerifier • Enable the SecurityChecks test • Insecure API usage • Misuses of CreateProcess • Interactive services • Many server applications are vulnerable to “Shatter” attacks • Potentially allows an interactive user to get the privileges of a service running as LocalSystem • Removed from Longhorn completely • Weak security descriptor usage • Granting Everyone write access to a file or registry key is an opportunity for elevation of privilege • Creating an object with a NULL DACL at any time is a security issue
Demo: The Application Verifier
What Is Fuzzing? • Fuzz testing is a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces Inputs include: • Files • Network ports • APIs • Based on the analysis of a number of software security vulnerabilities uncovered in the past the belief is that a large percentage of them could have been found by doing fuzz testing
What Is Fuzzing? • Fuzzing is a variation of negative testing • Specific characteristics: • High volume of testing (using multiple variations and test passes) • Fuzz testing is generally automated • Finds many problems related to reliability, many of which are potential security holes • Fuzz testing checks that the program survives invalid data; it does not typically check that the data is rejected in the right way
Benefits • Easily automated • Doubles as robustness testing • Exercise more failure cases in code • Finds LOTS of bugs
Methodology • Dumb vs. Smart • Dumb fuzzing generates data with no regard to the format • Smart fuzzing requires knowledge of the data format or how the data is consumed • Generation vs. Mutation • The generation technique creates new files from scratch • The mutation technique transforms a sample input file to create a new one • Most fuzzing tools are a mix of each approach
Measuring And Triaging • Measuring • Reliability metrics: MTTF (Mean Time To Failure), MTBF, failures per 1K variations • Code coverage delta • Triaging • A crash shows that attacker-controlled input reaches a memory-safety bug • Proving that it can divert program flow (figuring out exploitability) is expensive • Just fix it!
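The Methodology and Measuring slides, as one added example that is not from the presentation: a single-step mutation fuzzer run in dumb mode and in smart mode against a small constructed record parser, reporting crashes per 1K variations. The record format, the parser's bug and the function names (`parse_record`, `mutate_dumb`, `mutate_smart`, `fuzz`) are all constructed for this demo; the overflow is reported as a CRASH result rather than performed, which is the kind of signal a sanitizer or a /GS cookie failure gives a real harness.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 64
enum result { OK, REJECTED, CRASH };

/* Target under test (constructed): a record is 'R', a length byte, that many
 * payload bytes, and an XOR checksum of the payload. The length is checked
 * against the input and the checksum is verified, but the copy into a 16-byte
 * local trusts len. The overflow is reported instead of performed. */
enum result parse_record(const uint8_t *buf, size_t n) {
    uint8_t local[16], sum = 0;
    if (n < 3 || buf[0] != 'R') return REJECTED;
    size_t len = buf[1];
    if (n < 2 + len + 1) return REJECTED;             /* truncated: correctly refused */
    for (size_t i = 0; i < len; i++) sum ^= buf[2 + i];
    if (sum != buf[2 + len]) return REJECTED;         /* bad checksum: refused before the bug */
    if (len > sizeof local) return CRASH;             /* stands in for memcpy(local, buf + 2, len) */
    memcpy(local, buf + 2, len);
    return OK;
}

/* A valid sample record (constructed): payload "abc", checksum 'a'^'b'^'c' = 0x60. */
const uint8_t SAMPLE_RECORD[6] = { 'R', 3, 'a', 'b', 'c', 0x60 };

static uint32_t rng_state;
static uint32_t rnd(void) {                            /* xorshift32: runs are reproducible */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Dumb mutation: one random change with no knowledge of the format. */
static size_t mutate_dumb(uint8_t *buf, size_t n) {
    switch (rnd() % 3) {
    case 0: buf[rnd() % n] ^= (uint8_t)(1u << (rnd() % 8)); break;    /* bit flip */
    case 1: buf[rnd() % n] = (uint8_t)rnd(); break;                    /* random byte */
    default: {                                                         /* grow or shrink */
        size_t m = 1 + rnd() % MAX_INPUT;
        for (size_t i = n; i < m; i++) buf[i] = (uint8_t)rnd();
        n = m;
    }
    }
    return n;
}

/* Smart mutation: change the length or a payload byte, then repair the
 * structure (payload size and checksum) so the parser gets past its checks. */
static size_t mutate_smart(uint8_t *buf, size_t n) {
    buf[1 + rnd() % (n - 2)] = (uint8_t)rnd();        /* never the magic or the checksum */
    if (buf[1] > MAX_INPUT - 3) buf[1] = MAX_INPUT - 3;
    size_t len = buf[1], need = 2 + len + 1;
    for (size_t i = n; i < need; i++) buf[i] = (uint8_t)rnd();
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum ^= buf[2 + i];
    buf[2 + len] = sum;                                /* re-sign */
    return need;
}

/* One pass of `variations` single-step mutants of the seed; returns the crash
 * count, i.e. the slide's failures-per-N-variations metric. */
unsigned fuzz(const uint8_t *seed, size_t seedlen, unsigned variations,
              int smart, uint32_t rngseed) {
    uint8_t buf[MAX_INPUT];
    unsigned crashes = 0;
    rng_state = rngseed;
    for (unsigned v = 0; v < variations; v++) {
        memcpy(buf, seed, seedlen);
        size_t n = smart ? mutate_smart(buf, seedlen) : mutate_dumb(buf, seedlen);
        if (parse_record(buf, n) == CRASH) crashes++;
    }
    return crashes;
}

int main(void) {
    printf("dumb:  %u crashes per 1K variations\n", fuzz(SAMPLE_RECORD, 6, 1000, 0, 0x1234567u));
    printf("smart: %u crashes per 1K variations\n", fuzz(SAMPLE_RECORD, 6, 1000, 1, 0x1234567u));
    return 0;
}
```

With one mutation per variation the dumb mode never reaches the bug: a larger length byte fails the truncation check and any payload change fails the checksum, so every mutant is rejected before the copy. The smart mode re-signs each mutant and hits the overflow in roughly a quarter of its variations. Real dumb fuzzers chain mutations and run far more variations, so they do get through eventually; the checksum just makes the smart approach many orders of magnitude cheaper, which is the trade-off the Methodology slide describes.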
Upcoming New Tools • In .NET Framework 2.0 / VS 2005 • PREfast • Source code static analysis for C/C++ • Has security checks, such as buffer overrun detection • PermCalc • Static binary analysis for managed code • Calculates the .NET permissions an assembly needs in order to run • Integrated into Visual Studio
Call To Action • Raise the bar for security in your own applications • Adopt these tools in your development • Consider adding additional security best practices from “Writing Secure Code” • Provide feedback on the tools • Bug reports • Feature requests
General Security Resources • General • http://www.microsoft.com/security • XP SP2 Resources for the IT Professional • http://www.microsoft.com/technet/winxpsp2 • Security Guidance Center • http://www.microsoft.com/security/guidance • Tools • http://www.microsoft.com/technet/Security/tools • How Microsoft IT Secures Microsoft • http://www.microsoft.com/technet/itsolutions/msit • E-Learning Clinics • https://www.microsoftelearning.com/security • Events and Webcasts • http://www.microsoft.com/seminar/events/security.mspx
Additional Documentation • Writing Secure Code: • http://www.microsoft.com/MSPress/books/5957.asp • Threat Modeling: • http://www.microsoft.com/MSPress/books/6892.asp • Threat Modeling Online • http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx • Compiler Security Checks In Depth • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp
FxCop Resources • http://www.gotdotnet.com/team/fxcop/ • FxCop download site/bulletin board • FxCop docs and rule topics • Support • AskFxCop@Microsoft.com
AppVerifier Resources • Download Site: http://www.microsoft.com/windows/appexperience • Newsgroup: • microsoft.public.win32.programmer.tools • http://msdn.microsoft.com/newsgroups/managed
Questions? • We want your feedback!
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.