Inside Microsoft’s Secure Windows Initiative
Steve Lipner, Director of Security Engineering Strategy, Security Business Unit, Microsoft Corporation


TRANSCRIPT

Page 1: Inside Microsoft’s Secure Windows Initiative

Steve Lipner
Director of Security Engineering Strategy
Security Business Unit
Microsoft Corporation

Page 2: Agenda

Who Am I?
What is SWI?
SD3 + C
Secure Development Process
Threat Models
Relative Attack Surface
Open Questions

Page 3: Who is this guy?

[email protected]
Been at Microsoft for 3.5 years
Always in security: started working in security in 1970
Experience includes A1 systems, firewalls, consulting, other stuff
Pragmatic
A chief conspirator!

Page 4: What is SWI?

Secure Windows Initiative
Work across Microsoft
Focus on securing products
Security Features != Secure Features
Two sub-groups: Defensive SWI and Offensive SWI

Page 5: Building Software for People

(Diagram: "Software" in the centre, surrounded by the attributes it has to satisfy.)
Security
Privacy
Reliability
Supportable
Manageable
Deployable
Compatible
Affordable
International
Accessible
Usable (Features)
Doable (Schedule, $, skills)

You cannot build software ‘for people’ in a vacuum

Page 6: Building Software for People

(Same diagram as page 5, with Security, Privacy and Reliability emphasized among the other attributes: Supportable, Manageable, Deployable, Compatible, Affordable, International, Accessible, Usable (Features), Doable (Schedule, $, skills).)

Page 7: SD3 + Communications

A Security Framework

Secure by Design: secure architecture & code; threat analysis; reduce vulnerabilities
Secure by Default: reduce attack surface area; unused features off by default; only require minimum privilege
Secure in Deployment: protect, detect, defend, recover, manage; process: how-to’s, architecture guides; people: training
Communications: clear security commitment; full member of the security community; Microsoft Security Response Center

Page 8: SD3 At Work – MS03-007: Windows Server 2003 Unaffected

The underlying DLL (NTDLL.DLL) not vulnerable: code made more conservative during Security Push
Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003
Even if it was running: IIS 6.0 doesn’t have WebDAV enabled by default
Even if it did have WebDAV enabled: maximum URL length in IIS 6.0 is 16 KB by default (>64 KB needed)
Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
Even if there was an exploitable buffer overrun: would have occurred in w3wp.exe, which is now running as ‘network service’

Each layer assumes the previous one has failed. The -GS check catches only some kinds of stack-based overruns (see page 30), which is why the low-privilege worker process is the last layer rather than the compiler flag.

Page 9: Secure Product Development Timeline

Milestones: Concept / Requirements → Designs Complete → Test plans Complete → Code Complete → Ship → Post Ship

Security activities along the timeline:
Secure questions during interviews
Threat analysis
SWI Review
Group member training
Data mutation & Least Privilege tests
Security sign-off criteria determined
Review old defects; check-ins checked; secure coding guidelines; use tools
Security audit
Learn & Refine
External review
Security push

Page 10: Threat Analysis

You cannot build secure applications unless you understand threats
Adding security features does not mean you have secure software (“We use SSL!”)
Find issues before the code is created
Find different bugs than code review and testing: implementation bugs vs higher-level design issues
Approx 50% of issues come from threat models

Page 11: Threat Modeling Process

Create model of app (DFD, UML etc)
Build a list of assets that require protection
Categorize threats to each attack target node with STRIDE: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
Build threat tree for each threat (derived from hardware fault trees)
Rank threats by risk: Risk = Potential * Damage
DREAD: Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability

Page 13: Portion of DFD

Process 1.0 User (client) on the Internet side; process 5.0 Service in the Data Centre.
Data flow 1.0 → 5.0: Payroll request (user privilege required to initiate the flow)
Data flow 5.0 → 1.0: Payroll response carrying potentially sensitive payroll information (Info Disc threat – privacy issue)
Each data flow is walked against the STRIDE checklist: S – T – R – I – D – E

Page 14: Information Disclosure Threat to Payroll Data

Threat #1 (I): View payroll data
1.0 View payroll data (I)
  1.1 Traffic is unprotected
  (AND)
  1.2 Attacker views traffic
    1.2.1 Sniff traffic with protocol analyzer
    1.2.2 Listen to router traffic
      1.2.2.1 Router is unpatched
      (AND)
      1.2.2.2 Compromise router
      1.2.2.3 Guess router password

Page 15: Applying Risk (W.I.P.)

(Same threat tree as page 14: 1.0 View payroll data (I); 1.1 Traffic is unprotected AND 1.2 Attacker views traffic; 1.2.1 Sniff traffic with protocol analyzer; 1.2.2 Listen to router traffic; 1.2.2.1 Router is unpatched AND 1.2.2.2 Compromise router; 1.2.2.3 Guess router password.)

DREAD components collapse into two factors:
Damage potential, Affected Users – or – Damage
Reproducibility, Exploitability, Discoverability – or – Chance

Page 16: Applying Risk (W.I.P.) – Using Risk = Chance*Damage

Threat #1 (I) View payroll data                     Damage = 9
  1.1 Traffic is unprotected                         Chance = 10
  (AND)
  1.2 Attacker views traffic
    1.2.1 Sniff traffic with protocol analyzer       Chance = 9
    1.2.2 Listen to router traffic
      1.2.2.1 Router is unpatched                    Chance = 5
      (AND)
      1.2.2.2 Compromise router                      Chance = 3
      1.2.2.3 Guess router password                  Chance = 1

AND = min(C1, C2, … Cn); OR = max(C1, C2, … Cn)
1.2.2: max(1.2.2.3, min(1.2.2.1, 1.2.2.2)) → Calculated Chance = 3
1.2:   max(1.2.1, 1.2.2) → Calculated Chance = 9
1.0:   min(1.1, 1.2) → Calculated Chance = 9

Risk = 9 * 9 = 81. Gotta fix it!
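The slide’s AND = min / OR = max evaluation, carried through in code. This is an added example, not code from the presentation or from Microsoft: it encodes the payroll threat tree with the chance values shown above and recomputes the Chance = 9 and Risk = 81 results. The `DREADToDamageChance` helper averages the DREAD components into the Damage / Chance pair the slides mention; the averaging itself is an assumption, since the slides only name the grouping.

```go
package main

import "fmt"

// Node is one node of a threat tree. A leaf carries the estimated Chance
// (1..10) that its condition holds; an interior node takes its chance from
// its children: AND = min(children), OR = max(children), as on the slide.
type Node struct {
	ID       string
	Text     string
	And      bool // true: all children are required (AND); false: any one suffices (OR)
	Chance   int  // estimate for a leaf; ignored when Children is non-empty
	Children []*Node
}

// ComputedChance evaluates the subtree rooted at n.
func (n *Node) ComputedChance() int {
	if len(n.Children) == 0 {
		return n.Chance
	}
	result := n.Children[0].ComputedChance()
	for _, c := range n.Children[1:] {
		v := c.ComputedChance()
		if n.And && v < result { // AND: the weakest precondition bounds the attack
			result = v
		}
		if !n.And && v > result { // OR: the attacker takes the easiest path
			result = v
		}
	}
	return result
}

// Risk applies the slide's formula Risk = Chance * Damage to the root threat.
func Risk(root *Node, damage int) int {
	return root.ComputedChance() * damage
}

// Find returns the node with the given ID, or nil.
func Find(n *Node, id string) *Node {
	if n.ID == id {
		return n
	}
	for _, c := range n.Children {
		if f := Find(c, id); f != nil {
			return f
		}
	}
	return nil
}

// PayrollTree builds threat #1 from the slides with the chance values shown on
// the "Applying Risk" slide. The unnamed AND node groups 1.2.2.1 and 1.2.2.2,
// which the slide joins with an (AND) marker, under the OR at 1.2.2.
func PayrollTree() *Node {
	return &Node{ID: "1.0", Text: "View payroll data (I)", And: true, Children: []*Node{
		{ID: "1.1", Text: "Traffic is unprotected", Chance: 10},
		{ID: "1.2", Text: "Attacker views traffic", And: false, Children: []*Node{
			{ID: "1.2.1", Text: "Sniff traffic with protocol analyzer", Chance: 9},
			{ID: "1.2.2", Text: "Listen to router traffic", And: false, Children: []*Node{
				{ID: "1.2.2.3", Text: "Guess router password", Chance: 1},
				{ID: "1.2.2.1+1.2.2.2", Text: "(AND)", And: true, Children: []*Node{
					{ID: "1.2.2.1", Text: "Router is unpatched", Chance: 5},
					{ID: "1.2.2.2", Text: "Compromise router", Chance: 3},
				}},
			}},
		}},
	}}
}

// DREADToDamageChance collapses a DREAD score into the (Damage, Chance) pair
// the slide uses: Damage potential and Affected users feed Damage;
// Reproducibility, Exploitability and Discoverability feed Chance.
// Averaging is an assumption of this example; the slide only names the grouping.
func DREADToDamageChance(damagePotential, reproducibility, exploitability, affectedUsers, discoverability int) (damage, chance int) {
	return (damagePotential + affectedUsers) / 2, (reproducibility + exploitability + discoverability) / 3
}

func main() {
	root := PayrollTree()
	for _, id := range []string{"1.2.2", "1.2", "1.0"} {
		fmt.Printf("%-6s chance=%d\n", id, Find(root, id).ComputedChance())
	}
	fmt.Println("risk =", Risk(root, 9)) // 9 * 9 = 81, as on the slide
}
```

Because the root is an AND, lowering either 1.1 or 1.2 lowers the whole threat; that is the reason the later "Threat Mitigation" slide says to look for high-level AND clauses first.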

Page 17: Designing to a Threat Model

Threat types have mitigation techniques:
Spoofing: Authentication (authn), good credential storage
Tampering: Authorization (authz), MAC, signing
Repudiation: Authn, Authz, signing, logging, trusted third party
Info Disclosure: Authz, encryption
Denial of Service: Filtering, Authn, Authz
Elev of Priv: Don’t run with elevated privs

Page 18: Threat Mitigation Techniques & Technologies

Threat Type (STRIDE) | Mitigation Technique | Technology
Spoofing | Authentication | NTLM, X.509 certs, PGP keys, Basic, Digest, Kerberos, SSL/TLS

Page 19: Threat Mitigation

Threat #1 (I) View payroll data
  1.1 Traffic is unprotected                    ← Encryption: SSL/TLS, WS-Security, IPSec etc.
  (AND)
  1.2 Attacker views traffic
    1.2.1 Sniff traffic with protocol analyzer
    1.2.2 Listen to router traffic
      1.2.2.1 Router is unpatched               ← Patching Policy
      (AND)
      1.2.2.2 Compromise router
      1.2.2.3 Guess router password             ← Password Policy

Look for high-level AND clauses: mitigating 1.1 removes the whole threat because the root requires both 1.1 and 1.2. The patching and password policies on the lower nodes are defense in depth.

Page 20: Coding to a Threat Model

Threat models help you determine the most ‘dangerous’ portions of the application
Prioritize security push efforts
Prioritize on-going code reviews
Help determine the defense mechanisms to use
Determine data flow: “All input is evil, until proven otherwise”

Page 21: Testing to a Threat Model

Testers have problems: most are not security testers (read: evil); what needs testing? how do you test?
Each threat in the model must have a test plan
The threat model helps drive testing concepts
Allows for Whitehat and Blackhat testing: prove the mitigations work; prove they don’t work :-)

Page 22: Testing to a Threat Model

Mitigation techniques have blackhat testing techniques:
Spoofing
  Authentication: brute force creds, cred replay, downgrade to less secure authn, view creds on wire
  Good credential storage: use Information Disclosure attacks
Tampering
  Authorization: attempt authz bypass
  MAC, signing: tamper and re-hash? create invalid hash data; force app to use less secure protocol (no SSL)

Page 23: Testing to a Threat Model

Repudiation
  Authn & Authz: see Spoofing and Tampering
  Signing: see Tampering
  Logging: prevent auditing, spoof log entries (CR/LF)
  Trusted third party: DoS the third party
Info Disclosure
  NOTE: Is there any PII/sensitive data in the data?
  Authorization: see Tampering
  Encryption: view on-the-wire data; kill process and scavenge for sensitive data; failure leads to disclosure in error messages

Page 24: Testing to a Threat Model

Denial of Service
  Filtering: flooding, malformed data
  Authn & Authz: see Spoofing and Tampering; resource pressure
Elev of Priv
  Don’t run with elevated privs
  Spend more time here!

Page 25: Threat Modeling Notes

Scenario-driven
Note infrastructure mitigating techniques vs. application mitigating techniques
Determine privilege to initiate data flow: helps determine chance of attack
Be wary of unauthenticated data flows: attackers follow the path of least resistance
All information disclosure threats are potentially privacy issues
Any non-mitigated threat is a potential vulnerability
All security features must mitigate one or more threats
Work on the higher-risk items first

Page 26: Relative Attack Surface

Simple way of measuring potential for attack
Goal of a product should be to reduce attack surface: lower privilege, turn features off, defense in depth
Does not address code quality
Hard to compare dissimilar products
On-going work by Microsoft Research

Page 27: The ‘Simple’ Process

Old Vulns → Determine Attack Vector(s) → Apply Bias → Σ RASQ

Think of it as ‘Cyclomatic Complexity’ for Security!

Page 28: Sample Windows Data Points

Open sockets
Open RPC endpoints
Open named pipes
Services
Services running by default
Services running as SYSTEM
Active Web handlers
Active ISAPI Filters
Dynamic Web pages
Executable vdirs
Enabled Accounts
Enabled Accounts in admin group
Null Sessions to pipes and shares
Guest account enabled
Weak ACLs in FS
Weak ACLs in Registry
Weak ACLs on shares
Scripting

Page 29: Relative Attack Surface

(Bar chart of relative attack surface quotient by configuration, y axis 0–700.)

Windows NT 4                   317.7
Windows NT 4 w/IIS             598.3
Windows 2000 w/IIS             342.3
Windows Server 2003            157.1
Windows Server 2003 w/IIS 6    171.2
Windows XP                     178.3
Windows XP w/ICF Enabled       113.2

(Two of the IIS bars carry an “IIS Checklist” annotation.)

Page 30: Windows Server 2003 Reduced Attack Profile

20+ services off by default
20+ services run in lower privilege
IIS6 off by default
Minimal functionality by default
All code runs in low privilege by default
More restrictive ACLs throughout
Internet Explorer is an “HTML 3.2” browser
“.” directory no longer searched first
No games installed
UDDI Server written in C#
All Active Directory traffic is signed/sealed
SMB packet signing for Domain Controller traffic
Defense in depth measures:
  ‘safer’ string handling functions
  OS compiled with VC++ /GS flag: detects some kinds of stack-based buffer overruns at run time
  Impersonation privilege

Page 31: Changing the Process: Our Ultimate Goal

Not to inject security bugs into the code in the first place!
Short term: remove existing flaws
Longer term: don’t add flaws to the code
You can’t do this through code review …or testing: they only remove existing flaws
You have to teach people to do the right things…!
You must change the process!

Page 32: The Turkish-İ problem (Applies also to Azerbaijan!)

Turkish has four letter ‘I’s: i (U+0069), I (U+0049), ı (U+0131), İ (U+0130)
In Turkish locale UC("file") == "FİLE"

// Do not allow "FILE://" URLs
if (url.ToUpper().Left(4) == "FILE") return ERROR;
getStuff(url);

// Only allow "HTTP://" URLs
if (url.ToUpper(CULTURE_INVARIANT).Left(4) == "HTTP") getStuff(url);
else return ERROR;
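The bypass and the fix above, run for real rather than described. This is an added example, not code from the presentation: Go has no ambient thread culture, so the Turkish upper-casing is applied explicitly with the standard library’s `unicode.TurkishCase`, which maps ‘i’ (U+0069) to ‘İ’ (U+0130) the way a tr-TR `ToUpper()` does. The fixed check goes slightly beyond the slide’s `Left(4) == "HTTP"`: it parses the scheme up to the first colon and also accepts HTTPS.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// BlocklistAllows is the slide's vulnerable check: upper-case with the caller's
// culture, then reject anything starting with "FILE". With a Turkish culture
// "file://..." becomes "FİLE://..." and sails past the comparison.
func BlocklistAllows(url string) bool {
	upper := strings.ToUpperSpecial(unicode.TurkishCase, url)
	return !strings.HasPrefix(upper, "FILE")
}

// ASCIIUpper is a culture-invariant upper-casing: only a-z change, every other
// rune passes through untouched, so no locale can turn an 'i' into anything
// but 'I', and a non-ASCII look-alike stays non-ASCII and fails the compare.
func ASCIIUpper(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'a' && r <= 'z' {
			return r - 'a' + 'A'
		}
		return r
	}, s)
}

// Scheme returns the URL scheme (text before the first ':'), invariant
// upper-cased, or "" if there is none.
func Scheme(url string) string {
	i := strings.IndexByte(url, ':')
	if i < 0 {
		return ""
	}
	return ASCIIUpper(url[:i])
}

// AllowlistAllows is the slide's fix: invariant comparison plus an allowlist of
// schemes. Anything that is not exactly HTTP or HTTPS is rejected, including
// "fİle", "FILE" and an empty scheme.
func AllowlistAllows(url string) bool {
	switch Scheme(url) {
	case "HTTP", "HTTPS":
		return true
	}
	return false
}

func main() {
	// Constructed inputs: the last one carries the Turkish dotted capital I itself.
	for _, u := range []string{"file:///etc/passwd", "http://example.com/", "HTTPS://example.com/", "fİle:///etc/passwd"} {
		fmt.Printf("%-22s blocklist allows=%-5v allowlist allows=%v\n", u, BlocklistAllows(u), AllowlistAllows(u))
	}
}
```

The general rule the slide is driving at: never use culture-sensitive case mapping on protocol tokens, and prefer an allowlist, because a blocklist has to anticipate every spelling the mapping can produce.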

Page 33: Summary

Who Am I?
What is SWI?
SD3 + C
Secure Development Process
Threat Models
Relative Attack Surface

Page 34: How can you help?

When is a threat model complete?
How does privacy apply to TMs?
A more complete taxonomy of mitigation techniques and technologies
A more complete taxonomy of attack techniques
Is Relative Attack Surface accurate? Is it worthwhile?

Page 35:

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 36: Backup Slides

Page 37: DREAD Rankings

Damage Potential: Minor [1] → Complete Subversion [10]
Reproducibility: Rare [1] → Every Time [10]
Exploitability: NSA Only [1] → My Mom [10]
Affected Users: 10% [1] → 100% [10]
Discoverability: Very Subtle [1] → Already on Bugtraq [10]