Basics of Secure Software Design, Development and Test

Transcript
Slide 2 – Basics of Secure Software Design, Development and Test

Michael Howard
[email protected]
Senior Security Program Manager
Security Engineering Group & Comms
Microsoft Corp.

Agenda
• Who?
• Trustworthy Computing
• Security Development Lifecycle
• Secure Design Tenets
• Threat Models
• Security Testing
• Coding Issues

Last update: 8-Feb-2005
Copyright Microsoft Corp. 2004
Microsoft Confidential
Slide 3 – The Security Engineering & Communications Group

Slide 4 – Security Development Lifecycle

• Help you secure your products
• “Security-as-in-threats” NOT “Security-as-in-crypto”
• mailto:switeam
• http://swi
• http://msnsecurity/sdl
Slides 5–6 – A Case Study: MS04-011 – Early Results of the SDL

Vulnerability identifier                              | Impact of vulnerability | Windows 2000 | Windows XP | Windows Server 2003
LSASS Vulnerability - CAN-2003-0533                   | Remote Code Execution   | Critical     | Critical   | Low
LDAP Vulnerability – CAN-2003-0663                    | Denial Of Service       | Important    | None       | None
PCT Vulnerability - CAN-2003-0719                     | Remote Code Execution   | Critical     | Important  | Low
Winlogon Vulnerability - CAN-2003-0806                | Remote Code Execution   | Moderate     | Moderate   | None
Metafile Vulnerability - CAN-2003-0906                | Remote Code Execution   | Critical     | Critical   | None
Help and Support Center Vulnerability - CAN-2003-0907 | Remote Code Execution   | None         | Critical   | Critical
Utility Manager Vulnerability - CAN-2003-0908         | Privilege Elevation     | Important    | None       | None
Windows Management Vulnerability - CAN-2003-0909      | Privilege Elevation     | None         | Important  | None
Local Descriptor Table Vulnerability - CAN-2003-0910  | Privilege Elevation     | Important    | None       | None
H.323 Vulnerability* - CAN-2004-0117                  | Remote Code Execution   | Important    | Important  | Important
Virtual DOS Machine Vulnerability - CAN-2004-0118     | Privilege Elevation     | Important    | None       | None
Negotiate SSP Vulnerability - CAN-2004-0119           | Remote Code Execution   | Critical     | Critical   | Critical
SSL Vulnerability - CAN-2004-0120                     | Denial Of Service       | Important    | Important  | Important
ASN.1 “Double Free” Vulnerability - CAN-2004-0123     | Remote Code Execution   | Critical     | Critical   | Critical
Aggregate Severity of All Vulnerabilities             |                         | Critical     | Critical   | Critical

Code fixed in Windows Server 2003 (50%)
Code not fixed in Windows Server 2003 (50%)
Extra Defense in Windows Server 2003 (29% of 455)
Slide 7 – Secure Design

• Reduce Attack Surface
• Defense in Depth
• Least Privilege
• Secure Defaults
Slide 8 – Defense in Depth (MS03-007)

Windows Server 2003 Unaffected
• The underlying DLL (NTDLL.DLL) was not vulnerable – code fixed during the Windows Security Push
• Even if it was vulnerable – IIS 6.0 is not running by default on Windows Server 2003
• Even if it was running – IIS 6.0 doesn’t have WebDAV enabled by default
• Even if it did have WebDAV enabled – the default maximum URL length (16kb) prevented exploitation (>64kb needed)
• Even if the buffer was large enough – the process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)
• Even if there was an exploitable buffer overrun – it would only have ‘network service’ privileges, commensurate with a normal user
Slide 9 – Least Privilege Problem Definition

Slide 10 – Least Privilege

• Not being an administrator helps ensure users cannot easily compromise a computer or the network
• The #1 ask of IT administrators interested in increased security and reducing TCO
• Increased reliability
• Attractive to Abby, as it improves computer security and parental controls
• Part of the spyware issue
• “We strongly recommend that compromised hosts be taken off line and completely rebuilt, including a fresh install of the operating system and application of all relevant patches.”

Callouts:
• Don’t just run as admin so stuff works – attacker’s stuff works too!
• Look at Network and Local Service
• Don’t write user data to HKLM, C:\Program Files or %windir% – use HKCU or %userprofile%
• Don’t open resources for ALL_ACCESS
Slide 11 – Secure Defaults

Less code running by default = less stuff to attack by default

Slide 12 – Attack Surface Reduction (ASR) Ideas

• Slammer & CodeRed would not have happened if the features were not enabled by default
• Reduces the urgency to deploy security fixes
• A ‘critical’ may be rated ‘important’
• Defense in depth removes single points of failure
• Reduces the need for customers to ‘harden’ the product
• Reduces your testing workload
• Reduce your attack surface early!

[Diagram, carried through slides 12–18: a service listening on several TCP/UDP ports, installed as “Service: Autostart SYSTEM”]

Slide 13 – Turn off less-used ports

[Diagram: fewer TCP/UDP ports remain open; still “Service: Autostart SYSTEM”]

Slide 14 – Turn off UDP connections

[Diagram: remaining ports are “TCP only”; still “Service: Autostart SYSTEM”]

Slide 15 – Restrict requests to a small IP range and subnet

[Diagram: “TCP only”; “Service: Autostart SYSTEM”]

Slide 16 – Authenticate Connections

[Diagram: “TCP only”; “Service: Autostart SYSTEM”]

Slide 17 – Reduce Privilege and Disable

[Diagram: “TCP only”; service changed to “Service: Manual NetService”]

Slide 18 – Harden ACLs

[Diagram: “TCP only”; “Service: Manual NetService”; ACL changed from Everyone (Full Control) to Admin (Full Control), Everyone (Read), Service (RW)]
Slide 19 – Increased Attack Surface means Increased Security Scrutiny…

More scrutiny:
• On by default
• Running as SYSTEM
• Open, unauth TCP socket

Less scrutiny:
• Off by default
• Running with least priv
• Open TCP socket limited to local subnet

Slide 20 – Design Checklist

! Understand the SDL – it applies to you
! Reduce attack surface
! Reduce attack surface EARLY!

Everyone in the industry should do this security stuff
Slide 21 – Threat Analysis

Slide 22 – A Threat Modeling Process

Secure software starts with understanding the threats
• Threats are not vulnerabilities
• Threats live forever; they are the attacker’s goal(s)

Gather Background Info
• Use-scenarios
• Bound scope
• Determine dependencies

Model the System
• Data flow diagrams
• Identify entry points & assets
• Determine threat paths

Identify Threats
• Threat type (STRIDE): Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
• Threat Trees
• Risk

Resolve Threats
• Fix?
• Work-around?
• Notification?
• Do nothing?

[Diagram: Threat – Vulnerability – Asset – Mitigation]

Slide 23 – Context Diagram: Services for Macintosh

Slide 24 – Level-0 DFD: Services for Macintosh
Slide 25 – Level-1 DFD: Services for Macintosh (File)

Slide 26 – Determining Threat Types

Each element in the DFD is susceptible to one or more threat types

[Diagram: the DFD with its elements numbered 1.0 to 11.0, each tagged with the STRIDE letters that apply to it; the visible tags are SR, TID and STRIDE]

Slide 27 – DFD Elements are Threat Targets

A “Work list”
Slide 28 – Threat Tree Format

Each node is a potential threat to the system.
Each threat is governed by the conditions which make the threat possible.

[Diagram: a Threat at the root; an ‘And’ clause joining Conditions, an ‘Or’ clause joining Conditions, and further Conditions beneath them]
Slide 29 – Threat Tree Pattern Examples

Slide 30 – Threat Tree Pattern Examples: Spoofing

Thinking Like a Security Pro!
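The threat tree format on slide 28 and the pattern examples on slides 29–30 can be made concrete with a small evaluator. The Python below is an added example and is not code from the deck or from Microsoft's threat modeling tool: it represents a threat as a tree of ‘And’ and ‘Or’ clauses over conditions, enumerates the condition sets that make the root threat possible, and shows which of them survive once a condition is mitigated. The tree, its condition names and the function names are all constructed for the example.

```python
"""Threat tree evaluator (added example; not code from the deck).

Slide 28: a threat is governed by the conditions that make it possible,
joined by 'And' clauses (every condition needed) or 'Or' clauses (any one
condition suffices). The tree at the bottom is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Union


@dataclass(frozen=True)
class Condition:
    """Leaf: a concrete condition an attacker would need."""
    name: str


@dataclass
class Clause:
    """Inner node: an 'and' or 'or' clause over sub-trees."""
    name: str
    kind: str                      # "and" or "or"
    children: list = field(default_factory=list)


Tree = Union[Condition, Clause]


def is_feasible(node: Tree, satisfied: Set[str]) -> bool:
    """True if the threat at `node` is possible given the conditions in
    `satisfied` (the ones an attacker can currently meet)."""
    if isinstance(node, Condition):
        return node.name in satisfied
    results = [is_feasible(c, satisfied) for c in node.children]
    return all(results) if node.kind == "and" else any(results)


def attack_paths(node: Tree) -> List[FrozenSet[str]]:
    """Every distinct set of leaf conditions that makes `node` feasible:
    OR clauses add alternatives, AND clauses combine their children's sets."""
    if isinstance(node, Condition):
        return [frozenset([node.name])]
    if node.kind == "or":
        return [p for child in node.children for p in attack_paths(child)]
    paths = [frozenset()]
    for child in node.children:
        paths = [p | q for p in paths for q in attack_paths(child)]
    return paths


def remaining_paths(node: Tree, mitigated: Set[str]) -> List[FrozenSet[str]]:
    """Paths that survive after the conditions in `mitigated` are removed
    by a design change: mitigating one condition of an AND clause closes
    that whole branch, while an OR clause needs every branch addressed."""
    return [p for p in attack_paths(node) if not (p & mitigated)]


# Constructed tree: an information-disclosure threat against user files
# held by a file service (cf. the Services for Macintosh DFD on slides
# 23-25). Every name here is illustrative only.
TREE = Clause("Read another user's data file", "or", [
    Clause("Direct file access", "and", [
        Condition("Interactive logon to the server"),
        Condition("File ACL grants Everyone read"),
    ]),
    Clause("Through the file service", "and", [
        Condition("Anonymous network path to the service"),
        Condition("Service skips the authorization check"),
    ]),
])


if __name__ == "__main__":
    for path in attack_paths(TREE):
        print("path:", sorted(path))
    fixed = {"File ACL grants Everyone read"}
    print("after hardening the ACL:", len(remaining_paths(TREE, fixed)), "path(s) left")
```

Run it directly to print the paths. The point to take from it is the asymmetry the slide's clauses imply: removing one condition under an ‘And’ clause closes that whole branch, while an ‘Or’ clause stays open until every branch is addressed, so a chosen mitigation should be checked against every path rather than the first one found.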
Slide 31 – A Special Note about Information Disclosure threats

All information disclosure threats are potential privacy issues.
Raising the Risk: is the data sensitive or PII?

Slide 32 – Calculating Risk with Numbers

DREAD etc.
• Very subjective
• Often requires the analyst be a security expert – on a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
• Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as “Won’t Fix”?
Slide 33 – Calculating Risk with Heuristics

• Simple rules of thumb
• Derived from the MSRC bulletin rankings

Slide 34 – Mitigation Techniques

Threat                 | Mitigation Feature
Spoofing               | Authentication
Tampering              | Integrity
Repudiation            | Nonrepudiation
Information Disclosure | Confidentiality
Denial of Service      | Availability
Elevation of Privilege | Authorization

Attend “Secure Design Principles”
Slide 35 – Code Review and the DFD

Review code and data on the anonymous data flows, the threat path – this is where the bad guys go – they follow the line of least resistance.

Slide 36 – Testing Threats

What needs testing / How to test

[Diagram: data paths labelled Anonymous → Priv and User → Priv; remove anonymous data paths with authentication]
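Slides 26–27 tag each DFD element with the STRIDE letters that apply to it and turn the result into a work list; slide 34 pairs each threat type with a mitigation feature, and slides 35–36 say to start with the anonymous data paths. The Python below is an added example, not the deck's own material or Microsoft's threat modeling tool: it generates the work list for a constructed Level-1 DFD, orders anonymous paths first and tallies which mitigation features the list calls for. The assignment of tags to element kinds (SR to external entities, STRIDE to processes, TID to data flows and stores) is an assumption of this example; slide 26 shows the tags but not that rule. The DFD, element IDs and function names are constructed.

```python
"""DFD elements -> STRIDE work list (added example; not the deck's tool).

Slide 26 tags DFD elements with STRIDE letters; slide 27 makes a work list
of them; slide 34 maps threat type -> mitigation feature; slides 35-36 say
to follow the anonymous data paths first. Tag-to-element-kind assignment
and the sample DFD are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Assumed: which STRIDE letters apply to which kind of DFD element.
TAGS_BY_KIND = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}

# Slide 34: threat type -> mitigation feature.
MITIGATION = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Nonrepudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}


@dataclass(frozen=True)
class Element:
    id: str
    name: str
    kind: str
    anonymous: bool = False   # on a data path reachable without authentication


@dataclass(frozen=True)
class WorkItem:
    tid: str          # threat ID, e.g. "P1-S" (slide 26 numbers elements 1.0, 2.0 ...)
    element: str
    threat: str
    mitigation: str
    anonymous: bool


def work_list(elements: List[Element]) -> List[WorkItem]:
    """One work item per (element, applicable threat type); anonymous
    paths come first because that is where the bad guys go (slide 35)."""
    items = []
    for e in elements:
        for letter in TAGS_BY_KIND[e.kind]:
            threat = STRIDE[letter]
            items.append(WorkItem(f"{e.id}-{letter}", e.name, threat,
                                  MITIGATION[threat], e.anonymous))
    items.sort(key=lambda w: (not w.anonymous, w.tid))
    return items


def mitigation_summary(items: List[WorkItem]) -> Dict[str, int]:
    """How many work items each mitigation feature would address."""
    summary: Dict[str, int] = {}
    for w in items:
        summary[w.mitigation] = summary.get(w.mitigation, 0) + 1
    return summary


# Constructed Level-1 DFD of a small file service (loosely modelled on the
# Services for Macintosh (File) example named on slide 25).
DFD = [
    Element("E1", "Remote client", "external_entity", anonymous=True),
    Element("F1", "Unauthenticated request", "data_flow", anonymous=True),
    Element("P1", "File service process", "process"),
    Element("F2", "File read/write", "data_flow"),
    Element("D1", "User files", "data_store"),
]


if __name__ == "__main__":
    for w in work_list(DFD):
        flag = "ANON " if w.anonymous else "     "
        print(f"{flag}{w.tid:6} {w.element:25} {w.threat:24} -> {w.mitigation}")
    print(mitigation_summary(work_list(DFD)))
```

The ordering is the practical part: the first items printed are the spoofing, repudiation, tampering, disclosure and denial-of-service entries on the unauthenticated path, which matches the slide 36 remedy of removing anonymous paths with authentication before spending review time elsewhere.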
Slide 37 – Threat Model Checklist

! No design is complete without a threat model!
! Follow anonymous data paths
! Every threat needs a security test plan
! Check all information disclosure threats – are they privacy issues?
! Be wary of elevated processes
! Use the threat modeling tool

[Diagram: threat – vuln – asset]

Slide 38 – Security Testing
Slide 39 – Security Testing

[Diagram: two overlapping sets, “Intended functionality” and “Actual software functionality”; where they fail to coincide lie “Traditional faults” on one side and “Unintended, undocumented or unknown functionality” on the other]
• Missing Defenses – no authn
• Poor Defenses – weak authn
• Extra ‘functionality’ – BO in authn

Slide 40 – Testing Like an Attacker

• ‘Footprint’ the application
Slide 41 – The Nature of Fuzzing

Slide 42 – Fuzz the data!

Container
• Name (On)
• Link to other (Ol)
• Exists (Oe)
• Does not exist (Od)
• No access (Oa)
• Restricted Access (Or)

Network
• Replay (Nr)
• Out-of-sync (No)
• High volume (Nh)

Name/Contents
• Length (Cl)
• Random (Cr)
• NULL (Cn)
• Zero (Cz)
• Wrong type (Cw)
• Wrong Sign (Cs)
• Out of Bounds (Co)
• Valid + Invalid (Cv)
• Special Chars (Cp): Script (Cps), HTML (Cph), Quotes (Cpq), Slashes (Cpl), Escaped chars (Cpe), Meta chars (Cpm)

Length
• Long (Ll)
• Small (Ls)
• 0-Length (Lz)
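The taxonomy on slide 42 can drive a fuzzer directly. The Python below is an added example, not the deck's material or any Microsoft tool: it builds one test case per Length and Name/Contents category for a constructed length-prefixed record format, then runs a deliberately unchecked parser and a hardened one against them with an oracle that counts a contract violation or an unexpected exception as a finding. The record format, both parsers, the choice of input for each case ID and the MAX_NAME limit are constructed for the example; the Container and Network categories are not covered.

```python
"""Taxonomy-driven fuzz cases (added example; not code from the deck).

Case IDs follow the "Fuzz the data!" slide: Length (Ll long, Ls small,
Lz 0-length) and Name/Contents (Cn NULL, Cz zero, Cs wrong sign, Co out
of bounds, Cr random, Cp special chars, Cv valid + invalid). The record
format (4-byte little-endian signed length, then the name bytes) and both
parsers are constructed for this example.
"""
import random
import struct
from typing import Callable, Dict, List, Optional

MAX_NAME = 256           # constructed upper bound for a sane name field
BASE = b"report.txt"     # a valid name used as the starting point


def build(name: bytes, length: Optional[int] = None) -> bytes:
    """Encode a record; `length` overrides the true length to craft bad cases."""
    n = len(name) if length is None else length
    return struct.pack("<i", n) + name


def parse_record_unchecked(data: bytes) -> bytes:
    """Constructed 'before' parser: trusts the length field blindly."""
    n, = struct.unpack("<i", data[:4])
    return data[4:4 + n]


def parse_record(data: bytes) -> bytes:
    """Hardened parser: checks the length against bounds and against the
    payload actually present before using it."""
    if len(data) < 4:
        raise ValueError("truncated header")
    n, = struct.unpack("<i", data[:4])
    if n < 0 or n > MAX_NAME or len(data) - 4 != n:
        raise ValueError("length field does not match payload")
    return data[4:4 + n]


def fuzz_cases(seed: int = 1) -> Dict[str, bytes]:
    """One malformed record per taxonomy category (deterministic seed)."""
    rnd = random.Random(seed)
    return {
        "Ll": build(b"A" * 4096),                 # Length: long
        "Ls": build(b"A"),                        # Length: small
        "Lz": build(b""),                         # Length: 0-length
        "Cn": build(b"\x00" * len(BASE)),         # Contents: NULL bytes
        "Cz": build(BASE, length=0),              # Contents: zero in the length field
        "Cs": build(BASE, length=-1),             # Contents: wrong sign
        "Co": build(BASE, length=0x7FFFFFFF),     # Contents: out of bounds
        "Cr": build(bytes(rnd.getrandbits(8) for _ in range(32))),  # random
        "Cp": build(b"../..\\<b>'\";%00"),         # special / meta chars
        "Cv": build(BASE + b"\xff\xfe"),          # valid + invalid bytes
        "hdr": b"\x05",                           # truncated header
    }


def run(parser: Callable[[bytes], bytes], cases: Dict[str, bytes]) -> List[str]:
    """Return the case IDs on which `parser` breaks its contract: it must
    either raise ValueError or return the whole payload, whose size must
    equal the length field. Any other exception is counted as a crash,
    the analogue of the AVs the slides tell you to look for."""
    failures = []
    for case_id, data in cases.items():
        try:
            out = parser(data)
        except ValueError:
            continue
        except Exception:
            failures.append(case_id)
            continue
        n = struct.unpack("<i", data[:4])[0] if len(data) >= 4 else None
        if n is None or out != data[4:] or len(out) != n:
            failures.append(case_id)
    return failures


if __name__ == "__main__":
    print("unchecked parser fails on:", run(parse_record_unchecked, fuzz_cases()))
    print("hardened parser fails on: ", run(parse_record, fuzz_cases()))
```

The oracle matters as much as the inputs: the unchecked parser never throws on the Cz, Cs and Co cases, so a harness that only watches for exceptions would report nothing, while checking the returned payload against the length field exposes all three, and the truncated header shows up as a raw struct.error crash.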
Slide 43 – Attack Ideas

• Rule #1 – There are no rules
• Attacks by admins are uninteresting
• If you provide a client to access the server, don’t use it! Mimic the client in code
• If you rely on a specific service, build a bogus one

Slide 44 – “Bang for the Buck” Attack Ideas

• Consume files? Try device names and ‘..’ – look for: hangs, access to other files
• Fuzz data structures – look for: AVs or memory leaks (appverifier)
• Look for PII data in information disclosure threats
• ActiveX (especially Safe For Scripting) – look at each method/property and ask, “what could a bad guy do”
Slide 45 – “Bang for the Buck” Attack Ideas (continued)

• Pushing data from low-priv to high-priv process
• Look for privilege elevation boundaries

[Diagram: a SYSTEM process consuming resources with ACLs “Admin: Full Control, Everyone: Read” and “Everyone: Write”]

Slide 46 – Security Testing Checklist

! Build fuzzers for all consumed resources (files, net protocols etc.)
! Tools, Tools, Tools
! Fuzz!