1. The “Everything Developer Security” Talk Michael Howard Principal Security Program Manager Microsoft Corp

2. Come ask questions, voice concerns, get insights and guidance at this interactive theater talk that has no defined agenda, other than developer-related security issues. Michael will simply put a list of topics that interest him on the screen, and from that point on it’s open season! Examples include: -GS, ASLR, DEP, C/C++ security, Windows Vista security, the SDL and how it applies to agile methods, and lessons learned from five years of Trustworthy Computing.

3. How do I sell security to management?

4. Selling Security Don’t sell security CxOs are sick of hearing “the sky might fall” There is little ROI evidence for security today Unless your stock symbol is MSFT! Sell privacy Get the risk management folks in the room Spending €100,000 to offset €17,000,000 of risk is a no-brainer

5. What is the #1 Skill Developers should Learn?

6. Never Trust Data “All data is evil, until proven otherwise” The most heinous bugs are because of too much trust in data Buffer overruns Cross-site scripting HTTP response splitting Cross-site request forgery SQL injection Command injection XPath injection Etc.

7. Never Trust Data: Evidence 47% of security bugs tracked by CVE between 2001- 2004 were due to too much trust in data Stragglers include: Breaking a sandbox, poor crypto, information disclosure etc.

8. Never Trust Data: Action Don’t solely use “blocklists” Constrain Only allow what you know to be good Eg: constrain to only a valid email address Reject Reject that which you know is bad Eg; reject bad characters, often environment specific (Web etc) such as <>& etc Sanitize Encode if possible Eg; HTML encode

9. Do NOT look ONLY for “bad things.” It assumes you know all the “bad things”  deldeleteete from table

10. What is the #1 Skill Testers should Learn?

11. Fuzz! Fuzzing was designed to find reliability bugs It turns out many reliability bugs are actually security bugs A buffer overrun defect might crash an app The right payload could execute malicious code

12. Fuzz: Evidence Just about every file parsing bug ever found in the history of software was found through fuzzing! XLS (MS06-012) BMP (MS06-005, MS05-002) TNEF (MS06-003) EOT (MS06-002) WMF (MS06-001, MS05-053) EMF (MS06-053) PNG (MS05-009) GIF (MS05-052, MS04-025) JPG (MS04-028) ICC (MS05-036) ICO (MS05-002) CUR (MS05-002) ANI (MS05-002) DOC (MS05-035) ZIP (MS04-034) ASN.1 (MS04-007) Etc…

13. Fuzz: Action Fuzz all formats you consume SDL mandates 100,000 iterations per file format Build an ‘evil layer’

14. Fuzz: Action Fuzz all formats you consume SDL mandates 100,000 iterations per file format Build an ‘evil layer’ ClientServer ‘pure evil’ #ifdef __EVIL__ #endif

15. void FuzzBuf(__inout_bcount(cbBuf) char *pBuf, __inout size_t *pcbBuf) { if (!*pcbBuf || !*pBuf) return; if ((rand() % 100) > 7) return; // fuzz about 7% of Buffers size_t loop = 1 + (rand() % 4); for (size_t j = 0; j < loop; j++) { size_t i=0, iLow = rand() % *pcbBuf, iHigh = 1+rand() % *pcbBuf; if (iLow > iHigh) {size_t t=iHigh; iHigh=iLow; iLow=t;} char ch=0; switch(rand() % 7) { case 0 : // flip upper bit for (i=iLow; i<iHigh; i++) { pBuf[i] ^= 0x80; } break; case 1 : // write a series of random bytes for (i=iLow; i<iHigh; i++) { pBuf[i] = (char)(rand() % 256); } break; case 2 : // set NULL bytes to random value for (i=iLow; i<iHigh; i++) { if (!pBuf[i]) pBuf[i] = (char)(rand() % 256);} break; case 3 : // switch bytes at random for (i=iLow; i<__max(iHigh-1,iLow); i+= rand() % 8) {char t=pBuf[i]; pBuf[i]=pBuf[i+1]; pBuf[i+1] = t;} break; case 4 : // write a random series of bytes at random locations for (i=iLow; i<__max(iHigh-1,iLow); i+= rand() % 8) {pBuf[i] = (char)(rand()%256);} break; case 5 : // write a random byte to a range ch=(char)(rand() % 256); for (i=iLow; i < iHigh; i++) { pBuf[i] = ch; } break; default: // truncate the data *pcbBuf = iHigh; break; }

16. Pop Quiz: What’s wrong with this design? When a TCP/IP SYN packet arrives, the TCP/IP stack uses the following algorithm to derive a 12-bit integer, and the result is used as an insertion and look-up value in a hash-table. value  32-bit packed source IP address value  value XOR source port value  value MOD 4093

17. What is the #1 Skill Designers should Learn?

18. Build Threat Models Help make sure the correct defenses are in place What data are you storing? Privacy concerns: Is the data personally identifiable or confidential? Threat models not only benefit design They can be used to understand more about your code Where does the data come from (local, remote, local subnet) What trust level is required to communicate with your code (anonymous, user, admin) Pay special attention to external dependencies and assumptions

19. Build Threat Models Who can access this entry point, and from where? Rock solid code handling incoming data

20. BuildThreat Models: Action Build effective threat models Identify all entry points into the system, and rank their accessibility Local vs local subnet vs remote Admin vs user vs anonymous Higher attack surface == better be good code! Consider reducing attack surface Review code along the anonymous data paths Increasing attack surface

21. Pop Quiz: What’s Wrong with this code? string Status = "No"; string sqlstring =""; try { SqlConnection sql= new SqlConnection( @"data source=localhost;" + "user id=sa;password=password;"); sql.Open(); sqlstring="SELECT HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; SqlCommand cmd = new SqlCommand(sqlstring,sql); if ((int)cmd.ExecuteScalar() != 0) Status = "Yes"; } catch (SqlException se) { Status = sqlstring + " failed\n\r"; foreach (SqlError e in se.Errors) { Status += e.Message + "\n\r"; } } catch (Exception e) { Status = e.ToString(); } Hard to guess password! Connecting as sysadmin String concat for dynamic SQL Telling the bad guy too much on failure

22. I have a gazillion lines of code to review – how do I prioritize?

23. Potentially, How Buggy is the Code? An estimate of the total population of bugs (B) is given by X/B = N/Y This is a classic capture/recapture technique pioneered in biology, but widely used in software engineering X=Bugs found by first team Y=Bugs found by second team N

24. Example: Potentially, How Buggy is the Code? X=10 bugsY=12 bugs X/B = N/Y 10/B = 4/12  B = 30 If found 10 bugs, and found 12, and there are about 30 bugs, then you better keep on looking! And they found 4 bugs in common (N)

25. Run all available tools Compile C/C++ at /W4 /analyze FxCop Are some sources files ‘bug-dense’? Many need more review

26. Other Heuristics More review Old code On by default Elevated Anonymous access Listening on network Planetary access UDP C/C++/ASM A ‘history’ Complex Undoc’d interface Handles PII etc Big functions Hard to maintain Lots of churn Less review New code Off by default Least privilege Authenticated access Not listening Local subnet or machine TCP Managed code Clean ‘history’ Simple or well understood Doc’d interface Does not handle PII etc Little functions Easy to maintain Stable code

27. What does the bad guy control? The Golden Question

28. Pop Quiz: Is this a security bug? int main(int argc, char *argv[]) { char t[32]; if (argc==2) strcpy(t,argv[1]); // etc }

29. Explain to me again the “Turkish-I” problem

30. The Turkish-I problem (Applies also to Azerbaijan!) Turkish has four letter ‘I’s i (U+0069) ı (U+0131) İ (U+0130) I (U+0049) In Turkish locale UC("file")==FİLE // Do not allow "FILE://" URLsFILE:// if(url.ToUpper().Left(5) == "FILE:") return ERROR; getStuff(url);  // Only allow " HTTP://" URLs HTTP:// if(url.ToUpper(CULTURE_INVARIANT).Left(5) == " HTTP:") getStuff(url); else return ERROR;

31. Pop Quiz: What does this mean?

32. What should I not use RC4?

33. Issues with Stream Ciphers Stream ciphers are simply random number generators They create a key stream of random bytes The ‘seed’ is the symmetric key Issues: C a xor C b == P a xor P b C a xor P a == K Bit flip attacks P0P0 C0C0 K0K0 P1P1 C1C1 K1K1 …

34. Don’t use ECB-mode either! ECB CBC

35. Questions? Email mikehow@microsoft.com Blog blogs.msdn.com\michael_howard

36. Resources Technical Communities, Webcasts, Blogs, Chats & User Groups http://www.microsoft.com/communities/default.mspx http://www.microsoft.com/communities/default.mspx Microsoft Learning and Certification http://www.microsoft.com/learning/default.mspx http://www.microsoft.com/learning/default.mspx Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdn http://microsoft.com/technet http://microsoft.com/msdn http://microsoft.com/technet Trial Software and Virtual Labs http://www.microsoft.com/technet/downloads/trials/defa ult.mspx http://www.microsoft.com/technet/downloads/trials/defa ult.mspx New, as a pilot for 2007, the Breakout sessions will be available post event, in the TechEd Video Library, via the My Event page of the website Required slide: Please customize this slide with the resources relevant to your session MSDN Library Knowledge Base Forums MSDN Magazine User Groups Newsgroups E-learning Product Evaluations Videos Webcasts V-labs Blogs MVPs Certification Chats learn support connect subscribe Visit MSDN in the ATE Pavilion and get a FREE 180-day trial of MS Visual Studio Team System!

37. Complete your evaluation on the My Event pages of the website at the CommNet or the Feedback Terminals to win!

38. © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.