Case Study: Building a More Secure Browser in IE7 Rob Franco, Lead Program Manager Internet Explorer Security FUNL03.

Presentation transcript:

1 Case Study: Building a More Secure Browser in IE7 Rob Franco, Lead Program Manager Internet Explorer Security FUNL03

2 Tony, Group Program Manager, IE; Laurel, Lead PM, IE Platform. "I hope Rob can focus this PDC session better than his camera!"

3 Who are you? Developer for an internet-facing app? Developer of an IE extension?

4 About this presentation
In this presentation, we will cover:
- The Security Development Lifecycle
- Guiding principles for IE Security
- High-level browser threat model
  - Data flow and architecture of IE
  - Data flow and threats for: User Interface, Network requests, Page Rendering
- How IE7 addresses the threats
  - Dynamic protection against web fraud & data theft
  - More user control over add-ons
  - Advanced malware protection

5 Security Development Lifecycle (diagram)
Phases: Requirements, Design, Implementation, Verification, Release, Support & Servicing.
Traditional Microsoft software product development lifecycle tasks and processes: Feature Lists, Quality Guidelines, Arch Docs, Schedules, Design Specifications, Functional Specifications, Testing and Verification, Development of New Code, Bug Fixes, Code Signing, A Checkpoint Express Signoff, RTM, Product Support, Service Packs/QFEs, Security Updates.
Security Development Lifecycle tasks and processes: Security Training, Security Kickoff & Register with SWI, Security Design Best Practices, Security Arch & Attack Surface Review, Threat Modeling, Use Security Development Tools & Security Best Dev & Test Practices, Create Security Docs and Tools for Product, Prepare Security Response Plan, Security Push, Pen Testing, Final Security Review, Security Servicing & Response Execution.

6 Recommended Reading: Writing Secure Code, Second Edition; Threat Modeling

7 Guiding principles
- Balance our customers' need for browsing that's powerful but also secure
- Architectural changes eradicate classes of vulnerabilities in major releases
- Mitigations reduce severity or prevent future vulnerabilities in service packs
- Security Updates address targeted vulnerabilities and variations
- Every release goes through threat modeling, penetration testing and code analysis tools

8 Browser basics: Data flow
- Outbound: URLs, HTTP requests, auth & cookie data
- Inbound: URLs, HTML, script, non-IE files

9 Browser basics: Architecture (diagram)
Layers: User Interface (IEFrame), Network request layer (WinINet, URLMon), Page Rendering (MSHTML).
Extension points shown: Browser Helper Objects, Toolbars, MIME filters, ActiveX, Script Engine, Binary Behaviors.

10 Threats from data flow: User Interface layer
Sample threats:
- URLs parsed incorrectly
  - Domain spoofed
  - Buffer overrun
- User can't read URL
- Dangerous files launch & install
- User clicks "OK"
  - Logic error in prompt
- Scripted windows trick user
  - Overlays UI warnings
- User lowers security settings

11 Threats from data flow: Network request layer
Sample threats:
- Auth credentials encryption cracked
- URL parsed incorrectly
  - Buffer overrun
- Security settings not enforced
- Data sniffer
  - Buffer overrun or logic failure
- Faulty pluggable protocol loads

12 Threats from data flow: Page Rendering layer
Sample threats:
- URLs parsed incorrectly
  - Buffer overrun
  - Page access rules fail
- HTML parser
  - Buffer overrun
- Faulty COM object loads
  - Page access rules fail
  - Unsafe access defaults
- Page redirects

13 About this presentation
In this presentation, we will cover:
- The Security Development Lifecycle
- Guiding principles for IE Security
- High-level browser threat model
  - Data flow and architecture of IE
  - Data flow and threats for: UI layer, Network request layer, Page Rendering layer
- How IE7 addresses the threats
  - Dynamic protection against web fraud & data theft
  - More user control over add-ons
  - Advanced malware protection

14 Dynamic protection against fraud: Safer UI for browsing
In this demo, you will see how IE 7:
- Uses a dynamic Phishing Filter to protect users from phishing sites
- Uses heuristics to detect suspicious sites
- Highlights the user experience for secure sites (SSL)
- Warns users about unsafe settings

15 Tariq, Manav, John and I try to catch the Phishers

16 The UX team added Address bars to pop-up windows, Unsafe settings warnings and Pop-up blocking

17 User control over add-ons: ActiveX Opt-in & No Add-ons Mode
Problems:
- ActiveX controls can expose dangerous functions and security bugs to any page on the web
- Users have no control over the number of controls installed by default
- Users suspect add-ons have privacy and reliability problems
Solutions:
- Unused ActiveX controls will prompt on first use, the same as downloaded controls
- Users can run in Add-ons Disabled mode to shut off more extensions like BHOs

18 User control over add-ons: Building safer ActiveX controls
Best practices:
- Threat model controls
- Limit reads and writes; beware redirects
- Site-Lock control to only work on one site
- Clearly identify your control with signatures
Find more here: http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/security.asp

19 John, Phoebe and Vidya planning for IE7 Platform and Network features

20 Advanced malware protection: Unified URL parsing
Problem:
- Special characters complicate URL parsing, e.g. http://www.good.com@bad.com
- URLs passed as strings may be parsed inconsistently through the stack
Solution:
- IUri is IE's single URL parsing object
- Canonicalizes URLs targeting RFC 3986
- IE passes the pre-parsed URL object through the stack
- Partners can also use the IUri object in URLMON to canonicalize URLs

21 Advanced malware protection: Sample using IUri to parse hostname

    #include <windows.h>
    #include <urlmon.h>   // declares IUri and CreateUri
    ...
    // pwzUrl is the LPCWSTR URL string to parse
    IUri *pIUri = NULL;
    HRESULT hr = CreateUri(pwzUrl, Uri_CREATE_ALLOW_RELATIVE, 0, &pIUri);
    if (SUCCEEDED(hr))
    {
        BSTR bstrHost = NULL;
        hr = pIUri->GetHost(&bstrHost);
        if (S_OK == hr) // Host exists. Do something with it.
        {
            SysFreeString(bstrHost);
        }
        else if (S_FALSE == hr) // Host doesn't exist in this URI.
        {
        }
        pIUri->Release();
    }

Early documentation here: http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/reference/ifaces/iuri/iuri.asp?frame=true

22 Networking Dev & Test captured on film away from their work

23 Advanced malware protection: Cross Domain Security (diagram)
Element <H>: ID Card, Color Black, Size 32, Text %Credit Card#%, Domain www.MyBank.com.
Script from Domain www.MyBank.com: Card.color="RED".
Script in the Internet Zone has to go through a domain check in order to access the element.
RULE #1: Only script from the same domain can access an element.

24 Advanced malware protection: Cross Domain Security (diagram, continued)
Same element <H>: ID Card, Color Black, Size 32, Text %Credit Card#%, Domain www.MyBank.com.
Script from Domain www.evil.com: Card.color="RED". This script comes from a different domain, so it fails the domain check.
RULE #1: Only script from the same domain can access an element.

25 Advanced malware protection: Cross Domain Security
Problems:
- Hackers use script protocols to run domain-less script in the navigation codepath. Type this in your address bar: javascript:alert(document.body.innerHTML)
- Redirects sometimes evade domain checks
Solutions:
- Migrate the script protocol to run as script in the originating page
- Deny access to objects that aren't redirect-aware
- Partner code should also enforce secure domain access rules and be redirect-aware
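As an added, portable illustration of slides 20 and 23-25 (this is not IE's IUri code, which is Windows-only): a small C host extractor applying the RFC 3986 authority rules the unified parser targets, beside the naive string parse that gets http://www.good.com@bad.com wrong, and a same_domain check implementing RULE #1 on top of it. Function names and the 256-byte host buffers are my own choices.

```c
#include <string.h>
#include <ctype.h>

/* Host of an absolute URL per the RFC 3986 authority rules the slides point to:
   the authority ends at the first '/', '?' or '#'; userinfo up to the LAST '@' is
   dropped; a ':port' suffix is dropped; result is lower-cased (canonical form).
   Bracketed IPv6 literals are not handled. Returns 1 on success, 0 otherwise. */
int url_host(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://");
    if (!p) return 0;
    p += 3;
    const char *end = p + strcspn(p, "/?#");   /* end of the authority */
    const char *at = NULL;
    for (const char *q = p; q < end; q++)       /* last '@' wins: user@good.com@bad.com -> bad.com */
        if (*q == '@') at = q;
    const char *h = at ? at + 1 : p;
    size_t n = strcspn(h, ":");                 /* strip :port */
    if (h + n > end) n = (size_t)(end - h);
    if (n == 0 || n >= hostsz) return 0;
    for (size_t i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)h[i]);
    host[n] = '\0';
    return 1;
}

/* The inconsistent string parser the slides warn about: it stops at the first
   '@', ':' or '/', so "http://www.good.com@bad.com" yields the decoy host. */
int url_host_naive(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://");
    if (!p) return 0;
    p += 3;
    size_t n = strcspn(p, "/@:?#");
    if (n == 0 || n >= hostsz) return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* RULE #1 from the cross-domain slides: script may touch an element only when
   both URLs canonicalize to the same host; anything unparseable is denied. */
int same_domain(const char *script_url, const char *element_url)
{
    char a[256], b[256];
    if (!url_host(script_url, a, sizeof a) || !url_host(element_url, b, sizeof b))
        return 0;
    return strcmp(a, b) == 0;
}
```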

26 Advanced malware protection: Preventing buffer overruns (diagram)
Element <IMG> with SRC ..\BufferOverrun.jpg from Domain www.evil.com reaches the parser ("George Parser").
Problem: Attacker finds a place where the parser does not check for the size of an argument:
    szImagePath[20];
    lstrcpy(szImagePath, szUserInput);
becomes, with attacker-supplied input:
    szImagePath[20];
    lstrcpy(szImagePath, "xxx…xxxx");
Solutions:
- IE uses automated code review tools, fuzz testing and safe memory APIs to help prevent buffer overruns
- Partners can use the same tools we use to find and prevent buffer overruns. These tools are part of Visual Studio .NET
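Added example, not from the slides: the slide's lstrcpy pattern kept as a comment, a bounded replacement that rejects over-long input rather than truncating it, and a small fuzz loop with a canary byte that exercises every input length. IMAGE_PATH_MAX mirrors the slide's szImagePath[20]; the function names are assumed.

```c
#include <string.h>

#define IMAGE_PATH_MAX 20   /* same size as the slide's szImagePath[20] */

/* The pattern from the slide, kept as a comment only: lstrcpy copies until the
   NUL in szUserInput, so an attacker-supplied value longer than 19 bytes writes
   past the end of szImagePath.
       char szImagePath[20];
       lstrcpy(szImagePath, szUserInput);
*/

/* Hardened form: copy src into dst only if it fits including the terminator;
   otherwise leave dst empty and fail closed. Returns 0 on success, -1 on error. */
int copy_image_path(char *dst, size_t dstsz, const char *src)
{
    if (!dst || dstsz == 0) return -1;
    dst[0] = '\0';
    if (!src) return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0') n++;  /* bounded scan: never reads past dstsz */
    if (n >= dstsz) return -1;                /* no room for the NUL: reject, do not truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Tiny fuzz harness in the spirit of the slide's "fuzz testing": feed every input
   length from 0 to 63 and check that a canary placed right after the buffer
   survives and that only inputs shorter than IMAGE_PATH_MAX are accepted.
   Returns 1 if all cases pass, 0 on the first failure. */
int fuzz_copy_image_path(void)
{
    struct { char path[IMAGE_PATH_MAX]; char canary; } s;
    char input[64];
    for (size_t len = 0; len < sizeof input; len++) {
        memset(input, 'x', len);
        input[len] = '\0';
        s.canary = 0x5A;
        int rc = copy_image_path(s.path, sizeof s.path, input);
        if (s.canary != 0x5A) return 0;                      /* overrun detected */
        if ((len < IMAGE_PATH_MAX) != (rc == 0)) return 0;   /* wrong accept/reject */
    }
    return 1;
}
```

Note that the slide's own SRC value, ..\BufferOverrun.jpg, is 20 characters and so is rejected by the bounded copy.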

27 Advanced malware protection: Threats with admin rights (diagram)
IExplore.exe running with admin-rights access can install a driver, run Windows Update, change settings, download a picture and cache web content, so an exploit can install MALWARE.
Resources in the diagram, ranging from admin-rights access through user-rights access to untrusted files & settings: Temp Internet Files, HKLM, Program Files, HKCU, My Documents, Startup Folder.

28 Advanced malware protection: Protected Mode IE and UAP contain threats (diagram)
LoRIE (low-rights IE) runs under Integrity Control. Installing a driver or an ActiveX control, changing settings or saving a picture goes through a Broker Process; redirected settings & files go through the Compat Redirector; web content is cached.
Resources in the diagram, ranging from admin-rights access through user-rights access to untrusted files & settings: Temp Internet Files, HKLM, HKCR, Program Files, HKCU, My Documents, Startup Folder.

29 Advanced malware protection: ActiveX Opt-in and Protected Mode IE
In this demo, IE for Windows Vista will:
- Protect the user from a potentially unsafe control
- Run with restrictions to prevent exploits from installing malware on the user's system
- Still allow users to download files or change settings
- Allow Intranet sites to run without restrictions

30 Advanced malware protection: Options for running at "least privilege"
Build "Protected Mode" for your app if it handles untrusted data:
- Set any file/registry ACLs that are safe and needed to LOW, e.g. %AppData%\%YourAppName%\Untrusted Data
- Create your process with the Low Integrity token
- Create a broker process for Medium or High Integrity operations
Add-ons inside of IE run "Low" by default:
- Writes to the user's profile will be automatically redirected to a subdirectory of the TIF
- Extensions can use the SaveAs APIs to call the broker to prompt the user to save a file to the user profile system

31 Advanced malware protection: Options for running at "least privilege" (continued)
- User consent or an "allow list" lets extensions launch apps at "Medium"
- An allow list will let known apps elevate to Medium without user intervention
- Other processes spawned from IE will throw an "information bar" unless marked for Low
- Compat logging will help diagnose failed or redirected writes and create process

32 Anantha and Bogdan powering through to code complete

33 Marc and Robert from the Protected Mode IE team test their code on a demo page

34 Dean, General Manager IE, unmasked? "You know, I have one simple request. And that is to have anti-phishing frickin' laser beams attached to the browser! Now evidently my security team informs me that that cannot be done. Ah, would you remind me what I pay you people for, honestly? Throw me a bone here!"

35 Summary. Target: Secure and Compatible
- Security Development Lifecycle helps mitigate risk
- Users count on our industry to be secure and compatible
- Tools available for you to use:
  - Train using the Writing Secure Code and Threat Modeling books
  - Correctly handle URLs with IE7's IUri
  - Threat model extensions like ActiveX controls
  - Remove buffer overruns from your code with tools in Visual Studio Whidbey
  - Run with least privilege using Mandatory Integrity Control in Windows Vista

36 Related Talks at the PDC
- PRS 203 "What's new in IE7", Tuesday, 4:15 (past), Halls C&D
- FUN 406 "Windows Vista User Account Protection", Wednesday, 11:00 AM (past), 402AB
- DAT 320 "Building RSS enabled applications", Thursday, 2:15, 403AB
- FUN 314 "Architecting apps for the future with compatibility", Thursday, 2:15, 408AB

37 Questions?

38 BACKUPS

39 Dynamic protection against fraud: Safer UI for browser settings
In this demonstration, you will see how Internet Explorer 7:
- Uses a dynamic Phishing Filter to protect users from phishing sites
- Uses heuristics to detect suspicious sites
- Highlights the user experience for secure sites (SSL)
- Warns users about unsafe settings

40 Dynamic protection against fraud
Problem: IP addresses and misleading URLs convince users to give away personal information
Solutions:
- Dynamic Phishing Filter blocks known attacks
- Improved URL parsing robust against encoding tricks

41 Dynamic protection against fraud
Solution (continued):
- Address bar on every pop-up window
- Background tabs can't open windows

42 Dynamic protection against fraud
Solution (continued):
- International Domain Names (IDN) must be in a language supported by the user's system
- Multiple languages can't be mixed in an IDN URL

43 Dynamic protection against fraud: Safer UI for browser settings
Security settings per zone, aka URLActions. Note: Windows Server 2003 has stricter defaults than other versions of IE.

44 Dynamic protection against fraud: Safer UI for browser settings (zone defaults, problems)

Zone              Membership                                              Default level and behavior
My Computer zone  Not shown in the UI; any HTML content on the local      LOW--, unrestricted access to scriptable APIs
                  machine
Intranet          Machine names in your domain                            MED-LOW, automatic domain login
Trusted sites     Empty unless configured                                 LOW, sites can silently install signed ActiveX
Internet          Fully-qualified domain names                            MED, only uses safe extensibility
Restricted sites  Empty unless configured                                 HIGH, only renders HTML, loads no extensions

Problems:
- Users opt to change settings
- My Computer and Trusted are targets

45 Dynamic protection against fraud: Safer UI for browser settings (zone defaults, solutions)

Zone              Membership                                              Default level and behavior
My Computer zone  (as before)                                             HIGH when used in IE
Intranet          Disabled on consumer PCs                                MED-LOW, automatic domain login
Trusted sites     Empty unless configured                                 MED, only uses safe extensibility
Internet          Fully-qualified domains                                 MED-HIGH
Restricted sites  Empty unless configured                                 HIGH, only renders HTML, loads no extensions

Solutions:
- More secure defaults
- UI to prevent unsafe settings

46 Dynamic protection against fraud: Safer UI for browser settings (screenshot: shown under the address bar)

47 Advanced malware protection: Demo: Protected Mode IE
In this demo, you will see how Internet Explorer for Windows Vista:
- Runs with restrictions to prevent exploits from installing malware on the user's system
- Still allows users to download files or change settings
- Allows Intranet sites to run without restrictions
