1. Security Tools For Software Development Ivan Medvedev Security Development Lead Microsoft Corporation

2. Overview Introduction to our team Security Development Lifecycle Tools available to developers Threat Modeling Tool Visual Studio Compiler Switches FxCopAppVerifier Upcoming new tools! Fuzz testing

3. Security Engineering And Communications Microsoft Security Response Center (MSRC) Primary interface with security research community Software Security Incident Response Process (SSIRP) Secure Windows Initiative (company-wide) Training for developers and partners Security Milestones in the development process Attack and Penetration teams Final Security Reviews Strategy and Policy Security Development Lifecycle Councils, Buddy programs, etc. CERT, CSIRT interface, other government initiatives, including common criteria Windows Privacy (Phishing, spam, etc)

4. The Security Development Lifecycle (SDL) Security best practices in Microsoft Provides guidance within established development processes Design considerations Creating effective security plans Leveraging tools across the development cycle Better then simply hunting for bugs Requirements Design Implementation Verification Release Response

5. The Threat Modeling Tool

6. What is Threat Modeling? A process to understand and document security threats to a system that: Closely simulates an adversary’s thought process Will describe the system’s threat profile Allows the security of the system to be characterized May find vulnerabilities

7. Key Concepts The threat profile is an enumeration of adversary goals A threat is not a vulnerability, and the point of a threat model is more than just finding vulnerabilities Threats justify security features and secure coding guidelines

8. Key Concepts A system is anything that exposes functionality to an end user: Single feature Shipping product Web application and its supporting infrastructure Etc.

9. Threat Modeling Tool Provides structure to a threat model document Lists all of the key areas for consideration Links assets, threats, and vulnerabilities for easier prioritization Saves as XML for portability

10. Visual Studio Compiler Options

11. What Is A Buffer Overrun? Buffers are blocks of memory, usually in the form of an array When the size of an array is not verified, it is possible to write outside the allocated buffer If such an action takes place in memory addresses higher than the buffer, it is called a buffer overrun A buffer overrun that injects code into a running process is referred to as an exploitable buffer overrun

12. What Is A Buffer Overrun? The ability to arbitrarily corrupt memory Overflows lead to arbitrary code Underflows lead to denial of service Problem is usually isolated to C and C++ 00 2A00 int x = 42; char zip[6]; strcpy(zip, userinput); printf("x = %i\n", x);

13. Types Of Exploits Stack smashing Register hijacking Local pointer subterfuge V-Table hijacking C++ EH clobbering SEH clobbering Multistage attacks Parameter pointer subterfuge Previous function’s stack frame Return address EH frame Callee save registers Garbage Local variables and locally declared buffers Frame pointer Function arguments

14. Visual Studio Security Options /GS A "speed bump," or cookie, between the buffer and the return address. When function exits, the cookie is checked Helped lower Blaster impact on Win 2003 /SAFESEH Created in response to CodeRed Verifies the exception handler

15. Stack Layout In VC++ 2003 Function prolog: Previous function’s stack frame Return address EH frame Callee save registers Garbage Frame pointer Function arguments Cookie sub esp,24h mov eax,dword ptr [___security_cookie (408040h)] [___security_cookie (408040h)] mov dword ptr [esp+20h],eax mov ecx,dword ptr [esp+20h] add esp,24h jmp __security_check_cookie 4010B2h) 4010B2h) Function epilog: Locally declared buffers Local variables

16. FxCopFxCop

17. FxCop A static code analysis tool that examines managed assemblies for design and code correctness issues Console and graphical applications that manage: Targets (items for analysis) Rules (checks to execute) Messages (feedback from rules) A general infrastructure for writing checks against managed code

18. Benefits FxCop helps create: More consistent API, easily discoverable via help, IntelliSense, etc. Better performance in code More secure applications Fewer globalization and COM/cross-language interoperability issues Increased understanding of.NET Framework Extends compiler-provided checks

19. FxCop and Security Current version (1.30) has 21 security rules Examples of security rules Fields that are arrays should not be read-only Link demand security checks on types do not prevent access to the type’s fields Security checks on value-type constructors do not prevent the value-type from being instantiated

20. Demo Title FxCop Security Rules

21. The Windows Application Verifier

22. Windows Application Verifier (AppVerifier) Provide developers with Tools and knowledge used in Windows development A testing infrastructure to detect run time issues in Win32 applications Targeted towards developers and QA teams with debugging knowledge

23. Benefits Significantly reduces debugging time detecting Memory corruptions Hangs Security issues Reduces crashes 67.8% of 3rd party user mode crashes could have been detected using the AppVerifier Aids in Logo/Certification testing Non-administrator scenarios Resource management Version checking

24. Security And The AppVerifier Enable the SecurityChecks Test Insecure API usage Misuses of CreateProcess Interactive services Many server applications are vulnerable to “Shatter” attacks Potentially allows an interactive user to get the privileges of a service running as LOCAL_SYSTEM Removed from Longhorn completely Weak security descriptor usage Granting EVERYONE_WRITE access to a file or registry key is an opportunity for elevation of privilege Creating an object with a NULL DACL at anytime is a security issue

25. Demo Title The Application Verifier

26. Advanced Technique: Fuzzing

27. What Is Fuzzing? Fuzz testing is a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces Inputs include: Files Network ports APIs Based on the analysis of a number of software security vulnerabilities uncovered in the past the belief is that a large percentage of them could have been found by doing fuzz testing

28. What Is Fuzzing? Fuzzing is a variation of negative testing Specific characteristics: High volume of testing (using multiple variations and test passes) Fuzz testing is generally automated Finds many problems related to reliability; many of which are potential security holes Fuzz testing does not typically validate proper reaction to invalid data

29. Benefits Easily automated Doubles as robustness testing Exercise more failure cases in code Finds LOTS of bugs

30. Methodology Dumb vs. Smart Dumb fuzzing generates data with no regard to the format Smart fuzzing requires knowledge of the data format or how the data is consumed Generation vs. Mutation The generation technique creates new files from scratch The mutation technique transforms a sample input file to create a new one Most fuzzing tools are a mix of each approach

31. Measuring And Triaging Measuring Reliability metrics MTTF (Mean Time To Failure), MTBF, failures per 1K variations Code Coverage delta Triaging Crash means input can divert program flow Figuring out exploitability is expensive Just fix it!

32. Upcoming New Tools In.NET Framework 2.0 / VS 2005 PreFast Source code static analysis Has security checks, such as buffer overrun detection, etc. PermCalc Static binary analysis for managed code Calculates.NET permissions needed for.NET assemblies to run Integrated into Visual Studio

33. Call To Action Raise the bar for security in your own applications Adopt these tools in your development Consider adding additional security best practices from “Writing Secure Code” Provide feedback on the tools Bug reports Feature requests

34. General Security Resources General http://www.microsoft.com/security XP SP2 Resources for the IT Professional XP SP2 Resources for the IT Professional http://www.microsoft.com/technet/winxpsp2 Security Guidance Center http://www.microsoft.com/security/guidance Tools http://www.microsoft.com/technet/Security/tools How Microsoft IT Secures Microsoft http://www.microsoft.com/technet/itsolutions/msit E-Learning Clinics https://www.microsoftelearning.com/security Events and Webcasts http://www.microsoft.com/seminar/events/security.mspx

35. Additional Documentation Writing Secure Code: http://www.microsoft.com/MSPress/books/5957.asp Thread Modeling: http://www.microsoft.com/MSPress/books/6892.asp Threat Modeling Online http://msdn.microsoft.com/security/securecode/threatmodeling/de fault.aspx http://msdn.microsoft.com/security/securecode/threatmodeling/de fault.aspx Compiler Security Checks In Depth http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp

36. FxCop Resources http://www.gotdotnet.com/team/fxcop/ FxCop download site/bulletin board FxCop docs and rule topics Support AskFxCop@Microsoft.com

37. AppVerifier Resources Download Site: http://www.microsoft.com/windows/appexp erience http://www.microsoft.com/windows/appexp erience http://www.microsoft.com/windows/appexp erienceNewsgroup:microsoft.public.win32.programmer.tools http://msdn.microsoft.com/newsgroups/ managed http://msdn.microsoft.com/newsgroups/ managed

38. Questions? We want your feedback!

39. © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.