Basics of Secure Software Design, Development and Test
Michael Howard (mikehow@microsoft.com)
Senior Security Program Manager, Security Engineering Group & Communications, Microsoft Corp
Last update: 8 Feb 2005
Microsoft Confidential
Copyright Microsoft Corp 2004

Agenda
- Who
- Trustworthy Computing
- Security Development Lifecycle
- Secure Design Tenets
- Threat Models
- Security Testing
- Coding Issues

The Security Engineering & Communications Group
- Help you secure your products
- Security as in threats, NOT security as in crypto
- mailto:switeam, http://swi

Security Development Lifecycle
[diagram]

Early Results of the SDL
[chart: security bulletins]

A Case Study: MS04-011

Vulnerability | Identifier | Impact | Windows 2000 | Windows XP | Windows Server 2003
LSASS Vulnerability | CAN-2003-0533 | Remote Code Execution | Critical | Critical | Low
LDAP Vulnerability | CAN-2003-0663 | Denial of Service | Important | None | None
PCT Vulnerability | CAN-2003-0719 | Remote Code Execution | Critical | Important | Low
Winlogon Vulnerability | CAN-2003-0806 | Remote Code Execution | Moderate | Moderate | None
Metafile Vulnerability | CAN-2003-0906 | Remote Code Execution | Critical | Critical | None
Help and Support Center Vulnerability | CAN-2003-0907 | Remote Code Execution | None | Critical | Critical
Utility Manager Vulnerability | CAN-2003-0908 | Privilege Elevation | Important | None | None
Windows Management Vulnerability | CAN-2003-0909 | Privilege Elevation | None | Important | None
Local Descriptor Table Vulnerability | CAN-2003-0910 | Privilege Elevation | Important | None | None
H.323 Vulnerability | CAN-2004-0117 | Remote Code Execution | Important | Important | Important
Virtual DOS Machine Vulnerability | CAN-2004-0118 | Privilege Elevation | Important | None | None
Negotiate SSP Vulnerability | CAN-2004-0119 | Remote Code Execution | Critical | Critical | Critical
SSL Vulnerability | CAN-2004-0120 | Denial of Service | Important | Important | (illegible)
ASN.1 Double Free Vulnerability | CAN-2004-0123 | Remote Code Execution | Critical | Critical | Critical
Aggregate Severity of All Vulnerabilities | | | Critical | Critical | Critical

[chart legend: Code fixed in Windows Server 2003 (50); Code not fixed in Windows Server 2003 (50); Extra Defense in Windows Server 2003 (29)]

Secure Design
- Reduce Attack Surface
- Defense in Depth
- Least Privilege
- Secure Defaults

Defense in Depth: MS03-007, Windows Server 2003 Unaffected
- The underlying DLL (NTDLL.DLL) not vulnerable: code fixed during the Windows Security Push
- Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003
- Even if it was running: IIS 6.0 doesn't have WebDAV enabled by default
- Even if it did have WebDAV enabled: default maximum URL length (16KB) prevented exploitation (>64KB needed)
- Even if the buffer was large enough: process halts rather than executes malicious code, due to buffer overrun detection code (/GS)
- Even if there was an exploitable buffer overrun: would only have Network Service privileges, commensurate with a normal user

Least Privilege: Problem Definition
- Don't just run as admin so stuff works; the attacker's stuff works too
- Look at Network Service and Local Service
- Don't write user data to Program Files; use HKCU or %userprofile%
- Don't open resources for ALL_ACCESS

Least Privilege
- Not being an administrator helps ensure users cannot easily compromise a computer or the network
- The #1 ask of IT administrators interested in increased security and reducing TCO
- Increased reliability
- Attractive to Abby as it improves computer security and parental controls
- Part of the spyware issue

Secure Defaults: Attack Surface Reduction (ASR) Ideas
- Less code running by default = less stuff to attack by default
- Slammer & CodeRed would not have happened if the features were not enabled by default
- Reduces the urgency to deploy security fixes: a critical may be rated important
- Defense in depth removes single points of failure
- Reduces the need for customers to harden the product
- Reduces your testing workload
- Reduce your attack surface early

[diagram series: a service with Autostart, running as SYSTEM, exposed over TCP and UDP]
- Turn off less used ports (TCP/UDP)
- Turn off UDP connections
- Restrict requests to a small IP range and subnet
- Authenticate connections (TCP only)
- Reduce privilege and disable: Network DDE, Started: Automatic -> Manual, Local System -> Network Service
- Harden ACLs

Increased Attack Surface means Increased Security Scrutiny

Reduce Attack Surface Design Checklist
- Understand the SDL and how it applies to you
- Reduce attack surface EARLY

Threat Analysis
- Secure software starts with understanding the threats
- Threats are not vulnerabilities
- Threats live forever: they are the attacker's goal(s)

A Threat Modeling Process
- Gather Background Info: use scenarios, bound scope, determine dependencies
- Model the System: data flow diagrams, identify entry points & assets
- Identify Threats: determine threat paths, threat type (STRIDE), threat trees
- Resolve Risk: fix, work around, notification, do nothing
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

Context Diagram: Services for Macintosh
[diagram: operations, logging, admin and results]

Level 0 DFD: Services for Macintosh
[diagram]

Level 1 DFD: Services for Macintosh (File)
[diagram]

Determining Threat Types
- Each element in the DFD is susceptible to one or more threat types

DFD Elements are Threat Targets

Element | S | T | R | I | D | E
Data Flow | | x | | x | x |
Data Store | | x | x | x | x |
Interactor | x | | x | | |
Process | x | x | x | x | x | x

- A work list: each entry is a potential threat to the system
- Each threat is governed by the conditions which make the threat possible

Threat Tree Format
- Threat
  - Or clause: Condition, Condition
  - And clause: Condition, Condition

Threat Tree Pattern Examples: Spoofing
[diagram]

Thinking Like a Security Pro: A Special Note about Information Disclosure Threats
- All information disclosure threats are potential privacy issues
- Raising the risk: is the data sensitive or PII?

Calculating Risk with Numbers (DREAD etc.)
- Very subjective
- Often requires the analyst be a security expert
- On a scale of 0.0 to 1.0, just how likely is it that an attacker could access a private key?
- Where do you draw the line? Do you fix everything above 0.4 risk and leave everything below as Won't Fix?

Calculating Risk with Heuristics
- Simple rules of thumb
- Derived from the MSRC bulletin rankings

Mitigation Techniques

Threat | Mitigation Feature
Spoofing | Authentication
Tampering | Integrity
Repudiation | Nonrepudiation
Information Disclosure | Confidentiality
Denial of Service | Availability
Elevation of Privilege | Authorization

- Attend Secure Design Principles

Code Review and the DFD
[diagram]

Testing Threats: STRIDE Classification
[table: example threats classified by Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege; entries truncated in the source: "Adversary acquires another user's ...", "Adversary retrieves another user's ...", "Adversary accesses the back...", "Adversary modifies a user's ...", "Adversary accesses insurance ...", "Adversary prevents a user from ...", "Adversary prevents insura..."]

Security Testing
Microsoft Confidential
- Traditional faults: intended functionality vs. actual software functionality
- Unintended, undocumented or unknown functionality (extra functionality)
- Poor or missing defenses

Testing Like an Attacker
- Footprint the application

The Nature of Fuzzing
[diagram]

Fuzz the Data
- Container: Name (On), Link to other (Ol), Exists (Oe), Does not exist (Od), No access (Oa), Restricted access (Or)
- Name/Contents: Length (Cl), Random (Cr), NULL (Cn), Zero (Cz), Wrong type (Cw), Wrong sign (Cs), Out of bounds (Co), Valid/Invalid (Cv), Special chars (Cp): Script (Cps), HTML (Cph), Quotes (Cpq), Slashes (Cpl), Escaped chars (Cpe)
- Length: Long (Ll), Small (Ls), 0 length (Lz)
- Network: Replay (Nr), Out of sync (No), High volume (Nh)

Attack Ideas
- Rule #1: there are no rules
- Attacks by admins are uninteresting
- If you provide a client to access the server, don't use it; mimic the client in code
- If you rely on a specific service, build a bogus one

Bang for the Buck Attack Ideas
- Consume files: try device names and access to other files; look for hangs
- Fuzz data structures: look for AVs or memory leaks (appverifier)
- Look for PII data in information disclosure threats
- ActiveX, especially Safe For Scripting: look at each method and property and ask "what could a bad guy do?"
- Look for privilege elevation boundaries: pushing data from a low-privilege to a high-privilege process
- ACLs: Admin: Full Control; Everyone: Read; Everyone: Write