Inside the Microsoft Security Development Lifecycle (and how you can use it!)

Michael HowardPrincipal Security Program Mgr.Microsoft Corp.DPR203

Who Is This Guy?

mikehow@microsoft.comMicrosoft employee for 17 yearsAlways in securityWorked on the SDL since inception

Feels like

eternity!

Agenda

The SDLRecommendations vs. RequirementsSDL Recommendations and Requirements

My Only ObjectiveGive you actionable ideas that will improve

the security of your software.

Links to tools and other resourcesare in the speaker notes.

IMPORTANT

This session does not cover every SDL itemThis session covers very little privacy and nothing to do with security response and servicingNor does it cover any internal Microsoft-specific issues

The SDL

“Reduce the Number of Vulnerabilities in your code.”“Reduce the Severity of the Vulnerabilities you miss.”

Does SDL Apply to Your Product?

Yes, if…It handles valuable data (e.g., PII, sensitive business/medical data)Has a large customer baseHas functional risk

Eg: one socket from the ’netPart of an acquisition

Recommendations vs. Requirements

Requirement is something you must do prior to shippingRecommendation is something you should considerMany requirements start life as recommendations

Identify Primary Security & Privacy Contact

REQUIREMENTSomeone (or some people) must handle the security and privacy for the team

ACTIONPick a security person to be the “Security Champ”“Grow” this person if needed

Security Training

REQUIREMENTFits into the “rhythm of the product”At least 80% trained

ACTIONAdopt ongoing training for your teamIf you have *NEVER* attended *ANY* security training, do so ASAP

Track Security BugsREQUIREMENT

Configure your bug database to track security bugsACTION

Create the following in your database:Security Criticality

None, Critical, Important, Moderate, Low, Defense in Depth

Security CauseNone, Buffer overflow/underflow, Arithmetic, SQL injection, Race Condition, XSS, Crypto, etc…

Security EffectNone, STRIDE

Use Strong-Named Assemblies and but not APTCA

REQUIREMENTStrong-named assemblies prevent DLL Hell and provide tamper detectionAdds a defense: immediate callers must be granted FullTrustAllowPartiallyTrustedCallersAttributes allows partially trusted callers (i.e., code from the ’net)

ACTIONRun FxCop on your strong-named assemblies

Code review CA2116 & CA2117Consider using SecurityTransparent

Use Secure Crypto Design (1 of 3)

REQUIREMENTCovers: algorithms, agility, use of standard libsAgility: Do not hard-code algorithms in your code

ACTIONUse a class factory

SHA1Managed sha = new SHA1Managed();

HashAlgorithm alg = HashAlgorithm.Create(“MyAppHash”);

Use Secure Crypto Design (2 of 3)

ACTIONUse Microsoft standard crypto libraries

System.Security.Cryptography for managedCryptoAPI, CNG for native

Use DPAPI for secretsUse approved random number generators

CryptGenRandomrand_sRNGCryptoServiceProvider

Use Secure Crypto Design (3 of 3)

ACTIONUse appropriate algorithms

Use: AES (128-bit or better), RSA (2048 or better), SHA-256 (+)Use nothing else!

Download SDLCryptoCheck, run on your code and triage results

Firewall Requirements

REQUIREMENTFirewall setting changes must be logged in the system security logDo not disable the firewallDo not create an inbound rule to allow the traffic through the firewallCannot allow exception by user without admin privilegesDocument your networking requirements

ACTIONSee above :-)

Threat Models

REQUIREMENTBuild a threat model for your product

Threats to a Windows Azure solution are different threats to a native Windows solution

Helps you understand secure design issuesService updates do not need threat modeling

ACTIONLearn how to do threat modeling, then download the SDL Threat Modeling tool and use it

Support UAC

REQUIREMENTMost applications should run correctly as normal users and not require unnecessary privileges

ACTIONMake sure you test your application as a non-admin on Windows Vista or Windows 7Use Aaron Margosis’ LUABuglight to help ascertain why your application fails as non-adminOr use LuaPriv with Application VerifierRead Writing Secure for Windows Vista

Granular Feature Control

RECOMMENDATIONTo reduce attack surface, expose only the most common functionality

ACTIONSupport granular enable/disable features and parsersIIS7 is the poster child

Grant Minimal Privileges

RECOMMENDATIONApplications should run with only enough privilege to perform the tasks required, and no more

ACTION(See UAC) and don’t run your services as SYSTEM unless you absolutely mustDrop privileges on service startup

Use Minimum Code Generation Suite

REQUIREMENTWe constantly add defenses to the compiler and linkerYou get defenses for free by simply using the latest compilers

ACTIONAt a minimum, you should use VS 2005 SP1But highly recommend you use VS 2008 SP1

And VS 2010 when it comes out, especially for C++Stronger -GS

Use /GS

REQUIREMENT Applies to 32-bit native C/C++ code onlyEven if the code is called by Managed codeDetects some forms of stack-based buffer overrun at runtime

ACTIONCompile all native 32-bit C/C++ code with /GSIt’s on by default in VC++ 2008, so don’t use /GS-Consider using #pragma strict_gs_check(on)

Use Safe Exception Handling

REQUIREMENTDetects compromised exception handlers

C++ and Windows SEHWould have prevented CodeRed

ACTIONLink with /SAFESEH

Use MIDL /ROBUST for RPC/DCOM

REQUIREMENTRPC is subject to potentially dangerous inputLots of services use RPCIn Windows NT4 server-side proxy code was very trustingWe added /ROBUST to MIDL to add more data validation

ACTIONAlways run MIDL with /ROBUST (it’s the default now)Requires Windows 2000 and later

Use ASLR

REQUIREMENTApplies to all codeRandomizes the image in memory, making it harder for attackers to get their exploits working correctly

ACTIONLink your code with /DYNAMICBASE

Use DEP

REQUIREMENTApplies to all codeMarks memory as “no execute” which can stop some forms of buffer overrunASLR is required for DEP to be effective

ACTIONLink your code with /NXCOMPAT

Confirm DEP and ASLR with Process Explorer

Detect Heap Corruption

REQUIREMENTC & C++ onlyWindows Vista and later heap manager detect heap corruption, but Windows will not shut your application down by default

ACTIONAdd the following to your main() or WinMain() function (void)HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);

No Writeable PE Segments

REQUIREMENTSomewhat esoteric IPC method PE segments are not ACL-able

ACTIONDon’t use PE segmentsThese are all bad:

/section:<name>, RWS#pragma comment(linker, ―/section:<name>, rws‖) #pragma section(<name>, read, write, shared)

Do Not Use Banned APIs

REQUIREMENTSome C runtime functions are prone to errorSo don’t use them, use safer versions

ACTIONCompile with banned.h or strsafe.hTriage C4996 warningsReplace insecure functions with safer C runtime functions or strsafe functionsstrcpy [strcpy_s or String CchCopy]Add the following to auto-migrate functions to safe functions

#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)

Encode Long-lived Pointers

RECOMMENDATIONLong-lived pointers, for example globally scoped, are targets for attackThey need protecting

ACTIONFind all long-lived pointers and protect them with EncodePointer, etc.

// g_pFoo is a global point that points to foo void g_pFoo = EncodePointer(&foo); ...// Decode the pointer when you need to use itvoid *pFoo = DecodePointer(g_pFoo);

Use FxCop on Managed Code

REQUIREMENTFxCop can help find common security vulnerabilities in C# and VB.NET code

Web code or standalone code

ACTIONDownload FxCop (or use Code Analysis in VS)Run it at least once a dayTriage all Security rules

Aim to have zero suppressions and zero warnings

Use /analyze for Unmanaged Code

REQUIREMENTThe PREfast engine can find many common and easy-to-fix security vulnerabilities at compile time

ACTIONCompile with /analyze at least once a day

Don’t use it on your main builds, it doubles compile timesTriage:

6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276

/analyze is very low noise

Help /analyze – Use SAL

RECOMMENDATIONAdding SAL can help /analyze find more security bugs SAL adds valuable interface contract data, e.g.,

_In_z_bytecount_(n)

‘In’ buffer, code will read the buffer

Buffer will be NULL-terminated Buffer byte count is ‘n’

Use /W4

RECOMMENDATIONC and C++ onlyThere is a subset of high-noise warnings that are now potentially real security vulnerabilities

ACTIONCompile C and C++ code with /W4 or the less noisy:

MSC_WARNING_LEVEL=/W3 /WX /we4242 /we4245 /we4254 /we4289 /we4295 /we4296 /we4701

Hand triage the results

Native Code XML Parsers

REQUIREMENTParsing XML safely is hardThere have been many industry-wide security vulnerabilities parsing malicious XML payloadsXML is everywhere!C++ just makes matters worse!

ACTIONUse XmlLiteUse MSXML 6 SP1Use MSXML3 SP9 only if there is a strong business justification

XSS Prevention

REQUIREMENTXSS is the #1 security vulnerability today

Yes, it’s bigger than BOs!

ACTIONCheck all incoming data

Constrain with TryParse, or RegExEncode with HTML EncodingUse AntiXSSUse ValidateRequest‖(defense in depth)Use CAT.NET

XSS Prevention (Safe Tags)

<b> <blockquote> <br> <div>

<em> <i> <li> <ol>

IMPORTANT Only safe if you strip or disallow attributes

bool IsSafeTag(string tag) { bool safe = false; string safeTagsRE = @"^<\/?[b|blockquote|br|div|em|i|li|ol|p|strong|u|ul]+>$";

if (Regex.Match(tag, safeTagsRE,RegexOptions.IgnoreCase).Success) safe = true;

return safe;}

<p> <strong> <u> <ul>

Use ViewStateUserkey

REQUIREMENTHelps mitigate Cross-Site Request Forgery (CSRF) vulnerabilitiesDefense in depth

ACTIONAdd this to your Web applications

protected void Page_Init(object sender, EventArgs e) { this.ViewStateUserKey = Session.SessionID; }

Do Not Use JavaScript eval() or Equivalents

RECOMMENDATIONEvaluates and executes arbitrary string dataWhat if the data is untrusted?

ACTIONTriage the following in your JavaScript code

evalsetTimeoutsetInterval

When using JSON, use fromJSON

Safe Redirect

RECOMMENDATIONRedirecting to an arbitrary Web location specified in an HTTP request is dangerousOpens users of your site to phishing attacks

ACTIONOnly redirect to a known set of safe URLs

Response.Redirect("/error.aspx")

Response.Redirect(Request.QueryString(uri))

SQL Execute Only Permission

REQUIREMENTHelps mitigate SQL Injection vulns

ACTIONRun your app as Network Service (DOMAIN\$machinename)Join that account to a domain group (DOMAIN\webapps)Grant that group execute permission to stored procs, etc.

Use SQL Parameterized Queries

REQUIREMENTSQL injections are hard to pull off with parameterized queries…and easy to pull off with string concatenation

ACTION

SqlDataAdapter cmd = new SqlDataAdapter("exec sp_getshipstatus(@id)",

conn);SqlParameter parm = cmd.SelectCommand.Parameters.Add("@id",id);

string query= "select * from status where id = " + id;

Use SQL Stored Procedures

REQUIREMENTA good way to hide back-end application logic in the event your server is breachedIt also allows you to easily support execute-only database objectsIt’s defense in depth

ACTIONUse sprocs for all your back-end queriesDon’t add EXEC (etc) to your sprocs

Do Not Depend on NTLM

RECOMMENDATIONNTLM provides only client authenticationAll current versions of Windows support Kerberos

ACTIONGrep for the word “NTLM” in your codeUse the Negotiate SSP rather than NTLM SSP

No “Swallow All” Exceptions

RECOMMENDATIONExceptions that handle all possible exceptions can mask serious bugsThey also can make it easier to defeat ASLR

ACTIONHandle only the exceptions you can REALLY handleAll bad:

SEH: __except(EXCEPTION_EXECUTE_HANDLER)C++: catch(…)RPC: RpcExcept(1)Managed Code: catch (Exception)

Safe Error Messages

RECOMMENDATIONYou want to make it easy for users and admins to know why something failedBut, you don’t want to tell attackers too much

ACTIONReview all error message text, make sure they are:

Clear to usersDo not disclose too much information

Especially for errors transmitted across the network

Fuzz TestingREQUIREMENT

Many applications fail when presented with incorrectly or malformed dataA DoS may really be a code execution vulnerability

ACTIONFuzz test

Applications that read untrusted data with a minimum of 100,000 malformed inputs

File parsers are a great candidateActiveX controls marked safe for scripting or safe for initialization

Networking endpoints

Test with Application Verifier

REQUIREMENTApplies to native code onlyA runtime tool that can detect many runtime security vulnerabilitiesRequires good code coverage to be effective

ACTIONRun your application under application verifier using the following rules:

Heaps, handles, memory

Device Driver Issues

REQUIREMENTKernel-mode crashes lead to BSOD

ACTIONRun Driver Verifier with at least the following:

Security ChecksMiscellaneous Checks

question & answer

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learningMicrosoft Certification and Training Resources

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Track Resources

Visit the DPR TLC for a chance to win a copy of Visual Studio Team Suite. Daily drawing occurs every day in the TLC at 4:15pm. Stop by for a raffle tickethttp://www.microsoft.com/visualstudio http://www.microsoft.com/visualstudio/en-us/products/teamsystem/default.mspxPlease visit us in the TLC blue area

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.