1 / 39

Security Tools For Software Development

Security Tools For Software Development. Ivan Medvedev Security Development Lead Microsoft Corporation. Overview. Introduction to our team Security Development Lifecycle Tools available to developers Threat Modeling Tool Visual Studio Compiler Switches FxCop AppVerifier

saburo
Télécharger la présentation

Security Tools For Software Development

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Tools ForSoftware Development Ivan Medvedev Security Development Lead Microsoft Corporation

  2. Overview • Introduction to our team • Security Development Lifecycle • Tools available to developers • Threat Modeling Tool • Visual Studio Compiler Switches • FxCop • AppVerifier • Upcoming new tools! • Fuzz testing

  3. Security Engineering And Communications • Microsoft Security Response Center (MSRC) • Primary interface with security research community • Software Security Incident Response Process (SSIRP) • Secure Windows Initiative (company-wide) • Training for developers and partners • Security Milestones in the development process • Attack and Penetration teams • Final Security Reviews • Strategy and Policy • Security Development Lifecycle • Councils, Buddy programs, etc. • CERT, CSIRT interface, other government initiatives, including common criteria • Windows Privacy (Phishing, spam, etc)

  4. The Security Development Lifecycle (SDL) • Security best practices in Microsoft • Provides guidance within established development processes • Design considerations • Creating effective security plans • Leveraging tools across the development cycle • Better then simply hunting for bugs Requirements Design Implementation Verification Release Response

  5. The Threat Modeling Tool

  6. What is Threat Modeling? • A process to understand and document security threats to a system that: • Closely simulates an adversary’s thought process • Will describe the system’s threat profile • Allows the security of the system to be characterized • May find vulnerabilities

  7. Key Concepts • The threat profile is an enumeration of adversary goals • A threat is not a vulnerability, and the point of a threat model is more than just finding vulnerabilities • Threats justify security features and secure coding guidelines

  8. Key Concepts • A system is anything that exposes functionality to an end user: • Single feature • Shipping product • Web application and its supporting infrastructure • Etc.

  9. Threat Modeling Tool • Provides structure to a threat model document • Lists all of the key areas for consideration • Links assets, threats, and vulnerabilities for easier prioritization • Saves as XML for portability

  10. Visual Studio Compiler Options

  11. What Is A Buffer Overrun? • Buffers are blocks of memory, usually in the form of an array • When the size of an array is not verified, it is possible to write outside the allocated buffer • If such an action takes place in memory addresses higher than the buffer, it is called a buffer overrun • A buffer overrun that injects code into a running process is referred to as an exploitable buffer overrun

  12. 2A 00 00 00 00 00 00 00 00 00 00 00 What Is A Buffer Overrun? • The ability to arbitrarily corrupt memory • Overflows lead to arbitrary code • Underflows lead to denial of service • Problem is usually isolated to C and C++ int x = 42;char zip[6];strcpy(zip, userinput);printf("x = %i\n", x);

  13. Previous function’s stack frame Function arguments Return address Frame pointer EH frame Local variables andlocally declaredbuffers Callee saveregisters Garbage Types Of Exploits • Stack smashing • Register hijacking • Local pointer subterfuge • V-Table hijacking • C++ EH clobbering • SEH clobbering • Multistage attacks • Parameter pointer subterfuge

  14. Visual Studio Security Options • /GS • A "speed bump," or cookie, between the buffer and the return address. When function exits, the cookie is checked • Helped lower Blaster impact on Win 2003 • /SAFESEH • Created in response to CodeRed • Verifies the exception handler

  15. Stack Layout In VC++ 2003 Previous function’s stack frame Function prolog: Function arguments sub esp,24h mov eax,dword ptr [___security_cookie (408040h)] mov dword ptr [esp+20h],eax Return address Frame pointer Cookie EH frame Locally declared buffers Function epilog: mov ecx,dword ptr [esp+20h] add esp,24h jmp __security_check_cookie 4010B2h) Local variables Callee saveregisters Garbage

  16. FxCop

  17. FxCop • A static code analysis tool that examines managed assemblies for design and code correctness issues • Console and graphical applications that manage: • Targets (items for analysis) • Rules (checks to execute) • Messages (feedback from rules) • A general infrastructure for writing checks against managed code

  18. Benefits • FxCop helps create: • More consistent API, easily discoverable via help, IntelliSense, etc. • Better performance in code • More secure applications • Fewer globalization and COM/cross-language interoperability issues • Increased understanding of .NET Framework • Extends compiler-provided checks

  19. FxCop and Security • Current version (1.30) has 21 security rules • Examples of security rules • Fields that are arrays should not be read-only • Link demand security checks on types do not prevent access to the type’s fields • Security checks on value-type constructors do not prevent the value-type from being instantiated

  20. Demo Title FxCop Security Rules

  21. The Windows Application Verifier

  22. Windows Application Verifier (AppVerifier) • Provide developers with • Tools and knowledge used in Windows development • A testing infrastructure to detect run time issues in Win32 applications • Targeted towards developers and QA teams with debugging knowledge

  23. Benefits • Significantly reduces debugging time detecting • Memory corruptions • Hangs • Security issues • Reduces crashes • 67.8% of 3rd party user mode crashes could have been detected using the AppVerifier • Aids in Logo/Certification testing • Non-administrator scenarios • Resource management • Version checking

  24. Security And The AppVerifier • Enable the SecurityChecks Test • Insecure API usage • Misuses of CreateProcess • Interactive services • Many server applications are vulnerable to “Shatter” attacks • Potentially allows an interactive user to get the privileges of a service running as LOCAL_SYSTEM • Removed from Longhorn completely • Weak security descriptor usage • Granting EVERYONE_WRITE access to a file or registry key is an opportunity for elevation of privilege • Creating an object with a NULL DACL at anytime is a security issue

  25. Demo Title The Application Verifier

  26. Advanced Technique: Fuzzing

  27. What Is Fuzzing? • Fuzz testing is a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces Inputs include: • Files • Network ports • APIs • Based on the analysis of a number of software security vulnerabilities uncovered in the past the belief is that a large percentage of them could have been found by doing fuzz testing

  28. What Is Fuzzing? • Fuzzing is a variation of negative testing • Specific characteristics: • High volume of testing (using multiple variations and test passes) • Fuzz testing is generally automated • Finds many problems related to reliability; many of which are potential security holes • Fuzz testing does not typically validate proper reaction to invalid data

  29. Benefits • Easily automated • Doubles as robustness testing • Exercise more failure cases in code • Finds LOTS of bugs

  30. Methodology • Dumb vs. Smart • Dumb fuzzing generates data with no regard to the format • Smart fuzzing requires knowledge of the data format or how the data is consumed • Generation vs. Mutation • The generation technique creates new files from scratch • The mutation technique transforms a sample input file to create a new one • Most fuzzing tools are a mix of each approach

  31. Measuring And Triaging • Measuring • Reliability metrics MTTF (Mean Time To Failure), MTBF, failures per 1K variations • Code Coverage delta • Triaging • Crash means input can divert program flow • Figuring out exploitability is expensive • Just fix it!

  32. Upcoming New Tools • In .NET Framework 2.0 / VS 2005 • PreFast • Source code static analysis • Has security checks, such as buffer overrun detection, etc. • PermCalc • Static binary analysis for managed code • Calculates .NET permissions needed for .NET assemblies to run • Integrated into Visual Studio

  33. Call To Action • Raise the bar for security in your own applications • Adopt these tools in your development • Consider adding additional security best practices from “Writing Secure Code” • Provide feedback on the tools • Bug reports • Feature requests

  34. General Security Resources • General • http://www.microsoft.com/security • XP SP2 Resources for the IT Professional • http://www.microsoft.com/technet/winxpsp2 • Security Guidance Center • http://www.microsoft.com/security/guidance • Tools • http://www.microsoft.com/technet/Security/tools • How Microsoft IT Secures Microsoft • http://www.microsoft.com/technet/itsolutions/msit • E-Learning Clinics • https://www.microsoftelearning.com/security • Events and Webcasts • http://www.microsoft.com/seminar/events/security.mspx

  35. Additional Documentation • Writing Secure Code: • http://www.microsoft.com/MSPress/books/5957.asp • Thread Modeling: • http://www.microsoft.com/MSPress/books/6892.asp • Threat Modeling Online • http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx • Compiler Security Checks In Depth • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp

  36. FxCop Resources • http://www.gotdotnet.com/team/fxcop/ • FxCop download site/bulletin board • FxCop docs and rule topics • Support • AskFxCop@Microsoft.com

  37. AppVerifier Resources • Download Site: http://www.microsoft.com/windows/appexperience • Newsgroup: • microsoft.public.win32.programmer.tools • http://msdn.microsoft.com/newsgroups/managed

  38. Questions? • We want your feedback!

  39. © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

More Related