Microsoft Platform Security - An Overview. Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India

Transcription

1 Microsoft Platform Security - An Overview Prasad Nelabhotla Security Consultant ACE Security Team Microsoft India

2 Agenda Avoiding Common Mistakes Principles to live by Knowing the Enemy Conclusion

3 App level Vulnerabilities Hackers worked overtime in October 07 and defaced over 143 Indian websites during the month compared to just 60 sites that were defaced during September 07. Times of India - Source :

4 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. Dynamic SQL 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data Securely 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability

5 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. Dynamic SQL 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data Securely 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability

6 What s Wrong Here? string Status = "No"; string sqlstring = ""; try { SqlConnection sql = new source=localhost;" + "user id=sa;password=password;"); sql.open(); sqlstring = "SELECT HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; SqlCommand cmd = new SqlCommand(sqlstring,sql); if ((int)cmd.executescalar()!= 0) Status = "Yes"; } catch (SqlException se) { Status = sqlstring + " failed\n\r"; foreach (SqlError e in se.errors) { Status += e.message + "\n\r"; } } catch (Exception e) { Status = e.tostring(); }

7 Why It s Wrong (1 of 2) sqlstring="select HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; Good Guy SELECT HasShipped FROM Shipment WHERE ID='1001' Not so Good Guy SELECT HasShipped FROM Shipment WHERE ID= '1001' or 2>1 -- '

8 Why It s Wrong (2 of 2) sqlstring="select HasShipped" + " FROM Shipment WHERE ID='" + Id + "'"; Really Bad Guy SELECT HasShipped FROM Shipment WHERE ID= '1001 ; drop table orders -- ' Downright Evil Guy SELECT HasShipped FROM Shipment WHERE ID= '1001 ; exec xp_cmdshell('...') -- '

9 SQL Injection - Causes Loose or unchecked SQL parameter input. Statements are submitted and executed from a priveledged SQL account SqlConnect sql=new SqlConnect("data source=myserver;user id=sa;password=password;"); Arbitrary statements are allowed to execute CREATE PROCEDURE varchar(128) AS EXEC (@input)

10 SQL Injection - Mitigation Input Validation Parameterized Queries with Stored Procedures

11 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. SQL Injection 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data Securely 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability

12 How would you deface this? /location=<script>document.images[4].src= "

13 XSS in Action Cookie Stealing Welcome.asp Hello, <%= request.querystring( name )%> <a href= <script> document.write( <img src= %2bdocument.cookie%2b> ) </script> here</a>

14 XSS - Mitigation Input Validation Use white list approach Use regular expression Optional ASP.Net ValidateInput Output Encode HTML Encode Anti XSS Library Download:

15 Common Mistakes 1. Buffer overruns 2. Format String Problems 3. Integer Overflows 4. SQL Injection 5. Command Injection 6. Failure to Handle Errors 7. Cross-Site Scripting 8. Failure to Protect Network Traffic 9. Use of Magic URLs and Hidden Forms 10.Improper Use of SSL 11. Use of Weak Passwordbased Systems 12. Failure to Store and Protect Data 13. Information Leakage 14. Trusting Network Address Resolution 15. Improper File Access 16. Race Conditions 17. Unauthenticated Key Exchange 18. Failure to Use Cryptographically Strong Random Numbers 19. Poor Usability

16 Storing Secrets Software cannot defend itself, therefore: Storing secrets securely in software is impossible! Embedded secrets don t stay secret for long

17 Encryption or Encraption? XOR is not your friend! Don t roll your own crypto algorithms Use System.Security.Cryptography Evaluate based on usage Are algorithms appropriate? Use AES (Rijndael) for symmetric encryption Use SHA-1 or better for hashing

18 Key Management Keys are literally the keys to the castle the weakest point in the defense Common key management mistakes Hard coding key values anywhere in the source, including resource files Failure to protect key data in memory or when persisted to file Using key data too often in your application, the more you use it the more chances an attacker will have to steal it Generating the key from a password that is not strong enough

19 Cryptography - Mitigations Don t use home-grown crypto solutions Never hardcode keys Use DPAPI Avoid passing secrets around in memory

20 Defending Against Hacking

21 Principles to Live By

22 Rule #1 - Trust No Input All input is evil, until proven otherwise! Buffer Overruns SQL Injection Blake Blake or 1=1 -- Cross-Site Scripting Blake <script>var i=document</script>

23 Do NOT look only for bad things It assumes you know all the bad things

24 Rule #2 Practice Defense in Depth

25 Defense in Depth Assume you are the last piece of code standing Everything in front of you is destroyed Now protect yourself! We re secure, we use a firewall!

26 Defense in Depth Apply Appropriate Measures for Each Layer Check security Check security Application2.dl l Application.exe Check security Secure resource with an ACL Application.dll Check security

27 Rule #3 - Run With Least Privilege Don t require apps to run with excessive privilege Is it an ACL requirement? Is it a privilege requirement? Revert back to minimum privileges after the task is complete If we don t run as admin, stuff breaks!

28 More Security Principles to Live By Secure Weakest Link First Assume External Systems are Insecure Minimize Attack Surface Use Secure Defaults Use Apt Access Control Security Features!= Secure Features There is no Security thru Obscurity Don t Re-invent the Wheel Don't Mix Code and Data Don't Forget Privacy

29 Knowing the Enemy

30 Why Threat Model? Principle behind threat modeling: One can t feasibly build a secure system until one understands the threats against it Why threat model? Identify threats prior to development Create a defensive security strategy Threat Model to enable application risk management throughout the SDLC and beyond!

31 Benefits Benefits for Application Teams Translates technical risk to business impact Provides a security strategy Prioritize security features Understand value of countermeasures Benefits for Security Team More focused Security Assessments Translates vulnerabilities to business impact Improved Security Awareness Bridges the gap between security teams and application teams

32 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

33 Where to do TM? Security Kickoff Security Training Security Design Best Practices Security Arch & Attack Surface Review Threat Modeling Use Security Development Tools & Security Best Dev & Test Practices Create Security Docs and Tools For Product Prepare Security Response Plan Security Push Pen Testing Final Security Review Security Servicing & Response Execution Traditional Microsoft Software Product Development Lifecycle Tasks and Processes Feature Lists Quality Guidelines Arch Docs Schedules Functional Specifications Design Specifications Development of New Code Testing and Verification Bug Fixes Code Signing A Checkpoint Express Signoff RTM Product Support Service Packs/ QFEs Security Updates Requirements Design Implementation Verification Release Support & Servicing

34 Definitions: Threat, Attack, Vulnerability And Countermeasure Threat Realized through Attacks Materialize through Vulnerabilities Mitigated with Countermeasures Possibility of something bad happening How it happens (the exploit) Why it happens (the cause) How to prevent it (the fix)

35 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

36 Define Scenarios & Background Info Define the most common and realistic use scenarios for the application Example from Windows Server 2003 and Internet Explorer Think about an admin browsing the Internet from a Domain Controller Example from Windows CE The stolen device Define your users

37 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

38 Data Flow Diagrams Representation of how data enters, leaves, and traverses your component Not a Class Diagram or Flow Chart! Shows all data sources and destinations Shows all relevant processes that data goes through * Diagrams taken from Writing Secure Code, 2 nd Edition

39 Implementation Examples External Entity Process Data Flow Data Store Real People Services Function call Database News feeds Data feeds Events Notifications Web Services Assemblies DLLs EXEs COM object Network traffic Shared memory File Registry Shared Memory Queue/Stack

40 Building DFDs Context Level 1 Level 0 Level 2 Context Diagram Very high-level; entire component / product / system Level 0 Diagram High level; single feature / scenario Level 1 Diagram Low level; detailed subcomponents of features Level n Diagram Even more detailed; unlikely to go beyond Level 2

41 Pet Shop: Context Diagram Request View Files and Logging Data Users (1.0) Pet Shop (4.0) Admin (3.0) Response Apply Settings Request Anonymous User (2.0) Response Source: Secure Development Lifecycle - Mike Howard, Steve Lipner (MS Press)

42 Pet Shop: Level Zero DFD Customer (1.0) Request 1 Web App Config (4.1) R CRU CU R User Profile (4.5) R CU User Profile Data (4.8) Response CU 1 CRUD Request Web App 4.2 R Membership (4.6) R CU Membership Data (4.9) Anon User (2.0) Response R Web Pages (4.3) 1 CRUD CU R Ordering (4.7) 1 CRUD 1 Admin (3.0) Source: Secure Development Lifecycle - Mike Howard, Steve Lipner (MS Press)

43 Pet Shop: Level One DFD (Order Processing) CRD (purge) CRUD Audit Log Orders Write Audit Entry Logging Engine R Web App 4.2 CU 1 Admin (3.0) Create Audit Entry Order Processor Place Order Get Order Status Or Confirmation Synch Order Get Order Status Or Confirmation Place Order Asynch Order Place Order Get Order Status Or Confirmation 1 Place Order 1 CRUD CRUD Get Order Status Or Confirmation CRU Data Access RU Inventory Asynch Orders CRU Queuing Source: Secure Development Lifecycle - Mike Howard, Steve Lipner (MS Press)

44 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

45 Threat Types: STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

46 How to determine STRIDE Is this item susceptible to spoofing? Can this item be tampered with? Can an attacker repudiate this action? Can an attacker view this item? Can an attacker deny service to this process or data flow? Can an attacker elevate their privilege by attacking this process?

47 Asset S T R I D E External Entity Process Data Store Data Flow

48 Threats by Assets: External Entities

49 Threats by Assets: Processes

50 Threats by Assets: Data Stores

51 Threats by Assets: Data Flows

52 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

53 Threat Trees Threat Primary Threat Condition Condition And Clause Or Clause Condition Condition Condition Condition Each Leaf Node is a Secondary Threat to be Evaluated

54 Threat Tree Pattern Tampering with datastore Null Protection Scheme Bypass Protection Scheme Violate store semantics Overcapacity failures Canonicalization failure Overly permissive protection Other Null monitor Bypass monitor Discard Wraparound Other Extra-monitor access Tampering against monitor process EoP against monitor process

55 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

56 Measuring Risk: DREAD Damage Potential Reproducibility Exploitability Affected Users Discoverability

57 Using DREAD to Calculate Risk Risk = Impact x Probability Impact derived from: Damage Potential Affected Users Probability derived from: Discoverability Exploitability Reproducibility

58 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

59 Mitigation Options Leave as-is Remove from product Remedy with technology countermeasure Warn user

60 Threat Modeling Process Define Scenarios Create DFD Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

61 Threat Modeling Process Define Scenarios Create DFD Manual Rote Determine Threat Types Leverage Threat Trees Determine Risk Plan Mitigations

62 CVE Data for Database level Vulns

63 CVE Data for OS level Vulns

64 Security Tools Visual C++ /GS Switch Mitigation against Buffer Overruns, Int Overflows FxCop Static Code Analysis Tool Enforces Design and Code Correctness PermCalc Calculate minimum permissions required to run code

65 Security Tools - ACE Tools SPIDER: Security Profiler Intelligent Detection Engine for Remediation is a Computer Assisted Audit Technique (CAAT). CAATs can be used in a fiduciary audit environment to ensure regulatory compliance and to provide visibility into the strategic and technical management of mission critical systems to industry best practice standards. TAMe: Threat Analysis and Modeling tool for enterprise. Is the enterprise version of the famous Threat Analysis and Modeling (TAM) tool which is available on MSDN for free download. Download :

66 Threat Modeling- for Apps TAM v2 (2006) TAM Enterprise (2007) TAM v1 (2004)

67 Video Threat Modeling using TAM

68 Measure Validate Model Define Threat Modeling for Applications Application Context Data A.C.M. Use Cases Generate Threats Identify Countermeasures Determine Risk Response Determine Impact/Prob of Risk Validate / Optimize Threat Model Manual Generated

69 Video TAM Analytics

70 In Summary Avoiding Common Mistakes Is Easy if you are Careful Read 19 Deadly Sins of Software Security Principles to Live By Incorporate in daily coding Read Writing Secure Code 2 nd Ed Knowing the Enemy Model Threats: Need to know what you are fighting against Read Secure Development Lifecycle Tools and Technology to Use Ship as a part of the OS and Visual Studio ACE Tools TAMe/SPIDER/CAT.NET

71 Application Security Consulting Services Services offered by Microsoft ACE Services: Application Security Code Reviews Threat Modeling/Design Reviews Training: Secure Application Development Threat Modeling Assistance with developing and deploying SDL-IT within your environment Contact

72 Questions? ACE Team Blog Site:

73