Security Tools For Software Development - PowerPoint PPT Presentation
Presentation Transcript
Security Tools For Software Development

Ivan Medvedev

Security Development Lead

Microsoft Corporation

Overview
  • Introduction to our team
  • Security Development Lifecycle
  • Tools available to developers
    • Threat Modeling Tool
    • Visual Studio Compiler Switches
    • FxCop
    • AppVerifier
    • Upcoming new tools!
  • Fuzz testing
Security Engineering And Communications
  • Microsoft Security Response Center (MSRC)
    • Primary interface with security research community
    • Software Security Incident Response Process (SSIRP)
  • Secure Windows Initiative (company-wide)
    • Training for developers and partners
    • Security Milestones in the development process
    • Attack and Penetration teams
    • Final Security Reviews
  • Strategy and Policy
    • Security Development Lifecycle
    • Councils, Buddy programs, etc.
    • CERT, CSIRT interface, other government initiatives, including common criteria
    • Windows Privacy (Phishing, spam, etc)
The Security Development Lifecycle (SDL)
  • Security best practices in Microsoft
  • Provides guidance within established development processes
    • Design considerations
    • Creating effective security plans
    • Leveraging tools across the development cycle
  • Better than simply hunting for bugs

[Slide figure: the SDL phases in order: Requirements, Design, Implementation, Verification, Release, Response]

What is Threat Modeling?
  • A process to understand and document security threats to a system that:
    • Closely simulates an adversary’s thought process
    • Will describe the system’s threat profile
    • Allows the security of the system to be characterized
    • May find vulnerabilities
Key Concepts
  • The threat profile is an enumeration of adversary goals
  • A threat is not a vulnerability, and the point of a threat model is more than just finding vulnerabilities
  • Threats justify security features and secure coding guidelines
Key Concepts
  • A system is anything that exposes functionality to an end user:
    • Single feature
    • Shipping product
    • Web application and its supporting infrastructure
    • Etc.
Threat Modeling Tool
  • Provides structure to a threat model document
    • Lists all of the key areas for consideration
    • Links assets, threats, and vulnerabilities for easier prioritization
  • Saves as XML for portability
What Is A Buffer Overrun?
  • Buffers are blocks of memory, usually in the form of an array
  • When the size of an array is not verified, it is possible to write outside the allocated buffer
  • If such an action takes place in memory addresses higher than the buffer, it is called a buffer overrun
  • A buffer overrun that injects code into a running process is referred to as an exploitable buffer overrun
[Slide figure: byte-by-byte memory diagram for the snippet below; x = 42 is stored as 2A 00 00 00, followed by the bytes of the adjacent zip[] buffer]
What Is A Buffer Overrun?
  • The ability to arbitrarily corrupt memory
  • Overflows lead to arbitrary code
  • Underflows lead to denial of service
  • Problem is usually isolated to C and C++

    int x = 42;
    char zip[6];
    strcpy(zip, userinput);    /* no length check: a long userinput overruns zip */
    printf("x = %i\n", x);

[Slide figure: stack frame layout, top to bottom: previous function's stack frame, function arguments, return address, frame pointer, EH frame, local variables and locally declared buffers, callee-save registers, garbage]
Types Of Exploits
  • Stack smashing
  • Register hijacking
  • Local pointer subterfuge
  • V-Table hijacking
  • C++ EH clobbering
  • SEH clobbering
  • Multistage attacks
  • Parameter pointer subterfuge
Visual Studio Security Options
  • /GS
    • A "speed bump," or cookie, between the buffer and the return address. When function exits, the cookie is checked
    • Helped lower Blaster impact on Win 2003
  • /SAFESEH
    • Created in response to CodeRed
    • Verifies the exception handler
Stack Layout In VC++ 2003

[Slide figure: stack frame with the /GS cookie, top to bottom: previous function's stack frame, function arguments, return address, frame pointer, cookie, EH frame, locally declared buffers, local variables, callee-save registers, garbage]

Function prolog:
    sub esp,24h
    mov eax,dword ptr [___security_cookie (408040h)]
    mov dword ptr [esp+20h],eax

Function epilog:
    mov ecx,dword ptr [esp+20h]
    add esp,24h
    jmp __security_check_cookie (4010B2h)
FxCop
  • A static code analysis tool that examines managed assemblies for design and code correctness issues
  • Console and graphical applications that manage:
    • Targets (items for analysis)
    • Rules (checks to execute)
    • Messages (feedback from rules)
  • A general infrastructure for writing checks against managed code
Benefits
  • FxCop helps create:
    • More consistent API, easily discoverable via help, IntelliSense, etc.
    • Better performance in code
    • More secure applications
    • Fewer globalization and COM/cross-language interoperability issues
    • Increased understanding of .NET Framework
  • Extends compiler-provided checks
FxCop and Security
  • Current version (1.30) has 21 security rules
  • Examples of security rules
    • Fields that are arrays should not be read-only
    • Link demand security checks on types do not prevent access to the type’s fields
    • Security checks on value-type constructors do not prevent the value-type from being instantiated
Demo: FxCop Security Rules

Windows Application Verifier (AppVerifier)
  • Provide developers with
    • Tools and knowledge used in Windows development
    • A testing infrastructure to detect run time issues in Win32 applications
  • Targeted towards developers and QA teams with debugging knowledge
Benefits
  • Significantly reduces debugging time detecting
    • Memory corruptions
    • Hangs
    • Security issues
  • Reduces crashes
    • 67.8% of third-party user-mode crashes could have been detected using the AppVerifier
  • Aids in Logo/Certification testing
    • Non-administrator scenarios
    • Resource management
    • Version checking
Security And The AppVerifier
  • Enable the SecurityChecks Test
    • Insecure API usage
      • Misuses of CreateProcess
    • Interactive services
      • Many server applications are vulnerable to “Shatter” attacks
      • Potentially allows an interactive user to get the privileges of a service running as LOCAL_SYSTEM
      • Removed from Longhorn completely
    • Weak security descriptor usage
      • Granting EVERYONE_WRITE access to a file or registry key is an opportunity for elevation of privilege
      • Creating an object with a NULL DACL at any time is a security issue
Demo: The Application Verifier

What Is Fuzzing?
  • Fuzz testing is a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces. Inputs include:
    • Files
    • Network ports
    • APIs
  • Based on analysis of a number of software security vulnerabilities uncovered in the past, the belief is that a large percentage of them could have been found by fuzz testing
What Is Fuzzing?
  • Fuzzing is a variation of negative testing
  • Specific characteristics:
    • High volume of testing (using multiple variations and test passes)
    • Fuzz testing is generally automated
    • Finds many problems related to reliability; many of which are potential security holes
    • Fuzz testing does not typically validate proper reaction to invalid data
Benefits
  • Easily automated
  • Doubles as robustness testing
  • Exercises more failure cases in code
  • Finds LOTS of bugs
Methodology
  • Dumb vs. Smart
    • Dumb fuzzing generates data with no regard to the format
    • Smart fuzzing requires knowledge of the data format or how the data is consumed
  • Generation vs. Mutation
    • The generation technique creates new files from scratch
    • The mutation technique transforms a sample input file to create a new one
  • Most fuzzing tools are a mix of each approach
Measuring And Triaging
  • Measuring
    • Reliability metrics: MTTF (Mean Time To Failure), MTBF (Mean Time Between Failures), failures per 1K variations
    • Code Coverage delta
  • Triaging
    • Crash means input can divert program flow
    • Figuring out exploitability is expensive
    • Just fix it!
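An added example, not from the deck, of the mutation approach from the Methodology slide and the failures-per-variation metric from the Measuring slide: a constructed record parser is run under a bounds-checking guard (in the spirit of AppVerifier's memory checks) over 1,000 mutated variants of a seed record, once with an off-by-one length check and once with the fix. The record format, the PRNG seed and the sample record are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bounds-checked view of the input. Like a page-heap guard, an out-of-range
   read is recorded as a fault instead of silently reading past the buffer. */
typedef struct { const uint8_t *p; size_t n; int fault; } guarded_t;
static uint8_t rd(guarded_t *g, size_t i) { if (i >= g->n) { g->fault = 1; return 0; } return g->p[i]; }

/* Constructed target: record = [len][len payload bytes][xor checksum]. fixed == 0 is the
   "before" parser with an off-by-one length check; fixed == 1 also counts the checksum byte. */
static int parse_record(guarded_t *g, int fixed)
{
    size_t len = rd(g, 0), need = fixed ? len + 2 : len + 1;
    if (need > g->n) return 0;                   /* BUG when !fixed: checksum byte not counted */
    uint8_t x = 0;
    for (size_t i = 0; i < len; i++) x ^= rd(g, 1 + i);
    return rd(g, 1 + len) == x;                  /* reads one past the end when len + 1 == n */
}

/* Deterministic PRNG so every fuzz run is reproducible. */
static uint32_t xorshift32(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* Mutation fuzzing: each variation is the seed with one dumb edit (bit flip, byte overwrite
   or truncation). Returns the faults seen over `variations` runs: failures per N variations. */
static int fuzz_faults(int fixed, const uint8_t *seed, size_t seed_len, int variations)
{
    uint8_t buf[64]; uint32_t rng = 0x9E3779B9u; int faults = 0;
    if (seed_len == 0 || seed_len > sizeof buf) return -1;
    for (int v = 0; v < variations; v++) {
        size_t n = seed_len, pos;
        memcpy(buf, seed, seed_len);
        switch (xorshift32(&rng) % 3) {
        case 0:  pos = xorshift32(&rng) % n; buf[pos] ^= (uint8_t)(1u << (xorshift32(&rng) % 8)); break;
        case 1:  pos = xorshift32(&rng) % n; buf[pos] = (uint8_t)xorshift32(&rng); break;
        default: n = 1 + xorshift32(&rng) % n; break;
        }
        guarded_t g = { buf, n, 0 };
        parse_record(&g, fixed);
        faults += g.fault;
    }
    return faults;
}

static const uint8_t SAMPLE_RECORD[] = { 3, 'a', 'b', 'c', 'a' ^ 'b' ^ 'c' }; /* constructed valid seed */

int main(void)
{
    printf("buggy parser: %d faults per 1K variations\n", fuzz_faults(0, SAMPLE_RECORD, sizeof SAMPLE_RECORD, 1000));
    printf("fixed parser: %d faults per 1K variations\n", fuzz_faults(1, SAMPLE_RECORD, sizeof SAMPLE_RECORD, 1000));
    return 0;
}
```

The fixed parser can never fault: once the length check passes, every index it touches is below n, so the guard never trips no matter how the seed is mutated.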
Upcoming New Tools
  • In .NET Framework 2.0 / VS 2005
    • PreFast
      • Source code static analysis
      • Has security checks, such as buffer overrun detection, etc.
    • PermCalc
      • Static binary analysis for managed code
      • Calculates .NET permissions needed for .NET assemblies to run
      • Integrated into Visual Studio
Call To Action
  • Raise the bar for security in your own applications
    • Adopt these tools in your development
    • Consider adding additional security best practices from “Writing Secure Code”
  • Provide feedback on the tools
    • Bug reports
    • Feature requests
General Security Resources
  • General
    • http://www.microsoft.com/security
  • XP SP2 Resources for the IT Professional
    • http://www.microsoft.com/technet/winxpsp2
  • Security Guidance Center
    • http://www.microsoft.com/security/guidance
  • Tools
    • http://www.microsoft.com/technet/Security/tools
  • How Microsoft IT Secures Microsoft
    • http://www.microsoft.com/technet/itsolutions/msit
  • E-Learning Clinics
    • https://www.microsoftelearning.com/security
  • Events and Webcasts
    • http://www.microsoft.com/seminar/events/security.mspx
Additional Documentation
  • Writing Secure Code:
    • http://www.microsoft.com/MSPress/books/5957.asp
  • Threat Modeling:
    • http://www.microsoft.com/MSPress/books/6892.asp
  • Threat Modeling Online
    • http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
  • Compiler Security Checks In Depth
    • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/vctchcompilersecuritychecksindepth.asp
FxCop Resources
  • http://www.gotdotnet.com/team/fxcop/
    • FxCop download site/bulletin board
    • FxCop docs and rule topics
    • Support
  • AskFxCop@Microsoft.com
AppVerifier Resources
  • Download Site: http://www.microsoft.com/windows/appexperience
  • Newsgroup:
    • microsoft.public.win32.programmer.tools
    • http://msdn.microsoft.com/newsgroups/managed
Questions?
  • We want your feedback!
© 2005 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.