crispin cowan phd senior pm windows security microsoft n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft PowerPoint Presentation
Download Presentation
Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft

Loading in 2 Seconds...

play fullscreen
1 / 41

Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft - PowerPoint PPT Presentation


  • 111 Views
  • Uploaded on

Crispin Cowan, PhD Senior PM, Windows Security Microsoft. Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft. Crispin Who?!. CS Prof at Oregon Graduate Institute 1995-2000 Invented StackGuard Stack Canaries Copied by ProPolice , - fstack_protect in GCC

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Stranger in a Strange Land: Reflections on a Linux Guy’s First Year at Microsoft' - tamar


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
crispin cowan phd senior pm windows security microsoft
Crispin Cowan, PhD

Senior PM, Windows Security

Microsoft

Stranger in a Strange Land:Reflections on a Linux Guy’sFirst Year at Microsoft
crispin who
Crispin Who?!
  • CS Prof at Oregon Graduate Institute 1995-2000
  • Invented StackGuard
    • Stack Canaries
    • Copied by ProPolice, -fstack_protect in GCC
    • Independently invented  by Microsoft /GS
    • Now protecting nearly all x86 code on the planet
  • Founded Immunix, Inc.
    • Largest security Linux distro
    • Acquired by Novell in 2005
    • Produced AppArmor: Standard on SUSE, Ubuntu, and Mandriva
crispin who1
Crispin Who?!
  • Often vocal Microsoft critic
  • E.g. “Virus problem, and consequent AV industry, is purely Microsoft’s fault”
    • Mail clients that auto-execute embedded scripts
    • Document editors (Office) that auto-execute embedded scripts
    • Removable media that auto-execute
    • Run it all as root Administrator
  • What do you really expect?!
crispin joins microsoft in 2008
Crispin Joins Microsoft in 2008
  • What! What! What!?
  • Has Hell opened a ski resort? 
  • No, not really
  • This talk is about my experience at Microsoft as a long-time Linux guy
  • It’s really different …
    • … and not so different, really
talk outline
Talk Outline
  • Comparing Code Security between Open Source and Microsoft
  • Comparing operating systems between Linux and Windows
  • Comparing communities between Open Source and Microsoft
theoretical open source security
Theoretical Open Source Security
  • “Many eyes make all bugs shallow” – ESR
    • If many people look at code, from many perspectives, then surely someone will find most of the bugs
  • You can audit and fix your own code
    • If there is a bug in some software you use, then you can fix it yourself
    • Feed the fix back upstream
    • Share and enjoy
  • “You can apply security tools” – Crispin
    • Such as StackGuard, ITS4, RATS, etc.
theoretical microsoft security
Theoretical Microsoft Security
  • “Microsoft is an evil monopoly, doesn’t have to care”
    • No need to fix security
  • “Microsoft cares more about features than security”
    • Bloated software, full of bugs
  • “Closed source means they can hide embarrassingly bad code”
    • And there’s nothing you can do about it
reality open source security
Reality Open Source Security
  • Many eyes make bugs shallow, but only if they actually look
    • A few projects, e.g. Linux kernel, get deep inspection
    • Vast majority of OSS never gets examined
    • Bugs are rife, and last for years
    • E.g. Debian SSL keys 
  • You can fix your own code, but no one does
    • Enterprise users of OSS rely on supported software, don’t dare touch it
  • You can apply security tools, but no one does, see above
reality microsoft security
Reality Microsoft Security
  • Microsoft security really did suck …
    • (because security was not the priority)
  • … until the 2002 Memo
    • Microsoft halted the entire software production line for everyone to go learn how to code securely
    • Cost over $200M in wages for the whole company for that month; serious investment
reality microsoft security1
Reality Microsoft Security
  • Consider Microsoft SQL
  • 2003: The Slammer/Sapphire Worm
    • Single UDP datagram buffer overflowed the SQL server, caused it to start scanning the internet and sending more infection packets
  • 2004: Microsoft SQL one of the first applications to go through SDL
    • A single vulnerability since 2004
    • Including zero vulnerabilities in a .0 release for two years
    • MySQL: 12 vulnerabilities in 3 years
  • Times have changed …
reality open source security1
Reality Open Source Security
  • Consider my Sardonix project
    • Try to motivate proper security auditing of source code using a Slashdot-inspired rating system
    • Audit more code, and do it well, earn a better reputation
    • Result? Squat the only audits turned in were from David Wagner’s security class
  • Security audits are tedious, difficult, exacting work requiring lots of expertise
    • You can only get people to do it by paying them
reality microsoft security2
Reality Microsoft Security
  • Microsoft does pay people to audit software
    • Lots and lots of people
  • Armies of contractors for external review of big products around ship time
  • Full-time staff do both internal design and code audits of everything that ships
  • Anything with a vulnerable attack surface requires mandatory fuzzing before it gets to ship
  • And it shows: bug density in Microsoft products is way down from the bad old days of 2000
    • And far below the bug density of any OSS
security development lifecycle
Security Development Lifecycle

How Successful is SDL Analysis?

  • IIS 6 has had only 5 exploits since March 2003 (it’s release date)
    • http://secunia.com/product/1438
  • Not a single, major public attack
  • Apache web server has had over 33 exploits in the same time period
security development lifecycle1
Security Development Lifecycle

How Successful is SDL Analysis?

  • Vista’s 1-year period vs. XP’s 1-year period
security development lifecycle2
Security Development Lifecycle

How Successful is SDL Analysis?

  • Vista’s 1-year period vs. XP’s 1-year period
security development lifecycle3
Security Development Lifecycle

How Successful is SDL Analysis?

  • Windows vs. Major Competitors
security development lifecycle4
Security Development Lifecycle

How Successful is SDL Analysis?

  • IE vs. Competitors
security development lifecycle5
Security Development Lifecycle

How Successful is SDL Analysis?

  • IE vs. Competitors
security development lifecycle6
Security Development Lifecycle

How Successful is SDL Analysis?

  • IE vs. Competitors
funny thing about software
Funny Thing About Software …
  • … it turns out to be less flexible than hardware
    • Intel Core II Duo has very little to do with a 386SX
    • Windows still supports APIs from the early 1990s
  • The value of Windows is the rich application base
    • That application base exists because of continuous backward compatibility
    • Many of these applications are actually dependent on legacy Windows bugs
  • Don’t get to change the Windows architecture 
some problems in the windows architecture
Some Problems In theWindows Architecture
  • Heavy reliance on thread injection
    • One application on the desktop can inject a thread into another application
      • Execute arbitrary code in another application’s address space
    • Used enough that you don’t get to block it, or it might break app compat
  • Windows messages
    • Millions of them
    • Any access control check on Windows messages must be blazing fast -> can’t do anything complex
some problems in the windows architecture1
Some Problems In theWindows Architecture
  • Impersonation
    • Many services have the impersonation privilege
      • Used so they can impersonate a client identity and do stuff on behalf of the client
    • Obvious security problems, highlighted in great detail by Cesar Cerrudo’s Token Kidnapping work
some problems in the windows architecture2
Some Problems In theWindows Architecture
  • Massive dependence on Administrator privilege
    • Way back in NT 3.51 time, Microsoft chose to port the win32 environment to NT
      • To get that very valuable application base for NT
    • Problem: Win16 and Win32 (Win 3.1, Win95) has only a single privilege level
      • All code that runs has command of the entire machine
    • Result: default user on NT, Win2K, and XP is Administrator (root)
      • All the fancy security features in NT kernel are effectively disabled
fixing administrator
Fixing Administrator
  • You could just change Windows
    • Make the default account a Standard User without Administrator privilege
    • But that would (you guessed it) break app compat
  • Fixing dependence on Administrator is what UAC is all about
    • UAC is really just sudo
    • Functions in Windows as training wheels for switching to Standard User some day
    • Allows broken apps that need Administrator to be used in a semi-unprivileged context
but uac sucks everyone knows that
“But UAC Sucks! Everyone Knows That …”
  • It isn’t UAC per se that is sucking
    • Moving the Windows application base to non-privileged operation is a painful, drawn-out process
    • If you were barefoot your whole life, hiking boots would not be comfortable, even if you were about to cross a field of broken glass
    • UAC doesn’t suck, it is the applications that abuse privilege that suck
remember
Remember …

abuse Privilege

uac suckage
UAC Suckage …
  • UAC sucks less than you might think
    • 88% of users leave UAC enabled
  • Trend is improving over time … slowly
    • 50% of user sessions were prompt free at Vista RTM in 2006
    • 65% in VistaSP1 today for consumers
    • 80% in VistaSP1 for enterprise users
some problems in the linux architecture
Some Problems In theLinux Architecture
  • The UNIX/Linux process model is mostly sound
    • At least has two levels of privilege 
  • Except for ptrace
    • Complex semantics, often broken
    • Allows any process to debug any other process owned by the same user
      • E.g. all of root, or all of your desktop
    • Saving grace: ptrace only really used for debugging, so you can block it
      • AppArmor and SELinuxdo block it
some problems in the linux architecture1
Some Problems In theLinux Architecture
  • The X11 security model … not so much
  • E.g. Any desktop process can keylog any other desktop process
    • That is enough for any malware that makes it to your desktop to steal your password, root’s password, your credit card numbers, your social security number, etc. 
    • Core problem: X11 server is a giant MUX with no access control, so everything on a desktop has co-mingled privilege
  • SELinux branch working on enhancing X11 security
    • Has been working on it for 3 years now …
the interesting market economies of malware
The Interesting Market Economies of Malware
  • In a competitive market of selling software, the #2 and #3 positions are still valuable
    • Can make money selling applications for Macintosh
  • In the competitive malware market, only #1 matters
    • Because “consumers” (victims) are not selecting anything, rather the attackers select the victims
    • Result: only economic to write malware for #1
      • Approximately no one attacks Linux or Mac
      • Approximately no one attacks Vista yet either  because XP is #1
theoretical linux community
Theoretical Linux Community
  • An open community of passionate experts
    • Open: anyone can join
    • Passion: everyone cares about Linux
    • Experts: everyone is convinced that they are right 
  • Your job: convince everyone that you are right
    • Can lead to shouting 
theoretical microsoft community
Theoretical Microsoft Community
  • “Closed garden of clods who can’t code for beans and only care about money”
    • Bloated, baroque architecture
    • Mountains of bugs & vulnerabilities
    • Mountains of money 
reality linux community
Reality Linux Community
  • Not so open: Newbies are harshly treated
    • Shockingly hostile to women
      • Not overtly, you just are required to be willing to shout down detractors
    • Fail to conform to all the social norms, and you had better have asbestos shorts
    • God help you if you top-post 
  • Passion: anyone who disagrees with your idea will tell you that “you don’t care about Linux” 
  • Experts: everyone is an argumentative butt-head
reality microsoft community
Reality Microsoft Community
  • “Closed garden”: perhaps, but …
    • “Garden” is 100K people, so walls are very far away
    • Admission criteria to get hired not that different from the OSS hazing rituals: must show your worth
  • “Clods who can’t code”: No, it is priorities …
    • Before 2002: features and ship date
    • 2002-6: features and security
    • Future: trying to balance all three 
  • Money: having money/resources is nice 
    • Windows Security is bigger than all of SUSE combined
my changed impression
My Changed Impression
  • Before I got here
    • Hmmm, Windows security seems to suck
    • I’ll go show them how it is really done …
my changed impression1
My Changed Impression
  • After I have been here for a while
    • Microsoft is stuffed with brilliant people
    • Almost every good idea I suggested not only has already been suggested, but had already been tried and failed, because for some stupid reason it couldn’t be done 
    • The real work is to figure out how to break the app compat log jam, so you can add security without breaking app compat
academic security
Academic Security
  • Received wisdom: security must be designed in at the start
    • Can’t retrofit security
  • This is for sissies 
    • In theory, theory is just like practice, but in practice, it isn’t
  • Any chump can design a secure operating system from scratch
    • But retrofitting security is art
    • Retrofit security is what I did to Linux with StackGuard and AppArmor
    • Retrofit security is what I intend to do for Windows
  • Microsoft is hiring
    • Microsoft is always hiring good people
questions
Questions
  • Contact:
    • crispin@microsoft.com
    • crispin@crispincowan.com
    • http://crispincowan.com/
  • Feedback
    • http://feedback.shmoocon.org/