
Ivan Medvedev - Security Development Lifecycle Tools


Published on: International Security Conference “ZeroNights 2011”

Published in: Technology, Education

  1. Ivan Medvedev
     Principal Security Development Lead
     Microsoft Corporation
  2. Session Objectives and Takeaways
     Session Objective(s):
     • Give an overview of the Security Development Lifecycle
     • Discuss the externally available tools that support the SDL
     • Provide guidance on using the tools to build more secure software
     Key takeaways:
     • Microsoft is investing into supporting the SDL
     • Customers should use the tools to build more secure software
  3. Security Timeline at Microsoft
     2002-2003:
     • Bill Gates writes “Trustworthy Computing” memo early 2002
     • “Windows security push” for Windows Server 2003
     • Security push and FSR extended to other products
     2004:
     • Microsoft Senior Leadership Team agrees to require SDL for all products that:
       • Are exposed to meaningful risk and/or
       • Process sensitive data
     • Windows Vista is the first OS to go through full SDL cycle
     2005-2007: SDL is enhanced
     • “Fuzz” testing
     • Code analysis
     • Crypto design requirements
     • Privacy
     • Banned APIs
     • and more…
     Now:
     • Optimize the process through feedback, analysis and automation
     • Evangelize the SDL to the software development community:
       • SDL Process Guidance
       • SDL Optimization Model
       • SDL Pro Network
       • SDL Threat Modeling Tool
       • SDL Process Templates
  4. SDL – Continual Improvement
     Microsoft’s secure development processes have come a long way since the SDL was first introduced – the SDL is constantly evolving
  5. SDL for Spiral/Waterfall Development
     • Education
     • Process
     • Accountability
     • Ongoing Process Improvements
  6. SDL for Agile Development
     Major differentiators of Agile:
     • No distinct phases
     • Short release cycles
     Simple:
     Comprehensive:
     Customizable:
  7. What About the Cloud?
     Native code requirements address implementation of cloud services
     SDL has applied to web properties since v3.2
     • Requirements address issues such as cross site scripting and SQL injection
     Cloud services and web properties often use agile development models
     • “Product cycle” might be 2 weeks, not three years
     Multiple iterations of SDL for agile development since 2006
  8. Motivation for Action
     The application space is under attack: things are bad, and getting worse
     • Users now expect security *without* having to pay for it
     Software security and holistic development practices are becoming a competitive differentiator
     • Procurement
     Showing up in government regulations
     • DISA STIG
     • NIST Smart Grid Requirements
     Failure to show forward momentum will lead to unintended consequences and loss of consumer trust
  9. Tools for SDL: Requirements and Release
     • SDL Process Template
     • MSF-Agile + SDL Process Template
  10. SDL Template for VSTS (Spiral)
      The SDL Process Template integrates SDL 4.1 directly into the VSTS software development environment.
      Incorporates:
      • SDL requirements as work items
      • SDL-based check-in policies
      • Generates Final Security Review report
      • Third-party security tools
      • Security bugs and custom queries
      • A library of SDL how-to guidance
      Integrates with previously released free SDL tools:
      • SDL Threat Modeling Tool
      • BinScope Binary Analyzer
      • MiniFuzz File Fuzzer
  11. MSF Agile + SDL Template for VSTS
      Incorporates SDL-Agile secure development practices directly into the Visual Studio IDE - now available as beta (planned release at the end of Q2CY10). Will be updated for VS2010.
      Automatically creates new security workflow items for SDL requirements whenever users check in code or create new sprints
      Ensures important security processes are not accidentally skipped or forgotten
      Integrates with previously released free SDL tools:
      • SDL Threat Modeling Tool
      • BinScope Binary Analyzer
      • MiniFuzz File Fuzzer
  12. Tools for SDL: Design
      • SDL Threat Modeling Tool
  13. SDL Threat Modeling Tool
      Transforms threat modeling from an expert-led process into a process that any software architect can perform effectively
      Provides:
      • Guidance in drawing threat diagrams
      • Guided analysis of threats and mitigations
      • Integration with bug tracking systems
      • Robust reporting capabilities
  14. Tools for SDL: Implementation
      Banned.h
      Code Analysis for C/C++
      • Visual Studio Premium and Ultimate
      Microsoft Code Analysis Tool .NET (CAT.NET) 1.0 CTP
      • Detects common web app vulnerabilities, like XSS
      FxCop 10.0
      • Standalone or integrated into VS Premium and Ultimate
      Anti-Cross Site Scripting (Anti-XSS) Library 4.0
      SiteLock ATL Template
  15. Tools for SDL: Verification
      BinScope Binary Analyzer
      • Ensures the build process followed the SDL
      MiniFuzz File Fuzzer
      • !exploitable
      Regex Fuzzer
      Attack Surface Analyzer Beta
      • Snapshot based analysis
      AppVerifier
      • Dynamic analysis
  16. BinScope Binary Analyzer
      Provides an extensive analysis of an application binary
      Checks done by BinScope:
      • /GS - to prevent buffer overflows
      • /SafeSEH - to ensure safe exception handling
      • /NXCOMPAT - to prevent data execution
      • /DYNAMICBASE - to enable ASLR
      • Strong-Named Assemblies - to ensure unique key pairs and strong integrity checks
      • Known good ATL headers are being used
      Use either standalone or integrated with Visual Studio (VS) and Team Foundation Server (TFS)
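Two of the BinScope checks listed on this slide, /NXCOMPAT (DEP) and /DYNAMICBASE (ASLR), are recorded by the linker as bits in the DllCharacteristics field of the PE optional header, so a build-verification step can read them straight out of the binary. The script below is an added example, not BinScope's code or anything from the talk: it walks the MZ, PE, COFF and optional headers with the standard winnt.h flag values, reports which flags are set, and lists the required ones that are missing. The helper that builds a minimal header-only PE image, and the policy of which flags are "required", are both constructed for this example. /GS and /SafeSEH are deliberately out of scope: the first needs symbol or PDB inspection and the second lives in the load-config directory, which this script does not parse.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header (winnt.h values).
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high-entropy addresses (added after 2011)
    "DYNAMICBASE":     0x0040,  # /DYNAMICBASE: image can be relocated, i.e. ASLR-enabled
    "FORCE_INTEGRITY": 0x0080,  # loader enforces the Authenticode signature
    "NXCOMPAT":        0x0100,  # /NXCOMPAT: image is DEP-compatible
    "NO_SEH":          0x0400,  # image declares that it uses no structured exception handlers
    "GUARD_CF":        0x4000,  # Control Flow Guard instrumented (added after 2011)
}


def read_optional_header(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header.
    Returns (magic, dll_characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:                     # DllCharacteristics sits at offset 70 in both layouts
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return magic, dll_chars


def check_mitigations(data):
    """Map every known flag name to whether the image declares it."""
    magic, dll_chars = read_optional_header(data)
    result = {name: bool(dll_chars & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    result["PE32PLUS"] = magic == 0x20B
    return result


def missing_mitigations(data):
    """Required flags that are not set, in a fixed order (constructed policy:
    DEP and ASLR always; high-entropy ASLR additionally for 64-bit images)."""
    flags = check_mitigations(data)
    required = ["NXCOMPAT", "DYNAMICBASE"]
    if flags["PE32PLUS"]:
        required.append("HIGH_ENTROPY_VA")
    return [name for name in required if not flags[name]]


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed test image: just enough header to be parsed above, no sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    magic, opt_size = (0x20B, 240) if pe32plus else (0x10B, 224)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_minimal_pe(0x0100)
    print(check_mitigations(image))
    print("missing:", missing_mitigations(image) or "none")
```

Run it with a path to any .exe or .dll to see its declared flags; without arguments it checks a constructed image that has /NXCOMPAT but not /DYNAMICBASE. Reading the header only tells you what the image declares, so a result of "none missing" is a necessary, not sufficient, sign that the build followed the SDL settings.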
  17. MiniFuzz File Fuzzer
      MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code.
      • Creates corrupted variations of valid input files
      • Exercises the code in an attempt to expose unexpected application behaviors
      • Lightweight, for beginner or advanced security testing
      • Use either standalone or integrated with Visual Studio (VS) and Team Foundation Server (TFS)
  18. !exploitable
      Creates hashes to determine the uniqueness of a crash
      Assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown
      An extension of Microsoft debuggers:
      • windbg badapp.exe \users\mike\desktop\minifuzz\crashes\foobar8776.bad
      • !load winext\msec.dll
      • Run the process and have it parse the file: g
      • Finally, run !exploitable to take a first pass analysis of the failure: !exploitable
      Open source
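Slides 17 and 18 describe a loop: a fuzzer produces corrupted variants of a valid file, the target is run on each, and crashes are hashed so that hundreds of inputs hitting the same defect collapse into one bucket. The example below is added here to show both halves working together; it is not MiniFuzz or !exploitable code and nothing from the talk. The target is a constructed toy parser with two deliberate defects (it trusts its count byte and divides by the first record), the seed file and its format are made up for the example, and the bucket key is a stack hash in the spirit of !exploitable's major hash: exception type plus the innermost frames, rather than the raw input.

```python
import hashlib
import random
import traceback

# Constructed seed file in a toy format: 1-byte record count, then that many
# 2-byte big-endian records. It stands in for any valid input a target parses.
SEED = bytes([3, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06])


def parse_records(data):
    """Toy target parser (constructed, deliberately fragile): it trusts the
    count byte and never validates the buffer length."""
    count = data[0]
    records = []
    for i in range(count):
        off = 1 + 2 * i
        records.append((data[off] << 8) | data[off + 1])   # IndexError if truncated
    if not records:
        return []
    base = records[0]
    return [r // base for r in records]                     # ZeroDivisionError if base == 0


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def mutate(rng, data):
    """One corruption of a valid input, MiniFuzz-style: bit flip, boundary
    value, or truncation. Always derives from the seed, never from a mutant."""
    buf = bytearray(data)
    i = rng.randrange(len(buf))
    op = rng.randrange(3)
    if op == 0:
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[i] = rng.choice(INTERESTING)
    else:
        del buf[i:]
    return bytes(buf)


def crash_bucket(exc):
    """Stack-hash a crash: exception type plus the innermost frames (function
    and line), so the same defect reached by many inputs lands in one bucket."""
    frames = traceback.extract_tb(exc.__traceback__)[-3:]
    sig = [type(exc).__name__] + [f"{f.name}:{f.lineno}" for f in frames]
    return hashlib.sha256("|".join(sig).encode()).hexdigest()[:16]


def fuzz_one(data):
    """Run the target on one input. None if it survived, else (bucket, type)."""
    try:
        parse_records(data)
        return None
    except Exception as exc:            # any unhandled exception counts as a crash
        return crash_bucket(exc), type(exc).__name__


def run_campaign(seed, iterations=500, rng_seed=1):
    """Mutate the seed repeatedly; collect unique crashes keyed by bucket."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        data = mutate(rng, seed)
        hit = fuzz_one(data)
        if hit is None:
            continue
        key, name = hit
        entry = buckets.setdefault(key, {"type": name, "count": 0, "sample": data})
        entry["count"] += 1
    return buckets


if __name__ == "__main__":
    for key, entry in run_campaign(SEED).items():
        print(key, entry["type"], "x%d" % entry["count"], entry["sample"].hex())
```

Each bucket keeps one reproducer, which is what you would hand to a debugger for the first-pass triage the slide describes; the count per bucket is what tells you a single root cause is responsible for most of the crash files in the output directory.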
  19. Attack Surface Analyzer
      • Takes system attack surface snapshots
      • One before and one after installing the product
      • Compares the snapshots and generates a report
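The snapshot-compare-report flow on this slide is simple to state and worth seeing as code, because the useful part is not the diff but the rules that turn a diff into findings. The example below is added here and is not Attack Surface Analyzer code; the snapshot shape (a few categories, each mapping an identifier to attributes), the before/after data for a fictitious "Widget" install and the severity rules are all constructed for the example.

```python
# Constructed snapshots (not real Attack Surface Analyzer output). Each category
# maps an identifier to its attributes, which is all a diff needs.
BEFORE = {
    "listening_ports": {
        "tcp/0.0.0.0:135":    {"process": "svchost.exe"},
        "tcp/127.0.0.1:5357": {"process": "svchost.exe"},
    },
    "services": {"Spooler": {"account": "LocalSystem", "start": "auto"}},
    "firewall_rules": {},
    "directories": {"C:\\Program Files\\Common Files": {"everyone_write": False}},
}
AFTER = {
    "listening_ports": {
        "tcp/0.0.0.0:135":    {"process": "svchost.exe"},
        "tcp/127.0.0.1:5357": {"process": "svchost.exe"},
        "tcp/0.0.0.0:8080":   {"process": "widgetd.exe"},          # new, all interfaces
    },
    "services": {
        "Spooler":   {"account": "LocalSystem", "start": "auto"},
        "WidgetSvc": {"account": "LocalSystem", "start": "auto"},   # new, highest privilege
    },
    "firewall_rules": {"Widget inbound": {"direction": "in", "action": "allow", "port": 8080}},
    "directories": {
        "C:\\Program Files\\Common Files": {"everyone_write": False},
        "C:\\ProgramData\\Widget":        {"everyone_write": True},  # new, world-writable
    },
}


def diff_snapshots(before, after):
    """Per-category added / removed / changed entries between two snapshots."""
    report = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, {}), after.get(cat, {})
        report[cat] = {
            "added":   {k: a[k] for k in a if k not in b},
            "removed": {k: b[k] for k in b if k not in a},
            "changed": {k: (b[k], a[k]) for k in a if k in b and a[k] != b[k]},
        }
    return report


def risk_findings(report):
    """Turn raw differences into (severity, message) findings with a few
    constructed rules of the kind a reviewer applies to an install delta."""
    def added(cat):
        return report.get(cat, {}).get("added", {})

    def changed(cat):
        return report.get(cat, {}).get("changed", {})

    findings = []
    for key, attrs in added("listening_ports").items():
        if "/0.0.0.0:" in key or "/[::]:" in key:
            findings.append(("high", f"new port listening on all interfaces: {key} ({attrs['process']})"))
        else:
            findings.append(("low", f"new port listening locally: {key} ({attrs['process']})"))
    for name, attrs in added("services").items():
        if attrs["account"] == "LocalSystem" and attrs["start"] == "auto":
            findings.append(("high", f"new auto-start service running as LocalSystem: {name}"))
        else:
            findings.append(("medium", f"new service: {name} ({attrs['account']}, {attrs['start']})"))
    for name, attrs in added("firewall_rules").items():
        if attrs["direction"] == "in" and attrs["action"] == "allow":
            findings.append(("medium", f"new inbound allow rule: {name} (port {attrs['port']})"))
    for path, attrs in added("directories").items():
        if attrs.get("everyone_write"):
            findings.append(("high", f"new directory writable by Everyone: {path}"))
    for path, (old, new) in changed("directories").items():
        if new.get("everyone_write") and not old.get("everyone_write"):
            findings.append(("high", f"directory became writable by Everyone: {path}"))
    return findings


def report_text(findings):
    """Render findings highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return "\n".join(f"[{sev.upper()}] {msg}"
                     for sev, msg in sorted(findings, key=lambda f: order[f[0]]))


if __name__ == "__main__":
    print(report_text(risk_findings(diff_snapshots(BEFORE, AFTER))) or "no findings")
```

The "changed" bucket matters as much as "added": an installer that loosens the ACL on an existing directory shows up there, not as a new entry, which is why the rules look at both.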
  20. SDL Tools: Response
      • EMET
  21. EMET: Simplifying mitigation deployment
      GUI and command line interface
      Configure system-wide mitigations
      Enable mitigations for specific applications
      Verify mitigation settings
  22. EMET: Protecting applications
      Protect at-risk or known vulnerable applications
      Protect against active 0day attacks in the wild
      Granular control over which mitigations are enabled
  23. Important Resources
      Microsoft SDL Portal
      Tools (with download links and training/videos)
      Studio 2010 documentation
      !exploitable
  24. BlueHat Prize Announcement
      First BlueHat Prize Challenge:
      • Design a novel runtime mitigation technology that is capable of preventing the exploitation of memory safety vulnerabilities
      Entry Period: Aug 3, 2011 – Apr 1, 2012
      Winners announced: BlackHat USA August 2012
      IP remains the property of the inventor, with a license for Microsoft to use the technology
      Grand Prize:
      • $200,000 in cash
      Second Prize:
      • $50,000 in cash
      Third Prize:
      • MSDN subscription ($10,000 value)
  25. Examples of Mitigation Technology
      Data Execution Prevention (DEP)
      • Sets non executable memory pages
      Address Space Layout Randomization (ASLR)
      • Randomizes memory in which apps load
      Structured Exception Handler Overwrite Protection (SEHOP)
      • Verifies exception handler lists have not been corrupted
      Mitigation tools from Microsoft: Download EMET
  26. BlueHat Prize Judging Criteria
      Practicality – 30%
      • Can the solution be implemented and deployed at a large scale on Windows?
      • Overhead must be low (e.g. CPU and memory cost no more than 5%).
      • No application compatibility regressions should occur.
      • No usability regressions should occur.
      • Reasonable to develop, test, and deploy.
      Robustness – 30%
      • How easy would it be to bypass the proposed solution?
      Impact – 40%
      • Does the solution strongly address key open problems or significantly refine an existing approach?
      • Would the solution strongly mitigate modern exploits above and beyond our current arsenal?
  27. For More Information…
      BlueHat Prize Web site:
      • Questions? bluehatprize.@microsoft.com
      MSRC Blog:
      Blog: Defend the Planet:
      Follow us on Twitter: @k8em0 and @MSFTSecResponse
  28. In Review: Session Objectives and Takeaways
      Session Objective(s):
      • Give an overview of the Secure Development Lifecycle
      • Discuss the externally available tools that support the SDL
      • Provide guidance on using the tools to build more secure software
      Key takeaways:
      • Microsoft is investing into supporting the SDL
      • Our customers should use the tools to build more secure software
  29. We are hiring