Security Engineering In Windows Vista presented at HITBSecConf Malaysia 2006

by Ian Hellen

Tags: Security Infrastructure Community Risk Analysis

Summary:

This paper will present a technical overview of the security engineering process behind Windows Vista. Windows Vista is the first end-to-end major OS release in the Trustworthy Computing era from Microsoft. Come see how we’ve listened to feedback from the security community and how we’ve changed how we engineer our products as a result. The talk covers how the Vista engineering process is different from Windows XP, details from the largest commercial pentest in the world, and a sneak peek at some of the new mitigations in Vista that combat memory overwrite vulnerabilities. It includes behind-the-scenes details you will only hear from Microsoft!

Why this talk rocks:

Reason 1: Microsoft has benefited immensely over the years from the feedback from the security community and our customers. This presentation is an opportunity to show them how we’ve listened and tried to apply the best of what we’ve heard to Windows Vista.

Reason 2: This talk describes security improvements made in Windows Vista that raise the bar in terms of difficulty of exploitability. Hack In The Box will be the first Asian venue to learn of these changes.

Reason 3: Dave Tamasi is a key member responsible for the security engineering going into Vista. HITB attendees expect to hear authoritative information about the most important things that are going to impact their world. Windows Vista will be one of these products.

Detailed Outline:

• Intro – Who Am I?
• Agenda
• Here to explain what we’re doing in Vista
  o Overview of security engineering activities in Vista
  o Some detail on our major security initiatives
  o Overview of our mitigations work
• Here to listen to:
  o Any engineering-focused feedback you have
  o How you think we’re doing
• What you WON’T hear today:
  o Security features
  o What’s changed in Kerberos or PKI
  o UAC, Low Rights IE, BitLocker, etc.
• Security Development Lifecycle Tasks and Processes
• Windows Vista Security Approach
• Stop playing catch-up – find & fix before ship
  o Use root cause analysis to ensure we’re solid against previous issues
  o Look forward to get ahead of new classes of issues
  o Apply all the lessons from XP SP2, WS03 SP1 to a mainline release
  o Automate proven techniques
  o Buffer overruns and common coding defects
  o RPC and file parser fuzzing
  o Banned API removal
• Methodically apply security expertise on the whole product
  o Attack Surface Reduction, Threat Model reviews
  o Feature reviews
  o Penetration testing
• Defense-in-Depth Mitigations
  o Firewall on by default
  o Enhanced protections for stack, heap, and more
• Training
• Threat Models
• Component-level code review and testing

PART 1: AUTOMATE PROVEN TECHNIQUES

Windows Vista Quality Gates
• Many recommended SDL tasks are required in Vista
• Banned API removal
  o 120 functions banned
  o No incoming code uses these APIs
  o Over 250,000 removed from existing code
  o Entire code base will be clean by the time we ship
• SAL for ALL headers
  o No incoming code missing SAL
  o ISVs will get the benefit in the Platform SDK
  o Over 119,000 functions annotated by the time we ship
• PREfix and PREfast code scanners
  o Automate finding BO, I/O, and other defects
  o Scales to a massive code base many GB in size
• ALL new features required a threat model along with design, spec, and test plan up front
  o 1,456 threat models (yes, we checked them)
• Weak Crypto Removal (MD4, MD5, etc.)
• Central Privacy team and Privacy Quality Gate
• A Brief Introduction to the Standard Annotation Language (SAL)
  o Tools can only find “so much” without more contextual information
• Case Study: Remember this Buffer Overrun?
• PREfast & SAL in Action
• File Parsers: Under Attack
• Multi-Prong Approach on Parsers
  o Automate what you can
  o Apply security expertise where you need it: manual code review + detailed program analysis on “problem parsers”
  o Extended SAL annotations for struct members
  o Emit runtime stack protections more aggressively in the “attack path”
• Parser Annotations

PART 2: METHODICALLY APPLY SECURITY EXPERTISE

Feature Reviews
• Features prioritized using multiple risk factors
• Feature Reviewer analyzes threat models, design, and attack surface
• Weak areas referred to pentest for deep inspection
• Internal reviews augmented with security consultants
• Affinitize reviewer to area of expertise where possible
• Each reviewer has an MS “driver” to assist with process, pushback
• Overall Feature Review Process
• Penetration Testing
• Sampling of Findings

PART 3: DEFENSE-IN-DEPTH MITIGATIONS

Mitigations
• /GS improved in MSVC 8.0 (Visual C++ 2005, aka Whidbey)
• Hardened Heap: many Defense-in-Depth changes
• Function Pointer Encoding
• Data Execution Prevention (DEP), aka NX
• Address Space Layout Randomization (ASLR)
• Windows Error Reporting
• Comprehensive suite of mitigations serves two purposes:
  o Decrease reliability of exploitation
  o Trigger feedback mechanisms
• How we use these to find security defects
• Service Hardening
• Questions?

About Ian

Ian is a Security Program Manager in the Windows security engineering team working on the security reviews of Windows Vista and Windows Server. Joining Microsoft UK as a consultant eight years ago, he has spent most of this time working in the security field from Windows NT 4.0 onwards. He has been in the IT industry for 14 years, previously working for AT&T/NCR and UK Local Government as (at various times) a developer, a systems admin and an infrastructure and network consultant. Ian has spoken at a number of conferences, has written two books on Wireless LAN security and has had several papers on varying security topics published on Microsoft.com.

Presenting with Vishal Kumar (Security Program Manager, Secure Windows Initiative Team, Microsoft Corporation)