Office Security Engineering presented at BlueHat 2009

by Tom Gallagher (Microsoft), David Conger (Microsoft)

Tags: Security

Summary: This is a multipart presentation by engineers working on Microsoft Office security. The first part will detail a distributed fuzzing framework. The second part will detail engineering defenses to fuzzing attacks in the upcoming release of Office (Office 2010).
Security researchers and zero-day exploits continue to leverage fuzzing bugs in Microsoft products. What are we doing to defend our products? As presented during last year's BlueHat, the more fuzzing iterations performed, the more likely you are to find bugs. The SDL now requires a clean fuzz run of half a million iterations in order to ship. That seems like a good idea and achievable, but what happens if your application parses more than 200 formats? Time to think like a black hat and leverage the power of a botnet to get your work done, complete with fuzzing command and control servers to delegate work to the fuzzing bots.
This presentation covers a framework built by the Office team to efficiently fuzz any file format parser. This framework can be used by any internal product team that parses file input, and it significantly reduces the pain around file fuzzing. This framework is not a fuzzer itself. You won't need to rewrite your fuzzers. Instead it allows existing fuzzers to plug in and run in a distributed fashion. The Office team is using this system to perform millions of iterations per day without purchasing any additional hardware. The Office team turned desktop machines and lab machines into a botnet for fuzzing during downtime. Other challenges that are solved by the distributed fuzzing framework and covered in this presentation include central run management, recurring job scheduling, duplicate detection across machines and runs, automated regression passes, and automated bug filing.
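Two of the controller-side problems the abstract lists, delegating a run's iterations to fuzzing bots and deduplicating crashes across machines and runs, sketched as an added Python example. This is illustrative code written for this page, not the Office team's framework; the bot names, run ids, seeds and stack frames are constructed, and bucketing by the top three offset-stripped frames is one common heuristic, not the one the talk describes.

```python
import hashlib
import re
from collections import defaultdict

# Constructed crash reports, as fuzzing bots would send them back to the
# controller. Machine names, run ids, seeds and frames are made up.
SAMPLE_REPORTS = [
    {"machine": "lab-01", "run": 1, "seed": 17,
     "frames": ["ole32!ReadStream+0x1a", "wwlib!ParseRecord+0x4f", "wwlib!LoadDoc+0x120"]},
    {"machine": "desk-07", "run": 2, "seed": 9931,
     "frames": ["ole32!ReadStream+0x3c", "wwlib!ParseRecord+0x4f", "wwlib!LoadDoc+0x120"]},
    {"machine": "lab-03", "run": 1, "seed": 42,
     "frames": ["wwlib!CopyField+0x88", "wwlib!ParseRecord+0x4f", "wwlib!LoadDoc+0x120"]},
]

_OFFSET = re.compile(r"\+0x[0-9a-fA-F]+$")

def bucket_key(frames, depth=3):
    """Hash the top `depth` frames with instruction offsets stripped, so one
    fault reached from different inputs, machines or builds shares a bucket."""
    normalised = [_OFFSET.sub("", f) for f in frames[:depth]]
    return hashlib.sha1("|".join(normalised).encode()).hexdigest()[:12]

def assign_ranges(total_iterations, bots):
    """Split one run's iterations into contiguous seed ranges, one per bot.
    Returns {bot: (first_seed, end_exclusive)}; any remainder goes to the last bot."""
    per_bot, rest = divmod(total_iterations, len(bots))
    ranges, start = {}, 0
    for i, bot in enumerate(bots):
        end = start + per_bot + (rest if i == len(bots) - 1 else 0)
        ranges[bot] = (start, end)
        start = end
    return ranges

def dedupe(reports):
    """Group reports by bucket; each bucket is one candidate bug to file once,
    with every (machine, run, seed) kept so the crash can be reproduced."""
    buckets = defaultdict(list)
    for r in reports:
        buckets[bucket_key(r["frames"])].append((r["machine"], r["run"], r["seed"]))
    return dict(buckets)

if __name__ == "__main__":
    print(assign_ranges(500_000, ["lab-01", "lab-03", "desk-07"]))
    for key, hits in dedupe(SAMPLE_REPORTS).items():
        print(key, len(hits), "report(s):", hits)
```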
Even with millions of fuzz iterations and following the best practices of the Security Development Lifecycle (SDL), some bugs will be missed. In addition to strengthening the parsers themselves, the Office security team has engineered a series of layered defenses; this presentation also covers two of these layers. The first layer, Gatekeeper, helps validate whether the data should be loaded by the target application at all. The Gatekeeper architecture allows it to be used by other applications and to describe additional binary formats. The second layer discussed leverages Windows Integrity Levels and is known as Protected View: even if malicious code runs inside Protected View, it should not be able to alter the host machine. The presentation will demonstrate how recent MSRC cases are mitigated by Protected View and Gatekeeper.

Tom Gallagher: Tom Gallagher is the lead of the Microsoft Office Security Test team, where he focuses on penetration testing, writing security testing tools, and providing security education.