Metro (down the Tube) - Global AppSec · 2014. 12. 15.
TRANSCRIPT
![Page 1: Metro (down the Tube) - Global AppSec · 2014. 12. 15. · The App Container Integrity Levels. Security Architecture (cont) Capabilities Contracts Broker Process. Win RT. Development](https://reader035.vdocuments.site/reader035/viewer/2022071016/5fcfb3e81cdbb9176e0002de/html5/thumbnails/1.jpg)
Metro (down the Tube)
Marion McCune
20 Years in IT
Worked with Microsoft products since DOS 3
Director of own security testing company for 3 years
Web Applications, MS products and mobile
Introducing Windows Store Apps
Background
Windows Store
Some Apps
Security Architecture
Microsoft Testing Process
Development Environments – HTML, JavaScript, .NET
Store Requirements and Certification
Win RT (Windows Runtime)
Background
The Windows Store
The Internet as Sewer….
Some Apps….
Security Architecture
Apps run in a Sandbox
The App Container
Integrity Levels
Security Architecture (cont)
Capabilities
Contracts
Broker Process
Win RT
Development Environments
.NET – C# and VB.NET with XAML
C++ with XAML
JavaScript and HTML
Chart: share of Store apps by development environment (59%, 5%, 36%)
Store Requirements and Certification
Package up the App and Deploy to the Store
Various requirements – mostly to do with development practices and content
Give it a WACK!!
If it passes WACK it still may fail acceptance for the Store (but they will indicate why)
Security Tests
BinScope Binary Analyzer Tests
AllowPartiallyTrustedCallersAttribute
/SafeSEH Exception Handling Protection
Data Execution Prevention
Address Space Layout Randomization
Read/Write Shared PE Section
AppContainerCheck
ExecutableImportsCheck
WXCheck
Attack Surface Analyzer
• Secure executable files that have weak ACLs
• Secure directories that contain objects and have weak ACLs
• Secure registry keys with weak ACLs
• Services that allow access to non-administrator accounts and are vulnerable to tampering
• Services that have fast restarts or might restart more than twice every 24 hours
Great, But…..
https://www.blackhat.com/html/bh-us-12/bh-us-12-archives.html
Protect the OS
Defeat Malware
App v. User or User v. App?
User A v. User B?
Security Testing Windows Store Apps
Where are they?
Some lessons
from another country
Testing Approaches
Software Setup
Web Services
Decompilation/Code Review
The Way we Were
JavaScript/HTML
Where are they?
C:\Program Files\WindowsApps\
Show hidden files and folders
Go to Security Tab and take ownership
Then take control when prompted
Must be logged in as an Administrator
App Packages
Danger Will Robinson…….
The Way we Were
Buy Burger £10.99
My Proprietary Secret Sauce App!!
Buy Chicken £12.50
Buy Milkshake £5.25
My Credit £2.99
Buy Burger £1.99
My Evil Hacker App!!
Buy Chicken £2.50
Buy Milkshake £0.25
My Credit £2000.99
Salad – FREE
My Ethical Open Source App!!
Fruit - FREE
Milk - FREE
My TCO £????
The Way we are
Windows resource protection makes it difficult to modify WindowsApps
Checksum prevents apps from running after modification
Verification back to Store – hacked now fixed…
Down to the individual App as of now
Testing Approaches
Attacking the Sandbox?
Web Application
Local Data
Decompilation/Code Review
Web Services
Software Setup
JavaScript/HTML Apps
Really are Web Applications and can be tested as such
Local context versus Web context
Run as a headless version of IE – can be seen in task explorer as ‘wwahost.exe’
Suffer from the typical problems of apps with a good framework
Unlikely (but possible) to get XSS
No less likely (maybe more!) to have other flaws
WWA Host running in Low Integrity Process
Decompilation/Code Review
.NET Apps can be trivially decompiled but may be obfuscated
A lot depends on your ability to read the language
Credentials/Keys
Developer Mode
SSL - <meta name="ms-https-connections-only" content="true"/>
Bad Coding Practices
Eval, ExecScript, MsAppExecUnsafeLocalFunction
Bad Coding Practices
XMLHttpRequest
Untrusted dynamic content
var myDiv = document.createElement("div");
myDiv.innerHTML = xhr.responseText;
document.body.appendChild(myDiv);
document.writeln(xhr.responseText);
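As an added example (not code from the talk), a small code-review helper that flags the sinks the two "Bad Coding Practices" slides list for Windows Store JavaScript apps (eval, execScript, MSApp.execUnsafeLocalFunction) and untrusted XHR content written to the DOM as markup; the "before" and "after" sources it scans are constructed, with the "after" inserting the response as text via textContent.

```javascript
// Added example, not from the talk: a code-review scanner for the dangerous
// sinks named on the slides. Input sources below are constructed samples.

const SINKS = [
  { name: "eval", re: /\beval\s*\(/, why: "runs a string as code" },
  { name: "execScript", re: /\bexecScript\s*\(/, why: "legacy IE string-to-code execution" },
  { name: "MSApp.execUnsafeLocalFunction", re: /\bMSApp\.execUnsafeLocalFunction\s*\(/,
    why: "turns off the local-context injection filter" },
  { name: "innerHTML", re: /\.(inner|outer)HTML\s*=[^=]/, why: "parses data as markup" },
  { name: "document.write", re: /\bdocument\.write(ln)?\s*\(/, why: "parses data as markup" },
];

// Returns one finding per (line, sink) pair, in source order.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const sink of SINKS) {
      if (sink.re.test(text)) findings.push({ line: i + 1, sink: sink.name, why: sink.why });
    }
  });
  return findings;
}

// Constructed "before": the slide's pattern plus the other listed sinks.
const VULNERABLE = [
  'var myDiv = document.createElement("div");',
  "myDiv.innerHTML = xhr.responseText;",
  "document.body.appendChild(myDiv);",
  "document.writeln(xhr.responseText);",
  "eval(settings.startupScript);",
  "MSApp.execUnsafeLocalFunction(function () { target.innerHTML = html; });",
].join("\n");

// Constructed "after": the response becomes a text node, so any markup in it
// stays inert, and no string-to-code sink remains.
const HARDENED = [
  'var myDiv = document.createElement("div");',
  "myDiv.textContent = xhr.responseText;",
  "document.body.appendChild(myDiv);",
].join("\n");

function reportCounts() {
  return { vulnerable: scanSource(VULNERABLE).length, hardened: scanSource(HARDENED).length };
}

console.log(scanSource(VULNERABLE));
console.log(reportCounts()); // { vulnerable: 5, hardened: 0 }
```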
Local Data
Apps can write to C:\users\username\AppData\Packages\appname
LocalState or RemoteState
Web Services
Web Services
Request:
<?xml version="1.0" encoding="utf-8"?>
<soap:body><Process_ID xmlns="http://tempuri.org">
<id>a' and 1=0/@@version;--</id></Process_ID>
</soap:body>
Response:
<soap:body><soap:fault><faultcode>soap:server</faultcode><faultstring>Server was unable to process
request. ---> Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
June 28 2012 08:36:30 Copyright (c) Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)'
to data type int.</faultstring></soap:fault>
</soap:body>
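As an added example (not code from the talk), a check a tester or CI job can run over a SOAP response to tell whether its fault string leaks back-end internals the way the fault on this slide does (DBMS banner, SQL error text, a .NET inner-exception arrow, OS build); both sample faults are constructed, the verbose one from the slide's text and the generic one as the shape a hardened service should return.

```javascript
// Added example, not from the talk: classify a SOAP fault as verbose (leaking
// internals) or generic. Indicator list and sample responses are constructed.

const LEAK_INDICATORS = [
  { name: "dbms-banner", re: /Microsoft SQL Server \d+(?: R2)?|MySQL|PostgreSQL|ORA-\d{5}/i },
  { name: "sql-error-text", re: /Conversion failed when converting|Unclosed quotation mark|syntax error/i },
  { name: "inner-exception", re: /--->/ },
  { name: "os-build", re: /Windows NT \d+\.\d+ \(Build \d+/ },
];

// Pull the <faultstring> body out of a response, or null when there is no fault.
function faultString(xml) {
  const m = /<faultstring>([\s\S]*?)<\/faultstring>/i.exec(xml);
  return m ? m[1] : null;
}

// Returns { fault, leaks, indicators }; indicators lists which patterns matched.
function inspectSoapResponse(xml) {
  const text = faultString(xml);
  if (text === null) return { fault: false, leaks: false, indicators: [] };
  const indicators = LEAK_INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  return { fault: true, leaks: indicators.length > 0, indicators };
}

// Constructed from the slide: the database error and version banner are echoed
// straight back to the client inside the fault.
const VERBOSE_FAULT = `<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>
<faultstring>Server was unable to process request. ---> Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64) Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)' to data type int.</faultstring>
</soap:Fault></soap:Body>`;

// Constructed hardened shape: a fixed message plus an opaque reference that
// maps to the real exception only in server-side logs.
const GENERIC_FAULT = `<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>
<faultstring>The request could not be processed. Reference: ref-0001</faultstring>
</soap:Fault></soap:Body>`;

console.log(inspectSoapResponse(VERBOSE_FAULT)); // leaks: true, four indicators
console.log(inspectSoapResponse(GENERIC_FAULT)); // leaks: false
```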
Some lessons from another Country
OWASP Mobile Top Ten
Insecure Data Storage
Weak Server Side Controls
Insufficient Transport Layer Protection
Client Side Injection
Poor Authorization and Authentication
Improper Session Handling
Security Decisions via Untrusted Inputs
Side Channel Data Leakage
Broken Cryptography
Sensitive Information Disclosure
Turning it on its head….
Compile with VS
Minimize App Capabilities
Use File Picker instead of library capabilities
Don’t trust remote data
Don’t let the web access WinRT
Authenticate correctly
Validate content
Use HTTPS
OWASP Project – Training Application to assist Developers and testers
Web Goat, Rails Goat, Droid Goat
Store Sheep (“A Friend for Ewe”)
Conclusion
Questions? Answers?