Stranger in a Strange Land: Reflections on a Linux Guy's First Year at Microsoft
Crispin Cowan, PhD, Senior PM, Windows Security, Microsoft

TRANSCRIPT
Slide 1: Stranger in a Strange Land: Reflections on a Linux Guy's First Year at Microsoft
  • Crispin Cowan, PhD, Senior PM, Windows Security, Microsoft

Slide 2: Crispin Who?!
  • CS Prof at Oregon Graduate Institute, 1995-2000
  • Invented StackGuard stack canaries
    • Copied by ProPolice, -fstack-protector in GCC
    • Independently invented by Microsoft (/GS)
    • Now protecting nearly all x86 code on the planet
  • Founded Immunix, Inc.
    • Largest security Linux distro
    • Acquired by Novell in 2005
  • Produced AppArmor: standard on SUSE, Ubuntu, and Mandriva

Slide 3: Crispin Who?!
  • Often vocal Microsoft critic
  • E.g. the virus problem, and the consequent AV industry, is purely Microsoft's fault:
    • Mail clients that auto-execute embedded scripts
    • Document editors (Office) that auto-execute embedded scripts
    • Removable media that auto-execute
    • Run it all as root (Administrator)
    • What do you really expect?!

Slide 4: Crispin Joins Microsoft in 2008
  • What! What! What!? Has Hell opened a ski resort?
  • No, not really
  • This talk is about my experience at Microsoft as a long-time Linux guy
  • It's really different, and not so different, really

Slide 5: Talk Outline
  • Comparing code security between Open Source and Microsoft
  • Comparing operating systems between Linux and Windows
  • Comparing communities between Open Source and Microsoft

Slide 6: Comparing Security

Slide 7: Theoretical Open Source Security
  • "Many eyes make all bugs shallow" (ESR)
    • If many people look at code, from many perspectives, then surely someone will find most of the bugs
  • You can audit and fix your own code
    • If there is a bug in some software you use, then you can fix it yourself
    • Feed the fix back upstream; share and enjoy
  • You can apply security tools (Crispin)
    • Such as StackGuard, ITS4, RATS, etc.

Slide 8: Theoretical Microsoft Security
  • Microsoft is an evil monopoly, doesn't have to care
    • No need to fix security
  • Microsoft cares more about features than security
    • Bloated software, full of bugs
  • Closed source means they can hide embarrassingly bad code
    • And there's nothing you can do about it

Slide 9: Reality: Open Source Security
  • Many eyes make bugs shallow, but only if they actually look
    • A few projects, e.g. the Linux kernel, get deep inspection
    • The vast majority of OSS never gets examined
    • Bugs are rife, and last for years, e.g. the Debian SSL keys
  • You can fix your own code, but no one does
    • Enterprise users of OSS rely on supported software and don't dare touch it
  • You can apply security tools, but no one does (see above)

Slide 10: Reality: Microsoft Security
  • Microsoft security really did suck (because security was not the priority) until the 2002 memo
  • Microsoft halted the entire software production line for everyone to go learn how to code securely
  • Cost over $200M in wages for the whole company for that month; a serious investment

Slide 11: Reality: Microsoft Security
  • Consider Microsoft SQL
    • 2003: the Slammer/Sapphire worm. A single UDP datagram buffer-overflowed the SQL server and caused it to start scanning the internet and sending more infection packets
    • 2004: Microsoft SQL was one of the first applications to go through SDL
    • A single vulnerability since 2004, including zero vulnerabilities in a .0 release for two years
    • MySQL: 12 vulnerabilities in 3 years
  • Times have changed

Slide 12: Reality: Open Source Security
  • Consider my Sardonix project
    • Try to motivate proper security auditing of source code using a Slashdot-inspired rating system
    • Audit more code, and do it well, earn a better reputation
  • Result? Squat: the only audits turned in were from David Wagner's security class
  • Security audits are tedious, difficult, exacting work requiring lots of expertise
  • You can only get people to do it by paying them

Slide 13: Reality: Microsoft Security
  • Microsoft does pay people to audit software. Lots and lots of people
    • Armies of contractors for external review of big products around ship time
    • Full-time staff do both internal design and code audits of everything that ships
    • Anything with a vulnerable attack surface requires mandatory fuzzing before it gets to ship
  • And it shows: bug density in Microsoft products is way down from the bad old days of 2000, and far below the bug density of any OSS

Slide 14: Security Development Lifecycle: How Successful is SDL Analysis?
  • IIS 6 has had only 5 exploits since March 2003 (its release date): http://secunia.com/product/1438
  • Not a single major public attack
  • Apache web server has had over 33 exploits in the same time period

Slide 15: Security Development Lifecycle: How Successful is SDL Analysis?
  • (chart) Vista's 1-year period vs. XP's 1-year period

Slide 16: Security Development Lifecycle: How Successful is SDL Analysis?
  • (chart) Vista's 1-year period vs. XP's 1-year period

Slide 17: Security Development Lifecycle: How Successful is SDL Analysis?
  • (chart) Windows vs. major competitors

Slide 18: Security Development Lifecycle: How Successful is SDL Analysis?
  • (chart) IE vs. competitors

Slide 19: Security Development Lifecycle: How Successful is SDL Analysis?
  • (chart) IE vs. competitors

Slide 20: Security Development Lifecycle: How Successful is SDL Analysis?
  • (chart) IE vs. competitors

Slide 21: Comparing Operating Systems

Slide 22: Funny Thing About Software
  • It turns out to be less flexible than hardware
    • An Intel Core 2 Duo has very little to do with a 386SX
    • Windows still supports APIs from the early 1990s
  • The value of Windows is the rich application base
    • That application base exists because of continuous backward compatibility
    • Many of these applications are actually dependent on legacy Windows bugs
  • Don't get to change the Windows architecture

Slide 23: Some Problems in the Windows Architecture
  • Heavy reliance on thread injection
    • One application on the desktop can inject a thread into another application
    • Execute arbitrary code in another application's address space
    • Used enough that you don't get to block it, or it might break app compat
  • Windows messages
    • Millions of them
    • Any access control check on Windows messages must be blazing fast -> can't do anything complex

Slide 24: Some Problems in the Windows Architecture
  • Impersonation
    • Many services have the impersonation privilege
    • Used so they can impersonate a client identity and do stuff on behalf of the client
    • Obvious security problems, highlighted in great detail by Cesar Cerrudo's Token Kidnapping work

Slide 25: Some Problems in the Windows Architecture
  • Massive dependence on Administrator privilege
    • Way back in NT 3.51 time, Microsoft chose to port the Win32 environment to NT, to get that very valuable application base for NT
    • Problem: Win16 and Win32 (Win 3.1, Win95) have only a single privilege level; all code that runs has command of the entire machine
    • Result: the default user on NT, Win2K, and XP is Administrator (root)
    • All the fancy security features in the NT kernel are effectively disabled

Slide 26: Fixing Administrator
  • You could just change Windows: make the default account a Standard User without Administrator privilege
    • But that would (you guessed it) break app compat
  • Fixing dependence on Administrator is what UAC is all about
    • UAC is really just sudo
    • Functions in Windows as training wheels for switching to Standard User some day
    • Allows broken apps that need Administrator to be used in a semi-unprivileged context

Slide 27: But UAC Sucks! Everyone Knows That
  • It isn't UAC per se that is sucking
  • Moving the Windows application base to non-privileged operation is a painful, drawn-out process
    • If you were barefoot your whole life, hiking boots would not be comfortable, even if you were about to cross a field of broken glass
  • UAC doesn't suck; it is the applications that abuse privilege that suck

Slide 28: Remember: abuse privilege

Slide 29: UAC Suckage
  • UAC sucks less than you might think
    • 88% of users leave UAC enabled
  • Trend is improving over time, slowly
    • 50% of user sessions were prompt-free at Vista RTM in 2006
    • 65% in Vista SP1 today for consumers
    • 80% in Vista SP1 for enterprise users

Slide 30: Some Problems in the Linux Architecture
  • The UNIX/Linux process model is mostly sound
    • At least it has two levels of privilege
  • Except for ptrace
    • Complex semantics, often broken
    • Allows any process to debug any other process owned by the same user, e.g. all of root, or all of your desktop
    • Saving grace: ptrace is only really used for debugging, so you can block it
    • AppArmor and SELinux do block it

Slide 31: Some Problems in the Linux Architecture
  • The X11 security model: not so much
    • E.g. any desktop process can keylog any other desktop process
    • That is enough for any malware that makes it to your desktop to steal your password, root's password, your credit card numbers, your social security number, etc.
  • Core problem: the X11 server is a giant MUX with no access control, so everything on a desktop has co-mingled privilege
  • SELinux branch working on enhancing X11 security
    • Has been working on it for 3 years now

Slide 32: The Interesting Market Economies of Malware
  • In a competitive market of selling software, the #2 and #3 positions are still valuable
    • Can make money selling applications for Macintosh
  • In the competitive malware market, only #1 matters
    • Because consumers (victims) are not selecting anything; rather, the attackers select the victims
  • Result: only economic to write malware for #1
    • Approximately no one attacks Linux or Mac
    • Approximately no one attacks Vista yet either, because XP is #1

Slide 33: Comparing Communities

Slide 34: Theoretical Linux Community
  • An open community of passionate experts
    • Open: anyone can join
    • Passion: everyone cares about Linux
    • Experts: everyone is convinced that they are right
  • Your job: convince everyone that you are right
    • Can lead to shouting

Slide 35: Theoretical Microsoft Community
  • Closed garden of clods who can't code for beans and only care about money
    • Bloated, baroque architecture
    • Mountains of bugs & vulnerabilities
    • Mountains of money

Slide 36: Reality: Linux Community
  • Not so open
    • Newbies are harshly treated
    • Shockingly hostile to women. Not overtly; you just are required to be willing to shout down detractors
    • Fail to conform to all the social norms, and you had better have asbestos shorts
    • God help you if you top-post
  • Passion: anyone who disagrees with your idea will tell you that you don't care about Linux
  • Experts: everyone is an argumentative butt-head

Slide 37: Reality: Microsoft Community
  • Closed garden: perhaps, but
    • Garden is 100K people, so walls are very far away
    • Admission criteria to get hired not that different from the OSS hazing rituals: must show your worth
  • Clods who can't code: no, it is priorities
    • Before 2002: features and ship date
    • 2002-6: features and security
    • Future: trying to balance all three
  • Money: having money/resources is nice
    • Windows Security is bigger than all of SUSE combined

Slide 38: My Changed Impression
  • Before I got here
    • Hmmm, Windows security seems to suck
    • I'll go show them how it is really done

Slide 39: My Changed Impression
  • After I have been here for a while
    • Microsoft is stuffed with brilliant people
    • Almost every good idea I suggested not only has already been suggested, but had already been tried and failed, because for some stupid reason it couldn't be done
    • The real work is to figure out how to break the app compat log jam, so you can add security without breaking app compat

Slide 40: Academic Security
  • Received wisdom: security must be designed in at the start
    • Can't retrofit security
  • This is for sissies
    • In theory, theory is just like practice, but in practice, it isn't
    • Any chump can design a secure operating system from scratch
    • But retrofitting security is art
  • Retrofit security is what I did to Linux with StackGuard and AppArmor
  • Retrofit security is what I intend to do for Windows
  • Microsoft is hiring
    • Microsoft is always hiring good people
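StackGuard, cited on this slide as retrofitted security, works by inserting a canary word between a function's local buffers and its saved return address and checking it before the function returns. The model below is added here and is not code from the talk or from StackGuard itself; it simulates that frame layout in a byte array to show why the original terminator canary (0x000aff0d) stops a strcpy-driven overflow from reaching the return address, why a length-driven copy can still replay it, and why a random canary catches that case too. The frame layout, canary values, return address and payload are all constructed for the simulation.

```c
#include <string.h>

/* Constructed model of a StackGuard-protected frame (not a real stack):
 * 16-byte local buffer, then the 4-byte canary, then the saved return. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFF + 4)

/* StackGuard's terminator canary 0x000aff0d as little-endian bytes. NUL, LF,
 * -1 and CR are values strcpy/gets-style copies stop at or cannot pass, so an
 * overflow through those functions cannot rewrite the canary with itself. */
static const unsigned char TERMINATOR_CANARY[4] = {0x0d, 0xff, 0x0a, 0x00};
/* A random canary (constructed value the attacker is assumed not to know). */
static const unsigned char RANDOM_CANARY[4]     = {0x7a, 0x13, 0xc4, 0x9e};
static const unsigned char ORIG_RET[4]          = {0xef, 0xbe, 0xad, 0xde};

/* Constructed payload: fill the buffer, replay the terminator canary, then
 * four bytes aimed at the saved return address. */
static const unsigned char FORGE_PAYLOAD[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x0d, 0xff, 0x0a, 0x00, 'B','B','B','B'};

struct outcome { int canary_intact; int ret_overwritten; };

static void init_frame(unsigned char *frame, const unsigned char *canary) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, canary, 4);
    memcpy(frame + RET_OFF, ORIG_RET, 4);
}
/* The epilogue check: verify the canary before trusting the return slot. */
static struct outcome check_frame(const unsigned char *frame, const unsigned char *canary) {
    struct outcome o;
    o.canary_intact   = memcmp(frame + CANARY_OFF, canary, 4) == 0;
    o.ret_overwritten = memcmp(frame + RET_OFF, ORIG_RET, 4) != 0;
    return o;
}
/* Overflow through a strcpy-style copy, which stops at the first NUL in src. */
struct outcome overflow_strcpy(const char *src, const unsigned char *canary) {
    unsigned char frame[FRAME_SIZE];
    init_frame(frame, canary);
    for (size_t i = 0; src[i] != '\0' && i < FRAME_SIZE; i++) frame[i] = (unsigned char)src[i];
    return check_frame(frame, canary);
}
/* Overflow through a length-driven copy (memcpy/read): NUL bytes do not stop it. */
struct outcome overflow_memcpy(const unsigned char *src, size_t len, const unsigned char *canary) {
    unsigned char frame[FRAME_SIZE];
    init_frame(frame, canary);
    memcpy(frame, src, len < FRAME_SIZE ? len : FRAME_SIZE);
    return check_frame(frame, canary);
}
```

With the terminator canary the strcpy path never reaches the return slot, the memcpy path replays the canary and does reach it, and the random canary turns that replay into a detected corruption.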
Slide 41: Questions
  • Contact: [email protected]
  • http://crispincowan.com/
  • Feedback: http://feedback.shmoocon.org/