Case Study: Building a More Secure Browser in IE7 Rob Franco, Lead Program Manager Internet Explorer Security FUNL03

Case Study:Case Study: Building a More Secure Browser in IE7Building a More Secure Browser in IE7

Rob Franco, Lead Program ManagerRob Franco, Lead Program ManagerInternet Explorer SecurityInternet Explorer Security

FUNL03FUNL03

Tony

Group Program Manager - IE Laurel

Lead PM, IE Platform

I hope Rob can focus this PDC

session better than his camera!

Who are you?Who are you?

Developer for an internet facing app?Developer for an internet facing app?

Developer of an IE extension?Developer of an IE extension?

About this presentationAbout this presentationIn this presentation, we will cover:In this presentation, we will cover:

The Security Development LifecycleThe Security Development LifecycleGuiding principles for IE SecurityGuiding principles for IE SecurityHigh level browser threat modelHigh level browser threat model

Data flow and Architecture of IEData flow and Architecture of IEData flow and threats for:Data flow and threats for:

User InterfaceUser InterfaceNetwork requestsNetwork requestsPage RenderingPage Rendering

How IE7 addresses the threatsHow IE7 addresses the threatsDynamic protection against web fraud & data theftDynamic protection against web fraud & data theftMore user control over add-onsMore user control over add-onsAdvanced malware protectionAdvanced malware protection

Security Training

Security Kickoff& Register with

SWI

Security DesignBest

Practices

Security Arch & Attack SurfaceReview

Use SecurityDevelopment

Tools &Security BestDev & Test Practices

Create Security

Docsand Tools

For Product

PrepareSecurity

ResponsePlan

Security Push

Pen Testing

FinalSecurity Review

Security Servicing &ResponseExecution

Feature ListsQuality Guidelines

Arch DocsSchedules

DesignSpecifications

Testing and Verification

Development of New Code

Bug Fixes

Code Signing A Checkpoint

Express Signoff

RTM

Product SupportService Packs/QFEs Security

Updates

Requirements Design Implementation Verification ReleaseSupport

&Servicing

Security Deployment Security Deployment Lifecycle Lifecycle Tasks and ProcessesTasks and Processes

ThreatModeling

FunctionalSpecifications

Traditional Microsoft Software Product Development Lifecycle Tasks and ProcessesTraditional Microsoft Software Product Development Lifecycle Tasks and Processes

Recommended ReadingRecommended Reading

Writing Secure Writing Secure Code Second Code Second EditionEdition

Threat ModelingThreat Modeling

Guiding principlesGuiding principles

Balance our customers’ need for Balance our customers’ need for browsing that’s powerful but also browsing that’s powerful but also securesecure

Architectural changes eradicate classes of Architectural changes eradicate classes of vulnerabilities in major releasesvulnerabilities in major releases

Mitigations reduce severity or prevent Mitigations reduce severity or prevent future vulnerabilities in service packsfuture vulnerabilities in service packs

Security Updates address targeted Security Updates address targeted vulnerabilities and variationsvulnerabilities and variations

Every release goes through threat Every release goes through threat modeling, penetration testing and modeling, penetration testing and code analysis toolscode analysis tools

Browser basicsBrowser basicsData flowData flow

Outbound:Outbound:URLs URLs

HTTP requests HTTP requests

Auth & cookie Auth & cookie datadata

Inbound:Inbound:URLsURLs

HTMLHTML

ScriptScript

Non-IE filesNon-IE files

www.BadGuys.com

Cache boundary

User Profile

Internet Explorer

External Helper Applications

Program Files, Registry, etc.

Requests

Content

Documents, Settings,

etc.

ActiveX controlsDownloads, etc.

Helper requests

User Interface IEFrameIEFrame

Network request layer

PageRendering

Browser basicsBrowser basicsArchitectureArchitecture

WinINetWinINet

URLMonURLMon

Browser Browser Helper Helper ObjectsObjects

ToolbarsToolbars

MimefilteMimefiltersrs

MSHTMLMSHTML

ActiveXActiveX

Script Script EngineEngine

BinaryBinaryBehaviorsBehaviors

Sample Threats:Sample Threats:URLs parsed URLs parsed incorrectlyincorrectly

Domain spoofedDomain spoofedbuffer overrunbuffer overrunUser can’t read User can’t read URLURL

Dangerous files Dangerous files launch & installlaunch & install

User clicks “OK”User clicks “OK”Logic error in Logic error in promptprompt

Scripted Windows Scripted Windows trick usertrick user

Overlays UI Overlays UI warningswarnings

User lowers User lowers security settingssecurity settings

User Interface(IEFrame)

Network Requests(Wininet & URLMon)

Page Rendering (MSHTML)

URL Requests

URLs, Files

WindowCommands

Threats from Data FlowThreats from Data FlowUser Interface LayerUser Interface Layer

www.BadGuys.com

Cache boundary

NetworkRequests

(Wininet & URLMon)

Pluggable Protocols

Requests

Content

URLs,HTML

Helper requests


User Interface(IEFrame)

URL Requests

URL Requests

URLs,Non-HTML files

Helper requests

Sample Threats:Sample Threats:Auth Credentials Auth Credentials encryption encryption crackedcracked

URL parsed URL parsed incorrectyincorrecty

buffer overrun buffer overrun

Security settings Security settings not enforcednot enforced

Data sniffer Data sniffer buffer overrun or buffer overrun or logic failurelogic failure

Faulty pluggable Faulty pluggable protocol loadsprotocol loads

Threats from Data Flow Threats from Data Flow Network ReqNetwork Req

Network Requests(Wininet & URLMon)

Script Engine

URLs,HTML

Page access


URL Requests

Script

ActiveX Controls

COM Calls

COM Calls

URL Requests

COM Calls

Sample ThreatsSample ThreatsURLs parsed URLs parsed incorrectlyincorrectly

buffer overrun buffer overrun

Page Access Page Access rules failrules fail

HTML parser HTML parser buffer overrunbuffer overrun

Faulty COM Faulty COM object loadsobject loads

Page Access Page Access rules failrules fail

Unsafe access Unsafe access defaultsdefaults

Page RedirectsPage Redirects

Threats from Data FlowThreats from Data FlowPage Rendering LayerPage Rendering Layer

About this presentationAbout this presentationIn this presentation, we will cover:In this presentation, we will cover:

The Security Development LifecycleThe Security Development LifecycleGuiding principles for IE SecurityGuiding principles for IE SecurityHigh level browser threat modelHigh level browser threat model

Data flow and Architecture of IEData flow and Architecture of IEData flow and threats for:Data flow and threats for:

UI LayerUI LayerNetwork request layer Network request layer Page Rendering layerPage Rendering layer

How IE7 addresses the threatsHow IE7 addresses the threatsDynamic protection against web fraud & data theftDynamic protection against web fraud & data theftMore user control over add-onsMore user control over add-onsAdvanced malware protectionAdvanced malware protection

In this demo, you will see how In this demo, you will see how IE 7:IE 7:Uses a dynamic Phishing-Filter Uses a dynamic Phishing-Filter

to protect users from phishing to protect users from phishing sites sites

Uses heuristics to detect Uses heuristics to detect suspicious sitessuspicious sites

Highlights the user experience Highlights the user experience for secure sites (SSL)for secure sites (SSL)

Warns users about unsafe Warns users about unsafe settingssettings

Dynamic protection against Dynamic protection against fraudfraudSafer UI for browsingSafer UI for browsing

Tariq, Manav, John and I try to catch the Phishers

The UX team added Address bars to pop-up windows, Unsafe settings warnings and Pop-up

blocking

Problems:Problems:ActiveX controls can expose dangerous ActiveX controls can expose dangerous functions and security bugs to any page on functions and security bugs to any page on the webthe web

Users have no control over the number of Users have no control over the number of controls installed by defaultcontrols installed by default

Users suspect Add-ons have privacy and Users suspect Add-ons have privacy and reliability problemsreliability problems

Solutions:Solutions:Unused ActiveX controls will prompt on first Unused ActiveX controls will prompt on first use the same as downloaded controlsuse the same as downloaded controls

Users can run in Add-ons disabled mode to Users can run in Add-ons disabled mode to shut off more extensions like BHOsshut off more extensions like BHOs

User Control Over Add-onsUser Control Over Add-onsActiveX Opt-in & No Add-ons ModeActiveX Opt-in & No Add-ons Mode

Best practices:Best practices:Threat model controlsThreat model controls

Limit reads and writes, beware Limit reads and writes, beware redirectsredirects

Site-Lock control to only work on one Site-Lock control to only work on one sitesite

Clearly identify your control with Clearly identify your control with signatures signatures

Find more here:Find more here:http://msdn.microsoft.com/library/default.asp?url=/http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/security.aspworkshop/components/activex/security.asp

User Control Over Add-onsUser Control Over Add-onsBuilding safer ActiveX controlsBuilding safer ActiveX controls

John, Phoebe and Vidya planning for IE7 Platform and Network features

Advanced malware Advanced malware protectionprotectionUnified URL parsingUnified URL parsingProblem:Problem:

Special characters complicate URL Special characters complicate URL parsingparsing

http://[email protected]://[email protected]

URLs passed as strings maybe parsed URLs passed as strings maybe parsed inconsistently through the stackinconsistently through the stack

Solution:Solution:iURI is IE’s single URL parsing objectiURI is IE’s single URL parsing object

Canonicalizes URLs targeting RFC 3986Canonicalizes URLs targeting RFC 3986

IE passes URLs the pre-parsed object IE passes URLs the pre-parsed object through the stackthrough the stack

Partners can also use the iURI object Partners can also use the iURI object in URLMON to canonicalize URLSin URLMON to canonicalize URLS

Advanced malware Advanced malware protectionprotectionSample using iURI to parse Sample using iURI to parse hostnamehostname

#include <urlmon.h>#include <urlmon.h>

......

IUri *pIUri = NULL;IUri *pIUri = NULL;

HRESULT hr = CreateUri(pwzUrl, Uri_CREATE_ALLOW_RELATIVE, 0, &pIUri);HRESULT hr = CreateUri(pwzUrl, Uri_CREATE_ALLOW_RELATIVE, 0, &pIUri);

if (SUCCEEDED(hr))if (SUCCEEDED(hr))

{{

BSTR bstrHost = NULL;BSTR bstrHost = NULL;

hr = pIUri->GetHost(&bstrHost);hr = pIUri->GetHost(&bstrHost);

if (S_OK == hr) // Host exists. Do something with it.if (S_OK == hr) // Host exists. Do something with it.

{{

SysFreeString(bstrHost);SysFreeString(bstrHost);

}}

else if (S_FALSE == hr) // Host doesn’t exist in this URI.else if (S_FALSE == hr) // Host doesn’t exist in this URI.

{{

}}

pIUri->Release();pIUri->Release();

}}

Early documentation here:Early documentation here:

http://msdn.microsoft.com/library/http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/default.asp?url=/workshop/networking/moniker/reference/ifaces/iuri/iuri.asp?moniker/reference/ifaces/iuri/iuri.asp?frame=trueframe=true

Networking Dev & Test captured on film away from their work

ElemenElementt

<H><H>

IDID CardCard

ColorColor BlackBlack

SizeSize 3232

TextText %Credit Card#%%Credit Card#%

DomainDomain www.MyBank.cowww.MyBank.comm

Script in the Internet Zone has to go through a domain check in order to access the element.

RULE #1 : Only script from the same domain can access an element

ScriptScript Card.color=“RECard.color=“RED”D”


%Credit Card#%

Advanced malware Advanced malware protectionprotectionCross Domain SecurityCross Domain Security

%Credit Card#%

ElemenElementt

<H><H>

IDID CardCard

ColorColor BlackBlack

SizeSize 3232

TextText %Credit Card#%%Credit Card#%


ScriptScript Card.color=“RECard.color=“RED”D”

DomainDomain www.evil.comwww.evil.com

Advanced malware Advanced malware protectionprotectionCross Domain SecurityCross Domain SecurityRULE #1 :

Only script from the same domain can access an element

Problems:Problems:Hackers use script protocols to run domain-Hackers use script protocols to run domain-less script in the navigation codepathless script in the navigation codepath

Type this in your address bar:Type this in your address bar:javascript:alert(document.body.innerHTML)javascript:alert(document.body.innerHTML)

Redirects sometimes evade Domain checksRedirects sometimes evade Domain checks

Solutions:Solutions:Migrate the script protocol to run as script in Migrate the script protocol to run as script in the originating pagethe originating page

Deny access to objects that aren’t redirect-Deny access to objects that aren’t redirect-awareaware

Partner code should also enforce Partner code should also enforce secure domain access rules and be secure domain access rules and be redirect-awareredirect-aware

Advanced malware Advanced malware protectionprotectionCross Domain SecurityCross Domain Security

ElemenElementt

<IMG><IMG>

SRCSRC ..\..\BufferOverrun.jpgBufferOverrun.jpg

DomainDomain www.evil.comwww.evil.com

<H1>

<IMG SRC = “xxx…xxxx”>

George

</H1>

Parser

Problem:

•Attacker finds a place where the parser does not check for size of an argument

Solutions:

•IE uses automated code review tools, fuzz testing and safe memory APIs to help prevent buffer overruns

Partners can use the same tools we use to find and prevent buffer overruns. These tools are part of Visual Studio .Net

szImagePath[20];

lstrcpy(szImagePath,szUserInput);

szImagePath[20];

lstrcpy(szImagePath,”xxx…xxxx”);

Advanced Malware Advanced Malware ProtectionProtectionPreventing Buffer OverrunsPreventing Buffer Overruns

IExplore.exeIExplore.exe

Install a driver,

Run Windows Update

Change Settings,

Download a Picture

Cache Web content

Exploit can install MALWARE

Exploit can install MALWARE

Admin-Rights Access

Admin-Rights Access

User-Rights AccessUser-Rights Access

Temp Internet FilesTemp Internet Files

HKLM

Program Files

HKCU

My Documents

Startup Folder

Untrusted files & settings

Advanced Malware Advanced Malware ProtectionProtectionThreats w admin rightsThreats w admin rights

LoRIELoRIE

Install a driver,

Install an ActiveX control

Change settings,

Save a picture

Inte

gri

ty C

on

tro

l

Bro

ker

Pro

cess

Redirected settings & files

Com

pat

Red

irect

or

Cache Web content

Admin-Rights Access

Admin-Rights Access

User-Rights AccessUser-Rights Access

Temp Internet FilesTemp Internet Files

HKLM

HKCR

Program Files

HKCU

My Documents

Startup Folder

Untrusted files & settings

Advanced Malware Advanced Malware ProtectionProtectionProtected Mode IE, UAP contain Protected Mode IE, UAP contain threatsthreats

In this demo, IE for Windows Vista will:In this demo, IE for Windows Vista will:Protect the user from a potentially Protect the user from a potentially

unsafe control unsafe control Run with restrictions to prevent Run with restrictions to prevent

exploits from installing malware on exploits from installing malware on user’s systemsuser’s systems

Still allows users to download files or Still allows users to download files or change settingschange settings

Allow Intranet sites to run without Allow Intranet sites to run without restrictionsrestrictions

Advanced Malware ProtectionAdvanced Malware ProtectionActiveX Opt-in and Protected Mode ActiveX Opt-in and Protected Mode IEIE

Build “Protected Mode” for your app if it Build “Protected Mode” for your app if it handles untrusted datahandles untrusted data

Set any file/registry ACLs that are safe and Set any file/registry ACLs that are safe and needed to LOWneeded to LOW

Eg. %AppData%\%YourAppName%\Untrusted DataEg. %AppData%\%YourAppName%\Untrusted Data

Create your process with the Low Integrity Create your process with the Low Integrity tokentokenCreate a broker process for Medium or High Create a broker process for Medium or High Integrity OperationsIntegrity Operations

Add-ons inside of IE, run “Low” by defaultAdd-ons inside of IE, run “Low” by defaultWrites to the user’s profile will be Writes to the user’s profile will be automatically redirected to a subdirectory of automatically redirected to a subdirectory of the TIFthe TIFExtensions can use the SaveAs APIs to call the Extensions can use the SaveAs APIs to call the broker to prompt the user to save a file to the broker to prompt the user to save a file to the user profile systemuser profile system

Advanced Malware Advanced Malware ProtectionProtectionOptions for running at “least Options for running at “least privilege”privilege”

User consent or “Allow list” let’s User consent or “Allow list” let’s extensions launch Apps at “Medium”extensions launch Apps at “Medium”

An allow-list will let known apps elevate An allow-list will let known apps elevate to medium without user intervention to medium without user intervention

Other processes spawned from IE will Other processes spawned from IE will throw an “information bar” unless throw an “information bar” unless marked for lowmarked for low

Compat logging will help diagnose Compat logging will help diagnose failed or redirected writes and failed or redirected writes and create processcreate process

Advanced Malware Advanced Malware ProtectionProtectionOptions for running at “least Options for running at “least privilege”privilege”

Anantha and Bogdan powering through to code complete

Marc and Robert from the Protected Mode IE team test their code on a demo page

DeanGeneral Manager

IE unmasked?IE unmasked? “You know, I have one simple request.

And that is to have anti-phishing frickin' laser beams attached to the browser! Now evidently my security team informs me that that cannot be done.

Ah, would you remind me what I pay you people for, honestly?

Throw me a bone here!”

Security Development Lifecycle helps Security Development Lifecycle helps mitigate riskmitigate risk

Users count on our industry to be Users count on our industry to be secure and compatible secure and compatible

Tools available for you to useTools available for you to useTrain using Writing secure code and the Threat Train using Writing secure code and the Threat Modeling booksModeling books

Correctly handle URLs with IE7’s iURICorrectly handle URLs with IE7’s iURI

Threat model extensions like ActiveX controlsThreat model extensions like ActiveX controls

Remove Buffer Overruns from your code with Remove Buffer Overruns from your code with tools in Visual Studio Whidbeytools in Visual Studio Whidbey

Run with least privilege using Mandatory Run with least privilege using Mandatory Integrity Control in Windows VistaIntegrity Control in Windows Vista

SummarySummaryTarget: Secure and CompatibleTarget: Secure and Compatible

PRS 203 “What’s new in IE7” PRS 203 “What’s new in IE7” Tuesday, 4:15 (past)Tuesday, 4:15 (past)Halls C&DHalls C&D

FUN 406 “Windows Vista User Account FUN 406 “Windows Vista User Account Protection”Protection”

Wednesday, 11:00 AM (past)Wednesday, 11:00 AM (past)402AB402AB

DAT 320 “Building RSS enabled applications”DAT 320 “Building RSS enabled applications”Thursday, 2:15Thursday, 2:15403AB403AB

FUN 314 “Architecting apps for the future with FUN 314 “Architecting apps for the future with compatibility”compatibility”

Thursday, 2:15Thursday, 2:15408AB408AB

Related Talks at the PDCRelated Talks at the PDC

Questions?Questions?

BACKUPSBACKUPS

In this demonstration, you will see In this demonstration, you will see how Internet Explorer 7:how Internet Explorer 7:

Uses a dynamic Phishing-Filter to protect Uses a dynamic Phishing-Filter to protect users from phishing sites users from phishing sites

Uses heuristics to detect suspicious sitesUses heuristics to detect suspicious sites

Highlights the user experience for secure Highlights the user experience for secure sites (SSL)sites (SSL)

Warns users about unsafe settingsWarns users about unsafe settings

Dynamic protection against fraudDynamic protection against fraudSafer UI for browser settingsSafer UI for browser settings

Dynamic protection against fraudDynamic protection against fraud

Problem:Problem:IP address and misleading URLs IP address and misleading URLs convince users to give away personal convince users to give away personal informationinformation

Solutions:Solutions:Dynamic Phishing Filter blocks known Dynamic Phishing Filter blocks known attacksattacksImproved URL parsing robust against Improved URL parsing robust against encoding tricksencoding tricks

Solution (continued)Solution (continued)Address bar on every pop-up windowAddress bar on every pop-up window

Background Tabs can’t open windowsBackground Tabs can’t open windows


Solution (continued)Solution (continued)International Domain Names (IDN) must International Domain Names (IDN) must be in a language supported by the user’s be in a language supported by the user’s systemsystem

Multiple languages can’t be mixed in an Multiple languages can’t be mixed in an IDN URLIDN URL


Security settings per zone

aka URLActions

Note: Windows Server 2003 has stricter defaults Note: Windows Server 2003 has stricter defaults than other versions of IEthan other versions of IE


IntranetIntranetMachine names in your Machine names in your domain domain MED-LOW, Automatic MED-LOW, Automatic domain logindomain login

InternetInternetFully-qualified domain Fully-qualified domain names names MED, Only uses safe MED, Only uses safe extensibilityextensibility

Restricted sitesRestricted sitesEmpty unless configuredEmpty unless configuredHIGH, only renders HIGH, only renders HTML, HTML, loads no extensionsloads no extensions

Problems:Problems:Users opt to change settingsUsers opt to change settingsMy Computer and Trusted My Computer and Trusted are targetsare targets

----------------------------------------------------------------------My Computer zoneMy Computer zone

Not shown in the UINot shown in the UIAny HTML content on the Any HTML content on the local machinelocal machineLOW--, Unrestricted access LOW--, Unrestricted access to to

scriptable APIsscriptable APIs

Trusted sitesTrusted sitesEmpty unless configuredEmpty unless configuredLOW, sites can silentlyLOW, sites can silentlyinstall signed ActiveXinstall signed ActiveX


IntranetIntranetDisabledDisabled on Consumer on Consumer PCs PCs MED-LOW, Automatic MED-LOW, Automatic domain logindomain login

InternetInternetFully-qualified domains Fully-qualified domains MED-HIGHMED-HIGH

Restricted sitesRestricted sitesEmpty unless configuredEmpty unless configuredHIGH, only renders HIGH, only renders HTML, HTML, loads no extensionsloads no extensions

Solutions:Solutions:More secure defaultsMore secure defaultsUI to prevent unsafe UI to prevent unsafe settingssettings

----------------------------------------------------------------------My Computer zoneMy Computer zone

HIGH HIGH when used in IEwhen used in IE

Trusted sitesTrusted sitesEmpty unless configuredEmpty unless configuredMEDMED, only uses safe , only uses safe extensibilityextensibility


Shown under address bar


In this demo, you will see how In this demo, you will see how Internet Explorer for Windows Vista:Internet Explorer for Windows Vista:

Runs with restrictions to prevent Runs with restrictions to prevent exploits from installing malware on exploits from installing malware on user’s systemsuser’s systems

Still allows users to download files Still allows users to download files or changing settingsor changing settings

Allows Intranet sites to run without Allows Intranet sites to run without restrictionsrestrictions

Advanced Malware Advanced Malware ProtectionProtectionDemo: Protected Mode IEDemo: Protected Mode IE