Case Study: Building a More Secure Browser in IE7
Rob Franco, Lead Program Manager, Internet Explorer Security
FUNL03
Tony, Group Program Manager - IE; Laurel, Lead PM, IE Platform
I hope Rob can focus this PDC session better than his camera!
Who are you?
Developer for an internet facing app?
Developer of an IE extension?
About this presentation
In this presentation, we will cover:
The Security Development Lifecycle
Guiding principles for IE Security
High level browser threat model
Data flow and Architecture of IE
Data flow and threats for:
  User Interface
  Network requests
  Page Rendering
How IE7 addresses the threats
  Dynamic protection against web fraud & data theft
  More user control over add-ons
  Advanced malware protection
The Security Development Lifecycle
(Figure: Security Development Lifecycle tasks and processes laid over the traditional Microsoft software product development lifecycle tasks and processes)

Phase                Traditional tasks and processes                    Security Development Lifecycle tasks and processes
Requirements         Feature Lists, Quality Guidelines,                 Security Training; Security Kickoff & Register with SWI
                     Arch Docs, Schedules
Design               Design Specifications, Functional Specifications   Security Design Best Practices; Security Arch & Attack
                                                                        Surface Review; Threat Modeling
Implementation       Development of New Code, Testing and               Use Security Development Tools & Security Best Dev & Test
                     Verification, Bug Fixes                            Practices; Create Security Docs and Tools For Product
Verification         Code Signing, A Checkpoint Express Signoff         Prepare Security Response Plan; Security Push; Pen Testing
Release              RTM                                                Final Security Review
Support & Servicing  Product Support, Service Packs/QFEs,               Security Servicing & Response Execution
                     Security Updates
Recommended Reading
Writing Secure Code, Second Edition
Threat Modeling
Guiding principles
Balance our customers' need for browsing that's powerful but also secure
Architectural changes eradicate classes of vulnerabilities in major releases
Mitigations reduce severity or prevent future vulnerabilities in service packs
Security Updates address targeted vulnerabilities and variations
Every release goes through threat modeling, penetration testing and code analysis tools
Browser basics: Data flow
Outbound: URLs, HTTP requests, Auth & cookie data
Inbound: URLs, HTML, Script, Non-IE files
(Figure: www.BadGuys.com exchanges Requests and Content with Internet Explorer across the Cache boundary; inside IE sit the User Interface (IEFrame), the Network request layer and Page Rendering, above the User Profile (Documents, Settings, etc.); Helper requests go to External Helper Applications; ActiveX controls, Downloads, etc. reach Program Files, Registry, etc.)
Browser basics: Architecture
User Interface (IEFrame): Browser Helper Objects, Toolbars
Network request layer: WinINet, URLMon, Mime filters
Page Rendering: MSHTML, ActiveX, Script Engine, Binary Behaviors
Threats from Data Flow: User Interface Layer
(Figure: User Interface (IEFrame) exchanges URL Requests and URLs, Files with Network Requests (Wininet & URLMon) and Page Rendering (MSHTML), and receives Window Commands)
Sample Threats:
  URLs parsed incorrectly
  Domain spoofed
  buffer overrun
  User can't read URL
  Dangerous files launch & install
  User clicks "OK"
  Logic error in prompt
  Scripted Windows trick user
  Overlays UI warnings
  User lowers security settings
Threats from Data Flow: Network Request Layer
(Figure: www.BadGuys.com returns Content for Requests across the Cache boundary into Network Requests (Wininet & URLMon), which hosts Pluggable Protocols; URL Requests arrive from User Interface (IEFrame) and Page Rendering (MSHTML); URLs, HTML go to Page Rendering; URLs, Non-HTML files and Helper requests go out to helper applications)
Sample Threats:
  Auth Credentials encryption cracked
  URL parsed incorrectly
  buffer overrun
  Security settings not enforced
  Data sniffer buffer overrun or logic failure
  Faulty pluggable protocol loads
Threats from Data Flow: Page Rendering Layer
(Figure: Network Requests (Wininet & URLMon) deliver URLs, HTML to Page Rendering (MSHTML) and receive URL Requests back; MSHTML hands Script to the Script Engine, which gets Page access in return; ActiveX Controls are reached through COM Calls)
Sample Threats:
  URLs parsed incorrectly
  buffer overrun
  Page Access rules fail
  HTML parser buffer overrun
  Faulty COM object loads
  Unsafe access defaults
  Page Redirects
About this presentation
In this presentation, we will cover:
The Security Development Lifecycle
Guiding principles for IE Security
High level browser threat model
Data flow and Architecture of IE
Data flow and threats for:
  UI Layer
  Network request layer
  Page Rendering layer
How IE7 addresses the threats
  Dynamic protection against web fraud & data theft
  More user control over add-ons
  Advanced malware protection
Dynamic protection against fraud: Safer UI for browsing
In this demo, you will see how IE 7:
  Uses a dynamic Phishing-Filter to protect users from phishing sites
  Uses heuristics to detect suspicious sites
  Highlights the user experience for secure sites (SSL)
  Warns users about unsafe settings
Tariq, Manav, John and I try to catch the Phishers
The UX team added Address bars to pop-up windows, Unsafe settings warnings and Pop-up blocking
User Control Over Add-ons: ActiveX Opt-in & No Add-ons Mode
Problems:
  ActiveX controls can expose dangerous functions and security bugs to any page on the web
  Users have no control over the number of controls installed by default
  Users suspect Add-ons have privacy and reliability problems
Solutions:
  Unused ActiveX controls will prompt on first use the same as downloaded controls
  Users can run in Add-ons disabled mode to shut off more extensions like BHOs
User Control Over Add-ons: Building safer ActiveX controls
Best practices:
  Threat model controls
  Limit reads and writes, beware redirects
  Site-Lock control to only work on one site
  Clearly identify your control with signatures
Find more here: http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/security.asp
John, Phoebe and Vidya planning for IE7 Platform and Network features
Advanced malware protection: Unified URL parsing
Problem:
  Special characters complicate URL parsing
  http://[email protected]
  URLs passed as strings may be parsed inconsistently through the stack
Solution:
  IUri is IE's single URL parsing object
  Canonicalizes URLs targeting RFC 3986
  IE passes the pre-parsed URL object through the stack instead of the string
  Partners can also use the IUri object in URLMON to canonicalize URLs
Advanced malware protection: Sample using IUri to parse hostname

    #include <urlmon.h>
    ...
    IUri *pIUri = NULL;
    HRESULT hr = CreateUri(pwzUrl, Uri_CREATE_ALLOW_RELATIVE, 0, &pIUri);
    if (SUCCEEDED(hr))
    {
        BSTR bstrHost = NULL;
        hr = pIUri->GetHost(&bstrHost);
        if (S_OK == hr) // Host exists. Do something with it.
        {
            SysFreeString(bstrHost);
        }
        else if (S_FALSE == hr) // Host doesn't exist in this URI.
        {
        }
        pIUri->Release();
    }

Early documentation here:
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/reference/ifaces/iuri/iuri.asp?frame=true
Networking Dev & Test captured on film away from their work
Advanced malware protection: Cross Domain Security
Element <H>:
  ID      Card
  Color   Black
  Size    32
  Text    %Credit Card#%
  Domain  www.MyBank.com
Script (Domain www.MyBank.com): Card.color="RED"
Script in the Internet Zone has to go through a domain check in order to access the element.
RULE #1: Only script from the same domain can access an element
Advanced malware protection: Cross Domain Security
Element <H>:
  ID      Card
  Color   Black
  Size    32
  Text    %Credit Card#%
  Domain  www.MyBank.com
Script (Domain www.evil.com): Card.color="RED"
RULE #1: Only script from the same domain can access an element
Advanced malware protection: Cross Domain Security
Problems:
  Hackers use script protocols to run domain-less script in the navigation codepath
  Type this in your address bar: javascript:alert(document.body.innerHTML)
  Redirects sometimes evade Domain checks
Solutions:
  Migrate the script protocol to run as script in the originating page
  Deny access to objects that aren't redirect-aware
  Partner code should also enforce secure domain access rules and be redirect-aware
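The two points above (one canonical URL parse passed through the stack, and Rule #1 for cross-domain access) in working form, as an added example that is not code from the deck or from IE: a small RFC 3986-style host parser in portable C and a same-domain check built on it. The names parse_host, same_domain and host_is are chosen here; percent-decoding, IDN and default ports are left out.

```c
/* Added example (not IE code): recover the real host of a URL once, in one
 * place, and reuse that result for the same-domain check.  Re-parsing the
 * string at every layer is what lets "www.MyBank.com@www.BadGuys.com" be
 * read as the bank by one component and as BadGuys by another. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Writes the lower-cased host of url into host. Returns 1 on success, 0 when
 * the URL has no authority (javascript:, mailto:) or the host is malformed. */
int parse_host(const char *url, char *host, size_t hostlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;                 /* no "//authority" at all */
    p += 3;
    size_t alen = strcspn(p, "/?#");         /* authority ends at / ? or # */
    if (alen == 0) return 0;
    /* RFC 3986: userinfo is terminated by '@'. Scan the whole authority so a
     * decoy such as "www.MyBank.com@" in front is never taken for the host. */
    const char *h = p;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') h = p + i + 1;
    size_t hlen = alen - (size_t)(h - p);
    if (hlen == 0) return 0;
    const char *end = h + hlen;
    if (h[0] == '[') {                       /* bracketed IPv6 literal */
        const char *rb = memchr(h, ']', hlen);
        if (rb == NULL) return 0;
        end = rb + 1;
    } else {
        const char *colon = memchr(h, ':', hlen);
        if (colon != NULL) end = colon;      /* drop the :port suffix */
    }
    hlen = (size_t)(end - h);
    if (hlen == 0 || hlen >= hostlen) return 0;
    for (size_t i = 0; i < hlen; i++)
        host[i] = (char)tolower((unsigned char)h[i]);
    host[hlen] = '\0';
    return 1;
}

/* Rule #1 from the deck: script may access an element only when both come
 * from the same domain. A URL that carries no host of its own (javascript:)
 * fails closed instead of inheriting a domain it never had. */
int same_domain(const char *script_url, const char *page_url)
{
    char a[256], b[256];
    if (!parse_host(script_url, a, sizeof a)) return 0;
    if (!parse_host(page_url, b, sizeof b)) return 0;
    return strcmp(a, b) == 0;
}

/* Demo helper: 1 when url's host equals expected; expected == NULL means
 * "must have no host at all". */
int host_is(const char *url, const char *expected)
{
    char h[256];
    int ok = parse_host(url, h, sizeof h);
    if (expected == NULL) return !ok;
    return ok && strcmp(h, expected) == 0;
}

int main(void)
{
    /* Constructed inputs using the hostnames that appear in the deck. */
    const char *urls[] = {
        "http://www.MyBank.com@www.BadGuys.com/login",
        "HTTP://WWW.MYBANK.COM:8443/account?id=1#top",
        "javascript:alert(document.body.innerHTML)" };
    char h[256];
    for (size_t i = 0; i < 3; i++)
        printf("%-46s -> %s\n", urls[i],
               parse_host(urls[i], h, sizeof h) ? h : "(no host)");
    return 0;
}
```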
Advanced Malware Protection: Preventing Buffer Overruns
Element <IMG>:
  SRC     ..\..\BufferOverrun.jpg
  Domain  www.evil.com
Parser input:
  <H1>
  <IMG SRC = "xxx…xxxx">
  George
  </H1>
Problem:
  Attacker finds a place where the parser does not check for size of an argument
Solutions:
  IE uses automated code review tools, fuzz testing and safe memory APIs to help prevent buffer overruns
  Partners can use the same tools we use to find and prevent buffer overruns. These tools are part of Visual Studio .Net
The vulnerable pattern (no length check before the copy):

    char szImagePath[20];
    lstrcpy(szImagePath, szUserInput);

and the input that overruns it:

    char szImagePath[20];
    lstrcpy(szImagePath, "xxx…xxxx");
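The szImagePath[20] pattern from the slide beside a bounds-checked version of the same <IMG SRC="..."> parse, as an added example that is not code from the deck; strcpy stands in for the Win32 lstrcpy shown, and the function names are chosen here.

```c
/* Added example (not IE code): the slide's szImagePath[20] copy without a
 * length check, next to a parser that rejects any SRC value that would not
 * fit.  A real Windows component would reach for StringCchCopy, which the
 * deck's "safe memory APIs" refers to; memcpy after an explicit check is the
 * portable equivalent used here. */
#include <stdio.h>
#include <string.h>

#define IMAGE_PATH_CCH 20   /* szImagePath[20] from the slide */

/* The vulnerable pattern: the length of the attribute value is never
 * compared with the buffer, so a SRC longer than 19 characters overruns
 * szImagePath.  Kept only for contrast; never call it with untrusted input. */
void store_image_path_unsafe(char szImagePath[IMAGE_PATH_CCH], const char *szUserInput)
{
    strcpy(szImagePath, szUserInput);
}

/* Bounded copy: refuses (and leaves an empty string) when the value plus its
 * terminator would not fit.  The parser treats a refusal as a bad tag. */
int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (cap == 0) return 0;
    if (len >= cap) { dst[0] = '\0'; return 0; }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Extracts the quoted SRC value of an <IMG> tag into szImagePath.
 * Returns 1 when a value was stored, 0 for a malformed tag or an oversized
 * value.  Upper-case SRC is assumed, as written on the slide. */
int parse_img_src(const char *tag, char szImagePath[IMAGE_PATH_CCH])
{
    const char *a = strstr(tag, "SRC");
    if (a == NULL) return 0;
    a += 3;
    while (*a == ' ') a++;
    if (*a != '=') return 0;
    a++;
    while (*a == ' ') a++;
    char quote = *a;
    if (quote != '"' && quote != '\'') return 0;
    a++;
    const char *end = strchr(a, quote);
    if (end == NULL) return 0;
    return copy_bounded(szImagePath, IMAGE_PATH_CCH, a, (size_t)(end - a));
}

/* Demo helper: 1 when the tag is accepted and its SRC equals expected;
 * pass expected == NULL to check that the tag is rejected. */
int img_src_is(const char *tag, const char *expected)
{
    char path[IMAGE_PATH_CCH];
    int ok = parse_img_src(tag, path);
    if (expected == NULL) return !ok;
    return ok && strcmp(path, expected) == 0;
}

int main(void)
{
    /* Constructed tags: the slide's George image and an oversized SRC. */
    const char *tags[] = {
        "<IMG SRC=\"George.jpg\">",
        "<IMG SRC = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\">" };
    char path[IMAGE_PATH_CCH];
    for (size_t i = 0; i < 2; i++)
        printf("%-50s -> %s\n", tags[i],
               parse_img_src(tags[i], path) ? path : "(rejected)");
    return 0;
}
```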
Advanced Malware Protection: Threats with admin rights
(Figure: IExplore.exe running with the user's full rights)
Admin-Rights Access lets IExplore.exe install a driver or run Windows Update (HKLM, Program Files)
User-Rights Access lets it change settings or download a picture (HKCU, My Documents, Startup Folder)
It also caches Web content into Temp Internet Files (untrusted files & settings)
Because the browser holds all of these rights at once, an exploit can install MALWARE
Advanced Malware Protection: Protected Mode IE and UAP contain threats
(Figure: LoRIE, low-rights IE, under Integrity Control)
LoRIE caches Web content into Temp Internet Files (untrusted files & settings)
Operations that need more rights go through a Broker Process:
  Admin-Rights Access: install a driver, install an ActiveX control (HKLM, HKCR, Program Files)
  User-Rights Access: change settings, save a picture (HKCU, My Documents, Startup Folder)
A Compat Redirector handles redirected settings & files written by LoRIE
Advanced Malware Protection: ActiveX Opt-in and Protected Mode IE
In this demo, IE for Windows Vista will:
  Protect the user from a potentially unsafe control
  Run with restrictions to prevent exploits from installing malware on users' systems
  Still allow users to download files or change settings
  Allow Intranet sites to run without restrictions
Advanced Malware Protection: Options for running at "least privilege"
Build "Protected Mode" for your app if it handles untrusted data
  Set any file/registry ACLs that are safe and needed to LOW
    Eg. %AppData%\%YourAppName%\Untrusted Data
  Create your process with the Low Integrity token
  Create a broker process for Medium or High Integrity Operations
Add-ons inside of IE run "Low" by default
  Writes to the user's profile will be automatically redirected to a subdirectory of the TIF
  Extensions can use the SaveAs APIs to call the broker to prompt the user to save a file to the user profile system
User consent or an "Allow list" lets extensions launch Apps at "Medium"
  An allow-list will let known apps elevate to medium without user intervention
  Other processes spawned from IE will throw an "information bar" unless marked for low
Compat logging will help diagnose failed or redirected writes and create process
Anantha and Bogdan powering through to code complete
Marc and Robert from the Protected Mode IE team test their code on a demo page
Dean, General Manager
IE unmasked? "You know, I have one simple request.
And that is to have anti-phishing frickin' laser beams attached to the browser! Now evidently my security team informs me that that cannot be done.
Ah, would you remind me what I pay you people for, honestly?
Throw me a bone here!”
Summary: Target: Secure and Compatible
Security Development Lifecycle helps mitigate risk
Users count on our industry to be secure and compatible
Tools available for you to use:
  Train using the Writing Secure Code and Threat Modeling books
  Correctly handle URLs with IE7's IUri
  Threat model extensions like ActiveX controls
  Remove Buffer Overruns from your code with tools in Visual Studio Whidbey
  Run with least privilege using Mandatory Integrity Control in Windows Vista
Related Talks at the PDC
PRS 203 "What's new in IE7", Tuesday, 4:15 (past), Halls C&D
FUN 406 "Windows Vista User Account Protection", Wednesday, 11:00 AM (past), 402AB
DAT 320 "Building RSS enabled applications", Thursday, 2:15, 403AB
FUN 314 "Architecting apps for the future with compatibility", Thursday, 2:15, 408AB
Questions?
BACKUPS
Dynamic protection against fraud: Safer UI for browser settings
In this demonstration, you will see how Internet Explorer 7:
  Uses a dynamic Phishing-Filter to protect users from phishing sites
  Uses heuristics to detect suspicious sites
  Highlights the user experience for secure sites (SSL)
  Warns users about unsafe settings
Dynamic protection against fraud
Problem: IP address and misleading URLs convince users to give away personal information
Solutions:
  Dynamic Phishing Filter blocks known attacks
  Improved URL parsing robust against encoding tricks
Solution (continued):
  Address bar on every pop-up window
  Background Tabs can't open windows
Solution (continued):
  International Domain Names (IDN) must be in a language supported by the user's system
  Multiple languages can't be mixed in an IDN URL
Dynamic protection against fraud: Safer UI for browser settings
Security settings per zone, aka URLActions
Note: Windows Server 2003 has stricter defaults than other versions of IE
Dynamic protection against fraud: Safer UI for browser settings
Problems: Users opt to change settings; My Computer and Trusted are targets

Zone              Membership                                  Default level and behaviour
Intranet          Machine names in your domain                MED-LOW, Automatic domain login
Internet          Fully-qualified domain names                MED, Only uses safe extensibility
Restricted sites  Empty unless configured                     HIGH, only renders HTML, loads no extensions
Trusted sites     Empty unless configured                     LOW, sites can silently install signed ActiveX
----------------------------------------------------------------------
My Computer zone  Not shown in the UI; any HTML content       LOW--, Unrestricted access to scriptable APIs
                  on the local machine
Dynamic protection against fraud: Safer UI for browser settings
Solutions: More secure defaults; UI to prevent unsafe settings

Zone              Membership                                  Default level and behaviour
Intranet          Disabled on Consumer PCs                    MED-LOW, Automatic domain login
Internet          Fully-qualified domains                     MED-HIGH
Restricted sites  Empty unless configured                     HIGH, only renders HTML, loads no extensions
Trusted sites     Empty unless configured                     MED, only uses safe extensibility
----------------------------------------------------------------------
My Computer zone                                              HIGH when used in IE
Dynamic protection against fraud: Safer UI for browser settings
(Figure: warning shown under the address bar)
Advanced Malware Protection: Demo: Protected Mode IE
In this demo, you will see how Internet Explorer for Windows Vista:
  Runs with restrictions to prevent exploits from installing malware on users' systems
  Still allows users to download files or change settings
  Allows Intranet sites to run without restrictions