Hi, Michael here.
No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today. As with every security problem, this is a vulnerability we can learn from and, if necessary, use to improve future versions of the Security Development Lifecycle (SDL).
Before I get into the details, it is important to understand that the SDL is a multi-pronged security process intended to reduce systemic weaknesses. In theory, if one aspect of the SDL fails to prevent or catch a bug, then some other aspect should prevent or detect it. The SDL also mandates the use of security defenses, because we know full well that no process will ever catch every security flaw. As we have said many times, the goal of the SDL is “to reduce vulnerabilities and mitigate the consequences of what was missed.”
In this post I want to look at the SDL requirements for code analysis, code review, fuzzing, and the compiler and operating system defenses, and at how each of them fared.
Code analysis and review
I want to begin with code analysis, to understand why we did not find this bug by manual code review or with our static analysis tools. The code in question is relatively complex code that canonicalizes path names: it strips “..” and similar sequences to reduce a path to the simplest possible directory name. The bug is a stack-based buffer overflow in a loop; finding buffer overflows in loops, particularly complex loops, is hard to do with a high degree of confidence without producing many false positives. I will post more of the function’s source code later.
The function contains a while() loop that walks the string to determine whether each character in the path is a dot, a slash or a backslash, and then applies the next step of the canonicalization algorithm accordingly.
The irony of the bug is that the offending line is a call to a bounds-checked function:
_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);
This function is a macro that expands to wcscpy_s(dest, len, src). Technically, the bug is not in the call to wcscpy_s but in the way the length argument is computed. As I mentioned, all three arguments are highly dynamic and are updated continually inside the while() loop, and there is a lot of pointer arithmetic in that loop. Without going into every detail, with a specially crafted path, after the while() loop has run a few times the previousLastSlash pointer may be clobbered, and since the length is derived from that pointer, the copy is no longer bounded correctly.
In my opinion, finding this bug by hand in a code review would take a great deal of skill and luck. So what about tools? It is very hard to build an algorithm that analyzes C or C++ code for this kind of error: the number of possible variable states grows very quickly, and it is harder still to scale such algorithms to a non-trivial code base. This case is even more complicated because the function’s argument is a path string, not a simple value like 1, 2 or 3! Our current tools do not catch this bug.
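To make the failure mode concrete, here is an added example in C. It is my own sketch written for this post, not the Windows code, and the names (canonicalize_path, checked_copy, prev_slash, last_slash) are hypothetical. It is a small in-place path canonicalizer built around the same three moving values, a destination pointer, a remaining length computed from the buffer end, and a source pointer, where the destination is validated against the buffer bounds before the length is computed, so a pointer that has drifted is rejected instead of producing an oversized length for the “safe” copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Bounds-checked copy into the fixed buffer [buf, buf_end).
 * The length is derived from dest the way the post describes
 * (buf_end - dest), which is only meaningful if dest really lies inside
 * the buffer, so that is checked first: a dest that has drifted out of
 * range would give a length that lets even a "safe" copy run past the end. */
static bool checked_copy(char *buf, char *buf_end, char *dest, const char *src)
{
    if (dest < buf || dest >= buf_end)
        return false;                           /* dest is not inside the buffer */
    size_t room = (size_t)(buf_end - dest);     /* remaining space, now trustworthy */
    size_t need = strlen(src) + 1;              /* bytes to copy, including the NUL */
    if (need > room)
        return false;                           /* tail would not fit */
    memmove(dest, src, need);                   /* ranges overlap, so memmove, not memcpy */
    return true;
}

/* Return the '/' before pos, or NULL if there is none. */
static char *prev_slash(char *buf, char *pos)
{
    while (pos > buf) {
        pos--;
        if (*pos == '/')
            return pos;
    }
    return NULL;
}

/* Collapse every "/.." in buf in place ("/a/b/../c" becomes "/a/c").
 * Only absolute, NUL-terminated paths are accepted; single "." components
 * are left alone.  Returns 0 on success and -1 if the input is rejected
 * (unterminated, relative, climbs above the root, or a copy would not fit). */
int canonicalize_path(char *buf, size_t buf_size)
{
    if (buf_size == 0 || memchr(buf, '\0', buf_size) == NULL || buf[0] != '/')
        return -1;
    char *buf_end = buf + buf_size;
    char *last_slash = NULL;                    /* most recent '/' before ptr */
    char *ptr = buf;

    while (*ptr != '\0') {
        if (*ptr == '/' && ptr[1] == '.' && ptr[2] == '.' &&
            (ptr[3] == '/' || ptr[3] == '\0')) {
            if (last_slash == NULL)
                return -1;                      /* ".." has no component to remove */
            const char *tail = ptr + 3;         /* what follows "/.." */
            if (*tail == '\0' && last_slash == buf)
                tail = "/";                     /* "/a/.." collapses to "/", not "" */
            /* dest, length and source are all derived from moving pointers;
             * checked_copy validates them before the length is used. */
            if (!checked_copy(buf, buf_end, last_slash, tail))
                return -1;
            ptr = last_slash;                   /* rescan the component just copied in */
            last_slash = prev_slash(buf, ptr);
            continue;
        }
        if (*ptr == '/')
            last_slash = ptr;
        ptr++;
    }
    return 0;
}
```

The design point is that the length passed to the copy is never trusted on its own: it is only computed after the destination has been shown to be inside the buffer, and every rejected input surfaces as a return code rather than a silent overrun.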
OK, now I’m going to go out on a limb in the next section.
Over the past year or so, I have noticed that the security vulnerabilities at Microsoft, most noticeably in Windows, have fallen into a class of bugs I call “onesey-twosies”, in other words individual, one-off errors. There is a good side and a bad side to this. First the good news: I think we may have removed a large number of the low-hanging vulnerabilities from many of our products, especially the newer code. The bad news is that we continue to have security problems, because you cannot train a developer to hunt for unique bugs, and building tools that search for such bugs is also hard to do without an incredible number of false positives. With all that said, I will add details about these one-off bugs to our internal training, because I think it is important that people realize that even with great tools and experienced security engineers, there are still bugs that are hard to find.
Fuzz testing
Let me be blunt: our fuzz testing did not catch this bug, and it should have. So we are going back to our fuzzing algorithms and libraries and updating them for this issue. For what it is worth, we update our fuzz testing heuristics and rules constantly, so this bug is not unique in that respect.
Defenses
If you want all the details of the defenses and how they come into play on Windows Vista and Windows Server 2008, I urge you to read the security team’s in-depth analysis once it is posted.
A major focus of the SDL is to define and require defenses, because we have no illusions about finding or preventing every security problem by trying to get the code right all the time; nobody can do that. Nobody. See my comment above about one-off bugs!
Let’s take a look at each SDL requirement and how it fared in the light of this vulnerability.
-GS
The -GS story is not so simple. Many of the functions involved do have a cookie, but the attacker can get past it because the overflow starts at an offset into the stack buffer rather than at the start of the stack buffer itself. Thus the attacker can overwrite other frames on the call stack, belonging to functions that return before a cookie check is performed. That is a long way of saying that -GS did not prevent this kind of scenario.
ASLR and NX
To be fully SDL-compliant, the code was linked with /DYNAMICBASE and /NXCOMPAT, which enable ASLR and NX on Windows Vista and Windows Server 2008. These are great defenses when used together and reduce the risk of a successful attack significantly. The stack is also randomized, which makes a deterministic attack even less likely.
Service restart policy
By default, the affected services are marked to restart only twice after a crash on Windows Vista and Windows Server 2008, which means an attacker gets only two attempts to get the attack right. Before Windows Vista, the attacker had unlimited attempts, because the service restarted indefinitely.
Authentication
Thanks to the Mandatory Integrity Control (MIC) settings (which come courtesy of UAC) on the network endpoint that leads to the vulnerable code, the endpoint requires authentication on Windows Vista and Windows Server 2008 by default. Before Windows Vista, the endpoint was anonymous, so anyone could attack it as long as they could get through the firewall. This is an excellent example of the SDL’s emphasis on attack surface reduction: by requiring authentication, the number of attackers with access to the entry point is dramatically reduced.
Firewall
We enabled the firewall in Windows XP SP2 and later as a direct lesson from the Blaster worm. By default, ports 139 and 445 are not open to the Internet on Windows XP SP2, Windows Vista and Windows Server 2008.
Summary
The $64,000 question we ask ourselves whenever we issue a bulletin is “Did the SDL fail?”, and the answer in this case is a categorical “No!” No, because, as I said earlier, the goal of the SDL is to “reduce vulnerabilities and mitigate the consequences of what you missed.” Windows Vista and Windows Server 2008 customers are protected by the defenses in the operating system, which were developed in part because of the SDL. The development team built the relevant component in line with the guidance in Windows Vista ISV Security and Writing Secure Code for Windows Vista, so that their service is protected by the operating system.
The team did not blindly open holes through the firewall unnecessarily, in accordance with the SDL.
The team reduced their attack surface, in accordance with the SDL, by using authenticated connections instead of anonymous connections by default.
We know that the SDL-mandated -GS has very strict heuristics, so some functions are not protected by a stack cookie; in this case there is no buffer on the stack, so there is no cookie. We know this. There are currently no plans to change that in the short term.
Fuzzing missed this bug, so we will update our fuzz testing heuristics, though we update our fuzzing heuristics constantly anyway.
In short, based on what we know now, Windows Vista and Windows Server 2008 customers are protected because the SDL mandates defenses in the operating system, and because the development team followed the SDL to the letter in using those defenses.
Chalk one up for Windows Vista and later, and for the SDL!
As always, questions and comments are welcome.