tom gallagher – senior security test lead, office trustworthy computing david conger – software...

Under the Kimono of Office Security Engineering

Tom Gallagher – Senior Security Test Lead, Office Trustworthy Computing David Conger – Software Design Engineer in Test II, Microsoft Access

Agenda History of Office Security Our approach to securing Office Demos of internal tools and protections

in Office 2010.

History of Office Security

Oldest threat Macro viruses

Around 1999 a rash of Outlook attachment issues and ActiveX repurposing attacks.

Prior to 2006, very few malformed documents attacks to corrupt memory (overflows, double free, etc).

Security Org of OfficeMSEC Office TwC

Product 1 Sec

Contacts

Feature Owner

Feature Owner

Feature Owner

Product2 Sec

Contacts

Feature Owner

Feature Owner

Feature Owner

Product3 Sec

Contacts

Feature Owner

Feature Owner

Feature Owner

Product4 Sec

Contacts

Feature Owner

Feature Owner

Feature Owner

Office SE (CAPES)

Layered Defenses

Harden the

Attack Surface

Reduce the

Attack Surface

Improve User

Experience

Mitigate the

Exploits

Harden Attack Surface

SDL Compliant OACR (Automated Code Review

Tool) SafeInt Remove old parsers Intensive Distributed Fuzzing

Harden the

Attack Surface

Office’s fuzzing surface

HUGE! 300+ file formats

Many formats may not be obvious at first Example: WPD files could be parsed by 3 different parsers

Specialized “smarter” fuzzers for many formats

Different fuzzers find different bugs Experience in line with BlueHat Fuzzing Olympics results

and Charlie Miller’s 2008 CanSecWest presentation.

Before the Distributed Fuzzing Framework….

Managing SDL compliance gets messy…. Each team has a subset of the supported

formats. Unclear how many iterations completed

by each. Machine logs often duplicate failures

Across machines, runs, formats (core failures) Best practices not centralized and shared

Machine Resources

Leverage machines in testers offices Machines manually configured. Testers often needed to use these machines

for their normal test passes. Became a bottleneck for completing fuzz runs No easy way to leverage unused resources.

If one team finishes their fuzzing passes, they need to manually find out who might need help and how to config those runs. (Doesn’t happen.)

Distributed Fuzzing Framework Goals Teams don’t need to manage hardware. Use any machine with Office installed for fuzzing. Machines join in fuzzing of multiple products/runs. Run any fuzzer. Simple run definition. Automate regression of previously found crashes. Centrally manage all fuzzing jobs. Detect duplicate crashes across runs and in

Product Studio. Automate logging crashes to bug database..

Distributed Fuzzing Framework Goals Teams don’t need to manage hardware. Use any machine with Office installed for fuzzing. Machines join in fuzzing of multiple products/runs. Run any fuzzer. Simple run definition. Automate regression of previously found crashes. Centrally manage all fuzzing jobs. Detect duplicate crashes across runs and in

Product Studio. Automate logging crashes to bug database..

- Hardware and Multiple Products

Teams can dedicate their

existing testing resources.

Existing lab resources can

be shared across multiple

teams and products.

DFF infrastructure is managed by TwC and DFF Admins.

Teams in Office can use DFF without supplying any hardware resources.

- Hardware and Multiple Products

Contribute to a specific team’s effort or every

team.Additional settings also make the Client easier for team members to

use on their test machine(s).

Simple controls make it easy for

team members to contribute their

machine(s).

- Hardware and Multiple Products

Status and settings can be controlled

from the web. Move machines easily between

Teams and Runs.Some machines are dedicated to specific products,

some contribute in any available

product.

Distributed Fuzzing Framework Goals Teams don’t need to manage hardware. Use any machine with Office installed for fuzzing. Machines join in fuzzing of multiple products/runs. Run any fuzzer. Simple run definition. Automate regression of previously found crashes. Centrally manage all fuzzing jobs. Detect duplicate crashes across runs and in

Product Studio. Automate logging crashes to bug database.

- Fuzzers, Runs, and Regression

Hundreds of Fuzzer configurations across many

different types of fuzzers are available.

- Fuzzers, Runs, and Regression

Any fuzzer (or tools that generates

files) can be used in DFF.

A fuzzer in DFF can be diff of another

fuzzer.

More than just random mutation

file fuzzing. Distribute an

ActiveX or sequential fuzzer.

- Fuzzers, Runs, and Regression

Choose fuzzers and templates from simple

lists of system wide and team defined fuzzers and

templates.

Fuzz against on the version you are ready to test.

Define runs that run once or

multiple times.

Easily define a run to retest all previous failures based on a

Call Stack or Bug, with failures found in any

product using a matching

configuration.

DFF aids with machine throttling for less powerful

machines.

Distributed Fuzzing Framework Goals Teams don’t need to manage hardware. Use any machine with Office installed for fuzzing. Machines join in fuzzing of multiple products/runs. Run any fuzzer Simple run definition. Automate regression of previously found crashes. Centrally manage all fuzzing jobs. Detect duplicate crashes across runs and in

Product Studio. Automate logging crashes to bug database.

- Centrally manage all fuzzing jobs

Control a runs stats (Queued, Private,

Disabled) or modify its settings..

See progress and machine allocation all on one page.

Begin investigating failures as soon as they are found.

On top of only seeing runs you own, you can filter active runs to

see only what you care most about.

- Centrally manage all fuzzing jobs

Easily review the failure history of

regenerating runs for multiple builds.

Distributed Fuzzing Framework Goals Teams don’t need to manage hardware. Use any machine with Office installed for fuzzing. Machines join in fuzzing of multiple products/runs. Run any fuzzer. Simple run definition. Automate regression of previously found crashes. Centrally manage all fuzzing jobs. Detect duplicate crashes across runs and in

Product Studio. Automate logging crashes to bug database.

- Duplicates and Logging

- Duplicates and Logging

Easily know what the run is and a general

overview of the results.

Failures are grouped and

categorized based on the Fuzzer’s

results.

Easily log or tag bugs for multiple failures in the run.

Failures can be hit across multiple

products.

Files collected can be restricted to a small set.

DFF will recommend bugs

for failures.Find out additional failure details including EIP, Fault

Address, Instructions, Registers, a complete call stack, repro files, dumps,

and OS version.

Bug icons helps the tester to know the status of the bug without loading Product Studio.

- Duplicates and Logging

Teams Utilizing DFF today Office Windows SharePoint Services SWI/MSEC-React FAST Search MSN Client Expression Blend, Design, and Encoder

Results with DFF

• Aggressive about fixing issues. Exploitability not important if fixed.• Fixing some issues that aren’t security issues.

• Example: derefs when initialized to null.• Data was obtained 5/31/2010.

1900

600

225 250

1800

File Block and Gatekeeper

File Block Block unused file formats Easy policy enforcement

‘Gatekeeper’ Runs automatically on open Evaluates file for ‘correctness’ Protects against unknown

exploits Faster Updates

Reduce the

Attack Surface

Gatekeeper DemoMost MSRC cases reported from January 2007 – today are automatically detected

The Office ‘Protected Viewer’

Mitigate the

Exploits

Office Protected

Viewer

Files that failed

Gatekeeper

Files that don’t comply

with File Block Policy

Files in unsafe folders

Outlook attachments fromexternal senders

Files from the

Internet Zone

Protected View Architecture Architecture uses two app instances:

“Host” process Runs with full rights. Owns top level app window (window caption,

ribbon, etc.)

“Client” process Runs inside highly restrictive sandbox. Parses and renders document content. Owns a single child window (parented to host

window) that corresponds to document canvas.

Host Window

Client Window

Sandbox Components Restricted Token Job Object User Interface Privilege Isolation (UIPI)

Net Impact of Sandbox At a high level:

Can only write to places (e.g., disk, registry) that have been explicitly ACL’d to allow it

Can only read from places that Everyone can read from (e.g., can read from c:\windows, but not My Documents)

Net effect: Malware is mitigated against installing a root kit,

corrupting/deleting documents, compromising your profile, changing your settings, etc.

Key Protected View Benefits Key “last line of defense” for exploits

that: Make it past Gatekeeper validation And are not thwarted by NX, ASLR, GS, etc.

Allows us to build more seamless user experience by reducing prompt fatigue

Provides mitigation for Gatekeeper false positives

Inside Winword.exe The real guts of Word lives inside of

wwlib.dll. winword.exe calls into the dll. Wwlib decides if ProtectedView should

be used. If necessary wwlib creates a new

instance of winword.exe running in low integrity.

Broker Process

Sandbox Process

Process Explorer View:

Protected View Configurable

Read Zone.IdentifierTIF, shares, etc.Write Zone.Identifier

C:\Program Files\Microsoft Office\Office14>WINWORD.EXE /vp c:\MyDocs\test.doc

// Force open in Protected View (/vp)

C:\Program Files\Microsoft Office\Office14>WINWORD.EXE /vu c:\MyDocs\test.doc

// Force open without Protected View (/vu)

ProtectedView Architecture Demo

Improve User Experience

Better information to make trust decisions

Avoid forcing choice between security and productivity

Areas for improvement remainImprove

User Experien

ce

Office 2007 Prompts

Improve User Experience

‘My Stuff’...IncomingStrong protection from all classes of malware inside

sandbox.

Trust decisions are ‘sticky’View document before trust

decision is made. Many scenarios stop here – reading is enough.

Open email attachment

‘Gatekeeper’Validation

SandboxedViewer

User Clicks ‘Enable’

Document opens, fully

enabled

SaveDocument

ReopenDocument

MSRC Case Demo against Office 2010

Appreciate help…

Lots of improvements, but not perfect. External people also continue to

innovate. If you have crashing files you feel are

security issues, even if you can’t show they are exploitable, please send them to us (secure@microsoft.com).

We will investigate and credit you for the find.

Thanks…

Brad Albrecht Atin Bansil Brian Carver Rob Cooper David Heise Eric Jarvi Hidetake Jo David Leblanc

Vikas Malhotra Alan Myrvold David Seidman Jason Shirk Kumar

Srinivasamurthy Octavian Timofte

Questions?