IE Security: Past, Present, and Future
Tony Chor, Group Program Manager
Rob Franco, Lead Program Manager
Internet Explorer, Microsoft Corporation
About this presentation
Past
Present
  Guiding principles for IE Security
  The Security Development Lifecycle (SDL)
Future
  High level browser threat model
  How IE7 addresses the threats
Past
Compatibility and features trumped security
Users fooled into making bad trust decisions
Malware installed via architectural flaws
Powerful extensibility misused
Security seen as a servicing problem
Adversarial relationship with community
Past
“I suggest dumping Microsoft’s Internet Explorer Web browser, which has a history of security breaches.”
Walt Mossberg, Wall Street Journal, September 2004
Present: IE is back!
IE team reborn 24 months ago
  Improved security response
  IE 6.0 for Windows XP SP2
  New versions
Engaging the community
Security is integral to our engineering practices
Present: Guiding principles
The web must be safe
  Reduce attack surface
  Build defense-in-depth
  Secure by default
  Enable users to make smarter choices
The web must be useful
  App compat and site compat are critical
  Corporate IT has different needs from consumers
Partner with the community
Engineering Excellence
Security Development Lifecycle
Security Response Center
Community feedback
Improved quality of updates & tools
Security Development Lifecycle
IE Security: Present
“The assumption that Internet Explorer is easier to exploit is a common misconception…Internet Explorer has become quite tough, and it is very difficult to find vulnerabilities in it.”
Security Focus Newsletter, May 12, 2005
Future: IE 7
SDL-driven security strategy
  Dynamic protection against fraud
  User control over extensibility
  Architectural enhancements against malware
  Proactive engagement with community
Threat Model: Browser Data Flow Diagram
Outbound: URLs, HTTP requests, Auth & cookie data
Inbound: URLs, HTML, Script, Non-IE files
[Diagram: www.BadGuys.com sends Requests and Content across the cache boundary to Internet Explorer; Internet Explorer reaches the User Profile (Documents, Settings, etc.), External Helper Applications (Helper requests), and Program Files, Registry, etc. (ActiveX controls, Downloads, etc.).]
Threat Model: Internet Explorer Architecture
[Diagram: User Interface (IEFrame); Network request layer (WinINet, URLMon); Page Rendering (MSHTML, ActiveX, Script Engine, Binary Behaviors); extension points: Browser Helper Objects, Toolbars, Mimefilters.]
Threat Model: User Interface Layer
Sample Threats:
  Site spoofs user
  User lowers security settings
  Buffer overrun
[Diagram: User Interface (IEFrame) sends URL Requests to Network Requests (Wininet & URLMon) and Page Rendering (MSHTML); URLs, Files and Window Commands flow back.]
Demo: User Interface Mitigations
In this demo, you will see how IE 7:
  Uses a phishing filter to dynamically protect users from fraud
  Warns users about unsafe settings
Threat Model: Network Request Layer
Sample Threats:
  URL parsed incorrectly
  Buffer overrun
[Diagram: www.BadGuys.com sends Requests and Content across the cache boundary to Network Requests (Wininet & URLMon) and its Pluggable Protocols; URL Requests arrive from User Interface (IEFrame) and Page Rendering (MSHTML); URLs, HTML, Non-HTML files and Helper requests flow out.]
Threat Model: Network Request Layer: Unified URL Parsing
Problem:
  URLs passed as strings may be parsed inconsistently through the stack
  Special characters complicate URL parsing
  http://[email protected]
Solution:
  iURI is IE’s single URL parsing object
  Canonicalizes URLs targeting RFC 3986
  IE passes the pre-parsed object through the stack
  iURI available to ISVs
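As an added illustration of the inconsistent-parsing problem above (example code written for this page, not IE’s iURI and not from the presentation): an ad-hoc host scanner and Python’s RFC 3986 parser disagree about a constructed URL whose userinfo mimics a trusted host, and canonicalize() shows the "parse once, pass the parsed form on" approach. The sample URL and the helper names are assumptions.

```python
"""Added example (not IE's iURI): why one RFC 3986 parser must own URL parsing."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URL: the userinfo is chosen to look like a trusted host name.
SAMPLE = "HTTP://www.example.com@WWW.BADGUYS.COM:80/a/./b/../c%7Euser?x=1#frag"
DEFAULT_PORTS = {"http": 80, "https": 443}

def naive_host(url):
    """Ad-hoc scan: first token after '://'; it treats the userinfo as the host."""
    rest = url.split("://", 1)[1]
    return re.match(r"[^/:?#@]*", rest).group(0)

def rfc_host(url):
    """RFC 3986: the host is what follows the last '@' of the authority."""
    return (urlsplit(url).hostname or "").lower()

def remove_dot_segments(path):
    """RFC 3986 5.2.4: resolve '.' and '..' without climbing above the root."""
    segs, out = path.split("/"), []
    for seg in segs:
        if seg == "..":
            if len(out) > 1:  # never pop the leading "" that marks the root
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):  # a trailing dot segment keeps the trailing slash
        out.append("")
    return "/".join(out)

def normalize_pct(s):
    """Decode percent-encoded unreserved characters, uppercase the other escapes."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        if (ch.isascii() and ch.isalnum()) or ch in "-._~":
            return ch
        return "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)

def canonicalize(url):
    """Parse once with the RFC parser and emit a single canonical string form."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = None if p.port == DEFAULT_PORTS.get(scheme) else p.port
    userinfo = ""
    if p.username is not None:
        userinfo = p.username + (":" + p.password if p.password is not None else "") + "@"
    netloc = userinfo + rfc_host(url) + (f":{port}" if port else "")
    path = normalize_pct(remove_dot_segments(p.path or "/"))
    return urlunsplit((scheme, netloc, path, normalize_pct(p.query), p.fragment))
```

A trust decision made on naive_host() would see www.example.com while the connection goes to www.badguys.com; handing every layer the same canonical form removes that disagreement.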
Threat Model: Page Rendering Layer
Sample Threats:
  ActiveX controls misused
  Page Access rules fail
  Unsafe access defaults
  Page Redirects
  Buffer overrun
[Diagram: Page Rendering (MSHTML) exchanges URL Requests and URLs/HTML with Network Requests (Wininet & URLMon), Script and Page access with the Script Engine, and COM Calls with ActiveX Controls.]
Threat Model: Page Rendering Layer: ActiveX Opt-in
Problem:
  ActiveX controls can expose dangerous functions and security bugs to any page on the web
Solution:
  Pre-installed ActiveX controls will prompt on first use the same as downloaded controls
  Users can run in Add-ons disabled mode to shut off more extensions like BHOs
“This move is worth praise.”
Joe Wilcox, Jupiter Research, September 13, 2005
Threat Model: Page Rendering Layer: Cross Domain Security
Problem:
  Hackers use script protocols to run domain-less script
  javascript:alert(document.body.innerHTML)
Solution:
  Migrate the script protocol to run as script in the originating page
Threat Model: General: Prevent Buffer Overruns
Problem: Attacker finds a place where the parser does not check the size of an argument
Solutions:
  Automated code review tools
  Safe memory APIs
  Fuzz testing
These tools are part of Visual Studio 2005
Threat Model: General: EOP: Today
[Diagram: IExplore.exe runs with both User-Rights Access and Admin-Rights Access; actions such as Install an ActiveX control, Change Settings, Download a Picture and Cache Web content reach Temp Internet Files, HKLM, Program Files, HKCU, My Documents and the Startup Folder (untrusted files & settings). Exploit can install MALWARE.]
Threat Model: General: EOP: Protected Mode
[Diagram: Protected Mode IE runs under Integrity Control with User-Rights Access only; Install an ActiveX control and Change settings / Save a picture go through a Broker Process that holds Admin-Rights or User-Rights Access; Cache Web content goes to Temp Internet Files; a Compat Redirector redirects settings & files aimed at HKLM, HKCR, Program Files, HKCU, My Documents and the Startup Folder (untrusted files & settings).]
Demo: Protected Mode IE
In this demo, you will see how IE 7:
  Runs with restrictions to prevent exploits from installing malware on users’ systems
  Keeps the web useful
    Still allows users to download files or change settings
    Allows Intranet sites to run without restrictions
IE Security: Future
“If all Windows users were running Vista [with IE7], the Internet would be a much safer place.”
Larry Seltzer, eWeek, July 29, 2005
Internet Explorer 7.0
Win reviews and the popular vote
  Improving Trustworthy Browsing
  Amazing Everyday Browsing
  Good Web Developer Platform
Release dates
  Windows Vista: 2nd half of 2006
  Windows XP SP2, Windows Server 2003 SP1, x64: TBD
Status
  Beta 1 released in June
  Beta 2 Preview in October
  Beta 2 later this year
Resources
Books
  Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
  Threat Modeling, Frank Swiderski and Window Snyder
Resources
  blogs.msdn.com/ie/
  [email protected]
Tools
  Visual Studio 2005
Conclusion
We’ve come a long way.
We have a long way to go.
We’d like your help
  Test IE 7 for security and compatibility
  Give us feedback – we’re listening!
Q&A
Your quotes?
Your thoughts?
Your questions?