Case Study: Building a More Secure Browser in IE7 Rob Franco, Lead Program Manager Internet Explorer Security FUNL03.

Presentation transcript:

Photo: Tony, Group Program Manager, IE, and Laurel, Lead PM, IE Platform. "I hope Rob can focus this PDC session better than his camera!"

Who are you? A developer of an internet-facing app? A developer of an IE extension?

About this presentation
In this presentation, we will cover:
- The Security Development Lifecycle
- Guiding principles for IE security
- High-level browser threat model: data flow and architecture of IE; data flow and threats for the user interface, network requests and page rendering
- How IE7 addresses the threats: dynamic protection against web fraud & data theft; more user control over add-ons; advanced malware protection

Security Development Lifecycle tasks and processes, set beside the traditional Microsoft software product development lifecycle tasks and processes, phase by phase (SDL tasks first, traditional tasks after the bar):
- Requirements: Security Training; Security Kickoff & Register with SWI | Feature Lists; Quality Guidelines; Arch Docs; Schedules
- Design: Security Design Best Practices; Security Arch & Attack Surface Review; Threat Modeling | Design Specifications; Functional Specifications
- Implementation: Use Security Development Tools & Security Best Dev & Test Practices; Create Security Docs and Tools For Product | Development of New Code; Bug Fixes
- Verification: Security Push; Pen Testing | Testing and Verification
- Release: Prepare Security Response Plan; Final Security Review | Code Signing; A Checkpoint Express Signoff; RTM
- Support & Servicing: Security Servicing & Response Execution | Product Support; Service Packs/QFEs; Security Updates

Recommended reading: Writing Secure Code, Second Edition; Threat Modeling.

Guiding principles
- Balance our customers' need for browsing that's powerful but also secure
- Architectural changes eradicate classes of vulnerabilities in major releases
- Mitigations reduce severity or prevent future vulnerabilities in service packs
- Security updates address targeted vulnerabilities and variations
- Every release goes through threat modeling, penetration testing and code analysis tools

Browser basics: data flow
- Outbound: URLs, HTTP requests, auth & cookie data
- Inbound: URLs, HTML, script, non-IE files

Browser basics: architecture
- User interface: IEFrame (hosts Browser Helper Objects and toolbars)
- Network request layer: WinINet and URLMon (hosts MIME filters)
- Page rendering: MSHTML (hosts ActiveX controls, the script engine and binary behaviors)

Threats from data flow: user interface layer
Sample threats:
- URLs parsed incorrectly: domain spoofed; buffer overrun; user can't read the URL
- Dangerous files launch & install: user clicks "OK"; logic error in the prompt
- Scripted windows trick the user: overlays hide UI warnings; user lowers security settings

Threats from data flow: network request layer
Sample threats:
- Auth credentials: encryption cracked
- URL parsed incorrectly: buffer overrun; security settings not enforced
- Data sniffer: buffer overrun or logic failure
- Faulty pluggable protocol loads

Threats from data flow: page rendering layer
Sample threats:
- URLs parsed incorrectly: buffer overrun; page access rules fail
- HTML parser: buffer overrun; faulty COM object loads
- Page access rules fail: unsafe access defaults; page redirects

About this presentation
In this presentation, we will cover:
- The Security Development Lifecycle
- Guiding principles for IE security
- High-level browser threat model: data flow and architecture of IE; data flow and threats for the UI layer, the network request layer and the page rendering layer
- How IE7 addresses the threats: dynamic protection against web fraud & data theft; more user control over add-ons; advanced malware protection

Dynamic protection against fraud: safer UI for browsing
In this demo, you will see how IE 7:
- Uses a dynamic Phishing Filter to protect users from phishing sites
- Uses heuristics to detect suspicious sites
- Highlights the user experience for secure sites (SSL)
- Warns users about unsafe settings

Photo: Tariq, Manav, John and I try to catch the phishers.

Photo: the UX team added address bars to pop-up windows, unsafe-settings warnings and pop-up blocking.

User control over add-ons: ActiveX Opt-in & No Add-ons Mode
Problems:
- ActiveX controls can expose dangerous functions and security bugs to any page on the web
- Users have no control over the number of controls installed by default
- Users suspect add-ons have privacy and reliability problems
Solutions:
- Unused ActiveX controls will prompt on first use, the same as downloaded controls
- Users can run in Add-ons Disabled mode to shut off more extensions, such as BHOs

User control over add-ons: building safer ActiveX controls
Best practices:
- Threat model your controls
- Limit reads and writes; beware redirects
- SiteLock the control so it only works on one site
- Clearly identify your control with signatures
Find more here: components/activex/security.asp

Photo: John, Phoebe and Vidya planning for IE7 platform and network features.

Advanced malware protection: unified URL parsing
Problem:
- Special characters complicate URL parsing
- URLs passed as strings may be parsed inconsistently at different points in the stack
Solution:
- IUri is IE's single URL parsing object
- It canonicalizes URLs, targeting RFC 3986
- IE passes the pre-parsed IUri object, rather than the string, through the stack
- Partners can also use the IUri object in URLMON to canonicalize URLs

Advanced malware protection: sample using IUri to parse a hostname

    #include <windows.h>
    #include <urlmon.h>   // CreateUri, IUri, Uri_CREATE_ALLOW_RELATIVE
    ...
    IUri *pIUri = NULL;
    HRESULT hr = CreateUri(pwzUrl, Uri_CREATE_ALLOW_RELATIVE, 0, &pIUri);
    if (SUCCEEDED(hr))
    {
        BSTR bstrHost = NULL;
        hr = pIUri->GetHost(&bstrHost);
        if (S_OK == hr)         // Host exists. Do something with it.
        {
            SysFreeString(bstrHost);
        }
        else if (S_FALSE == hr) // Host doesn't exist in this URI.
        {
        }
        pIUri->Release();
    }

Early documentation here: workshop/networking/moniker/reference/ifaces/iuri/iuri.asp?frame=true

Photo: networking dev & test, captured on film away from their work.

Advanced malware protection: cross-domain security
Diagram: an element <H> with ID "Card", color Black, size 32 and text %Credit Card#%, in domain www.MyBank.com. Script in the Internet Zone has to go through a domain check in order to access the element.
RULE #1: Only script from the same domain can access an element. Here the script running Card.color="RED" is also in domain www.MyBank.com, so the check passes.

Advanced malware protection: cross-domain security
Diagram: the same element (<H> with ID "Card", color Black, size 32, text %Credit Card#%, domain www.MyBank.com), but the script running Card.color="RED" comes from domain www.evil.com.
RULE #1: Only script from the same domain can access an element, so here the domain check fails.

Advanced malware protection: cross-domain security
Problems:
- Hackers use script protocols to run domain-less script in the navigation code path. Type this in your address bar: javascript:alert(document.body.innerHTML)
- Redirects sometimes evade domain checks
Solutions:
- Migrate the script protocol to run as script in the originating page
- Deny access to objects that aren't redirect-aware
- Partner code should also enforce secure domain access rules and be redirect-aware
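The two slides above (unified URL parsing and RULE #1) fit together: a domain check is only as good as the parser that produced the domain. The following is an added example, not code from the IE7 team or from URLMON: a small structured URL parser that plays the role the slides give IUri (parse once, canonicalize, pass the object on) and a same-origin check built on it. The function names and the limited grammar (scheme://host[:port]/..., no IPv6 literals) are this example's own assumptions; IE's real canonicalizer covers far more of RFC 3986.

```cpp
// Added example, not code from the IE7 team: a structured URL parser and a
// same-origin check in the role the slides give IUri. Names and the limited
// grammar are this example's assumptions.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

struct Origin {
    std::string scheme;
    std::string host;
    int port = -1;
};

bool operator==(const Origin& a, const Origin& b) {
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// RFC 3986 section 6.2.3: an omitted port means the scheme's default port,
// so "http://a.example" and "http://a.example:80" are the same origin.
static int defaultPort(const std::string& scheme) {
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    return -1;
}

// Parse the URL once into a canonical Origin (lower-cased scheme and host,
// explicit port). Returns false for URLs with no authority component, such
// as "javascript:alert(1)", which callers must treat as having no domain.
bool parseOrigin(const std::string& url, Origin& out) {
    std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return false;
    if (url.compare(colon, 3, "://") != 0) return false;      // no "//authority"
    std::string rest = url.substr(colon + 3);
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));
    if (authority.empty()) return false;
    Origin o;
    o.scheme = toLower(url.substr(0, colon));
    std::string::size_type portSep = authority.rfind(':');
    if (portSep == std::string::npos) {
        o.host = toLower(authority);
        o.port = defaultPort(o.scheme);
    } else {
        std::string digits = authority.substr(portSep + 1);
        bool numeric = !digits.empty() && digits.size() <= 5 &&
            std::all_of(digits.begin(), digits.end(),
                        [](unsigned char c) { return std::isdigit(c) != 0; });
        if (!numeric) return false;                            // malformed port
        o.host = toLower(authority.substr(0, portSep));
        o.port = std::stoi(digits);
    }
    if (o.host.empty()) return false;
    out = o;
    return true;
}

// RULE #1 from the slides: script may touch an element only when both have
// the same canonical origin. Domain-less script never matches anything.
bool sameOriginAccessAllowed(const std::string& scriptUrl, const std::string& elementUrl) {
    Origin a, b;
    return parseOrigin(scriptUrl, a) && parseOrigin(elementUrl, b) && a == b;
}

int main() {
    const std::string bank = "http://www.MyBank.com/account";   // constructed sample URL
    std::cout << "same site, different spelling: "
              << sameOriginAccessAllowed("HTTP://www.mybank.com:80/", bank) << "\n"
              << "www.evil.com: " << sameOriginAccessAllowed("http://www.evil.com/", bank) << "\n"
              << "javascript: URL: "
              << sameOriginAccessAllowed("javascript:alert(document.body.innerHTML)", bank) << "\n";
    return 0;
}
```

The point to take from it is structural rather than the grammar: a byte-for-byte string comparison would call "HTTP://www.mybank.com:80/" and "http://www.MyBank.com/account" different sites, and a javascript: URL has no host at all, which is exactly the case the slide describes as domain-less script. Comparing parsed Origin objects, produced by one parser, removes both inconsistencies.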

Advanced malware protection: preventing buffer overruns
Diagram: an <IMG> element with SRC ..\BufferOverrun.jpg from domain www.evil.com is fed to the parser (labelled "George Parser" on the slide).
Problem: the attacker finds a place where the parser does not check the size of an argument:

    char szImagePath[20];
    lstrcpy(szImagePath, szUserInput);   // no length check: input longer than 19 characters overruns the buffer

    char szImagePath[20];
    lstrcpy(szImagePath, "xxx…xxxx");     // the attacker's oversized SRC value

Solutions:
- IE uses automated code review tools, fuzz testing and safe memory APIs to help prevent buffer overruns
- Partners can use the same tools we use to find and prevent buffer overruns. These tools are part of Visual Studio .NET.
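As an added example (not code from the slides or from IE), here is the unchecked copy shown above beside a bounded replacement. lstrcpy is replaced by standard strcpy so the example is portable; the defect and the fix are the same. The function names and the 20-byte buffer size are taken from the slide's fragment, everything else is this example's own.

```cpp
// Added example, not code from the slides or from IE: the unchecked copy
// beside a bounded replacement. Function names are this example's own.
#include <cstddef>
#include <cstring>
#include <string>

const std::size_t kPathBufSize = 20;   // the szImagePath[20] from the slide

// The pattern the slide warns about. Nothing compares the input length with
// the destination size, so an SRC value longer than 19 characters writes
// past the end of szImagePath. Kept only for contrast; it is never called.
void unsafeCopyPath(char (&szImagePath)[kPathBufSize], const char* szUserInput) {
    std::strcpy(szImagePath, szUserInput);
}

// Bounded copy that rejects oversized input outright instead of truncating
// it: silent truncation can change meaning (dropping a file extension, for
// example), so the caller should learn that the value did not fit.
bool safeCopyPath(char* dest, std::size_t destSize, const std::string& src) {
    if (dest == nullptr || destSize == 0) return false;
    if (src.size() >= destSize) return false;     // leave room for the terminator
    std::memcpy(dest, src.data(), src.size());
    dest[src.size()] = '\0';
    return true;
}

// What a parser should do with an attribute value before it touches a fixed
// buffer: validate the length and refuse the element if the value does not fit.
bool parseImagePath(const std::string& srcAttribute, char (&szImagePath)[kPathBufSize]) {
    return safeCopyPath(szImagePath, sizeof szImagePath, srcAttribute);
}

// Checks on constructed inputs; the 200-byte value stands in for the
// attacker's "xxx...xxxx" from the slide.
bool acceptsShortPath() {
    char buf[kPathBufSize];
    return parseImagePath("cat.jpg", buf) && std::string(buf) == "cat.jpg";
}

bool rejectsOversizedPath() {
    char buf[kPathBufSize];
    return !parseImagePath(std::string(200, 'x'), buf);
}

int main() { return (acceptsShortPath() && rejectsOversizedPath()) ? 0 : 1; }
```

Fuzzing, which the slide lists alongside code review, is what finds the first function in practice: any input generator that varies attribute length will crash unsafeCopyPath and never safeCopyPath, and the boolean return makes the refusal visible to the calling parser rather than hidden in a truncated string.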

Advanced malware protection: threats with admin rights
Diagram: IExplore.exe running with admin rights can install a driver, run Windows Update, change settings, download a picture and cache web content, so an exploit can install malware.
- Admin-rights access: HKLM, Program Files
- User-rights access: HKCU, My Documents, Startup Folder
- Temp Internet Files: the cache of web content, i.e. untrusted files & settings

Advanced malware protection: Protected Mode IE and UAP contain threats
Diagram: LoRIE (low-rights IE) can still install a driver, install an ActiveX control, change settings or save a picture, but only through a broker process; integrity control confines the browser, and the compat redirector sends its writes to redirected settings & files.
- Admin-rights access: HKLM, HKCR, Program Files
- User-rights access: HKCU, My Documents, Startup Folder
- Temp Internet Files: the cache of web content, i.e. untrusted files & settings

Advanced malware protection: ActiveX Opt-in and Protected Mode IE
In this demo, IE for Windows Vista will:
- Protect the user from a potentially unsafe control
- Run with restrictions to prevent exploits from installing malware on the user's system
- Still allow users to download files or change settings
- Allow intranet sites to run without restrictions

Advanced malware protection: options for running at "least privilege"
Build "Protected Mode" for your app if it handles untrusted data:
- Set any file/registry ACLs that are safe and needed to Low, e.g. %AppData%\%YourAppName%\Untrusted Data
- Create your process with the Low Integrity token
- Create a broker process for Medium or High integrity operations
Add-ons inside of IE run "Low" by default:
- Writes to the user's profile will be automatically redirected to a subdirectory of the TIF
- Extensions can use the SaveAs APIs to call the broker, which prompts the user to save a file to the user profile

Advanced malware protection: options for running at "least privilege" (continued)
- User consent or an "allow list" lets extensions launch apps at "Medium"
- An allow list will let known apps elevate to Medium without user intervention
- Other processes spawned from IE will throw an "information bar" unless marked for Low
- Compat logging will help diagnose failed or redirected writes and process creation
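The two slides above describe three rules: a Low process cannot write up to Medium or High objects, a Low write into the user profile is redirected to a TIF subdirectory rather than failing, and anything else goes through a broker that needs user consent or an allow-list entry. The following is an added example, not Windows or IE code, that models those rules so the interaction between them can be seen on concrete paths. The integrity labels assigned to each location, the sample profile path and the redirect directory are this example's assumptions; Windows keeps integrity labels as SIDs in an object's ACL, not as strings.

```cpp
// Added example, not Windows or IE code: a model of no-write-up, the Protected
// Mode compat redirector and the broker hand-off. Labels, paths and names are
// this example's assumptions.
#include <string>

enum class Integrity { Low = 0, Medium = 1, High = 2 };

struct Resource {
    std::string path;
    Integrity label;   // minimum level a process needs to write it
};

struct WriteResult {
    bool allowed;
    std::string effectivePath;   // where the bytes really land
};

// Constructed sample profile and a hypothetical redirect target for Low writes
// (standing in for the TIF subdirectory the slide mentions).
const std::string kProfile = "C:\\Users\\alice";
const std::string kLowRedirect = kProfile + "\\AppData\\Local\\Temp\\Low";

// No-write-up: a token may write an object only if its level is at least the
// object's label. Reads are not restricted by integrity level.
bool canWrite(Integrity token, const Resource& r) {
    return static_cast<int>(token) >= static_cast<int>(r.label);
}

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Direct write attempt by a process with the given token. A Low process
// writing under the profile is silently redirected, as the slides describe;
// anything else it may not write is denied outright.
WriteResult requestWrite(Integrity token, const Resource& r) {
    if (canWrite(token, r)) return {true, r.path};
    if (token == Integrity::Low && startsWith(r.path, kProfile))
        return {true, kLowRedirect + r.path.substr(kProfile.size())};
    return {false, ""};
}

// Broker: an operation the Low process cannot do itself is handed to a Medium
// process, which performs it only after user consent or an allow-list hit.
// A Medium broker still cannot reach High (admin-rights) objects.
WriteResult brokeredWrite(bool userConsentedOrAllowListed, const Resource& r) {
    if (!userConsentedOrAllowListed) return {false, ""};
    return requestWrite(Integrity::Medium, r);
}

int main() {
    Resource doc{kProfile + "\\Documents\\pic.jpg", Integrity::Medium};
    WriteResult r = requestWrite(Integrity::Low, doc);
    // A Low write to My Documents succeeds but lands under the redirect directory.
    return (r.allowed && r.effectivePath != doc.path) ? 0 : 1;
}
```

The compat logging the slide mentions is where the difference between the second and third branches of requestWrite shows up in practice: a redirected write looks like success to the add-on but the file is not where the user expects it, while a denied write is a hard failure, and both are worth logging when diagnosing an extension under Protected Mode.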

Photo: Anantha and Bogdan powering through to code complete.

Photo: Marc and Robert from the Protected Mode IE team test their code on a demo page.

Dean General Manager IE unmasked? “You know, I have one simple request. And that is to have anti- phishing frickin' laser beams attached to the browser! Now evidently my security team informs me that that cannot be done. Ah, would you remind me what I pay you people for, honestly? Throw me a bone here!”

Summary: target secure and compatible
- The Security Development Lifecycle helps mitigate risk
- Users count on our industry to be secure and compatible
- Tools are available for you to use:
  - Train using the Writing Secure Code and Threat Modeling books
  - Correctly handle URLs with IE7's IUri
  - Threat model extensions like ActiveX controls
  - Remove buffer overruns from your code with tools in Visual Studio Whidbey
  - Run with least privilege using Mandatory Integrity Control in Windows Vista

Related talks at the PDC
- PRS 203 "What's new in IE7", Tuesday 4:15 (past), Halls C&D
- FUN 406 "Windows Vista User Account Protection", Wednesday 11:00 AM (past), 402AB
- DAT 320 "Building RSS enabled applications", Thursday 2:15, 403AB
- FUN 314 "Architecting apps for the future with compatibility", Thursday 2:15, 408AB

Questions?

BACKUPS

Dynamic protection against fraud: safer UI for browser settings
In this demonstration, you will see how Internet Explorer 7:
- Uses a dynamic Phishing Filter to protect users from phishing sites
- Uses heuristics to detect suspicious sites
- Highlights the user experience for secure sites (SSL)
- Warns users about unsafe settings

Dynamic protection against fraud
Problem: IP addresses and misleading URLs convince users to give away personal information
Solutions:
- Dynamic Phishing Filter blocks known attacks
- Improved URL parsing, robust against encoding tricks

Dynamic protection against fraud
Solution (continued):
- Address bar on every pop-up window
- Background tabs can't open windows

Dynamic protection against fraud
Solution (continued):
- International Domain Names (IDN) must be in a language supported by the user's system
- Multiple languages can't be mixed in an IDN URL

Dynamic protection against fraud: safer UI for browser settings
Security settings are per zone (aka URLActions). Note: Windows Server 2003 has stricter defaults than other versions of IE.

Dynamic protection against fraud: safer UI for browser settings
Problems: users opt to change settings; My Computer and Trusted sites are targets. Current zone defaults:
- My Computer zone: not shown in the UI; any HTML content on the local machine. LOW--, unrestricted access to scriptable APIs
- Trusted sites: empty unless configured. LOW, sites can silently install signed ActiveX
- Intranet: machine names in your domain. MED-LOW, automatic domain login
- Internet: fully-qualified domain names. MED, only uses safe extensibility
- Restricted sites: empty unless configured. HIGH, only renders HTML, loads no extensions

Dynamic protection against fraud: safer UI for browser settings
Solutions: more secure defaults; UI to prevent unsafe settings. New zone defaults:
- My Computer zone: HIGH when used in IE
- Trusted sites: empty unless configured. MED, only uses safe extensibility
- Intranet: disabled on consumer PCs. MED-LOW, automatic domain login
- Internet: fully-qualified domains. MED-HIGH
- Restricted sites: empty unless configured. HIGH, only renders HTML, loads no extensions

Dynamic protection against fraud: safer UI for browser settings
Screenshot: shown under the address bar.

Advanced malware protection, demo: Protected Mode IE
In this demo, you will see how Internet Explorer for Windows Vista:
- Runs with restrictions to prevent exploits from installing malware on the user's system
- Still allows users to download files or change settings
- Allows intranet sites to run without restrictions