Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Secure Client Applications In Windows "Longhorn"

Published byMiranda McCarthy Modified over 6 years ago

Similar presentations

Presentation on theme: "Building Secure Client Applications In Windows "Longhorn""— Presentation transcript:

1 Building Secure Client Applications In Windows "Longhorn"
6/26/2018 3:53 AM Session Code: CLI411 Building Secure Client Applications In Windows "Longhorn" Steve Hiskey Program Manager, Windows Security Microsoft Corporation © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Security Pain Developer Pain Customer Pain
6/26/2018 3:53 AM Security Pain Developer Pain Devs want to make their apps secure Try to lower attack surface Time spent doing security testing Bad Deployment Experience Customer Pain 40% click no to every dialog, 20% random Users are afraid to try new stuff Unintelligible security messages, often after the fact. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

3 Intro And Agenda SEE – Secure Execution Environment
6/26/2018 3:53 AM Intro And Agenda SEE – Secure Execution Environment Quick Code Access Security overview What is the SEE? SEE Principles LUA –Limited User Account / PA – Protected Admin / Application Impact Management Why Least Privilege is important Longhorn Plan Call to Action © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

4 Code Access Security (CAS)
6/26/2018 3:53 AM Code Access Security (CAS) Based on trust of code Recognizes that trusted users (e.g. admin) run less trusted code (e.g. browsing the web) System intersects rights of code with rights of user = 2 levels of defense Key features Evidence (location, signature, etc.) is combined with policy to grant permissions to code Protected operations require permissions All callers must have permissions so bad code cannot “trick” good code and be exploited © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

5 CAS: How It Works Managed code verifiably robust
6/26/2018 3:53 AM CAS: How It Works Managed code verifiably robust No buffer overruns! No unsafe casting! Only well-defined interactions (no ptrs) Components can protect their interfaces Trusted libraries as security gate keepers Before doing a protected operations, library demands permission of its callers Stack walk – all callers must have permission to proceed; otherwise exception prevents it When demand succeeds the library can override (Assert) and do the operation safely © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

6 CAS Permission Enforcement
6/26/2018 3:53 AM CAS Permission Enforcement Library code enforces permissions before allowing protected operation Form permission that is to be required Demand all callers have permission EnvironmentPermission ep = new EnvironmentPermission ( EnvironmentPermissionAccess.Read, "variable"); ep.Demand(); © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

7 Code Access Security (CAS)
6/26/2018 3:53 AM Code Access Security (CAS) Demand must be satisfied by all callers Ensures all code in causal chain is authorized Cannot exploit other code with more privilege A has P? Code A B has P? calls Code B demand calls Code C © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

8 6/26/2018 3:53 AM CAS © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

9 What Is The Secure Execution Environment?
6/26/2018 3:53 AM What Is The Secure Execution Environment? A new platform for secure applications Code written to the SEE is inherently more secure because only safe operations are possible within it Security restrictions are enforced by CLR Permission Elevation is possible in a declarative and predictable way, and there is a user experience. The SEE is simply a default grant set of Code Access Security permissions © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

10 Why Code To The SEE? Deploy without Trust Dialogs! Reduce test surface
6/26/2018 3:53 AM Why Code To The SEE? Deploy without Trust Dialogs! Reduce test surface You know that your code cannot harm users machine Reduce TCO Business: admin doesn’t have to worry about what the code might do. Home: SEE app cannot harm your machine © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

11 Why The SEE Is Safe SEE applications Security principles
6/26/2018 3:53 AM Why The SEE Is Safe SEE applications All code has only limited safe permissions Can only use SEE-approved trusted libraries Security principles Code can further restrict self to least privilege Application isolation Library code is limited to a known safe set © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

12 SEE Principles Platform: Only Longhorn Top Priority: Web scenarios
6/26/2018 3:53 AM SEE Principles Platform: Only Longhorn Top Priority: Web scenarios Education /Entertainment DHTML Presentation Media Second Priority: Line-of-Business scenarios No user security decisions! © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

13 Authoring In Least Privilege
6/26/2018 3:53 AM Authoring In Least Privilege © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

14 What To Do Now Code in Least Privilege (less than full trust)
6/26/2018 3:53 AM What To Do Now Code in Least Privilege (less than full trust) Code to Windows Forms Attempt to stay within the Internet-Zone permission set © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

15 6/26/2018 3:53 AM SEE Q&A © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

16 6/26/2018 3:53 AM Limited User Account(LUA) Protected Admin (PA) Application Impact Management © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

17 6/26/2018 3:53 AM LUA Problem Statement Running with elevated privilege leads to disasters One reason why viruses can cause damaged is because too many people run with full privilege Wash Post even is telling us to run without privilege Every Admin tells us they want to limit users, but… Most people demand to run as admin because: Rich web experience, dependant on ActiveX installation, currently requires admin privilege “If we don’t run as admin, stuff breaks” Testing is really easy when everyone’s an admin! Everything works including malicious code! Our customers want tools and help “Please help us to get applications that run with Least Privilege” Win98 & XP users are admin, so apps are built for admin This is the vicious circle that we must break © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

18 LUA – The Good And The Bad
6/26/2018 3:53 AM LUA – The Good And The Bad Long term: we will greatly improve the TCO and “Secure by Deployment” story with Limited User LUA apps have no legitimate reason to ask for admin privilege Good LUA apps do not try to change system or domain state – they work on XP today as LUA Bad LUA apps (the majority) inadvertently change system state Short term: some LUA apps will not be fixable by Application Impact Management The target is to have only 20% of apps in this category The expected behavior is that these apps will fail for Longhorn © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

19 Three Customers For LUA
6/26/2018 3:53 AM Three Customers For LUA Fully locked down corporations Lots of research shows that the enterprise admin wants this feature Reduce security threats Reduce number of apps loaded Reduce TCO Admins that need a safe place to run apps Should have the least privilege needed by app At Home where the admin wants to increase security Parental controls, so that the child uses only age-appropriate apps User self lockdown to protect PC from security problems © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

20 6/26/2018 3:53 AM LUA In Longhorn All applications will have a manifest listing the application parts Enabling Windows to provide a safe environment for the application to run. All applications will undergo a Trust Evaluation Contain applications to limit potential damage Create Compartments where code can run Least-privileged User Account (LUA) Most apps can run with user privileges in user space Apps run in LUA space by default in LH Admin Privilege (Protected Admin) Only trusted applications will run with admin privilege in admin space Admins will not enable PA if LUA is not useful © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

21 Fixable Admin  LUA Apps
6/26/2018 3:53 AM App Operations Built for LUA Apps SEE Apps Fixable Admin  LUA Apps (AIM) Full Admin Apps © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

22 Code Validation Process
6/26/2018 3:53 AM Code Validation Process All code validation is a human decision Publishers can get signed app manifest (need to be in cert store) Domain admins can sign deployment manifest (enterprise store) Local admins can “bless” apps By policy user can decide to change default behavior All local validation decisions are preserved in App Context Code Integrity is assured by checking every .EXE and .DLL for validity Application trust is assured at Runtime © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

23 Application Impact Management And LUA/PA
6/26/2018 3:53 AM Application Impact Management And LUA/PA All system impact changes are logged for potential rollback on uninstall LUA & Admin apps will have their impactful registry writes monitored as well Apps are given their own view of certain files & regkeys © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

24 6/26/2018 3:53 AM User Experience Goals Longhorn is Secure by Default yet the system is as flexible and easy to use as Windows XP Users know when they are about to do something potentially unsafe and are able to make an informed decision Longhorn always gives strong Security recommendations Users can undo damaging changes Users feel confident they can install or run any program without compromising their data or their PCs They feel that, compared to previous versions of Windows, Longhorn is much safer. They trust Longhorn more than any other OS Users do not need to learn any major new concepts or procedures to be protected © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

25 6/26/2018 3:53 AM LUA / PA © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

26 Other Big Changes Winlogon is being rewritten for Longhorn
6/26/2018 3:53 AM Other Big Changes Winlogon is being rewritten for Longhorn Addressing reliability issues - too many unnecessary processes in Winlogon Addressing performance issues - too many unnecessary components loaded in Winlogon Winlogon in Longhorn will no longer support replaceable GINAs, new mechanisms provide existing functionality New, simpler Credential Provider model Eventing mechanism Stacking/chaining © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

27 Call To Action All applications include a manifest
We are in this together! Target the SEE To avoid user trust dialogs have the manifest signed by a Trusted Publisher If the machine state is not changed – run as LUA Test as LUA! Run your applications with least privilege Build Internet deployed app with managed code Think about vulnerabilities. Can an attacker exploit your feature? © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

28 6/26/2018 3:53 AM Relevant Info Jude’s CLI 312 talk on “Enhancements for a Trustworthy Application Experience” Deals a LOT with win32 applications Wednesday, October 29, 5:00:00 PM SECSYM – Security Symposium Thursday, 8:30am Code Access Security Newsgroup: Microsoft.public.windows.developer.winfx.general AppVerify: © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

29 6/26/2018 3:53 AM Q&A © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

30 © 2003-2004 Microsoft Corporation. All rights reserved.
6/26/2018 3:53 AM © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. © Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Building Secure Client Applications In Windows "Longhorn""

Similar presentations

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
Windows Vista Security model and vulnerabilities.

Windows Vista Security model and vulnerabilities.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Information for Developers Windows XP Service Pack 2 Information for Developers.

Information for Developers Windows XP Service Pack 2 Information for Developers.
Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.

Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.
Visual Studio Whidbey: Deploying Applications Using ClickOnce Sean Draine Program Manager Microsoft Corporation Sean Draine Program Manager Microsoft Corporation.

Visual Studio Whidbey: Deploying Applications Using ClickOnce Sean Draine Program Manager Microsoft Corporation Sean Draine Program Manager Microsoft Corporation.
Information for Developers Windows XP Service Pack 2 Information for Developers Tony Goodhew Product manager Developer Division Microsoft Corp

Information for Developers Windows XP Service Pack 2 Information for Developers Tony Goodhew Product manager Developer Division Microsoft Corp
Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.

Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.
DEV290 Building Office Solutions with Visual Studio Eric Carter Lead Developer Developer Platform & Evangelism Microsoft Corporation.

DEV290 Building Office Solutions with Visual Studio Eric Carter Lead Developer Developer Platform & Evangelism Microsoft Corporation.
DEV325 Deploying Visual Studio.NET Applications Billy Hollis Author / Consultant.

DEV325 Deploying Visual Studio.NET Applications Billy Hollis Author / Consultant.
Mark Aslett Microsoft Introduction to Application Compatibility.

Mark Aslett Microsoft Introduction to Application Compatibility.
Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.

Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.
Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.

Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.
Security Summit West 2004 Redmond, WA Darren Canavor Longhorn Security.

Security Summit West 2004 Redmond, WA Darren Canavor Longhorn Security.
Aaron Margosis Principal Consultant Microsoft Session Code: CLI405.

Aaron Margosis Principal Consultant Microsoft Session Code: CLI405.
Operating Systems Security

Operating Systems Security
Paul Cooke - CISSP Director Microsoft Session Code: CLI322.

Paul Cooke - CISSP Director Microsoft Session Code: CLI322.
Wireless and Mobile Security

Wireless and Mobile Security

Similar presentations

Ads by Google