Professional Documents
Culture Documents
JamesRH PDC Security Final
JamesRH PDC Security Final
James Hamilton
General Manager SQL Server Webdata
Development & Security Architect
Agenda
Risk Escalating Rapidly
SQL Injection Demo
Case Study: SQL Server Security Push
SQL Server Lessons Learned
Security Tools & Automation
Admin, Data Protection, & App Design
Summary
Incidents Reported Industry Wide
CERT/CC incident statistics 1988 through 2003
Incident: single security issue grouping together all
impacts of that that issue
Issue: disruption, DOS, loss of data, misuse, damage,
loss of confidentiality
90000
80000
70000
60000
50000
40000
30000
20000
10000
0
Source: http://www.cert.org/stats/cert_stats.html
Know Your Enemy
Black Hat Port Scan
ners
Community Sharing
pwd crackers
orce
Brute F
Crac
ker T
ools
s
i ffe r
n
or kS
tw
Ne Dicti
on ary B
a se d
pwd
cra ckers
pi ler s
om Deb
De-c ugge
rs
Data Thief Architecture
Attack string SQL-Injected query
Form values appended Contains an
with extra SQL OPENROWSET
statement statement
Vulnerable
App.
Application Database
Local
DB
SQL injected OPENROWSET
statement causes remote DB to
connect back to attackers DB,
sending back useful data
Girish Chander
SQL Server Security PM
Use Scenarios
Entry Points
Implementation
Assumptions
Trust Levels
Analyze Threats/
Determine
External Security
Vulnerabilities
Notes
Data Flow
Diagrams/Process
Models
Internal Security
Notes
Push: Example Data Flow Diagram
Push: Threat Modeling
Threats must be understood to build secure systems
Every spec/design goes through threat analysis
Model of component is created (typically a DFD)
Threats categorized based on STRIDE
Severity ranked based on DREAD
NOT how hard it is to fix
S---Spoofing
D---Damage potential
T---Tampering of Data
R---Reproducibility
R---Repudiation
E---Exploitability
I---information Disclosure
A---Affected Users
D---Denial of Service
D---Discoverability
E---Escalation of Privileges
Push: Security SWAT Team
Central team focused on cross component analysis
Members chosen from different teams
Build and share security expertise
Overall Approach:
Met on daily basis
Choose component based on priority & risk
Invite relevant team members for that component
Collectively brainstorm to ferret out cross component threats
Experience: an effective approach:
Part of ongoing, regular effort to audit product security
Push: Dead Code Removal
…
CHAR buff[MAX_PATH];
GetWindowsDirectory(buff, sizeof(buff));
Warning: Failure to check return value GetWindowsDirectory can fail
in low-memory situations
SetCurrentDirectory(buff, sizeof(buff));
Example Defect Classes
Memory Management Resource Leakage
Double frees Leaking Memory/Resource
Freeing pointer to non-allocated
memory (stack, global, etc.)
Freeing pointer in middle of memory
Pointer Management
block
Dereferencing NULL pointer
Dereferencing invalid pointer
Dereferencing or returning pointer
Initialization to freed memory
Using uninitialized memory
Freeing or dereferencing uninitialized
pointer
Illegal State
Resource in illegal state
Illegal value
Bounds violations Divide by zero
Overrun & Underrun Writing to constant string
Failure to validate buffer size
TITLE