InsideMicrosoft’sSecureWindowsInitiative幻灯片.pptVIP

Changing the Process: Our Ultimate Goal Not to inject security bugs into the code in the first place! Short term: remove existing flaws Longer term: don’t add flaws to the code You can’t do this through code review …or testing They only remove existing flaws You have to teach people to do the right things…! You must change the process! The Turkish-? problem(Applies also to Azerbaijan!) Turkish has four letter ‘I’s i (U+0069) I (U+0049) ? (U+0131) ? (U+0130) In Turkish locale UC(file)==F?LE // Do not allow FILE:// URLs if(url.ToUpper().Left(4) == FILE) return ERROR; getStuff(url); ? // Only allow HTTP:// URLs if(url.ToUpper(CULTURE_INVARIANT).Left(4) == HTTP) getStuff(url); else return ERROR; ? ? Summary Who Am I? What is SWI? SD3 + c Secure Development Process Threat Models Relative Attack Surface How can you help? When is a threat model complete? How does privacy apply to TMs? A more complete taxonomy of mitigation techniques and technologies A more complete taxonomy of attack techniques Is Relative Attack Surface accurate? Is it worthwhile? ? 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Backup Slides DREAD Rankings Damage Potential Minor [1] → Complete Subversion [10] Reproducibility Rare [1] → Every Time [10] Exploitability NSA Only [1] → My Mom [10] Affected Users 10% [1] → 100% [10] Discoverability Very Subtle [1] → Already on Bugtraq [10] * * Inside Microsoft’s Secure Windows Initiative Steve Lipner Director of Security Engineering Strategy Security Business Unit Microsoft Corporation Agenda Who Am I? What is SWI? SD3 + c Secure Development Process Threat Models Relative Attack Surface Open Questions Who is this guy? SLipner@ Been at Microsoft for 3.5 years Always in security Started working in security in 1970 Experience includes A1 systems, firewalls, consulting, other stuff Pragmatic A chief conspirator! What is SWI? Secu