hardening windows applications hardening windows
play

Hardening Windows Applications Hardening Windows Applications olleB - PowerPoint PPT Presentation

Nov 01, 2023 •201 likes •532 views

www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org www.toolcrypt.org Agenda Agenda Introduction

  1. www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org

  2. www.toolcrypt.org Agenda Agenda • Introduction to Windows security model • Windows security-related features • Strategies for hardening Windows Apps • Question time

  3. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Security Identifiers • Security Descriptors • Access Control Lists • Objects and Handles • Tokens and Privileges

  4. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Security Identifiers (SIDs) – Authority, n x Sub-Authority, Relative ID Example: S-1-5-32-544 Revision Authority Sub Authority RID 1 5 32 544 First “NT” Builtin Administrators

  5. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Security Descriptors SECURITY_DESCRIPTOR Header (revision number and control flags) Owner SID Group SID (used for POSIX compatibility) DACL (Discretionary Access Control List) SACL (System Access Control List)

  6. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Access Control Lists (ACLs) – Lists of Access Control Entries (ACEs) • DACLs list “access permissions” • SACLs list system info (auditing, etc.) ACL Contents: Revision ACE Count ACE [0] ... ACE [n]

  7. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Access Control Entries (ACEs) – Type and Flags determine meaning – Checked in order (first match, default deny) ACE Contents: Type (Allow, Deny, Audit, etc.) Flags (inheritance, etc.) Access Mask (e.g. GENERIC_READ) Trustee SID

  8. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Objects and Handles – Kernel Objects are ref-counted structs • Common header (with type, refcounts, etc.) • Contains Security Descriptor => “Securable Object” OBJECT_HEADER Pointer Reference Count Handle Reference Count Type (Pointer to type object) Misc. Flags and Control Structures Security Descriptor

  9. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Objects and Handles – Kernel ref by pointer, usermode by handle – Handles are kept per-process in kernel tables – Many different processes can have “open” handles to same Kernel Object – Handles closed by CloseHandle() or Exit() – Objects destroyed when refcounts reach 0

  10. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Tokens and Privileges – An Access Token is a Securable Object – Describes security context of process (or thread) TOKEN (abridged) TOKEN_SOURCE Privileges User/Group SID count User/Group SID list Impersonation Level

  11. www.toolcrypt.org Intro to Windows security model Intro to Windows security model • Tokens and Privileges – Processes get a “Primary Token” at creation – Process or thread can temporarily have different Token assigned by “Impersonation” (or delegation) – Privileges can be assigned to users / groups – Privileges stored in Token, must be “enabled”

  12. www.toolcrypt.org Windows security-related features Windows security-related features • Restricted Tokens • Desktop Objects and Window Stations • Job Objects • MIC / UAC / UIPI • Memory protection • Exploit mitigations

  13. www.toolcrypt.org Windows security-related features Windows security-related features • Restricted Tokens – CreateRestrictedToken() • Remove Privileges from Token • Prevent SIDs from granting accesses • Restrict SID list to a certain subset – CreateProcessAsUser() • Normally requires SeTokenPrivilege – not with Restricted version of callers' Primary Token – which becomes the Primary Token of new process!

  14. www.toolcrypt.org Windows security-related features Windows security-related features • Desktop Objects and Window Stations – Session => Window Station => Desktop • Winsta0 only interactive Window Station • Interactive Desktop selected by SwitchDesktop() – Processes assigned to a Window Station – Threads assigned to a Desktop – Desktop is container for UI objects • Windows, message queues, etc.

  15. www.toolcrypt.org Windows security-related features Windows security-related features • Job Objects – Container for processes • Processes can be associated to Job Object • Processes created inherit Job Object association – Imposes limits on associated processes • Memory / CPU usage limits • Prohibit access to SwitchDesktop() • Prohibit access to UI objects (e.g. clipboard) • Prohibit access to sensitive APIs

  16. www.toolcrypt.org Windows security-related features Windows security-related features • MIC – Mandatory Integrity Control – “Mandatory Label” new ACE in SACL • RID in SID of ACE defines “Integrity Level” • ACE attributes define a policy – NoWriteUp, NoReadUp, NoExecuteUp – Label defaulted if not explicitly present • Objects default to “Medium” and NoWriteUp • Processes to “Medium” and NoWriteUp / NoReadUp – Anyone with WRITE_OWNER can set lower IL • Need SeRelabelPrivilege to set higher IL than own

  17. www.toolcrypt.org Windows security-related features Windows security-related features • UAC – User Account Control – Admin users run as Standard by default – “Elevation” required to use Admin rights – Privilege separation by “Linked Tokens” – New service “AppInfo” controls Elevation – Apps request Admin rights using Manifest

  18. www.toolcrypt.org Windows security-related features Windows security-related features • UIPI – User Interface Privilege Isolation – Blocks windows messages between windows of processes with differing Integrity Level – “Message Filter” is list of allowed messages – ChangeWindowsMessageFilter() • Processes at or below “Low” IL cannot use

  19. www.toolcrypt.org Windows security-related features Windows security-related features • Memory protection – Hardware can enforce access permissions on “pages” of virtual memory space – Permission bits in PTE => R / W / X – VirtualProtect(), VirtualAlloc()

  20. www.toolcrypt.org Windows security-related features Windows security-related features • Exploit mitigations – Stack overwrite protection – Heap overwrite protection – Safe SEH, SEH Overwrite Protection – Data Execution Prevention – Adress Space Layout Randomization

  21. www.toolcrypt.org Windows security-related features Windows security-related features • Exploit mitigations – Stack overwrite protection (or “/GS”) • Inserts “cookie” value into stack frame – Check integrity of cookie before returning – Protects return address and stack variables • Default compiler option since VS 2003

  22. www.toolcrypt.org Windows security-related features Windows security-related features • Exploit mitigations – Heap overwrite protection • Check forward / back links when unlinking lists – In all Windows versions since XP SP2 • XORing / checksumming to “detect” overwrites – Since XP SP3, increasing protection in Vista – HeapSetInformation(HeapEnableTerminationOnCorruption) • Don't use third-party dynamic memory managers! Don't use third-party dynamic memory managers!

  23. www.toolcrypt.org Windows security-related features Windows security-related features • Exploit mitigations – Safe SEH • Linker inserts table of known exception handlers • “/SAFESEH” option available since VS 2003 – SEH Overwrite Protection (SEHOP) • Checks integrity of exception handler chain • Available since Vista SP1, Server 2008 • Disabled by default on client systems

  24. www.toolcrypt.org Windows security-related features Windows security-related features • Exploit mitigations – Data Execution Prevention (DEP) • Makes stack and heap non-executable by default • Modes: OptIn/OpOut/AlwaysOn/AlwaysOff • SetProcessDEPPolicy() or “/NXCOMPAT” – Address Space Layout Randomization (ASLR) • Complement to DEP prevents simple bypasses • Available in Vista and later, for supporting modules • Link all modules with “/DYNAMICBASE” to enable

  25. www.toolcrypt.org Strategies for hardening Windows Apps Strategies for hardening Windows Apps • Standing on Microsoft's shoulders • Securing your application boundaries • Partitioning your application code • Wrapping the onion (in tin foil)

  26. www.toolcrypt.org Strategies for hardening Windows Apps Strategies for hardening Windows Apps • Standing on Microsoft's shoulders – Use exploit mitigations • always build with latest version of toolchain – Read and adopt from the SDL • Architecture review and Threat Modelling • Secure coding guidelines! (Musts and Don'ts) – Use safe libraries and templates • SafeInt / intsafe.h • Banned APIs / Secure Template Overload

  27. www.toolcrypt.org Strategies for hardening Windows Apps Strategies for hardening Windows Apps • Securing your application boundaries – Architect using modular components – Make sure components aren't too large – Identify interfaces to other components • Data flows • Execution flow – Apply safe default DACLs on resources

Recommend

Sug Suggested Actions sted Actions on W on WebSAMS bSAMS Suggested Actions Keep Latest

Sug Suggested Actions sted Actions on W on WebSAMS bSAMS Suggested Actions Keep Latest

Sug Suggested Actions sted Actions on W on WebSAMS bSAMS Suggested Actions Keep Latest Windows Security Update Keep Latest Windows Security Update Check Windows Hardening Status Check Windows Hardening Status Check

238 views • 23 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
8. WinForms Applications Writing native Windows programs Overview Windows Applications

8. WinForms Applications Writing native Windows programs Overview Windows Applications

8. WinForms Applications Writing native Windows programs Overview Windows Applications Events and event handlers Layered (tiered) model of software Focus Form designer and controls Dialog boxes and forms Delegates

268 views • 22 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System

Installing and Demonstrating Cantera 1.7 for Windows ChE 641 Combustion Modeling System Requirements A PC running MS Windows 2000, or Windows XP Matlab (6.5, 2007a/b or 2008a/b) Python 2.5 Download the Windows installer from

288 views • 10 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Roadmap for Section A.1 General Concepts - Windows Networking Domains & Active Directory The

Unit OS A: Windows Networking A.1. Networking Components in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.1 General Concepts - Windows Networking Domains &

443 views • 28 slides
Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden telemetry to Mozilla Per Foyer per@foyer.se 10 10 Cryptoparty 201911-R1 Hardening Firefox: Method To harden Firefox we need to: 1. Adjust

470 views • 14 slides
Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass

Windows | Doors | Facades Products and Services | Windows | Doors | Facades | Frameless glass partitions | Stainless steel handrails Windows Windows , that reflect your style Window systems AWS 65 AWS 70.HI

215 views • 19 slides
Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Unit OS2: Operating System Principles 2.3. Windows on Windows - OS Personalities Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.3. Environment Subsystems System

678 views • 20 slides
Mastering Windows Presentation Foundation: Master the art of building modern desktop applications

Mastering Windows Presentation Foundation: Master the art of building modern desktop applications

Mastering Windows Presentation Foundation: Master the art of building modern desktop applications on Windows by Sheridan Yuen book Ebook Mastering Windows Presentation Foundation: Master the art of building modern desktop applications on Windows

680 views • 3 slides

More recommend