After five years, Windows Vista is on the home stretch to being released. And thanks to Microsoft's Security Development Lifecycle (SDL), it's expected to be the most secure product the company has ever released.
Michael Howard, senior security program manager at Microsoft, told attendees at the OWASP AppSec Seattle conference how the company's use of the SDL helped find and handle security bugs throughout Vista's development so that most of the security issues will have been eliminated by the time the operating system is released.
"The point of the SDL is to squeeze bugs out throughout the process," Howard said.
That process, he said, begins with prescriptive guidance to the developers followed by mandatory education for them. In fact, Microsoft requires yearly ongoing education training for engineers. It helps raise awareness and set expectations for them, Howard said.
"You get the biggest bang for your buck from education," he said. "Education reduces your chance of having security bugs. That's because if you don't know what you're looking for, you're not going to find it."
Next in the SDL are the "quality gates," Howard said. This is where you can "stop the bleeding," he said. Using tools, developers check for such things as banned APIs, banned crypto, buffer overruns, weak ACLs and integer arithmetic issues.
Howard pointed out the importance of the Standard Annotation Language (SAL), which is used by static analysis tools. It adds annotations to your code, which helps tools uncover harder-to-find bugs.
Following those checks, comes central analysis. During this phase, inter-procedural analysis, binary analysis and attack surface analysis is conducted. This is also the time when banned APIs and crypto are removed.
Fuzzing tools also come into play during central analysis.
"A huge quantity of bugs found in the wild are due to malformed data," Howard said. "Fuzz testing can find these."
Howard stressed, however, that tools alone do not make software secure. "They help scale the process and they help enforce policy," he said.
The process doesn't end with central analysis. Threat analysis comes next. During this phase threat modelling comes into play. Use these models to help find design issues, Howard said. If you find them upfront rather than at the end of the development process, you can avoid having to go back and rework the code, which can be a laborious process.
"All components of Vista were threat-modelled," Howard said. That meant 1,400 threat models.
"We've learned a great deal about making threat models easier to create by non-security experts," he said. Ways that they've done that is they've moved from threat trees to patterns of threats and they use risk heuristics instead of risk calculations.
If you give developers numbers, they can fudge them, Howard said. Instead developers are given four levels to determine the risk, ranging from critical to low. "Anything rated critical to important, you fix. There's no argument," he said.
The last phase of the SDL is external review. At Microsoft, most of the security work is done by Windows engineers, but the company does hire outside companies to look at the code. The bugs found here should be those that are really hard to find. Once again, Howard stressed, the people involved have to know what to look for. If they don't, "you'll have a warm fuzzy feeling thinking you're secure when actually you have bugs," he said.
Despite the SDL, however, one has to assume code and design will never be perfect, Howard said. And yet customers must still be protected. How did the developers do that with Vista? Defences were built in to protect the operating system from being corrupt, he said.
"If all upfront engineering fails, we've incorporated four types of defences in," Howard said. Those include service hardening; isolation, in which users are no longer admins by default and integrity levels help contain damage; and memory defences.
"What's critical about Vista is all the defences are there by default," Howard said. "And these have almost no impact on performance."
Despite all that work, Howard concedes that there could still be security issues with Vista.
"There will be security bugs in Vista, but over time we'll see," he said. "I think a lot of our competitors are in denial of their security problems, whereas we're doing something about them. Are we perfect? No. Are we making progress? You bet."