How the SDL helped improve Security in Office 2010

Hello, my name is Didier and I am a Security Program Manager in the Microsoft Security Engineering Center. We focus on helping teams like Office go beyond the minimum requirements of the Security Development Lifecycle (SDL). For Office 2010, I worked closely with members of the Office TWC team. The Microsoft SDL is a security assurance process that is focused on software development. As a company-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process.

I would like to highlight some achievements that were completed during Office 2010 development that will help keep our customers secure.

There are more than 50 requirements in the SDL that apply to the phases in the development process: training, requirements, design, implementation, verification, release, and response (post-release). The requirements and recommendations of SDL are not static; they are changed on a regular basis in the light of emerging threats and improvements to supporting infrastructure, tools, and processes. The following image shows the phases in the SDL process:

[Image: the phases of the SDL process]

Some of the tools and techniques that are used to support the SDL process have been released externally. It is possible to download these tools and others from the Microsoft SDL Tools Repository (https://www.microsoft.com/security/sdl/getstarted/tools.aspx).

In addition to passing the Final Security Review mandated by the SDL process, the Office 2010 team also met additional emerging SDL requirements such as integrating the improved integer overflow libraries, compiling with the enhanced GS flag, and executing a number of fuzzing iterations far beyond the SDL requirement. These were the most impactful of the additional SDL requirements met by Office 2010.

Training Phase

The Office TWC team developed customized training on integer overflow mitigations, file fuzzing and Web security (mostly Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF)). These trainings were mandatory across the entire Office Division. In addition, more specific training was designed and delivered to bring FAST, a newly acquired product, up to speed with the various tools and activities required by the SDL.

Requirements Phase

Office TWC and MSEC worked on redefining the security bug bar and the security bug triage process to include newer attacks. Part of the process was to leverage expertise in both the Office and TWC divisions to review security bugs.

Design Phase

During the design phase, several work items were identified to strengthen the trustworthiness of Office documents. These work items brought improvement to the Trust Center by adding Trusted Documents, File Block improvement that allows users to choose which files they want to open or save on their network, Office File Validation and Protected View. These improvements were done so customers can trust Office documents without fear of being attacked. In addition, another goal was to provide this additional security while avoiding unnecessary prompts that would lead to prompt fatigue, decreasing the security value of these features. You can read more on those features at https://blogs.technet.com/office2010/archive/2009/07/21/office-2010-application-security.aspx.

Office TWC did a large scale threat model exercise across the division, creating and reviewing over 500 threat models. Through the threat model activity, the team identified and fixed over 1000 potential security issues.

Another area of improvement was the Cryptography support in Office 2010. These improvements included support for XAdES digital signature, making the Office client applications cryptographically agile by allowing them to use any cryptographic algorithm made available by the operating system (Windows Vista and above only), and a new feature for Enterprises enabling domain password policy for password encryption.

Implementation Phase

Office TWC implemented an automated solution to improve the reporting of Office Automated Code Review (OACR) results, allowing MSEC and Office TWC to identify Office product teams with code quality issues prior to the verification phase or before any penetration testing was performed. This allowed teams to direct their effort at areas where it was more valuable.

Based on the analysis done on incoming reported vulnerabilities in previous versions of Office, an improved version of SafeInt was developed and used in Office 2010.
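The class of bug that checked-integer libraries address in file parsers, shown as an added example (not Office's code and not the SafeInt API). The record layout, helper names and sample values are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// Hypothetical record header from an untrusted document (constructed format,
// not a real Office structure): element count and element size, then payload.
struct RecordHeader { uint32_t count; uint32_t elem_size; };

// Unchecked: the 32-bit product wraps modulo 2^32, so a huge count can
// produce a tiny "size" that a parser would then allocate and overrun.
uint32_t unchecked_payload_size(const RecordHeader& h) {
    return h.count * h.elem_size;
}

// Checked helpers: report overflow instead of wrapping.
bool checked_mul(uint32_t a, uint32_t b, uint32_t& out) {
    if (a != 0 && b > std::numeric_limits<uint32_t>::max() / a) return false;
    out = a * b;
    return true;
}
bool checked_add(uint32_t a, uint32_t b, uint32_t& out) {
    if (b > std::numeric_limits<uint32_t>::max() - a) return false;
    out = a + b;
    return true;
}

// Hardened: computes header + payload size, rejecting the record if the
// arithmetic overflows or the record claims more bytes than the buffer holds.
bool checked_record_size(const uint8_t* buf, size_t len, uint32_t& total) {
    RecordHeader h;
    if (len < sizeof h) return false;
    std::memcpy(&h, buf, sizeof h);  // fields read in host byte order
    uint32_t payload = 0;
    if (!checked_mul(h.count, h.elem_size, payload)) return false;
    if (!checked_add(payload, static_cast<uint32_t>(sizeof h), total)) return false;
    return total <= len;
}

int main() {
    RecordHeader evil = {0x40000001u, 4u};  // constructed sample: 4 * (2^30 + 1)
    uint8_t buf[20] = {0};
    std::memcpy(buf, &evil, sizeof evil);
    uint32_t total = 0;
    std::printf("unchecked size: %u\n", unchecked_payload_size(evil));
    std::printf("checked accepts: %d\n", checked_record_size(buf, sizeof buf, total));
    return 0;
}
```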

An improved version of GS (enhanced GS, which is available in Visual Studio 2010) was introduced during the Office 2010 development cycle and was piloted with 3 large components of Office 2010. No major regression issues were found, and this feature will be integrated in the next version of Office. Office 2010 enables Data Execution Prevention (DEP) for the first time, and if you are using Office 2010 on Windows 7, it will use SEHOP, preventing the exploitation of structured exception handlers (https://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx).

Additional mitigations have been put in place in SharePoint 2010 to improve multi-tenant hosting and Cross Site Scripting mitigations. The most important security improvement was sandboxing SharePoint solutions using a mix of Code Access Security and a custom-developed sandbox. As additional mitigations for Cross Site Scripting, we used browser headers to force potentially unsafe content to download, and we raised the permissions required to author scripts.

Verification Phase

Distributed fuzzing was run from the beginning of the development cycle with constant refinement of the fuzzers used. This persistent effort has been one of the greatest investments made by Office to improve the security of the parsers in Office. The use of the Distributed Fuzzing Framework is now expanded across the company and will be one of the key elements of the next SDL version. The number of fuzzing iterations for Office 2010 was over 800 million iterations across over 400 file formats, resulting in over 1800 bugs fixed. In addition to file format fuzzing, the Distributed Fuzzing Framework was used to fuzz all ActiveX controls shipping with Office 2010 extensively.

An automated infrastructure was set up during Office 2010 to run most of the verification tools required by the SDL (like BinScope) as part of the build process. This allowed the Office Team to run those tools more frequently, allowing for timely identification and faster remediation of issues.

Both internal and external penetration testing was conducted during the Office 2010 development cycle. This testing targeted the high risk features identified during the design phase and covered several products both in the client and server SKUs.

Hopefully all of these efforts combined will make Office 2010 much more robust and will bring back some peace of mind for customers when they receive documents from untrusted sources.

In addition to this post, Microsoft published a whitepaper a couple of months ago on how the SDL helped improve the 2007 Microsoft Office System. You can find this whitepaper at https://go.microsoft.com/?linkid=9714223

Thanks,

Didier Vandenbroeck

Lead Security Program Manager

Microsoft Security Engineering Center