Development

Great blog on smartcards deployment

Sergey Simakov — Mon, 20 Nov 2006 19:13:00 GMT

I just found that I've missed a great blog by Steve Patrick (from Critical Problem Resolution team) with invaluable information on SmartCard deployment, so begin with this post - So, you want to use smart cards?. Thanks for sharing this information, Steve! [subscribed]

Microsoft acquires Sysinternals and Wininternals

Sergey Simakov — Tue, 18 Jul 2006 13:44:00 GMT

According to Mark's blog post - Microsoft has acquired Wininternals and Sysinternals: developers of great troubleshooting and management tools such as Recovery Manager, Protection Manager and ERD Commander (part of Administrator Pack), free Autoruns/Process Explorer/Rootkit Revealer, and many others that are included in my must-have utilities list.

Congratulations to Mark and Bruce!

Crypto classes

Sergey Simakov — Tue, 23 May 2006 14:41:00 GMT

Michael Howard posted a link to the lecture materials from University of Washington's cryptography class.

And you should pay attention to the lecturers list:

Brian LaMacchia (ex-security architect for the .NET Framework and Common Language Runtime)
Josh Benaloh (senior cryptographer in Microsoft Research)
John Manferdelli (Distinguished Engineer, worked on the TPM stuff at Microsoft.)

BTW, does anyone mentions that v1.1 of KMDF was released? It supports Windows 2000 now, so driver developers position helped =)

news for last three months

Sergey Simakov — Wed, 14 Dec 2005 19:03:00 GMT

Well, period of silence on this blog ended. Unfortunately I couldn't post for last three months for many reasons and I'm sorry for it :((

In this post I'll try to summarize what interesting things happened in security from my point of view (actually Valery already mentioned most of them in his blog):

Peter Gutmann updated his “Godzilla crypto and security“ tutorial with excellent quote on current state of laws in Russia: “The severity of Russian law is compensated for by it’s non-mandatoryness.”

NSA announced Suite B Cryptography at RSA 2005 consisting of AES, Elliptic Curve Digital Signature and Key Exchange and SHA-256/384.

For this reason I try to describe unofficial Russian “Suite B“:

GOST 28147-89 for encryption
GOST R 34.10-2001 (Elliptic Curve Digital Signature) for DS and Key Exchange (it supersedes GOST R 34.10-94 that should be withdrawn before 1.01.2008)
GOST R 34.11-94 for hash function

More information about using these algorithms with X.509 certificate and CRL profile is currently available as draft (and will be accepted as informational RFC in the nearest time). Basic implementation for OpenSSL 0.9.8 could be downloaded at CryptoCom open-source site.

Bruce Schneier posted his impressions from Cryptographic Hash Workshop hosted by NIST: 1, 2, 3.

This autumn was a bad time for many IPSec ISAKMP/IKE implementations: Protos test suite from Oulu University Secure Programming Group found multiple vendor implementation vulnerabilities. And this is an exact sample of using fuzzing technique to find security flaws.

Sun Microsystem released Solaris 10 source code as OpenSolaris including Kernel Crypto Framework/Drivers, User Crypto Framework (PKCS#11) and Crypto Algorithms (more information is available at Darren J. Moffat blog)

BTW, it is interesting to compare design of future Microsoft CryptoAPI NG from previous post and The (Open)Solaris Cryptographic Framework. They are build of the same cryptoproviders separation as distinct digest, signature, etc providers and both moving to support kernel (right now it's impossible to use CryptoAPI in ipsec driver for example).

And developer part of news: two most successful Microsoft Shared Source projects released as WiX 2.0 and WTL 7.5 - and MSFT could be really proud of them (we use them extensively in our projects).

Windows kernel developers also received new development framework - Kernel Mode Driver Framework 1.0 (unfortunately it didn't support Windows 2000 in version 1.0, but I hope it will due to feedback from developers community) and updated Driver Install Framework Tools 2.01. And best of all - WDF contains Windows Server 2003 SP1 DDK with Static Driver Verifier for free ;-) If you're interested in Windows Kernel development - watch for OSR NTDEV and Steve Dispensa blog.

Well, it's enough for today - thank you for reading =)

Security slide decks at PDC2005

Sergey Simakov — Thu, 15 Sep 2005 16:23:00 GMT

For poor souls like me (who could not attent PDC this year ;-) - at least we can check PDC2005 slide decks [via Sam Gentile].

I'm interested in “Scrubbing Source Code for Common Coding Mistakes (FxCop and PreFast)“, “Building IPv6, Firewall, and IPsec Aware Applications“ and especially “Understanding, Enhancing, and Extending Security End-to-End“ (because it mentions CryptoAPI NG)

[Updated 2005/12/07 to include direct links to presentations and btw CNG is _must read_ for any CSP developer!]

Security Tools for Development

Sergey Simakov — Mon, 25 Apr 2005 10:03:00 GMT

Last friday at Microsoft Moscow office Ivan Medvedev (from SWI team) made a presentation about Security Tools for Software Development. He mentioned new Threat Modeling tool, AppVerifier, PreFast, FxCop, and new Whidbey compiler switches.

[Update] May be Ivan will post some new information at his blog about those and new tools ;-)

An intoduction in testing methods used at Microsoft awake my interesting in fuzzing - a method of finding software security holes by feeding purposely invalid and ill-formed data as input to program interfaces. Microsoft currently uses automated fuzzing tools internally (as desribed in SDL whitepaper). There are tools by other companies in this fields already - Hydra from Security Innovations (authors of Holodeck) or sharefuzz concept from Immunity, but I think they're not automated the same way (but mb it's based on some of this products, as with PreFix from Intrinsa previously).

[Update 28/04/2005] There is also interesting paper A Comparison of Static Analysis and Fault Injection Techniques for Developing Robust System Services by Pete Broadwell and Emil Ong, mentioned at Flawfinder static analysis tool.

Microsoft Knowledgebase is now RSS-enabled

Sergey Simakov — Tue, 19 Apr 2005 04:27:00 GMT

Well, it finally happens. After using kbAlertz for so long time we can use official RSS feeds for Microsoft Knowledgebase at http://support.microsoft.com/selectindex/?target=rss now [via John Howard]

Windows NT kernel internals

Sergey Simakov — Fri, 15 Apr 2005 09:31:00 GMT

Four part video presentation of the Windows NT kernel by Dave Probert (an architect for Windows) is posted at Channel 9. He does a very good job of comparing the Windows kernel to UNIX-style kernels and how they tackle the same problems differently.

Also very interesting Course about Windows Internals by Dave Probert exists at Strategic Software program site of the University of Tokyo

New security books from Microsoft security team

Sergey Simakov — Wed, 13 Apr 2005 07:03:00 GMT

As I posted recently Protect Your Windows Network book by Steve Riley and Jesper M. Johansson is available for pre-ordering. Both Michael Howard and Steve Riley posted updated information about preorder (with promo code ;-)

Also yesterday I accidentially found new book by Michael, David LeBlank AND John Viega - 19 Deadly Sins of Software Security due to August 2005. It should be interesting book from authors of Writing of Secure Code and Secure Programming Cookbook.

[Update] This monday Michael Howard officially announced this book on his blog.

Application Verifier Security Tools for Windows

Sergey Simakov — Thu, 17 Mar 2005 07:49:00 GMT

Interesting article about security tools to check for common security issues, including places where your code won't run properly under non-administrative accounts that are included in Application Verifier is posted at TechNet. [via Larkware]

Michael Howard also described SecurityChecks in his Code Secure.