<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Connected Information Security Group : Royal Holloway</title><link>http://blogs.msdn.com/cisg/archive/tags/Royal+Holloway/default.aspx</link><description>Tags: Royal Holloway</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>UTF-8 Encoding</title><link>http://blogs.msdn.com/cisg/archive/2008/08/28/utf-8-encoding.aspx</link><pubDate>Thu, 28 Aug 2008 15:53:59 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8903304</guid><dc:creator>cisg</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/cisg/comments/8903304.aspx</comments><wfw:commentRss>http://blogs.msdn.com/cisg/commentrss.aspx?PostID=8903304</wfw:commentRss><description>&lt;p&gt;Hello there!&lt;/p&gt;  &lt;p&gt;My name is Andreas Fuchsberger, I am a developer in the CISG team based in Germany. I joined CISG after a short stint with the Assessment, Consulting and Engineering (ACE) Team, part of InfoSec in Microsoft IT. I am relatively new to Microsoft, having joined only 6 months ago, coming from academia where I was a full-time academic in the internationally renowned &lt;a href="http://isg.rhul.ac.uk"&gt;Information Security Group&lt;/a&gt; at Royal Holloway, University of London. 
In fact I still teach there on the excellent Master's (MSc) degree programme in Information Security, where I teach the optional modules on &lt;a href="http://isg.rhul.ac.uk/msc/modules"&gt;Software Security&lt;/a&gt;.&amp;#160; &lt;/p&gt;  &lt;p&gt;The Software Security module was developed in response to the industry need to develop more secure software and is strongly based on &lt;a href="http://blogs.msdn.com/michael_howard/"&gt;Michael Howard&lt;/a&gt;&amp;#8217;s must-read book &lt;a href="http://www.microsoft.com/mspress/books/5957.aspx"&gt;Writing Secure Code 2&lt;sup&gt;nd&lt;/sup&gt; Edition&lt;/a&gt; and its update &lt;a href="http://www.microsoft.com/MSPress/books/10723.aspx"&gt;Writing Secure Code for Windows Vista&amp;#174;&lt;/a&gt;. It received part-funding from Microsoft Research and the syllabus was constructed in consultation with &lt;a href="http://research.microsoft.com/~fabienpe/"&gt;Fabien Petitcolas&lt;/a&gt;, who headed the then university relations programme, and &lt;a href="http://www.tu-harburg.de/sva/html/diego.en.html"&gt;Dieter Gollmann&lt;/a&gt;, who was also at Microsoft Research at the time.&amp;#160; Since designing and teaching the course I have become quite passionate about secure coding and the need to educate all kinds of software developers to learn to code securely from early on in their careers. I am a true believer that security is not just a bolt-on that can be added at the end of a project. Expect to see more on this, one of my favorite topics, in the future.&lt;/p&gt;  &lt;p&gt;Speaking of secure coding, I note from a recent entry on Michael&amp;#8217;s blog that Apache Tomcat has a UTF-8 encoding security bug and it&amp;#8217;s related to the implementation of a standard (&lt;a href="http://tools.ietf.org/html/rfc3629"&gt;RFC 3629&lt;/a&gt;). 
Security standards are another of my favourite topics as I actively participate in a number of &lt;a href="http://www.jtc1sc27.din.de/en"&gt;SC27 working groups&lt;/a&gt; (home of the &lt;a href="http://www.27000.org/"&gt;ISO 27000&lt;/a&gt; series) covering IT Security Techniques for the &lt;a href="http://www.iso.org/"&gt;International Organisation for Standardisation&lt;/a&gt; (ISO) and the &lt;a href="http://www.iec.ch/"&gt;International Electrotechnical Commission&lt;/a&gt; (IEC). I will be posting updates on the happenings of the working groups in the future.&lt;/p&gt;  &lt;p&gt;Just in case you are interested, the Tomcat vulnerability comes about from using an invalid but possible UTF-8 encoding of the &amp;#8216;.&amp;#8217; character; this bug is often called an &amp;#8220;overlong UTF-8 escape&amp;#8221;. BTW the definitive place for UTF-8 encoding is Section 2.5 &amp;#8220;&lt;a href="http://www.unicode.org/versions/Unicode5.0.0/ch02.pdf#G13708"&gt;Encoding Forms&lt;/a&gt;&amp;#8221; and Section 3.9 &amp;#8220;&lt;a href="http://www.unicode.org/versions/Unicode5.0.0/ch03.pdf#G7404"&gt;Unicode Encoding Forms&lt;/a&gt;&amp;#8221; in the &lt;a href="http://www.unicode.org/versions/Unicode5.0.0/"&gt;Unicode Standard&lt;/a&gt;, a great read if you are interested in typesetting, character sets, encoding and similar. This particular problem comes about through the desire to create a solution that provides some form of compatibility for legacy systems, a source of many security problems.&amp;#160; It also goes to show that using blacklists is not the safest way to check for invalid input. Hackers always seem to be able to find new ways around blacklists that the original designers could not envisage. 
This is one of the many things we are currently contemplating in the design of our new Anti-XSS library.&amp;#160; Watch this space for an announcement.&lt;/p&gt;</description><category domain="http://blogs.msdn.com/cisg/archive/tags/Frameworks+and+Platforms/default.aspx">Frameworks and Platforms</category><category domain="http://blogs.msdn.com/cisg/archive/tags/Anti-XSS/default.aspx">Anti-XSS</category><category domain="http://blogs.msdn.com/cisg/archive/tags/Royal+Holloway/default.aspx">Royal Holloway</category><category domain="http://blogs.msdn.com/cisg/archive/tags/CISG/default.aspx">CISG</category></item><item><title>Welcome to the CISG Blog</title><link>http://blogs.msdn.com/cisg/archive/2008/08/25/test.aspx</link><pubDate>Mon, 25 Aug 2008 13:49:12 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8893684</guid><dc:creator>cisg</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/cisg/comments/8893684.aspx</comments><wfw:commentRss>http://blogs.msdn.com/cisg/commentrss.aspx?PostID=8893684</wfw:commentRss><description>&lt;p&gt;Mark Curphey here...&lt;/p&gt;  &lt;p&gt;I am the Product Unit Manager (or &amp;quot;PUM&amp;quot; in MSFT speak) for the Connected Information Security Group or CISG. Welcome to our new team blog. We are a software development team of about 35 developers, program managers and testers that supports Microsoft's corporate information security program, itself part of Microsoft IT, and I manage the team. We are responsible for designing and building software to support the information security program, a lot of which is or will be released to our customers and the public in general as well as being deployed for our own use. 
We have built and support a broad portfolio of technology ranging from identity management solutions, security scanning tools, threat modelling tools and development libraries, and will be focusing on the security management space in FY09. &lt;/p&gt;  &lt;p&gt;You will be hearing a lot more about what we think will be &amp;quot;the next big thing&amp;quot; and about big projects we are working on over the coming months, but for the first month or so we plan to share our thoughts and plans to update the Anti-XSS library (and probably some associated tools). &lt;/p&gt;  &lt;p&gt;This week we&amp;#8217;ll be posting introductions from the team working on Anti-XSS including developers, program managers and a UX designer. From next week onwards we&amp;#8217;ll launch into detailed posts on the project that will generally fit into three main categories:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Team and Program Management&lt;/li&gt;    &lt;li&gt;Technical Design and Development&lt;/li&gt;    &lt;li&gt;User Experience (UX) &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;The program managers and I will share information about how we organize projects, set up Visual Studio Team System to support our development, how we use Agile and Scrum and other program management techniques to track our work, as well as discussing the high-level project design ideas and industry challenges. The developers themselves will share deep technical and code-level thoughts and ideas on the problems they are tackling and our UX guy will explain our thoughts and plans around user experience including developing personas, UI and documentation. &lt;/p&gt;  &lt;p&gt;In keeping with the introductions that will follow from other members of the Anti-XSS project team this week, here is a short bio about me. 
&lt;/p&gt;  &lt;p&gt;I graduated from &lt;a href="http://isg.rhul.ac.uk/"&gt;Royal Holloway, University of London&lt;/a&gt; with a Master's degree in Information Security in the mid-nineties as a mature student; a little late to the party after a &amp;quot;misspent youth&amp;quot;! Royal Holloway is most recently famous as the cryptography school where the cryptographer &lt;a href="http://en.wikipedia.org/wiki/Sophie_Neveu"&gt;Sophie Neveu&lt;/a&gt; was educated in the best-selling novel &amp;#8220;The Da Vinci Code&amp;#8221;. After spending several years working at various investment banks in the City of London on a variety of technical projects including PKI design, Windows NT security, policy development and single sign-on systems, I moved to Atlanta to run a consulting team performing security assessments at Internet Security Systems (now IBM). In late 2000 I took a job at Charles Schwab to create and manage the software security program, essentially creating the equivalent of the SDL program.&amp;#160; It was during this period of my life that I started &lt;a href="http://www.owasp.org"&gt;OWASP&lt;/a&gt;, the Open Web Application Project, which now has over 10,000 members globally and is recommended reading by the Federal Trade Commission and the National Institute for Standards (NIST). In 2003 I joined a small startup called &lt;a href="http://www.foundstone.com/"&gt;Foundstone&lt;/a&gt; to take the experience learnt at Schwab to other Fortune 1000 companies. The company was sold to McAfee in October 2004 and I joined the McAfee executive team, reporting directly to the President and continuing to run the consulting business. I was awarded the Microsoft MVP for Visual Developer Security in 2005. &lt;/p&gt;  &lt;p&gt;In late 2006 I left Foundstone and the States, moved back to Europe and took some time out to think seriously about designing and developing an information security management platform, work that is continuing in CISG today. 
I enjoy speaking at conferences, have contributed to several MS Press security books and have worked with the Patterns and Architecture Group (PAG) on threat modelling and code review guidance. I am currently writing a chapter for the &lt;a href="http://www.amazon.com/Beautiful-Security-John-Viega/dp/0596527489"&gt;O'Reilly book Beautiful Security&lt;/a&gt; on designing and building the next generation of security management technology.&amp;#160; I have a personal security blog at &lt;a href="http://www.securitybuddha.com"&gt;http://www.securitybuddha.com&lt;/a&gt; and am a recent &amp;quot;mid-life crisis&amp;quot; convert to jogging and kite flying.&lt;/p&gt;</description><category domain="http://blogs.msdn.com/cisg/archive/tags/Frameworks+and+Platforms/default.aspx">Frameworks and Platforms</category><category domain="http://blogs.msdn.com/cisg/archive/tags/OWASP/default.aspx">OWASP</category><category domain="http://blogs.msdn.com/cisg/archive/tags/Anti-XSS/default.aspx">Anti-XSS</category><category domain="http://blogs.msdn.com/cisg/archive/tags/Royal+Holloway/default.aspx">Royal Holloway</category><category domain="http://blogs.msdn.com/cisg/archive/tags/CISG/default.aspx">CISG</category></item></channel></rss>