Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Now all of the project landing pages for the Samples 2009 group on CodePlex have nice “inline” screenshots. That way, if you’re looking for reusable XAML, you know what you can get from these projects. Here are the five project URLs:

Permalink | Comments (0)

Check out our logo-certified Secure Password Storage project (hosted on CodePlex), currently featured on the Build a Better App site.

Permalink | Comments (0)

Our Secure Password Storage sample on CodePlex has just hit full maturity!

  • It’s been officially “Certified for Windows Vista”
  • A complete set of Japanese and English strings is included, and the implementation is fully locale aware and string table-based.
  • A help file is included (see the “?” button in the GUI) which includes great tips for WPF developers.

Now, how many code samples can make those claims? ;)

Permalink | Comments (2)

See the CodePlex site for this project, which now includes:

  • A screenshot and whitepaper draft on the Home tab
  • A digitally signed MSI installer with signed binaries at the Releases tab, which we’ve also dropped to the certification testing lab.
  • The latest source code (and WiX script for the installer) at the Source Code tab. A few more changes will probably be required before we’re done with certification, but the application is solid at this point.
Permalink | Comments (0)

As we prepare for the main development phase of the Secure Password Storage project, the primary purpose of which is to serve as a guide for Windows logo testing, an excellent question was raised: what exactly does logo testing entail?

Mainly, logo testing is a question of designing and implementing the target software, as well as its installer package, so that it passes a list of official test cases. We’ll be pursuing the Certified for Windows Vista logo for this project. The test case list for that logo is here. There’s a higher-level rationale document here.

If you write software for Windows, and you read nothing else about the logo program, I recommend at least skimming that test case list, because it raises several important points. These are points that apply to all Windows software and can have a considerable effect on usability.

For example, test case 3, “Verify Least-Privilege user is not able to save files to Windows System directory.” In other words, does your software introduce a potential elevation of privilege security bug? Lots of products use a thin client application to interface with the user, mated with an NT service to perform heavy lifting. But does the service expose functionality that might allow regular user accounts to do things that they wouldn’t be able to do directly (after all, that’s generally why the service is introduced in the first place)?

Another example - test case 23 - “Verify the application rolls back the install and restores machine back to previous state.” Don’t you hate it when you un-install a software package and it leaves behind data in the registry and files on disk?

In the Vista list linked above, there are 32 test cases total, each of which includes detailed instructions on how to perform the test. Again, it’s a useful document, and once you give it a quick scan, you’ll know exactly what you’re getting into. But, more importantly, you’ll have a better idea of the bar for the highest quality software.

Back to the other original question - what does Windows logo testing entail - the certification process is actually more than just the test cases. In order to obtain the “Certified” logo, you have to engage with a 3rd party test lab, and you have to follow the WHQL submission process. But if you’ve confirmed in advance that you pass all of the test cases (which you should do if you want to save time and money), then the rest is really just a question of waiting for the gears to turn.

Permalink | Comments (0)

For an introduction to the Secure Password Storage (SPS) project, see this post.

The latest specification document for SPS is available here. It now includes a GUI (graphical user interface) mock-up for the SPS client.

Some comments about that mock-up:

  1. It’s relatively simple. It includes the interface controls and a sample layout for what I expect will be the “main” screen of the SPS client.
  2. It was done using Visio. While that’s generally not the tool of choice for graphic designers, it’s one of the best tools for software designers. Once you’ve done a couple of component diagrams, and, yes, GUI mock-ups, it becomes natural and convenient.
  3. It uses the Win32 GUI templates from Visio. I did that just because it’s what I’m used to and it’s what Visio has to offer. Since we’re using WPF, and will be paying professional designers, I’ll expect them to come up with something more attractive.

Given how low-tech the GUI mock-up is, why is it worthwhile to do it? In my experience, it will pay for itself many times over, since it reduces the initial communication burden from requirements gathering, graphic design, and implementation. The same applies to the component graphic included in the spec.

Permalink | Comments (0)

Introduction

I introduced the “Samples 2009″ project series in this post. This - Secure Password Storage (SPS) - is the first project of the series. An introduction to SPS, and some of the initial design considerations, follows.

Before that, though, it’s important to note that the primary requirement for this project is that it must complete the Certified for Windows Vista logo process. We will document everything we do to prepare for and accomplish the logo certification.

Why should we do a sample project for logo certification? Well, we’re doing it because the Windows logo program is important, both to Microsoft and to the Windows ISV (Independent Software Vendors) community. First, the logo program helps to solidify the bond between Microsoft and the ISVs. Second, the program helps steer ISVs into the Microsoft Partner Program (and vice-versa). Speaking from personal experience, ISVs can benefit from these programs just as much as Microsoft does.

The third reason for undergoing logo certification is the most important: it improves the end-user experience by testing for common mistakes. On Vista, those mistakes tend to be related to UAC (User Account Control), both at install time (MSI) and run-time (elevation).

Fourth: as critical as the logo program is, it can be a complex process, with a steep learning curve for first-time users. First-timers tend to be small companies with significant time and budget sensitivity.

Thus, this project will demystify the logo program by completing it and documenting each step in detail.

In addition to the certification requirement, we need to build a sample that’s interesting and useful in its own right. As stated in the introductory post above, we’ll be including a professionally designed WPF user interface.

Secure Password Storage

With those requirements in mind, SPS is the software that we’ll be developing for this project. SPS will allow companies, or teams, to securely store website passwords for accounts that must be accessible to multiple people. Examples include MSDN (for a software team) or an online business checking account (for management or an accounting team).

SPS will use a three-tier architecture: there’s a WPF client that allows access to and management of the stored passwords, there’s a web service that exposes the data and enforces access control, and there’s a SQL database that stores the user data and encrypted passwords.

As an aside, I’d like to thank fellow Enterprise Security MVP Dana Epp for the idea of SPS.

The current developer specification draft can be found here.

Per-Password Security for SPS

As early as we are in the design phase for SPS, we’ve already identified what I believe will be the primary architectural question for the application: namely, how to control per-user access to each stored password. We’ve researched a few alternatives:

AzMan: For an introduction to the use of the Windows Authorization Manager feature in .NET, see this article. It’s not clear that AzMan, which is primarily for role-based access control, is the best solution for WPS, though, because we really only have two roles: regular users and the application administrator. The problem we face is a proliferation of data items, each of which requires its own ACL (Access Control List).

SQL row security: There’s a good article here about how this can be done. This approach involves creating a view for the sensitive table that consists only of rows for which the requesting user is listed as a reader (for example in a “Readers” column, or elsewhere). This introduces complexity in the form of SQL programming. It may be the way to go, but we need to do more research.

Enforcement via the web service: Finally, we could implement basically what SQL does, but instead process the approved lists of per-row readers and writers “manually” in the web service. This is a common approach and would move the complexity out of the SQL stored procedures and into ASP.NET. But it’s still nasty to have to roll your own access control. Again, more research is needed.

Additional SPS Project Notes

Since we’re still in the design phase, and don’t have any source code to publish yet, I haven’t created the CodePlex site for the SPS project. However, again, a link to the current dev spec is above, and comments are welcome.

The tag for blog posts relating to SPS is “Secure Password Storage”.

Permalink | Comments (1)