.NET Security and MSIL

Tom Roeder

CS215 2006fa

MSIL

Common intermediate language really CIL in ECMA standard MSIL is common name

Very close to C# (and other OO languages) define classes define methods similar attributes statements look more like assembly

MSIL

No structured control flow use conditional/unconditional branches

Specify calls exactly need to have the right number of parameters eg

[mscorlib]System.Console::WriteLine(string, object, object)

Stack language main operations push and pop from stack call methods in other objects from stack

Stack langauge

Instead of registers, everything is from stack eg

int i = 137; int j = 1;int k = i + j;

all operations take their operands from the stack common intermediate language

like JVM bytecode very close to the high-level language

1371137138

MSIL

why a stack language? consistent for all machines limited but possible everywhere stack construct easy to check

Always implemented by JIT stack construct mostly in theory slower to interpret

MSIL operations

stloc <index> pops and stores in local index (16 bits) some assemblers handle variable names

ldloc <index> pushes contents of local index onto stack

integer operations eg. add, mul, sub, div

box/unbox conv.*

MSIL operations

call static instance uses the static type of the class

callvirt uses dynamic instead of static typing

castclass pop, try to cast, push new reference on stack

MSIL operations

ceq/cgt/clt pop top two elements of stack check =, >, < push 1 if true, 0 if false

br/beq/bgt/blt/bfalse/btrue do the comparison and jump br is an unconditional jump use to implement structured control flow

MSIL structure

.method define methods

.class define any type extends

extend some other type if extend System.ValueType, then value type, and

sealed

.entrypoint

MSIL structure

.locals define names and types for local variables useful if writing straight MSIL

.maxstack say how large the stack will be at most must push onto stack for method calls

must remember to push object being called one reason compilers are useful

MSIL example

Can generate from arbitrary C# use ILDASM can be found in Visual Studio

[ see example in emacs and Visual Studio ]

Brief Security Intro

Lampson’s Gold Standard (Au) Authentication: who’s who Authorization: who can do what Audit: who did what

Need mechanisms for all three need good support libraries eg. built-in crypto

C# security based on Windows security

.NET Security: authentication

Windows security based on principals a user is a principal accounts can be principals (eg. LOCAL SYSTEM) users are members of groups

these groups act as roles system policy specifies rights for different roles

this is the authorization a given principal is assigned the ownership of a

program: its rights come from this principal What is wrong with this model?

.NET Security: authentication

Evidence-based security called “code access security” evidence is taken from many properties of code

url, signature, site, etc system policy can assign different rights

thus authorization is based on this policy can specify access rights to classes/resources

When would this be useful? Somewhat coarse-grained

must be specified in the system defaults based on code group

Code Access Security

Can assign permissions to groups of code grouping made explicitly or on evidence

Code can request permissions Declaratively (using attributes)

happens at compile time (JIT compilation) Imperatively (using calls to subclass of

CodeAccessPermission) happens at runtime

When would you want to use each?

Code Access Security

Can also request permissions for assembly RequestMinimum RequestOptional RequestRefuse

What happens on requests stack walk if any caller in stack doesn’t have permission,

then Security exception is thrown default deny

Code Access Security

Code Access Security

Asserting permissions allows a method to assert that all higher code

already has the permission can short-circuit stack walk must have permission to make this assertion

Is there an attack here? Can lead to luring attacks

get trusted code to use assert then get it to call malicious code

.NET Security: cryptography

Provided in System.Security.Cryptography Provides implementations of all major crypto

eg. RSA (Triple)DES hashes: SHA-1, MD5 AES

Managed and unmanaged implementations why does this matter?