.NET Security and MSIL
Tom Roeder
CS215 2006fa
MSIL
Common intermediate language: really CIL in the ECMA standard; MSIL is the common name
Very close to C# (and other OO languages): define classes, define methods, similar attributes; statements look more like assembly
MSIL
No structured control flow: use conditional/unconditional branches
Specify calls exactly: need to have the right number of parameters, eg
[mscorlib]System.Console::WriteLine(string, object, object)
Stack language: main operations push and pop from the stack; call methods in other objects from the stack
Stack language
Instead of registers, everything is from the stack, eg
int i = 137; int j = 1; int k = i + j;
all operations take their operands from the stack
common intermediate language: like JVM bytecode, very close to the high-level language
[ stack diagram: after pushing i the stack holds 137; after pushing j it holds 1 above 137; after add it holds 138 ]
MSIL
why a stack language? consistent for all machines: limited but possible everywhere; stack construct easy to check
Always implemented by JIT: stack construct mostly in theory; slower to interpret
MSIL operations
stloc <index>: pops and stores in local index (16 bits); some assemblers handle variable names
ldloc <index>: pushes contents of local index onto the stack
integer operations eg. add, mul, sub, div
box/unbox
conv.*
MSIL operations
call: static or instance; uses the static type of the class
callvirt: uses dynamic instead of static typing
castclass: pop, try to cast, push new reference on stack
MSIL operations
ceq/cgt/clt: pop top two elements of stack, check =, >, <; push 1 if true, 0 if false
br/beq/bgt/blt/brfalse/brtrue: do the comparison and jump; br is an unconditional jump; use to implement structured control flow
MSIL structure
.method: define methods
.class: define any type
extends: extend some other type; if extend System.ValueType, then value type, and sealed
.entrypoint
MSIL structure
.locals: define names and types for local variables; useful if writing straight MSIL
.maxstack: say how large the stack will be at most; must push onto stack for method calls; must remember to push object being called; one reason compilers are useful
MSIL example
Can generate from arbitrary C# using ILDASM, which can be found in Visual Studio
[ see example in emacs and Visual Studio ]
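A complete MSIL program for the `int i = 137; int j = 1; int k = i + j;` example from the stack-language slide, added here as an illustration (it is not the example shown in the lecture); it assumes ilasm syntax with a `mscorlib` reference and uses the four-argument `WriteLine` overload plus a `cgt`/`brfalse` pair in place of a structured if.

```cil
// Added example (not from the lecture). Assemble with ilasm.
.assembly extern mscorlib {}
.assembly AddExample {}

.method public static void Main() cil managed
{
    .entrypoint                              // where execution starts
    .maxstack 4                              // deepest point: string + 3 boxed ints before call
    .locals init (int32 i, int32 j, int32 k) // named locals; ilasm maps names to indices

    ldc.i4 137          // push 137            stack: 137
    stloc i             // i = 137             stack: (empty)
    ldc.i4.1            // push 1              stack: 1
    stloc j             // j = 1               stack: (empty)

    ldloc i             //                     stack: 137
    ldloc j             //                     stack: 137 1
    add                 // pops both, pushes   stack: 138
    stloc k             // k = 138             stack: (empty)

    // Call must match the overload exactly: WriteLine(string, object, object, object).
    // Locals are int32, so each is boxed to object before the call.
    ldstr "{0} + {1} = {2}"
    ldloc i
    box [mscorlib]System.Int32
    ldloc j
    box [mscorlib]System.Int32
    ldloc k
    box [mscorlib]System.Int32
    call void [mscorlib]System.Console::WriteLine(string, object, object, object)

    // No structured if: compare, then branch on the 0/1 result.
    ldloc k
    ldc.i4 100
    cgt                 // pushes 1 if k > 100, else 0
    brfalse SMALL       // jump when the comparison pushed 0
    ldstr "k is greater than 100"
    call void [mscorlib]System.Console::WriteLine(string)
    ret
SMALL:
    ldstr "k is at most 100"
    call void [mscorlib]System.Console::WriteLine(string)
    ret
}
```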
Brief Security Intro
Lampson's Gold Standard (Au): Authentication: who's who; Authorization: who can do what; Audit: who did what
Need mechanisms for all three; need good support libraries eg. built-in crypto
C# security based on Windows security
.NET Security: authentication
Windows security based on principals: a user is a principal; accounts can be principals (eg. LOCAL SYSTEM); users are members of groups
these groups act as roles; system policy specifies rights for different roles: this is the authorization
a given principal is assigned the ownership of a program: its rights come from this principal
What is wrong with this model?
.NET Security: authentication
Evidence-based security, called "code access security": evidence is taken from many properties of code (url, signature, site, etc); system policy can assign different rights
thus authorization is based on this policy; can specify access rights to classes/resources
When would this be useful?
Somewhat coarse-grained: must be specified in the system; defaults based on code group
Code Access Security
Can assign permissions to groups of code; grouping made explicitly or on evidence
Code can request permissions
Declaratively (using attributes): happens at compile time (JIT compilation)
Imperatively (using calls to a subclass of CodeAccessPermission): happens at runtime
When would you want to use each?
Code Access Security
Can also request permissions for an assembly: RequestMinimum, RequestOptional, RequestRefuse
What happens on requests: stack walk; if any caller in the stack doesn't have the permission, then a Security exception is thrown; default deny
Code Access Security
Asserting permissions: allows a method to assert that all higher code already has the permission; can short-circuit the stack walk; must have the permission to make this assertion
Is there an attack here? Can lead to luring attacks: get trusted code to use assert, then get it to call malicious code
.NET Security: cryptography
Provided in System.Security.Cryptography
Provides implementations of all major crypto, eg. RSA, (Triple)DES, AES; hashes: SHA-1, MD5
Managed and unmanaged implementations: why does this matter?