Security in .NET


What are we to talk about?

- Security A-B-C
- Security on the client
  - Evidences
  - Policies
  - Permissions
- Security on the server
  - ASP.NET
- Security on the network
  - Cryptography
  - Web Service security (will be covered in next session)

What is security all about?

- Identification
- Authentication
- Authorization
- Integrity
- Confidentiality
- Non-repudiation

Key Semi-Trust Scenarios

- Trusted user, trusted code
- Untrusted user, untrusted code
- Trusted user, untrusted code
- Untrusted user, trusted code

- OS security is based on user rights
- CLR security, layered on OS security, gives rights to code

Verification

- Security is enforceable on well-behaved code
- Without verification, arbitrary code can subvert security mechanisms
- Verification rules are safe, but may falsely reject code
- Code is verified to be memory type safe
  - Only access objects via well-defined interfaces
  - No unsafe casts, no access beyond array bounds, etc.
  - No stack underflow/overflow conditions
- Verification is great for general code quality
- Verifiability depends on the compiler/language

Evidence-Based Security

- Evidence
  - Inputs to policy about code
  - Extensible by design
- Policy
  - Determines what code can do
  - Grants permissions to an assembly
- Permissions
  - Specific authorizations
  - Define a level of access to a resource

Evidence Types

- Related to where the code was loaded from
  - URL
  - Site
  - Zone
  - Application Directory
- Related to who wrote the code
  - Strong Name
  - Publisher
- Arithmetic calculation of overall contents
  - Hash

Hierarchical Policy Levels

- CLR supports multiple, ordered policy levels
  - Enterprise: common policy for organization
  - Machine: policy for all users of given machine
  - User: policy specific to logged in user
- A policy contains
  - Code Groups
  - Permission Sets
  - Policy Assemblies
- Effective policy is the intersection of all levels

[Figure: policy hierarchy with Enterprise policy, Machine policy, and the per-user policies of User A and User B]

Code Group fundamentals

- Two linked rules:
  - What assemblies are members?
  - What permissions should they be granted?
- Code groups can be composed by unions

[Figure: code group tree; each node pairs a membership condition with a permission set (P0, P1, P2, P3)]

Changing Policies

- Changing policy
  - Done by administrators
- Limit what you trust
  - When in doubt omit permissions
  - Trust a particular server or a particular strong name
- Policy file location
  - Enterprise: %CLR InstallDir%\config\enterprise.config
  - Machine: %CLR InstallDir%\config\security.config
  - User: %USERPROFILE%\application data\Microsoft\CLR security config\vxx.xx\security.config

Assembly Input To Policy

- Assembly may have permission requests
  - Minimum, Optional, Refuse
  - If unspecified, Minimum and Refuse default to the empty set, Optional defaults to "everything"
- Load fails if policy does not grant Minimum
- Assembly is granted: (MaxAllowed ∩ (Minimum ∪ Optional)) − Refused
- In the default case (no requests) this reduces to MaxAllowed
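
The policy resolution described on the last four slides, worked through as an added example (a model written for this transcript, not CLR code and not from the original deck). Permissions are modelled as strings; the evidence values, code groups and permission names are constructed, and `PolicyModel`, `ResolveLevel`, `MaxAllowed` and `Grant` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration: permissions are plain strings and "everything" is an
// explicit universe; the real CLR works with PermissionSet objects.
static class PolicyModel
{
    static readonly string[] Universe = { "Execution", "UI", "FileIO", "Registry", "Socket" };

    // One code group: a membership condition over evidence plus a permission set.
    record CodeGroup(Func<IDictionary<string, string>, bool> IsMember, string[] Grants);

    // Within one policy level, the grants of all matching code groups are unioned.
    static HashSet<string> ResolveLevel(IEnumerable<CodeGroup> groups, IDictionary<string, string> evidence) =>
        groups.Where(g => g.IsMember(evidence)).SelectMany(g => g.Grants).ToHashSet();

    // Across levels (enterprise, machine, user) the per-level results are intersected.
    static HashSet<string> MaxAllowed(IEnumerable<IEnumerable<CodeGroup>> levels, IDictionary<string, string> evidence)
    {
        var allowed = new HashSet<string>(Universe);
        foreach (var level in levels) allowed.IntersectWith(ResolveLevel(level, evidence));
        return allowed;
    }

    // (MaxAllowed ∩ (Minimum ∪ Optional)) − Refused; null means "not specified".
    static HashSet<string> Grant(HashSet<string> maxAllowed, string[] minimum, string[] optional, string[] refused)
    {
        var min = new HashSet<string>(minimum ?? Array.Empty<string>());
        if (!min.IsSubsetOf(maxAllowed))
            throw new InvalidOperationException("load fails: policy does not grant Minimum");
        var granted = new HashSet<string>(optional ?? Universe);   // Optional defaults to everything
        granted.UnionWith(min);
        granted.IntersectWith(maxAllowed);
        granted.ExceptWith(refused ?? Array.Empty<string>());
        return granted;
    }

    static string Show(IEnumerable<string> set) => string.Join(", ", set.OrderBy(p => p));

    static void Main()
    {
        // Constructed evidence for one assembly.
        var evidence = new Dictionary<string, string> { ["Zone"] = "Intranet", ["Site"] = "build.example.test" };

        var allCode = new CodeGroup(_ => true, new[] { "Execution" });
        var enterprise = new[] { new CodeGroup(_ => true, Universe) };
        var machine = new[] { allCode,
            new CodeGroup(e => e["Zone"] == "Intranet", new[] { "UI", "FileIO", "Socket" }) };
        var user = new[] { allCode,
            new CodeGroup(e => e["Site"] == "build.example.test", new[] { "UI", "FileIO" }) };

        var max = MaxAllowed(new[] { enterprise, machine, user }, evidence);
        Console.WriteLine("MaxAllowed: " + Show(max));

        // No permission requests: the grant reduces to MaxAllowed.
        Console.WriteLine("Default:    " + Show(Grant(max, null, null, null)));

        // Least privilege: require Execution, accept UI if offered, refuse FileIO.
        Console.WriteLine("Requested:  " +
            Show(Grant(max, new[] { "Execution" }, new[] { "UI" }, new[] { "FileIO" })));
    }
}
```

The user level drops Socket even though the machine level grants it, and the assembly's own Refuse request drops FileIO on top of that: each layer can only narrow the grant.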

Permissions

- A permission is a set (or subset) of capabilities
  - The right to interact with a given resource
  - All permissions implement union, intersection, and subset operations
- Load time and run time security checks
  - Declarative security operations are made by annotating source code, appear in metadata
  - Imperative security operations are performed via object creation and method invocation
- "Stack walks" guard against "luring attacks"
  - Overridable with Asserts

Stack-walking Semantics

[Figure: call stack (grows down) of methods M1, M2, M3, M4 with grant sets G1, G2, G3, G4; the demand for P is checked against each caller]

- Each method has a set of corresponding grants
- Method M4 demands the permission P
- P is compared with grants of all callers on the stack above M4

[Figure: the same call stack (grows down) of methods M1, M2, M3, M4 with grant sets G1, G2, G3, G4, with a P.Assert() placed on one of the callers]

- Each method has a set of corresponding grants
- Method M4 demands the permission P
- P is compared with grants of all callers on the stack above M4
- Assert() can modify stack-walks: P.Assert()
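
The stack walk and the effect of Assert(), as an added example (a model written for this transcript, not the CLR's implementation and not from the original deck). `Frame`, `Demand` and the string permission names are hypothetical stand-ins for CLR stack frames and permission objects; the grant sets are constructed.

```csharp
using System;
using System.Collections.Generic;

static class StackWalkModel
{
    sealed class Frame
    {
        public string Method;
        public HashSet<string> Grants;                              // grant set of the frame's assembly
        public HashSet<string> Asserted = new HashSet<string>();    // permissions this frame asserted
    }

    // frames[0] is the outermost caller; the last frame is the method that demands.
    // Returns null when the demand succeeds, otherwise the frame that fails it.
    static string Demand(IReadOnlyList<Frame> frames, string permission)
    {
        // The walk starts at the immediate caller of the demanding method.
        for (int i = frames.Count - 2; i >= 0; i--)
        {
            Frame f = frames[i];
            // Every frame reached must hold the permission itself ...
            if (!f.Grants.Contains(permission)) return f.Method;
            // ... and an assert by such a frame ends the walk: callers further
            // up the stack are no longer examined.
            if (f.Asserted.Contains(permission)) return null;
        }
        return null;
    }

    static Frame F(string method, params string[] grants) =>
        new Frame { Method = method, Grants = new HashSet<string>(grants) };

    static string Report(IReadOnlyList<Frame> frames, string permission)
    {
        string failed = Demand(frames, permission);
        return failed == null ? "demand succeeds" : "SecurityException at " + failed;
    }

    static void Main()
    {
        Frame m1 = F("M1", "Execution");                // partially trusted caller
        Frame m2 = F("M2", "Execution", "FileIO");      // trusted library
        Frame m3 = F("M3", "Execution", "FileIO");
        Frame m4 = F("M4", "Execution", "FileIO");      // demands FileIO
        var stack = new[] { m1, m2, m3, m4 };

        // Plain stack walk: M1 is on the stack without FileIO, so trusted code
        // cannot be lured into using its own rights on M1's behalf.
        Console.WriteLine("no assert:    " + Report(stack, "FileIO"));

        // M2 asserts FileIO: the walk stops at M2 and M1 is never checked.
        // M2 now carries the responsibility for what it does with M1's input.
        m2.Asserted.Add("FileIO");
        Console.WriteLine("M2 asserts:   " + Report(stack, "FileIO"));

        // A frame cannot assert a permission it was never granted.
        m2.Asserted.Clear();
        m1.Asserted.Add("FileIO");
        Console.WriteLine("M1 asserts:   " + Report(stack, "FileIO"));
    }
}
```

When reviewing code that asserts, the second case is the one to look for: everything above the asserting frame becomes invisible to the demand, so the asserting method has to validate what its callers pass in.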

Permissions Protect Resources

- FileIO, FileDialog, IsolatedStorage, Environment, Registry, UI, Printing, Reflection, Security
- Socket, Web, DNS, OleDb, SQLClient, MessageQueue, EventLog, DirectoryServices, … (extensible)
- Execution, Assertion, Skip Verification, Unmanaged code, Control evidence, Control policy, Control principal, Control threads

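Putting It All Together

[Figure: the Host supplies Evidence for Assembly A3; the Policy Evaluator takes that evidence, the Security Policy and the assembly's Permission Requests and produces the grant set G3; Assembly A1 and Assembly A2 are shown with their grant sets G1 and G2]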

Managed Code Execution

[Figure: life cycle of managed code in three phases.
DEVELOPMENT: source code → compiler → assembly (metadata and IL); PEVerify; NGEN.
DEPLOYMENT: install to GAC, app. directory, download cache.
EXECUTION: assembly loader (assembly info: module + class list) → policy manager (inputs: policy, host evidence, permission requests; output: granted permissions) → class loader (class info) → JIT + verification → native code → CLR services (GC, exception, class init, security). Permission requests are shown at assembly, class and method level.]

Source code shown in the figure:

    using System;
    using System.IO;

    class App
    {
        public static void Main(String[] args)
        {
            String usr;
            FileStream f;
            StreamWriter w;
            try
            {
                // Reading the environment and creating the file are both
                // subject to permission demands made by the class library.
                usr = Environment.GetEnvironmentVariable("USERNAME");
                f = new FileStream("C:\\test.txt", FileMode.Create);
                w = new StreamWriter(f);
                w.WriteLine(usr);
                w.Close();
            }
            catch (Exception e)
            {
                Console.WriteLine("Exception:" + e.ToString());
            }
        }
    }

Policy file shown in the figure (fragment):

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
     <mscorlib>
      <security>
       <policy>
        <PolicyLevel version="1">
         <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing" Name="All_Code"
                    Description="Code group grants no permissions and forms the root of the code group tree.">
          <IMembershipCondition class="AllMembershipCondition" version="1"/>
          <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"

Extending the Policy System

- Custom Permissions
  - App defined authorization for a resource
  - Easy integration with policy
- Custom Code Groups & Membership Conditions
  - Implement new Code Group logic
  - Dynamic permission set computation
  - Alter default combining logic
- Custom Evidence
  - Create embedded evidence (e.g. certifications)
  - Evidence from trusted hosts

Security on the server

- Authentication and authorization
  - Extensible and customizable
  - Authentication scheme transparency
  - Simple deployment model
- Support for granular declarative and imperative authorizations
- Supports application layer security

ASP Architecture

[Figure: Internet Information Server with ISAPI filters and ISAPI extensions, ASP.DLL, the ASP script engine, the script code/script engine cache, script execution and the .ASP file; the request and response flow is numbered 1 to 10]

ASP.NET Architecture

[Figure: ASP.NET HTTP runtime with modules, page handlers, the ASPX engine, the page class and its class instance, and the ASP.NET page; the request and response flow is numbered 1 to 9]

Process Identity

- Windows® 2000:
  - Default is ASPNET (local service account)
  - Can also run as System or configured account using <processModel>
- Windows .NET Server
  - Uses IIS 6 process model
  - Default is NetworkService
  - App Pools are configurable, identity is configurable

Request identity

- "Impersonation"
  - Running under the security context of the request entity
  - Configurable in ASP.NET
  - Enable for ASP compatible behavior

    <system.web>
      <identity impersonate="true" />
    </system.web>

ASP.NET Request Processing

[Figure: inside the host (IIS), the application's ASP.NET runtime passes each request through HTTP modules and Global.asax to an HTTP handler (an ASP.NET page or ASP.NET service); all of them share the HttpContext]

Per-request events:

- BeginRequest
- AuthenticateRequest
- AuthorizeRequest
- ResolveRequestCache
- AcquireRequestState
- PreRequestHandlerExecute
- <handler executes here>
- PostRequestHandlerExecute
- ReleaseRequestState
- UpdateRequestCache
- EndRequest

Authentication

- ASP.NET is an ISAPI extension
  - Only receives requests for mapped content
- Windows Authentication (via IIS)
  - Basic, Digest, NTLM, Kerberos, Certificate Support
  - Leverages platform authentication
- Forms-based (Cookie) Authentication
  - Application credential verification
- Supports Microsoft® Passport Authentication
- Custom Authentication

Microsoft Passport

- Single sign-in across member sites
- Integrated into ASP.NET authentication
- Requires Passport SDK installation
- ASP.NET wraps:
  - IPassportManager
  - IPassportManager2
  - IPassportCrypt
- More details at http://www.passport.com
- Passport support built into IIS 6

Forms-Based Auth

- Easy to implement
- ASP.NET provides redirection
- Steps
  - Configure IIS to allow anonymous users (typically)
  - Use SSL!
  - Configure ASP.NET cookie authentication
  - Write your login page

Forms authentication

1. GET default.aspx HTTP/1.1
2. 302 Redirect
   Location: login.aspx
3. POST login.aspx HTTP/1.1
   <form data containing credentials>
4. App authentication
5. 200 OK
   Set-Cookie: .ASPXAUTH Auth Ticket
6. GET default.aspx HTTP/1.1
   Cookie: .ASPXAUTH Auth Ticket

Forms Auth Configuration

    <authentication mode="Forms">
      <forms
        name=".ASPXAUTH"
        loginUrl="login.aspx"
        protection="All"
        timeout="30"
        path="/"
      />
    </authentication>

Authorization Strategies

- Windows Security and ACLs
  - ACLs checked for Windows auth
  - Independent of impersonation
- COM+ Roles
- URL Authorization
- Custom Authorization
- Windows .NET AuthZ Framework
- Explicit imperative/declarative checks

Using URL Authorization

Example: allow "Admins" or "WebServiceUsers" and deny all others

    <!-- * is all users, ? is anonymous users -->
    <authorization>
      <allow verbs="POST" roles="Admins" />
      <allow roles="WebServiceUsers" />
      <deny users="*" />
    </authorization>

Example: deny anonymous users

    <authorization>
      <deny users="?" />
    </authorization>

Custom security

- Handle appropriate event
  - Application level (global.asax) or
  - Http Module (implement IHttpModule)
- Authentication: AuthenticateRequest
  - Custom SOAP authentication
- Authorization: AuthorizeRequest
  - Implement per-request billing system
  - Restrict access based on business rules
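
A custom authorization module of the kind this slide describes, as an added example (not code from the original deck). It targets System.Web on the .NET Framework; the `~/reports/` area, the `ReportReaders` role and the class name `ReportAuthorizationModule` are hypothetical.

```csharp
using System;
using System.Web;

// Added example: a business rule enforced in the AuthorizeRequest event.
public sealed class ReportAuthorizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after AuthenticateRequest, so Context.User
        // has already been set by the configured authentication module.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Application-relative path ("~/reports/q3.aspx"), compared without
        // regard to case so "/Reports/" cannot sidestep the rule.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith("~/reports/", StringComparison.OrdinalIgnoreCase))
            return;                                  // the rule covers one area only

        var user = ctx.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // With forms authentication enabled, a 401 is turned into the
            // redirect to the login page at the end of the request.
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
            return;
        }

        if (!user.IsInRole("ReportReaders"))
        {
            ctx.Response.StatusCode = 403;
            // Skip the remaining events and the handler; go to EndRequest.
            app.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```

The module takes effect once it is registered in the application's web.config under `<httpModules>`; until then no request reaches it.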

Terminology

- Plaintext
  - The stuff you want to secure, typically readable by humans (email) or computers (software, order)
- Ciphertext
  - Unreadable, secure data that must be decrypted
- Key
  - You must have it to encrypt or decrypt (or do both)
- Cryptanalysis
  - Hacking it by using science
- Complexity Theory
  - How hard is it and how long will it take to run a program

Cryptographic Ciphers

- Symmetric Cipher = 1 Key
  - Used for encryption and decryption
  - Key is vulnerable if transmitted
  - Does not support non-repudiation
  - Examples
    - Triple DES (64bit)
    - AES (variable key size)

[Figure: text → ciphertext]

Cryptography Ciphers

- Asymmetric Cipher = non-matching keys
  - One key for encryption
  - One key for decryption
  - Does not require exchange of keys
  - Examples
    - RSA (variable key size)

[Figure: text → ciphertext → text]

Digital Signatures

- Enables integrity and non-repudiation
- RSA, DSA or HMAC (symmetric key)
- Relies on Hashing
  - Secure Hash Algorithm (SHA)
  - SHA1 creates a 20 byte digest of any binary data (2^160)

[Figure: text → SHA → digest → RSA with the private key → signed digest; the signed digest is checked with the public key]

Cryptographic APIs

- Comprehensive cryptographic library
- Easy, unified, stream-based architecture
- System.Security.Cryptography
- Common algorithms:
  - Hashing: SHA-1, SHA-256/-384/-512, MD5
  - Asymmetric: RSA, DSA
  - Symmetric: AES, TripleDES, DES, RC2
  - MAC: HMAC-SHA1, MACTripleDES
- Open & extensible model (new algorithms)

Crypto Object Model

- Abstract base classes (only one shown)
  - SymmetricAlgorithm
- Abstract algorithm classes
  - TripleDES
  - Rijndael
  - RC2
- Algorithm implementation classes
  - TripleDESCryptoServiceProvider (CryptoAPI)
  - RijndaelManaged (C#)
  - RC2CryptoServiceProvider

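Sample: Hashing & RNGs

    Imports System.Security.Cryptography

    ' Fill a buffer from the cryptographic random number generator.
    ' VB array bounds are inclusive: Byte(128) holds 129 bytes.
    Dim rng As RandomNumberGenerator = RandomNumberGenerator.Create()
    Dim bytes As Byte() = New Byte(128) {}
    rng.GetBytes(bytes)

    ' Hash the input data (a Byte array) with SHA-256.
    Dim hash As SHA256 = SHA256.Create()
    Dim digest As Byte() = hash.ComputeHash(inputData)

- Simple programming model
  - Common functions accessible as single method calls on algorithm objects
- Runtime adaptation based on config system
  - You choose the "default implementation"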

Encryption

Instantiate the algorithm

    SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");

Generate a key

    byte[] myNewKey = alg.Key;
    byte[] myNewIV = alg.IV;   // generated per instance; the decryptor needs the same IV

Encode your data

    string message = "Top secret data...";
    byte[] plain = Encoding.UTF8.GetBytes(message);

Perform the encryption

    ICryptoTransform enc = alg.CreateEncryptor();
    byte[] cipher;
    cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

Decryption

Instantiate the algorithm

    SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");

Obtain the key

    alg.Key = theKey;
    alg.IV = theIV;   // the IV used for encryption; a new instance starts with a different random IV

Perform the decryption

    ICryptoTransform dec = alg.CreateDecryptor();
    byte[] plain;
    plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);

Decode the data

    string plainText = Encoding.UTF8.GetString(plain);
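
The same round trip with the IV carried alongside the ciphertext and an HMAC for integrity, as an added example (not code from the original deck). It swaps the slides' DES for AES, which the deck lists among the symmetric algorithms, and adds an encrypt-then-MAC step the slides do not show; it targets .NET 6 or later, and `SealedMessage`, `Protect` and `Unprotect` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example. Message layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
static class SealedMessage
{
    const int IvLen = 16, TagLen = 32;

    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plain)
    {
        using (var aes = Aes.Create())              // CBC mode and PKCS7 padding by default
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();                       // fresh IV for every message
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

            byte[] body = aes.IV.Concat(cipher).ToArray();
            byte[] tag = hmac.ComputeHash(body);    // the MAC covers the IV as well
            return body.Concat(tag).ToArray();
        }
    }

    public static byte[] Unprotect(byte[] encKey, byte[] macKey, byte[] message)
    {
        if (message.Length < IvLen + TagLen)
            throw new CryptographicException("message too short");

        byte[] body = message.Take(message.Length - TagLen).ToArray();
        byte[] tag = message.Skip(message.Length - TagLen).ToArray();

        // Verify before decrypting, with a constant-time comparison.
        using (var hmac = new HMACSHA256(macKey))
        {
            if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), tag))
                throw new CryptographicException("integrity check failed");
        }

        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = body.Take(IvLen).ToArray();    // the IV travels with the message
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(body, IvLen, body.Length - IvLen);
        }
    }

    static void Main()
    {
        // Separate keys for encryption and authentication.
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);

        byte[] sealedMsg = Protect(encKey, macKey, Encoding.UTF8.GetBytes("Top secret data..."));
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(encKey, macKey, sealedMsg)));

        sealedMsg[IvLen] ^= 0x01;                   // flip one ciphertext bit in transit
        try { Unprotect(encKey, macKey, sealedMsg); }
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```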

What have we talked about?

- Security A-B-C
- Security on the client
  - Evidences
  - Policies
  - Permissions
- Security on the server
  - ASP.NET
- Security on the network
  - Cryptography

Recommended reading

- Applied Cryptography, Bruce Schneier, ISBN: 0-4711-1709-9
- Writing Secure Code, Michael Howard, David Leblanc, ISBN: 0-7356-1588-8
- The Code Book, Simon Singh, ISBN: 0-3854-9532-3
