Security in .NET
What are we to talk about?
  Security A-B-C
  Security on the client: evidence, policy, permissions
  Security on the server: ASP.NET
  Security on the network: cryptography; Web Service security (will be covered in next session)
What is security all about?
  Identification, Authentication, Authorization, Integrity, Confidentiality, Non-repudiation
Key Semi-Trust Scenarios
  Trusted user, trusted code
  Untrusted user, untrusted code
  Trusted user, untrusted code (the case OS security alone cannot handle: the user is allowed to act, the code running on their behalf should not be)
  Untrusted user, trusted code
  OS security is based on user rights; CLR security, layered on OS security, gives rights to code
Verification
  Security is enforceable only on well-behaved code; without verification, arbitrary code can subvert the security mechanisms
  Verification rules are conservative: they are safe, but may falsely reject code that is in fact type safe
  Code is verified to be memory and type safe: objects are accessed only via well-defined interfaces; no unsafe casts, no access beyond array bounds, no stack underflow/overflow conditions
  Verification is great for general code quality; verifiability depends on the compiler/language (C# without unsafe blocks emits verifiable IL, managed C++ generally does not; check an assembly with peverify.exe, and remember that unverifiable code only runs if policy grants the SkipVerification permission)
Evidence-Based Security
  Evidence: inputs to policy about code; extensible by design
  Policy: determines what code can do; grants permissions to an assembly
  Permissions: specific authorizations; define a level of access to a resource
Evidence Types
  Related to where the code was loaded from: URL, Site, Zone, Application Directory
  Related to who wrote the code: Strong Name, Publisher (Authenticode certificate)
  Arithmetic calculation of the overall contents: Hash
Policy Levels
  CLR supports multiple, ordered policy levels
    Enterprise: common policy for the organization
    Machine: policy for all users of a given machine
    User: policy specific to the logged-in user
  A policy level contains Code Groups, Permission Sets and Policy Assemblies
  Effective policy is the intersection of all levels: a lower level can only take permissions away, never add one that a higher level withheld
Hierarchical Policy Levels (diagram): Enterprise policy, above Machine policy, above per-user policy for User A and User B
Code Group fundamentals
  Two linked rules: what assemblies are members (a membership condition evaluated against evidence)? what permissions should they be granted (a permission set)?
  Code groups form a tree; the permission sets of all matching groups are composed by union
Code group tree (diagram): a root code group with its condition and permission set P0; child code groups, each with its own condition, granting P1, P2 and P3
Changing Policies
  Changing policy is done by administrators (with the .NET Framework Configuration tool or caspol.exe)
  Limit what you trust: when in doubt, omit permissions; trust a particular server or a particular strong name rather than a whole zone
  Policy file locations
    Enterprise: %CLR InstallDir%\config\enterprise.config
    Machine: %CLR InstallDir%\config\security.config
    User: %USERPROFILE%\Application Data\Microsoft\CLR security config\vxx.xx\security.config
Assembly Input To Policy
  An assembly may carry permission requests: Minimum, Optional, Refuse
  If unspecified, Minimum and Refuse default to the empty set and Optional defaults to "everything"
  Load fails if policy does not grant Minimum
  The assembly is granted: (MaxAllowed ∩ (Minimum ∪ Optional)) − Refused, where MaxAllowed is what policy would grant on the evidence alone
  In the default case (no requests) this reduces to MaxAllowed
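The request formula above, as an added example that is not code from the original deck: declarative assembly-level Minimum, Optional and Refuse requests, and a runtime check of what was actually granted. It targets the .NET Framework 1.x/2.x code access security model the deck describes (.NET 4 and later ignore these request attributes); the directory path and the class name are placeholders chosen for the example.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Execution is itself a permission: once Optional is narrowed to "Nothing" below,
// the grant is exactly Minimum, so Minimum must include the right to run at all.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]

// Minimum: refuse to load unless policy grants read access to this directory
// (placeholder path for the example).
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\app\config")]

// Optional: request the empty named set, so nothing beyond Minimum is granted.
// Without this line Optional defaults to "everything", i.e. whatever policy allows.
[assembly: PermissionSet(SecurityAction.RequestOptional, Name = "Nothing")]

// Refuse: never accept the right to call unmanaged code, even under FullTrust policy.
[assembly: SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode = true)]

public class GrantCheck
{
    // Asks the runtime whether this assembly's grant set includes p, where
    // grant = (MaxAllowed intersect (Minimum union Optional)) minus Refused.
    public static bool Has(IPermission p)
    {
        return SecurityManager.IsGranted(p);
    }

    public static void Main()
    {
        // In Minimum: granted, otherwise the assembly would not have loaded
        Report("read C:\\app\\config",
               Has(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\app\config")));
        // Neither in Minimum nor Optional: not granted however generous policy is
        Report("write C:\\app\\config",
               Has(new FileIOPermission(FileIOPermissionAccess.Write, @"C:\app\config")));
        // Explicitly refused: not granted even under FullTrust
        Report("call unmanaged code",
               Has(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode)));
    }

    static void Report(string what, bool granted)
    {
        Console.WriteLine("{0,-24} {1}", what, granted ? "granted" : "NOT granted");
    }
}
```

Compile it into its own assembly and run it from the local disk (FullTrust policy) to see the requests, not the policy, bounding the grant; run it from a share or URL whose code group lacks the read permission and the load itself fails, which is the Minimum rule at work.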
Permissions
  A permission is a set (or subset) of capabilities: the right to interact with a given resource
  All permissions implement union, intersection, and subset operations
  Load-time and run-time security checks
    Declarative security operations are made by annotating source code with attributes; they appear in metadata
    Imperative security operations are performed via object creation and method invocation
  Stack walks guard against luring attacks, where less-trusted code calls into more-trusted code to get a privileged operation performed on its behalf: a demand checks every caller on the stack, so the less-trusted caller is found even though it never touched the resource directly
  Overridable with Assert
Stack-walking Semantics (diagram)
  Call stack, growing down: Method M1 (grants G1) calls M2 (grants G2), which calls M3 (grants G3), which calls M4 (grants G4); each method has the grant set of its assembly
  Method M4 demands the permission P
  P is compared with the grants of all callers on the stack above M4 (G3, G2, G1); the demand succeeds only if every one of them includes P
  Assert() can modify stack walks: after P.Assert() in a frame, the walk for P stops at that frame and the callers above it are not checked
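The walk, the demand and the assert in working code, as an added example that is not from the original deck. It uses the .NET Framework 1.x/2.x code access security API the deck describes (Deny and Assert are ignored in .NET 4 and later); the log path is a placeholder and the directory is assumed to exist. A declarative Deny stands in for a partially trusted assembly so the failure can be seen on a fully trusted machine.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public class AuditLog
{
    // Placeholder path for the example; FileIOPermission needs an absolute path
    public const string LogPath = @"C:\app\logs\audit.log";

    static void Write(string line)
    {
        using (StreamWriter w = File.AppendText(LogPath)) { w.WriteLine(line); }
    }

    // Imperative Demand: the walk checks every caller above this frame for append
    // access to LogPath, so a less-trusted caller cannot lure this code into writing for it.
    public static void Append(string line)
    {
        new FileIOPermission(FileIOPermissionAccess.Append, LogPath).Demand();
        Write(line);
    }

    // The same Demand in declarative form: stored in metadata, evaluated by the
    // runtime before the body executes.
    [FileIOPermission(SecurityAction.Demand, Append = LogPath)]
    public static void AppendDeclarative(string line)
    {
        Write(line);
    }

    // Assert: the walk stops at this frame, so callers without file access can log.
    // Acceptable only because this method controls what is written and where; the
    // asserting assembly must itself hold the permission and SecurityPermission Assertion.
    public static void AppendForUntrustedCaller(string line)
    {
        // Validate the one thing the caller controls before asserting anything
        if (line == null || line.Length > 512 || line.IndexOf('\n') >= 0 || line.IndexOf('\r') >= 0)
            throw new ArgumentException("audit line must be a single line of at most 512 chars");

        new FileIOPermission(FileIOPermissionAccess.Append, LogPath).Assert();
        try
        {
            Write(line);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();   // never leave the Assert in effect
        }
    }
}

// Stands in for a partially trusted assembly: Deny removes append access from this
// frame, so any demand that walks through Run() fails just as it would for code
// that policy never granted file access.
public class LowTrustCaller
{
    [FileIOPermission(SecurityAction.Deny, Append = AuditLog.LogPath)]
    public static void Run()
    {
        try
        {
            AuditLog.Append("from low-trust caller");
            Console.WriteLine("Append: allowed");
        }
        catch (SecurityException)
        {
            Console.WriteLine("Append: SecurityException, the walk reached the denying frame");
        }

        // The Assert inside stops the walk before it reaches this frame
        AuditLog.AppendForUntrustedCaller("from low-trust caller");
        Console.WriteLine("AppendForUntrustedCaller: allowed");
    }

    public static void Main() { Run(); }
}
```

The point to take from the Assert branch is that it is exactly the luring attack re-enabled on purpose: the only thing standing between the denied caller and the file is the validation that runs before the Assert, so that validation, not the permission system, is the control.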
Permissions Protect Resources
  Resource permissions: FileIO, FileDialog, IsolatedStorage, Environment, Registry, UI, Printing, Reflection, Security, Socket, Web, DNS, OleDb, SQLClient, MessageQueue, EventLog, DirectoryServices, ... (extensible)
  SecurityPermission flags: Execution, Assertion, SkipVerification, UnmanagedCode, ControlEvidence, ControlPolicy, ControlPrincipal, ControlThreads
Putting It All Together (diagram)
  The host supplies evidence for each assembly (A1, A2, A3)
  The policy evaluator combines that evidence, the security policy and each assembly's own permission requests
  The result is a grant set per assembly: G1 for A1, G2 for A2, G3 for A3
Managed Code Execution (diagram)
  DEVELOPMENT: source code is compiled into an assembly (metadata and IL); PEVerify checks it; NGEN can precompile it
    Sample source from the slide (writes the current user name to a file; using directives and the class wrapper added so it compiles):
      using System;
      using System.IO;
      public class App {
          public static void Main(String[] args) {
              String usr;
              FileStream f;
              StreamWriter w;
              try {
                  usr = Environment.GetEnvironmentVariable("USERNAME");
                  f = new FileStream("C:\\test.txt", FileMode.Create);
                  w = new StreamWriter(f);
                  w.WriteLine(usr);
                  w.Close();
              } catch (Exception e) {
                  Console.WriteLine("Exception:" + e.ToString());
              }
          }
      }
    Running it needs EnvironmentPermission (read USERNAME) and FileIOPermission (write C:\test.txt); under a policy that withholds either, the demand fails with a SecurityException, which the catch block reports
  DEPLOYMENT: install to the GAC, the application directory, or the download cache
  EXECUTION: the Assembly Loader reads the assembly info, modules and class list; the Policy Manager takes host evidence, the security policy and the assembly's permission requests (assembly, class, method) and produces the granted permissions; the Class Loader produces class info; JIT plus verification produces native code; CLR services (GC, exceptions, class init, security) run alongside
    Policy fragment shown on the slide (security.config; truncated there):
      <?xml version="1.0" encoding="utf-8" ?>
      <configuration>
        <mscorlib>
          <security>
            <policy>
              <PolicyLevel version="1">
                <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing" Name="All_Code" Description="Code group grants no permissions and forms the root of the code group tree.">
                  <IMembershipCondition class="AllMembershipCondition" version="1"/>
                  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"
Extending the Policy System
  Custom Permissions: application-defined authorization for a resource; easy integration with policy
  Custom Code Groups and Membership Conditions: implement new code group logic; dynamic permission set computation; alter the default combining logic
  Custom Evidence: create embedded evidence (e.g. certifications); evidence from trusted hosts
What are we to talk about?
  Security A-B-C
  Security on the client: evidence, policy, permissions
  Security on the server: ASP.NET
  Security on the network: cryptography; Web Service security (will be covered in next session)
Security on the server
  Authentication and authorization: extensible and customizable; authentication scheme transparency; simple deployment model
  Support for granular declarative and imperative authorization
  Supports application-layer security
ASP Architecture (diagram)
  Requests enter Internet Information Server, pass the ISAPI filters, and are routed to the ISAPI extension ASP.DLL
  ASP.DLL loads the .ASP file (from the script cache when possible), hands the script code to the script engine, and script execution produces the responses
ASP.NET Architecture (diagram)
  Requests enter the ASP.NET HTTP runtime, pass through the HTTP modules, and reach a page handler
  The ASPX engine compiles the ASP.NET page into a page class; a class instance executes and produces the responses
Process Identity
  Windows 2000: the default is ASPNET, a least-privileged local account created for the worker process; the process can also run as System or as a configured account using <processModel> in machine.config
  Windows .NET Server (shipped as Windows Server 2003): uses the IIS 6 process model; the default identity is NetworkService; application pools are configurable and each pool's identity is configurable
Request identity
  <system.web>
    <identity impersonate="true" />
  </system.web>
  "Impersonation": running under the security context of the request entity (the authenticated Windows user, or the anonymous IUSR account for anonymous requests); configurable in ASP.NET; enable it for ASP-compatible behavior
  Without impersonation, code runs as the process identity regardless of who made the request, so file and registry ACLs are checked against ASPNET or NetworkService, not against the user
ASP.NET Request Processing (diagram)
  The host (IIS) passes the request to the ASP.NET runtime; the HttpContext flows through the HTTP modules, the Global.asax event handlers and finally the HTTP handler (the ASP.NET page or service) that executes it
  Per-request events, in order:
    BeginRequest
    AuthenticateRequest
    AuthorizeRequest
    ResolveRequestCache
    AcquireRequestState
    PreRequestHandlerExecute
    <handler executes here>
    PostRequestHandlerExecute
    ReleaseRequestState
    UpdateRequestCache
    EndRequest
Authentication
  ASP.NET is an ISAPI extension and only receives requests for content mapped to it in IIS; anything not mapped (for example .txt, .xml or .inc files, unless you add the mappings) is served by IIS directly and never sees ASP.NET authentication or URL authorization
  Windows Authentication (via IIS): Basic, Digest, NTLM, Kerberos, Certificate support; leverages platform authentication
  Forms-based (Cookie) Authentication: application credential verification
  Supports Microsoft Passport Authentication
  Custom Authentication
Microsoft Passport
  Single sign-in across member sites
  Integrated into ASP.NET authentication
  Requires Passport SDK installation; ASP.NET wraps IPassportManager, IPassportManager2, IPassportCrypt
  More details at http://www.passport.com
  Passport support built into IIS 6
Forms-Based Auth
  Easy to implement: ASP.NET provides the redirection
  Steps: configure IIS to allow anonymous users (typically); use SSL, since the credentials and the ticket cookie otherwise travel in the clear; configure ASP.NET cookie authentication; write your login page
Forms authentication (sequence)
  1. GET default.aspx HTTP/1.1
  2. 302 Redirect, Location: login.aspx
  3. POST login.aspx HTTP/1.1, with form data containing the credentials
  4. Application authentication (the login page verifies the credentials)
  5. 200 OK, Set-Cookie: .ASPXAUTH <auth ticket>
  6. GET default.aspx HTTP/1.1, Cookie: .ASPXAUTH <auth ticket>
Forms Auth Configuration
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
  </authentication>
  protection="All" both encrypts the ticket and adds a MAC, so the client can neither read nor forge it; timeout is the ticket lifetime in minutes
Authorization Strategies
  Windows security and ACLs: ACLs are checked for Windows authentication, independent of impersonation
  COM+ roles
  URL authorization
  Custom authorization
  Windows .NET AuthZ framework
  Explicit imperative/declarative checks
Using URL Authorization
  Example: allow "Admins" to POST, allow "WebServiceUsers" for any verb, and deny all others
    <!-- * is all users, ? is anonymous users -->
    <authorization>
      <allow verbs="POST" roles="Admins" />
      <allow roles="WebServiceUsers" />
      <deny users="*" />
    </authorization>
  Example: deny anonymous users
    <authorization>
      <deny users="?" />
    </authorization>
  Rules are evaluated top-down and the first match wins, so the final <deny users="*"/> is what turns the list into a whitelist; role checks need a principal that actually carries roles (Windows groups under Windows authentication, or roles you attach yourself in AuthenticateRequest under forms authentication)
Custom security
  Handle the appropriate event, at application level (global.asax) or in an HTTP module (implement IHttpModule)
  Authentication, in AuthenticateRequest: e.g. custom SOAP authentication
  Authorization, in AuthorizeRequest: e.g. implement a per-request billing system, or restrict access based on business rules
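The forms-authentication sequence and the custom-security hook above, joined in one added example that is not code from the original deck: a login page that verifies credentials and issues a ticket carrying roles (step 4 and 5 of the sequence), and an Application_AuthenticateRequest handler in Global.asax that turns those roles into a principal so the URL authorization rules with roles="Admins" can match. It targets ASP.NET 1.x; the <forms> and <authorization> elements from the slides are assumed in web.config, the page is assumed to declare the UserName, Password and Msg controls and wire its button to Login_Click, and the user table is constructed for the example.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Login.aspx code-behind
public class LoginPage : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Msg;

    // Constructed credential store for the example; a real application reads it from
    // a database. Only a hash of the password is kept, never the clear text (the 1.x
    // API gives an unsalted SHA-1; salt it and use a slow hash in new code).
    static readonly Hashtable Users = new Hashtable();
    static LoginPage()
    {
        Users["alice"] = new string[] {
            FormsAuthentication.HashPasswordForStoringInConfigFile("correct horse", "SHA1"),
            "Admins,WebServiceUsers" };
        Users["bob"] = new string[] {
            FormsAuthentication.HashPasswordForStoringInConfigFile("battery staple", "SHA1"),
            "WebServiceUsers" };
    }

    protected void Login_Click(object sender, EventArgs e)
    {
        string[] rec = (string[]) Users[UserName.Text];
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(Password.Text, "SHA1");
        if (rec == null || rec[0] != hash)
        {
            Msg.Text = "Invalid user name or password";   // same message for unknown user and bad password
            return;
        }

        // Step 5: issue the ticket. UserData carries the roles; with protection="All"
        // the cookie value is encrypted and MACed, so the client cannot read or edit them.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30), false, rec[1]);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Secure = true;                            // ticket only ever travels over SSL
        Response.Cookies.Add(cookie);

        // Step 6 is the client's; only bounce it to a local path, so the login page
        // cannot be used as an open redirector via an absolute ReturnUrl.
        string ret = Request.QueryString["ReturnUrl"];
        if (ret == null || !ret.StartsWith("/") || ret.StartsWith("//"))
            ret = "/default.aspx";
        Response.Redirect(ret, true);
    }
}

// Global.asax code-behind. By the time this runs, FormsAuthenticationModule has
// decrypted and validated the ticket and set a principal with no roles; replace it
// with one that carries the roles from UserData so <allow roles="Admins"/> can match.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;
        FormsIdentity id = Context.User.Identity as FormsIdentity;
        if (id == null) return;                         // not a forms ticket (e.g. Windows auth)
        string[] roles = id.Ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(id, roles);
    }
}
```

The roles live in the ticket, not in the cookie name or the query string, which is why the protection="All" setting on the <forms> element matters: with protection="None" the client could rewrite the UserData and promote itself to Admins. Anything the AuthorizeRequest stage needs (a billing check, a business rule) can read Context.User from here on.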
What are we to talk about?
  Security A-B-C
  Security on the client: evidence, policy, permissions
  Security on the server: ASP.NET
  Security on the network: cryptography; Web Service security (will be covered in next session)
Terminology
  Plaintext: the stuff you want to secure, typically readable by humans (email) or computers (software, an order)
  Ciphertext: unreadable, secured data that must be decrypted before use
  Key: you must have it to encrypt or decrypt (or to do both)
  Cryptanalysis: breaking a cipher by analysis rather than by obtaining the key
  Complexity theory: how hard the problem is and how long a program to solve it will take to run
Cryptographic Ciphers
  Symmetric cipher = 1 key, used for both encryption and decryption
    The key must be shared, so it is exposed if transmitted without protection
    Does not provide non-repudiation: anyone holding the shared key could have produced the message
    Examples: Triple DES (64-bit block, 112- or 168-bit key), AES (128-bit block, 128/192/256-bit key)
  (diagram) Text encrypted with key A gives ciphertext; the same key A decrypts it back to text
Cryptographic Ciphers
  Asymmetric cipher = a pair of non-matching keys: one key encrypts, the other decrypts
    Does not require exchange of a secret key: the public key can be published, the private key never leaves its owner
    Examples: RSA (variable key size)
  (diagram) Text encrypted with the public key gives ciphertext; only the matching private key recovers the text
Digital Signatures
  Enable integrity and non-repudiation: RSA or DSA signatures. An HMAC (symmetric key) gives integrity and authenticity between the two key holders, but not non-repudiation, since either of them could have produced it
  Rely on hashing: Secure Hash Algorithm (SHA); SHA-1 creates a 20-byte digest of any binary data (2^160 possible values). SHA-1 is no longer considered collision resistant, so prefer SHA-256 for new designs
  (diagram) Signing: the text is hashed with SHA to a digest; the digest is encrypted with the RSA private key to produce the signed digest that travels with the text. Verifying: the recipient recomputes the digest, decrypts the signed digest with the public key, and compares the two
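The sign-then-verify flow of the diagram in System.Security.Cryptography, as an added example that is not code from the original deck: the signature is made over a SHA-1 digest with the private key, verified with only the public key, and shown to fail when either the message or the signature is altered. The message is constructed for the example; the 1024-bit key keeps the run fast, real keys should be 2048 bits or longer.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class SigningDemo
{
    // Sign: hash the data with SHA-1, then apply the private key to the digest (PKCS#1 v1.5).
    public static byte[] Sign(RSACryptoServiceProvider signer, byte[] data)
    {
        return signer.SignData(data, new SHA1CryptoServiceProvider());
    }

    // Verify: needs only the public half of the key pair, so anyone can check,
    // while only the private-key holder could have signed (non-repudiation).
    public static bool Verify(string publicKeyXml, byte[] data, byte[] signature)
    {
        RSACryptoServiceProvider verifier = new RSACryptoServiceProvider();
        verifier.FromXmlString(publicKeyXml);        // public parameters only
        return verifier.VerifyData(data, new SHA1CryptoServiceProvider(), signature);
    }

    public static void Main()
    {
        // Constructed sample message
        byte[] order = Encoding.UTF8.GetBytes("order=42;amount=100.00;to=alice");

        RSACryptoServiceProvider key = new RSACryptoServiceProvider(1024);
        string publicKey = key.ToXmlString(false);   // false = exclude the private parameters;
                                                     // ToXmlString(true) would export the private key

        byte[] sig = Sign(key, order);
        Console.WriteLine("original message, original signature: " + Verify(publicKey, order, sig));

        // Integrity: one changed digit in the amount changes the digest, so the signature no longer fits
        byte[] tampered = Encoding.UTF8.GetBytes("order=42;amount=999.00;to=alice");
        Console.WriteLine("tampered message, original signature: " + Verify(publicKey, tampered, sig));

        // A damaged signature is rejected too; nothing about the key is needed to see this
        sig[sig.Length - 1] ^= 0x01;
        Console.WriteLine("original message, corrupted signature: " + Verify(publicKey, order, sig));
    }
}
```

Only the first call verifies. The practical caveat is key handling: the signature proves nothing if the private key was ever exported with ToXmlString(true) into a place the other party could read, which is why the verifier side here is built from the public XML alone.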
Cryptographic APIs
  Comprehensive cryptographic library; easy, unified, stream-based architecture: System.Security.Cryptography
  Common algorithms
    Hashing: SHA-1, SHA-256/-384/-512, MD5
    Asymmetric: RSA, DSA
    Symmetric: AES, TripleDES, DES, RC2
    MAC: HMAC-SHA1, MACTripleDES
  Open and extensible model (new algorithms can be plugged in)
  MD5, DES (56-bit key) and RC2 are there for compatibility with existing data; pick SHA-256 and AES for anything new
Crypto Object Model
  Abstract base classes (only one shown): SymmetricAlgorithm
  Abstract algorithm classes: TripleDES, Rijndael, RC2
  Algorithm implementation classes: TripleDESCryptoServiceProvider (CryptoAPI), RijndaelManaged (C#, managed code), RC2CryptoServiceProvider (CryptoAPI)
Sample: Hashing & RNGs
  Imports System.Security.Cryptography

  ' Cryptographically strong random bytes (never System.Random for keys, IVs or tokens)
  Dim rng As RandomNumberGenerator = RandomNumberGenerator.Create()
  Dim bytes As Byte() = New Byte(127) {}   ' 128 bytes: VB takes the upper bound, so (128) would give 129
  rng.GetBytes(bytes)

  ' SHA-256 digest of inputData, a Byte() supplied by the caller
  Dim hash As SHA256 = SHA256.Create()
  Dim digest As Byte() = hash.ComputeHash(inputData)

  Simple programming model: common functions are accessible as single method calls on algorithm objects
  Runtime adaptation based on the config system: you choose the "default implementation" that Create() returns
Encryption
  Instantiate the algorithm (DES as on the original slide; its 56-bit key is breakable by brute force, so use "Rijndael" for real data)
    SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");
  Generate a key and IV (both are created randomly on first access; the IV is not secret but must travel with the ciphertext)
    byte[] myNewKey = alg.Key;
    byte[] myNewIV = alg.IV;
  Encode your data
    string message = "Top secret data...";
    byte[] plain = Encoding.UTF8.GetBytes(message);
  Perform the encryption
    ICryptoTransform enc = alg.CreateEncryptor();
    byte[] cipher;
    cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
Decryption
  Instantiate the algorithm
    SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");
  Obtain the key and the IV (the original slide set only the key; in CBC mode, the default, the first block then decrypts to garbage)
    alg.Key = theKey;
    alg.IV = theIV;
  Perform the decryption
    ICryptoTransform dec = alg.CreateDecryptor();
    byte[] plain;
    plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
  Decode the data
    string plainText = Encoding.UTF8.GetString(plain);
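What the encrypt/decrypt steps above leave out, as an added example that is not code from the original deck: the IV has to be carried with the ciphertext, and encryption alone does not stop an attacker from flipping ciphertext bits, so the message is wrapped with an HMAC that is checked before anything is decrypted. It uses RijndaelManaged (AES) and HMACSHA1 from System.Security.Cryptography; the keys and the message are constructed for the example, and the message layout (IV, ciphertext, tag) is a choice made here, not a library format.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class AuthenticatedBox
{
    const int IvLength = 16;   // AES block size
    const int TagLength = 20;  // HMAC-SHA1 output

    // Layout: IV || ciphertext || HMAC(IV || ciphertext), i.e. encrypt-then-MAC
    public static byte[] Seal(byte[] encKey, byte[] macKey, byte[] plain)
    {
        RijndaelManaged aes = new RijndaelManaged();
        aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        aes.GenerateIV();   // fresh random IV per message; reuse under one key leaks equal prefixes
        ICryptoTransform enc = aes.CreateEncryptor();
        byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

        byte[] body = new byte[IvLength + cipher.Length];
        Buffer.BlockCopy(aes.IV, 0, body, 0, IvLength);
        Buffer.BlockCopy(cipher, 0, body, IvLength, cipher.Length);

        byte[] tag = new HMACSHA1(macKey).ComputeHash(body);
        byte[] msg = new byte[body.Length + TagLength];
        Buffer.BlockCopy(body, 0, msg, 0, body.Length);
        Buffer.BlockCopy(tag, 0, msg, body.Length, TagLength);
        return msg;
    }

    // Returns null when the tag does not verify: nothing is decrypted and the caller
    // learns nothing about which byte differed.
    public static byte[] Open(byte[] encKey, byte[] macKey, byte[] msg)
    {
        if (msg == null || msg.Length < IvLength + TagLength) return null;
        int bodyLen = msg.Length - TagLength;
        byte[] body = new byte[bodyLen];
        Buffer.BlockCopy(msg, 0, body, 0, bodyLen);
        byte[] expected = new HMACSHA1(macKey).ComputeHash(body);

        int diff = 0;   // constant-time compare: no early exit on the first mismatch
        for (int i = 0; i < TagLength; i++) diff |= expected[i] ^ msg[bodyLen + i];
        if (diff != 0) return null;

        RijndaelManaged aes = new RijndaelManaged();
        aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        byte[] iv = new byte[IvLength];
        Buffer.BlockCopy(body, 0, iv, 0, IvLength);
        aes.IV = iv;                                   // the IV travels with the message
        ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(body, IvLength, bodyLen - IvLength);
    }

    public static void Main()
    {
        // Two independent keys from the system RNG; never derive one from the other
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] encKey = new byte[32]; rng.GetBytes(encKey);   // AES-256
        byte[] macKey = new byte[32]; rng.GetBytes(macKey);

        byte[] msg = Seal(encKey, macKey, Encoding.UTF8.GetBytes("Top secret data..."));
        byte[] back = Open(encKey, macKey, msg);
        Console.WriteLine(back == null ? "rejected" : Encoding.UTF8.GetString(back));

        msg[IvLength + 3] ^= 0x80;   // flip one ciphertext bit, as an attacker on the wire could
        Console.WriteLine(Open(encKey, macKey, msg) == null ? "rejected" : "accepted");
    }
}
```

The second Open call is the reason the MAC exists: with CBC alone the flipped bit would silently corrupt one block and flip the same bit in the next plaintext block, and the decryptor would hand that altered plaintext to the application as if it were genuine.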
What have we talked about?
  Security A-B-C
  Security on the client: evidence, policy, permissions
  Security on the server: ASP.NET
  Security on the network: cryptography
Recommended reading
  Applied Cryptography, Bruce Schneier, ISBN 0-471-11709-9
  Writing Secure Code, Michael Howard and David LeBlanc, ISBN 0-7356-1588-8
  The Code Book, Simon Singh, ISBN 0-385-49532-3