Security mechanisms and vulnerabilities in .NET

Presentation transcript:

Security mechanisms and vulnerabilities in .NET Team Members: Sarvesh Kapre Anurag Dwivedy

Content 1.) What is the .NET Framework? 2.) Inbuilt security mechanisms in .NET. 3.) Exploiting vulnerabilities in .NET, with an example. 4.) Countermeasures to combat them.


ASP.NET (Active Server Pages) Developed by Microsoft. Open-source, server-side web application framework. Designed for web development, to produce dynamic web pages. Allows programmers to build dynamic web sites, web applications and web services. .NET is a code execution environment built for the safe execution of code. Visual Studio is the IDE.

Components of .NET CLR (Common Language Runtime) – provides the virtual environment in which applications run. The Common Language Specification lets languages such as VB.NET, C# and C++ build applications that run on the CLR. .NET Class Library – the security functions are embedded in this library.

Content 1.) What is the .NET Framework? 2.) Inbuilt security mechanisms in .NET. 3.) Exploiting vulnerabilities in .NET, with an example. 4.) Countermeasures to combat them.

Understanding the Security Framework Model in .NET Why is security important for web applications? Security is an important part of any web application development, necessary to protect assets from unauthorized actions. This encompasses verifying users, granting or denying access to sensitive information, and protecting data stored on the server.

How does ASP.NET implement its security model? Gatekeepers. ASP.NET implements many components that enforce security for an application. Gatekeepers are a conceptual pattern that applies a pipelining model to a security infrastructure: in this pipeline, each security mechanism is implemented by a gatekeeper.

What are this pipeline and these gatekeepers in ASP.NET? The pipeline is the HTTP pipeline, and ASP.NET implements the concept of gatekeepers through HTTP modules. These modules are simply classes that implement the IHttpModule interface. HTTP modules have many uses, but most of them are dedicated to security.

How do ASP.NET HTTP modules act as security gatekeepers? Web application communication is based on HTTP, which is stateless, so it is necessary to authenticate and authorize the user at the beginning of each request. ASP.NET fires global application events that the HTTP modules handle to perform the authentication and authorization jobs.

a) Windows Authentication: The WindowsAuthenticationModule works in conjunction with IIS to perform Windows authentication. This module is active when the <authentication> element in the web.config file is set as follows: <authentication mode="Windows" />
b) Forms Authentication: The FormsAuthenticationModule uses forms authentication, which allows you to design your own login pages. It is active when the <authentication> element is set as follows: <authentication mode="Forms" />
c) Passport Authentication: The PassportAuthenticationModule is active when the <authentication> element in the web.config file is set as follows: <authentication mode="Passport" />

.NET /GS option /GS – Buffer Security Check. /GS is on by default. __declspec(safebuffers) – suppresses the security checks for a function. How does /GS work? The compiler allocates space on the stack of vulnerable functions. On function entry, that space is loaded with a security cookie that is computed once. On function exit, a helper function is called to check the value of the security cookie.

/GS – Prevented: Stack smashing. Register attack – overwriting the saved “ebp” pointer. /GS – Exploited (not prevented): Pointer subterfuge. VTable hijacking. Heap overruns.
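To make the cookie mechanism on the two slides above concrete, here is an added managed model of a /GS-protected frame (example code, not part of the slides; real /GS is emitted by the native C/C++ compiler, and the cookie value and frame address used here are constructed). It shows why an overrun that reaches the saved frame pointer is caught at function exit, and why a bounded copy is still the real fix:

```csharp
using System;

// Model of a /GS frame: [local buffer][cookie][saved frame pointer][return address].
// Only the layout and the cookie arithmetic of /GS are mirrored here.
public static class GsFrameModel
{
    const int BufSize = 16;
    const int CookieOffset = BufSize;        // cookie sits directly above the locals
    const int FrameSize = BufSize + 3 * 8;   // buffer + cookie + saved EBP + return address

    // Stands in for the process-wide __security_cookie (constructed; the real one is random).
    static readonly ulong SecurityCookie = 0x2B992DDFA232UL;

    // Function entry: store (cookie XOR frame address) above the locals.
    static byte[] Enter(ulong frameAddress)
    {
        var frame = new byte[FrameSize];
        BitConverter.GetBytes(SecurityCookie ^ frameAddress).CopyTo(frame, CookieOffset);
        return frame;
    }

    // Function exit (the helper the slide mentions): true only if the cookie is intact.
    static bool Check(byte[] frame, ulong frameAddress)
        => (BitConverter.ToUInt64(frame, CookieOffset) ^ frameAddress) == SecurityCookie;

    // An unbounded copy into the local buffer: the bug class /GS mitigates.
    // Returns whether the exit check would pass (false = stack smashing detected).
    public static bool UncheckedCopy(byte[] input, ulong frameAddress)
    {
        var frame = Enter(frameAddress);
        Array.Copy(input, frame, Math.Min(input.Length, FrameSize)); // spills past buf once input > 16 bytes
        return Check(frame, frameAddress);
    }

    // The fix /GS does not replace: bound the copy to the buffer size.
    public static bool BoundedCopy(byte[] input, ulong frameAddress)
    {
        var frame = Enter(frameAddress);
        Array.Copy(input, frame, Math.Min(input.Length, BufSize));
        return Check(frame, frameAddress);
    }

    public static void Main()
    {
        ulong fakeFrame = 0x0012FF70;   // constructed frame address
        var shortInput = new byte[8];   // fits in the buffer
        var longInput  = new byte[32];  // overwrites the cookie and the saved EBP
        Console.WriteLine("short, unchecked: cookie intact = " + UncheckedCopy(shortInput, fakeFrame));
        Console.WriteLine("long, unchecked:  cookie intact = " + UncheckedCopy(longInput, fakeFrame));
        Console.WriteLine("long, bounded:    cookie intact = " + BoundedCopy(longInput, fakeFrame));
    }
}
```

The model also shows the slide's limits: a write that corrupts a heap object or a function pointer rather than this frame never touches the cookie, so the exit check cannot see it.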

.NET Framework CAS Today’s highly connected computer systems are frequently exposed to code originating from various unknown sources. Most commonly used security mechanisms grant rights to a user based on logon credentials. This approach, however, fails to address several issues. Code Access Security (CAS) is Microsoft’s solution to prevent untrusted code from performing privileged actions.

CAS: Defines permissions and permission sets that represent the right to access various system resources. Enables administrators to configure security policy by associating sets of permissions with groups of code (code groups). Enables code to request the permissions it requires in order to run, as well as the permissions that would be useful to have, and to specify which permissions the code must never have.

Grants permissions to each assembly that is loaded, based on the permissions requested by the code and on the operations permitted by security policy. Enables code to demand that its callers have specific permissions. Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have. http://www.codeproject.com/Articles/5724/Understanding-NET-Code-Access-Security

Content 1.) What is the .NET Framework? 2.) Inbuilt security mechanisms in .NET. 3.) Exploiting vulnerabilities in .NET, with an example. 4.) Countermeasures to combat them.

SECURITY MISCONFIGURATIONS Missing custom error handling. What is the web.config file? Web.config is the main settings and configuration file for an ASP.NET web application. It is an XML document that resides in the root directory of the site or application and contains data about how the web application will act. Custom errors and stack traces: <customErrors mode="Off" /> turns custom error pages off, so detailed errors and stack traces are sent to every client. 67% of ASP.NET websites have serious configuration-related security vulnerabilities.
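As an added illustration of the Forms authentication setting from the gatekeeper slides and of the customErrors misconfiguration above (example configuration, not from the slides; the login page, error page and 20-minute timeout are assumed), a minimal web.config that enables the FormsAuthenticationModule, denies anonymous users, and keeps stack traces away from remote browsers:

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Activates FormsAuthenticationModule: the application supplies its own login page -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx"
             timeout="20"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- "?" is the anonymous user: deny everywhere, then re-allow only the pages below -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- mode="Off" sends stack traces to every client; RemoteOnly shows them to localhost only -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- The forms auth cookie should be unreadable from script and never sent in clear -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Anonymous users must still be able to reach the login and error pages -->
  <location path="Account/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Error.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check before deployment is to request a page that is known to throw from a machine other than the server and confirm that only the generic error page comes back.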

Facts source: AsafaWeb results (Automated Security Analyser for ASP.NET websites).

How To: Protect From SQL Injection in ASP.NET ASP.NET applications should constrain and sanitize input data before passing it to a query, and should always use type-safe SQL parameters for data access, whether with stored procedures or dynamic SQL.

To protect your application from SQL injection
Step 1. Constrain input – use the RegularExpressionValidator and RangeValidator controls to constrain input.
Step 2. Use parameters with dynamic SQL – use parameters when constructing dynamic SQL statements.
Step 3. Use parameters with stored procedures – using stored procedures does not by itself prevent SQL injection. The important thing is to use parameters with stored procedures. If you do not use parameters, your stored procedures can be susceptible to SQL injection if they use unfiltered input.
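The three steps above applied to one product lookup, as an added example that is not part of the slides (the connection, the Products table, its Code column and the dbo.GetProductByCode procedure are assumed; the string-concatenation version is included only for contrast):

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ProductLookup
{
    // Step 1: constrain input. A product code is 1 to 10 letters or digits; anything else is
    // rejected before it gets near a query (server-side twin of a RegularExpressionValidator).
    static readonly Regex ProductCodePattern = new Regex("^[A-Za-z0-9]{1,10}$", RegexOptions.Compiled);

    public static bool IsValidProductCode(string code) => code != null && ProductCodePattern.IsMatch(code);

    // VULNERABLE, for contrast: concatenation lets a quote in the input end the string literal
    // and append SQL of the caller's choosing.
    public static string BuildUnsafeQuery(string code)
        => "SELECT Name, Price FROM Products WHERE Code = '" + code + "'";

    // Step 2: parameters with dynamic SQL. The value is bound as typed, length-limited data
    // and is never parsed as part of the statement.
    public static SqlCommand BuildParameterizedQuery(SqlConnection conn, string code)
    {
        if (!IsValidProductCode(code)) throw new ArgumentException("invalid product code", nameof(code));
        var cmd = new SqlCommand("SELECT Name, Price FROM Products WHERE Code = @code", conn);
        cmd.Parameters.Add("@code", SqlDbType.VarChar, 10).Value = code;
        return cmd;
    }

    // Step 3: parameters with a stored procedure. This only helps if the procedure itself
    // does not rebuild dynamic SQL from @code internally.
    public static SqlCommand BuildStoredProcCall(SqlConnection conn, string code)
    {
        if (!IsValidProductCode(code)) throw new ArgumentException("invalid product code", nameof(code));
        var cmd = new SqlCommand("dbo.GetProductByCode", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@code", SqlDbType.VarChar, 10).Value = code;
        return cmd;
    }

    public static void Main()
    {
        string good = "AB123";
        string bad = "AB123' --";   // constructed input containing a quote character
        Console.WriteLine("valid '" + good + "': " + IsValidProductCode(good));
        Console.WriteLine("valid '" + bad + "': " + IsValidProductCode(bad));
        Console.WriteLine("unsafe text: " + BuildUnsafeQuery(bad));
    }
}
```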

Job Interview Highlights 1.) What is Code Access Security in .NET? 2.) What are the two inbuilt security mechanisms in .NET? 3.) How will you make your code more secure? 4.) How do you prevent SQL injection? 5.) What is the difference between Windows and Forms authentication?

Own perspective/ideas 1.) Code reviews must be done. 2.) Use safer SQL queries and sanitize user input before using it in a query. 3.) Double-check web configuration settings before deploying to production. 4.) Use the latest available version of the .NET Framework.

Questions ?