Security and the .NET Framework



Code Access Security
- Enforces security policy on code
  - Regardless of user running the code
  - Regardless of whether the code is in the same application with other code
    - Other code can be more, less, or equally privileged
  - When code attempts a restricted action the system throws a SecurityException
- Code Access Security is the cornerstone of security on the Framework
- Much of the Framework infrastructure is necessary for CAS to work
  - Managed heap, JIT compilation, Assemblies, etc.

The Idea Behind CAS
- Assembly == Code in Code Access Security
  - Unit of versioning, deployment and execution
  - Assembly is also a unit of security
  - All code in a single assembly shares the same permissions
- Applications are always comprised of code from multiple assemblies
  - The .exe assembly
  - Assemblies in the Framework Class Library
  - Custom libraries, mobile code, etc.
- When a thread crosses an assembly boundary, it also crosses a security boundary
- Before a sensitive action is performed, the CLR walks up the call-stack
  - Assures each assembly in the stack-walk has necessary permissions
  - This stack-walk is called a Demand

Demand
- Demand must be satisfied by all callers
  - Ensures all code in causal chain is authorized
  - Code cannot exploit other code with more privilege

[Figure: Code A, Code B and Code C linked by method calls. Code C initiates a Demand; Code B has permission? Code A has permission?]

CAS in Action: A First Look
- Creates StreamReader object
  - StreamReader reads the file; internally it accesses the file
  - Potentially protected resources

    using System;
    using System.IO;
    using System.Security;

    class App {
        public static void Main(string[] args) {
            // Opening the file touches a potentially protected resource.
            StreamReader reader = new StreamReader(args[0]);
            Console.WriteLine(reader.ReadToEnd());
        }
    }

Rationale for CAS
- No longer is all code running in a single user session awarded the same rights
  - Example: User launches a word-processor and it has access to the file system
    - The word-processor loads and runs a script downloaded from a network/Internet -- the script’s file system access is limited
  - In this example all code is running natively in the same system process
- Increase granularity of security
  - User-logon no longer the smallest unit of security
  - User does not want to switch logon sessions simply to run partially trusted code

Important Scenarios
- Mobile Code
  - Browser-hosted forms, network installs, distributed applications
  - Network scripts run locally
  - Embedded macros and scripts
  - Code downloaded and executed locally
- ISP Scenario
  - ISP sells web-hosting to many parties
  - Web code executes natively on ISP machines
  - Code does not require security review

Scenario #1: Mobile Code
- Advantages of mobile code
  - Executes locally for performance and rich features
  - Not restricted to the limitations of markup or scripts
    - Rich features like animations and drag-and-drop
- Why Code Access Security is necessary
  - Without managed code and CAS mobile code must be scripted or fully trusted
    - Scripted code is slow, limited features
    - Fully trusted code (ActiveX)
      - Bothers users with dialog boxes requesting trust
      - Once established, full trust can be exploited by rogue web-sites
  - CAS enables partial trust of mobile code
    - No dialogs, less exploitable
    - Rich access to GUI API, high performance
    - Best of both worlds

Scenario #2: ISP Scenario
- Advantages of active server code (CGI, ISAPI, ASP.NET)
  - High performance (improved features/speed over scripted solutions)
  - Dynamic generation of HTML (not restricted to static content)
- With unmanaged code active servers are fully trusted by host (ISP)
  - CGI .exe’s or ISAPI DLLs have full access to the system or process
  - One site can undermine the functions of another site
    - Maliciously, or through code error
    - Potentially the whole server can be undermined
  - Security management at the process level is problematic
    - Difficult to administer
    - Doesn’t perform well with a minimum of one process per site
  - Result: ISPs disallow active server code
- CAS enables partial trust
  - ASP.NET page can run in-process with other sites
  - Page object for one site cannot gain access to objects or resources of other sites
  - System resources are not generally available
    - ASP.NET applications can be given access to subsets of system resources such as a directory or registry tree

Understanding Security Zones
- The system establishes a zone for code (assembly)
  - Happens before code is executed
  - Zones are based on the source location of code
  - Zones are a subset of an advanced CAS feature called evidence

| Zone | Description |
|------|-------------|
| Local | Code executed from the local system. Code in this zone has full trust. |
| Intranet | Code executed from a share or URL on the enterprise network. Limited access to local resources. |
| Internet | Code downloaded from the Internet. Minimal access to local resources. |
| Restricted | Code in the restricted zone is not allowed to execute. |

Practical Zones Programming
- Common .NET developer experience
  - Create an application, test it, fix bugs, code works fine
  - Developer then gives the app to someone who runs it from a network share
    - Application begins crashing inexplicably
    - Reason: The Intranet zone has fewer permissions than the Local zone.
  - Solution: Test your software in different zones
- Running managed software in different zones
  - If your software is an .exe then it is sure to be run in at least two zones
    - Local and Intranet
  - Your software should at least recover gracefully if a security exception is thrown
  - If your software is a reusable control, then it could feasibly be run from any of the zones

Testing Zones
- You should test your software from the relevant zones
  - Run your software locally
  - Run it from a share
  - Run it from a URL on the internet
- Your software will almost certainly throw some exceptions when first tested in a more restricted zone
  - Handle the exceptions and gracefully shut down
  - Handle the exceptions and work around with restricted features
  - Don’t just let security exceptions crash your software!
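
An added example (not part of the original slides) of handling the exception instead of crashing, built on the StreamReader program from the "First Look" slide. It assumes a .NET Framework runtime with CAS policy enforced; the TryReadAll helper and the exit codes are hypothetical names chosen here.

```csharp
using System;
using System.IO;
using System.Security;

class App {
    // Hypothetical helper: returns true and the file text, or false with a
    // reason when the read is refused or fails.
    static bool TryReadAll(string path, out string text, out string reason) {
        text = null;
        reason = null;
        try {
            using (StreamReader reader = new StreamReader(path)) {
                text = reader.ReadToEnd();
            }
            return true;
        } catch (SecurityException ex) {
            // CAS refusal: the assembly's grant lacks the demanded permission,
            // regardless of which user is running the code.
            reason = "code not granted " + ex.PermissionType;
        } catch (UnauthorizedAccessException) {
            // Operating system refusal: the user account lacks access to the file.
            reason = "user account denied access by the operating system";
        } catch (IOException ex) {
            reason = ex.Message;
        }
        return false;
    }

    public static int Main(string[] args) {
        if (args.Length != 1) {
            Console.Error.WriteLine("usage: App <file>");
            return 2;
        }
        string text, reason;
        if (TryReadAll(args[0], out text, out reason)) {
            Console.WriteLine(text);
            return 0;
        }
        // Restricted mode: report and exit cleanly instead of crashing.
        Console.Error.WriteLine("Cannot show " + args[0] + ": " + reason);
        return 1;
    }
}
```

Catching SecurityException separately from UnauthorizedAccessException keeps a code-identity denial (zone and grant) distinguishable from a user-identity denial when diagnosing failures seen only from a share or URL.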

Demo

    Pad.exe
    zoner Pad.exe
    zoner /z:MyComputer Pad.exe
    caspol -rsp Pad.exe

Permissions
- Permissions are objects that the CLR references when performing a demand
- Permissions are granted to your assembly based on its zone (in addition to other assembly evidence)
- Permission objects themselves play an integral role in the demand process
  - The Demand() method calls virtual functions on the permission object when checking for a match
  - This involvement at the permission level makes the kinds of available permissions very flexible
- It is possible to design custom permissions for your code libraries
  - More on this in the advanced CAS session

Some Framework Permissions
- FileIOPermission
- FileDialogPermission
- IsolatedStoragePermission
- UIPermission
- PrintingPermission
- WebPermission
- SocketPermission

These are just examples; the FCL defines many permissions.

Your Assembly is Loaded
- The system gathers evidence for your assembly
  - Digital signatures, Realm information
  - Zone information
- From evidence, your assembly is assigned one or more code groups
- Code groups define the permission sets to apply to your assembly
  - Permission sets are collections of permissions
- Once loaded, the system has a permission grant associated with your assembly

Your Assembly’s Code Executes
- Your code executes, and uses reusable objects
  - FCL, custom objects, etc.
- Eventually, a method or constructor of an object will demand a security permission
  - Each assembly in call stack is checked for permission
  - If the demand reaches your assembly, your assembly’s grant is checked for permission
    - If you have it, the demand continues up the stack
    - If you do not have the permission in your grant, a SecurityException is thrown
  - If the demand reaches the top of the stack, the demand has succeeded
    - The restricted action is performed
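
An added example (not from the original slides, and not the CLR's implementation): a simplified model of the stack walk described here and on the Demand slide, showing why downloaded code cannot reach a protected resource through a more privileged assembly. ModelAssembly, DemandModel, Helper.dll, Downloaded.dll and the grants are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

class ModelAssembly {
    public readonly string Name;
    public readonly string Zone;
    public readonly HashSet<string> Grant;  // permission names granted when the assembly loaded

    public ModelAssembly(string name, string zone, params string[] grant) {
        Name = name;
        Zone = zone;
        Grant = new HashSet<string>(grant);
    }
}

static class DemandModel {
    // callers[0] is the entry point (Code A); the last element is the immediate
    // caller of the code that initiates the demand (Code B in the figure).
    // Returns null when every caller holds the permission, otherwise the first
    // assembly found without it, where the CLR would throw SecurityException.
    public static ModelAssembly Demand(string permission, IList<ModelAssembly> callers) {
        for (int i = callers.Count - 1; i >= 0; i--) {
            if (!callers[i].Grant.Contains(permission)) {
                return callers[i];
            }
        }
        return null;
    }

    static void Report(string permission, params ModelAssembly[] callers) {
        ModelAssembly failed = Demand(permission, callers);
        Console.WriteLine(failed == null
            ? permission + ": demand succeeded, action performed"
            : permission + ": SecurityException at " + failed.Name + " (" + failed.Zone + " zone)");
    }

    static void Main() {
        // Constructed grants for illustration only; real grants come from policy.
        ModelAssembly pad = new ModelAssembly("Pad.exe", "Local", "FileIOPermission", "UIPermission");
        ModelAssembly helper = new ModelAssembly("Helper.dll", "Local", "FileIOPermission", "UIPermission");
        ModelAssembly script = new ModelAssembly("Downloaded.dll", "Internet", "UIPermission");

        // Locally installed code calls the helper, which calls the file API.
        Report("FileIOPermission", pad, helper);
        // Downloaded code calls the same trusted helper: the walk reaches the
        // Internet-zone caller and fails, so the helper cannot be used as a proxy.
        Report("FileIOPermission", script, helper);
        // A permission every caller holds still succeeds for the downloaded code.
        Report("UIPermission", script, helper);
    }
}
```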

CAS Applies to All Assemblies
- All assemblies get a grant upon loading
- All assemblies’ grants are checked upon demand
- CAS is always aware of who initiates an action

Rationale for CAS: Summary
- Managed code makes CAS possible
  - Unmanaged code, impossible to implement CAS
- CAS enables local execution of code
  - Safe, even if code is not trusted
  - Opens the door to rich features
  - Removes the need for rigid code review
    - Third party code
    - Your software must still be reviewed for security
- CAS permissions based on
  - Code authentication
  - Call stack


The slides following this one contain the figure graphics for the tutorial that goes with this presentation.

[Figure: Code A, Code B and Code C linked by method calls (Code == Assembly). Code C initiates a Demand; Code B has permission? Code A has permission?]