© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and .NET Part 2: Code Access Control.

2 SY32 Secure Computing, Lecture 17 Outline
- Introduction
- Role-based access control
  - Implementation in .NET
- Code-based access control
  - General concepts
  - Implementation in .NET and Java

3 SY32 Secure Computing, Lecture 17 Introduction
- Two things to decide:
  - Do we allow code to execute?
  - What permissions should code be granted?
- Decisions can be based on
  - Identity of the user wishing to run the code
  - Identity of the code itself
- How do we enforce these decisions?
- How do we administer the system?

4 SY32 Secure Computing, Lecture 17 Role-Based Access Control
- Decisions are based on user identity
- Analogous to security at OS level
- Not a replacement for OS security decisions!
- Implementation in .NET:
  - Uses the concept of a principal: an object encapsulating a user's identity and roles
  - Classes are provided to represent identities and principals derived from Windows accounts
  - Code indicates its requirement for a particular principal by making a security demand

5 SY32 Secure Computing, Lecture 17 .NET Example

    using System.Security.Permissions;
    using System.Security.Principal;
    using System.Threading;

    // Activate role-based access control in the current thread
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Thread.CurrentPrincipal = new WindowsPrincipal(id);

    // Elsewhere: a declarative demand for a particular principal
    [PrincipalPermission(SecurityAction.Demand, Name = "Bob")]
    public void doSomething()
    {
        ...
    }

Activate role-based access control in the current thread…
…elsewhere in the code, mark a method with an attribute that makes a security demand for a principal, in this case the user Bob

6 SY32 Secure Computing, Lecture 17 Code-Based Access Control
- Decisions are based on the identity of code
- Identity of code derives from
  - Point of origin
  - Identity of signer(s)
- Code identity maps onto a set of permissions
- The collection of these mappings constitutes code access security (CAS) policy

7 SY32 Secure Computing, Lecture 17 CAS Policy Resolution in .NET
[Diagram: the host supplies evidence about the assembly and the assembly supplies its permission requests; the policy evaluator combines both with CAS policy to produce the grant set for the assembly.]

8 SY32 Secure Computing, Lecture 17 Evidence
- A standard set of classes is provided to represent various kinds of evidence:
  - Hash (hash code of the assembly's bytes)
  - Publisher (Authenticode signature of the publisher)
  - Site (domain name of the source of the assembly)
  - StrongName (digital signature computed from name, version number and hash code)
  - URL (URL of the assembly)
  - Zone (IE security zone to which the assembly belongs)

9 SY32 Secure Computing, Lecture 17 Elements of CAS Policy
- An assembly can belong to various code groups
- Each code group has membership conditions and a set of permissions
- Evidence is matched against code group membership conditions hierarchically
- The initial set of permissions granted to an assembly is the union of the permission sets of its code groups

10 SY32 Secure Computing, Lecture 17 Policy Resolution: Example 1
Code group            Condition                    Permission set
All_Code              None                         Nothing
My_Computer_Zone      Zone = MyComputer            FullTrust
LocalIntranet_Zone    Zone = LocalIntranet         LocalIntranet
Xyz_Site              Site = (URL lost in transcript)  XyzPermissions
Internet_Zone         Zone = Internet              Internet

A .NET assembly is loaded from local disk...
Resulting permissions: Nothing ∪ FullTrust

11 SY32 Secure Computing, Lecture 17 Policy Resolution: Example 2
Code group            Condition                    Permission set
All_Code              None                         Nothing
My_Computer_Zone      Zone = MyComputer            FullTrust
LocalIntranet_Zone    Zone = LocalIntranet         LocalIntranet
Xyz_Site              Site = (URL lost in transcript)  XyzPermissions
Internet_Zone         Zone = Internet              Internet

A .NET assembly is loaded from the Xyz site (URL lost in transcript)...
Resulting permissions: Nothing ∪ Internet ∪ XyzPermissions

12 SY32 Secure Computing, Lecture 17 Policy Levels
- Four different CAS policy levels in .NET:
  - Enterprise (enterprisesec.config)
  - Machine (security.config)
  - User (security.config in the user profile)
  - Application domain (programmed)
- Policy resolution happens independently at each level and the results are intersected
- Why is this complexity required?...
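The resolution rules of slides 9 to 12 (hierarchical matching of evidence against code groups, union of the matching groups' permission sets within a level, intersection across levels) as a small simulation. This is an added example, not the .NET Framework's own code: permission sets are modelled as sets of permission names, the membership of FullTrust, LocalIntranet, Internet and XyzPermissions is constructed, the Xyz site hostname is a stand-in for the URL lost in the transcript, Xyz_Site is assumed to sit beneath Internet_Zone in the tree, and the user-level policy is constructed purely to show the intersection removing a permission that the machine level granted.

```python
"""Simulation of .NET CAS policy resolution (added example, not CLR code).

Permission sets are frozensets of permission names; all names below and the
membership of each named set are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed permission universe; FullTrust grants all of it.
FULL_TRUST = frozenset({"FileIO", "Socket", "UI", "IsolatedStorage",
                        "Printing", "Reflection"})
NOTHING = frozenset()
LOCAL_INTRANET = frozenset({"UI", "IsolatedStorage", "Printing", "Reflection"})
INTERNET = frozenset({"UI", "IsolatedStorage"})
XYZ_PERMISSIONS = frozenset({"Socket"})   # constructed site-specific grant

Evidence = Dict[str, str]


@dataclass
class CodeGroup:
    name: str
    condition: Callable[[Evidence], bool]   # membership condition on evidence
    permissions: frozenset                  # the group's permission set
    children: List["CodeGroup"] = field(default_factory=list)


def resolve_level(root: CodeGroup, evidence: Evidence) -> Tuple[frozenset, List[str]]:
    """Resolve one policy level: hierarchical matching (a child is examined
    only if its parent matched) and union of all matching groups' sets.
    Returns (grant, names of the matched groups in evaluation order)."""
    if not root.condition(evidence):
        return NOTHING, []
    grant, matched = set(root.permissions), [root.name]
    for child in root.children:
        child_grant, child_matched = resolve_level(child, evidence)
        grant |= child_grant
        matched += child_matched
    return frozenset(grant), matched


def resolve_policy(levels: List[CodeGroup], evidence: Evidence) -> frozenset:
    """Resolve each level independently and intersect: the assembly keeps
    only what every level is willing to grant."""
    grant = FULL_TRUST
    for root in levels:
        grant &= resolve_level(root, evidence)[0]
    return grant


def machine_policy() -> CodeGroup:
    """Code groups of the slide examples.  'xyz.example' stands in for the
    lost site URL; placing Xyz_Site under Internet_Zone is an assumption."""
    xyz = CodeGroup("Xyz_Site", lambda ev: ev.get("site") == "xyz.example", XYZ_PERMISSIONS)
    return CodeGroup("All_Code", lambda ev: True, NOTHING, [
        CodeGroup("My_Computer_Zone", lambda ev: ev.get("zone") == "MyComputer", FULL_TRUST),
        CodeGroup("LocalIntranet_Zone", lambda ev: ev.get("zone") == "LocalIntranet", LOCAL_INTRANET),
        CodeGroup("Internet_Zone", lambda ev: ev.get("zone") == "Internet", INTERNET, [xyz]),
    ])


def user_policy() -> CodeGroup:
    """Constructed user level: local code fully trusted, Internet code UI only."""
    return CodeGroup("All_Code", lambda ev: True, NOTHING, [
        CodeGroup("My_Computer_Zone", lambda ev: ev.get("zone") == "MyComputer", FULL_TRUST),
        CodeGroup("Internet_Zone", lambda ev: ev.get("zone") == "Internet", frozenset({"UI"})),
    ])


def enterprise_policy() -> CodeGroup:
    # Everything FullTrust, so this level never removes anything.
    return CodeGroup("All_Code", lambda ev: True, FULL_TRUST)


LEVELS = [enterprise_policy(), machine_policy(), user_policy()]

# Constructed evidence for the two slide examples plus an unrelated site.
LOCAL_DISK = {"zone": "MyComputer", "url": "file:///C:/app/app.dll"}
XYZ_SITE = {"zone": "Internet", "site": "xyz.example", "url": "http://xyz.example/app.dll"}
OTHER_SITE = {"zone": "Internet", "site": "other.example", "url": "http://other.example/x.dll"}

if __name__ == "__main__":
    for label, ev in [("local disk", LOCAL_DISK), ("Xyz site", XYZ_SITE), ("other site", OTHER_SITE)]:
        grant, matched = resolve_level(machine_policy(), ev)
        print(f"{label}: machine level matched {matched} -> {sorted(grant)}")
        print(f"{label}: intersected over all levels -> {sorted(resolve_policy(LEVELS, ev))}")
```

Running it reproduces Example 1 (local disk: All_Code and My_Computer_Zone match, giving FullTrust) and Example 2 (Xyz site: All_Code, Internet_Zone and Xyz_Site match, giving Internet ∪ XyzPermissions at the machine level); the constructed user level then intersects the Xyz grant down to UI alone, which is the point of slide 12.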

13 SY32 Secure Computing, Lecture 17 Policy Management in .NET
- Use the caspol command-line tool
- Use the MS management console snap-in for .NET

14 SY32 Secure Computing, Lecture 17 CAS Policy in Java
- The URL of code and the public key(s) of its signer(s) are used as evidence
- The mapping of a code identity onto permissions is termed a protection domain
- Protection domains are specified in policy files:
  - $JAVA_HOME/lib/security/java.policy
  - $HOME/.java.policy
- Policy files do not correspond to .NET policy levels; grants do not intersect!

15 SY32 Secure Computing, Lecture 17 A Java Security Policy File

    grant codeBase "<URL lost in transcript>" signedBy "nick" {
        permission java.io.FilePermission "/tmp/*", "write";
        permission java.net.SocketPermission "*:1024-", "connect";
    };

- Code from that codeBase URL, signed by a public key with keystore alias nick…
- …has permission to write to any file in /tmp…
- …and permission to connect to any site using a non-privileged port

16 SY32 Secure Computing, Lecture 17 Enforcing Policy: Java Example

    import java.net.SocketPermission;
    import java.security.AccessController;

    public class Socket {
        public Socket(String host, int port) {
            // Demand permission to connect to host:port before doing so
            SocketPermission perm =
                new SocketPermission(host + ":" + port, "connect");
            AccessController.checkPermission(perm);
            ...
        }
        ...
    }

What if a trusted caller is itself invoked by untrusted, malicious code?... (luring attack)

17 SY32 Secure Computing, Lecture 17 Walking The Stack in .NET
[Diagram: a call stack Method A → Method B → Method C → Method D → Socket.Connect, with the frames spread over Assembly X, Assembly Y, Assembly Z and System.dll. Socket.Connect demands SocketPermission; the walk checks each frame for a granted SocketPermission and raises a SecurityException at the first frame whose assembly lacks it.]

18 SY32 Secure Computing, Lecture 17 Initiating a Stack Walk
- In .NET, call the appropriate permission object's Demand method
- In Java, call the checkPermission method of the AccessController class, with the demanded permission as an argument
- Demands are typically made within trusted library code; it usually isn't necessary to make them explicitly yourself

19 SY32 Secure Computing, Lecture 17 Controlling Stack Walks in .NET
- The security action Assert terminates a stack walk without triggering a SecurityException
  - Making an assertion = vouching for callers
  - Need to be very sure that callers can't wreak havoc!
- The security action Deny forces termination of a stack walk with a SecurityException
- Assertions or denials can be cancelled via calls to RevertAssert or RevertDeny

20 SY32 Secure Computing, Lecture 17 Example
- How can we make sure that a method needing to log data to a file can always do so, regardless of caller permissions?
- Answer: use the Assert security action
- Which style of action?
  - Imperative
  - Declarative

21 SY32 Secure Computing, Lecture 17 Implementations

    // Imperative: build the permission at run time and assert it
    public void UpdateLog(string text)
    {
        const string logfile = "C:\\MyApp.log";
        FileIOPermission perm =
            new FileIOPermission(FileIOPermissionAccess.Append, logfile);
        perm.Assert();
        ...
    }

    // Declarative: the assertion is an attribute fixed at compile time
    [FileIOPermission(SecurityAction.Assert, Append = "C:\\MyApp.log")]
    public void UpdateLog(string text)
    {
        ...
    }
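The stack-walk semantics of slides 16 to 21 (the luring attack, Demand, Assert and Deny) as a simulation that can be stepped through. This is an added example, not CLR or JDK code: the assembly names, their grant sets and the call stacks are constructed, and the model checks each frame in the order grant, Deny, Assert, treating an Assert as valid only when the asserting assembly itself holds the permission. RevertAssert and RevertDeny are not modelled.

```python
"""Simulation of the CAS stack walk with Demand, Assert and Deny
(added example; constructed assemblies, grants and call stacks)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class SecurityException(Exception):
    """Raised when a stack walk finds a frame that cannot satisfy the demand."""


@dataclass
class Frame:
    method: str
    assembly: str
    asserted: Set[str] = field(default_factory=set)  # permissions Asserted here
    denied: Set[str] = field(default_factory=set)    # permissions Denied here


Grants = Dict[str, Set[str]]


def demand(stack: List[Frame], permission: str, grants: Grants) -> List[str]:
    """Walk from the demanding frame (stack[-1]) towards the entry point
    (stack[0]).  Every frame's assembly must hold `permission`; a Deny in a
    frame fails the walk; an Assert in a frame that itself holds the
    permission ends the walk successfully, so the frames beneath it are never
    examined.  Returns the methods actually checked."""
    checked = []
    for frame in reversed(stack):
        checked.append(frame.method)
        if permission not in grants.get(frame.assembly, set()):
            raise SecurityException(
                f"{frame.method} in {frame.assembly} was not granted {permission}")
        if permission in frame.denied:
            raise SecurityException(f"{frame.method} denied {permission}")
        if permission in frame.asserted:
            break  # the asserter vouches for every caller below it
    return checked


def outcome(stack: List[Frame], permission: str, grants: Grants) -> Tuple[bool, str]:
    """Run a demand and report (succeeded, detail) instead of raising."""
    try:
        return True, "checked " + " <- ".join(demand(stack, permission, grants))
    except SecurityException as e:
        return False, str(e)


# Constructed grant sets: X and Y are fully trusted, Z is Internet-zone code.
GRANTS: Grants = {
    "System.dll": {"SocketPermission", "FileIOPermission"},
    "AssemblyX": {"SocketPermission", "FileIOPermission"},
    "AssemblyY": {"SocketPermission", "FileIOPermission"},
    "AssemblyZ": {"UIPermission"},
}


def luring_attack() -> Tuple[bool, str]:
    """Untrusted Z calls trusted Y and X, which end up in Socket.Connect."""
    stack = [Frame("MethodA", "AssemblyZ"), Frame("MethodB", "AssemblyY"),
             Frame("MethodC", "AssemblyX"), Frame("Socket.Connect", "System.dll")]
    return outcome(stack, "SocketPermission", GRANTS)


def trusted_callers() -> Tuple[bool, str]:
    stack = [Frame("MethodA", "AssemblyX"), Frame("MethodB", "AssemblyY"),
             Frame("Socket.Connect", "System.dll")]
    return outcome(stack, "SocketPermission", GRANTS)


def logging_with_assert() -> Tuple[bool, str]:
    """UpdateLog in trusted Y asserts FileIOPermission, so the log write
    succeeds although its caller Z holds no file permission."""
    stack = [Frame("MethodA", "AssemblyZ"),
             Frame("UpdateLog", "AssemblyY", asserted={"FileIOPermission"}),
             Frame("FileStream.ctor", "System.dll")]
    return outcome(stack, "FileIOPermission", GRANTS)


def logging_without_assert() -> Tuple[bool, str]:
    stack = [Frame("MethodA", "AssemblyZ"), Frame("UpdateLog", "AssemblyY"),
             Frame("FileStream.ctor", "System.dll")]
    return outcome(stack, "FileIOPermission", GRANTS)


def deny_in_trusted_frame() -> Tuple[bool, str]:
    """Deny makes the walk fail even though every assembly holds the permission."""
    stack = [Frame("MethodA", "AssemblyX", denied={"SocketPermission"}),
             Frame("MethodB", "AssemblyY"), Frame("Socket.Connect", "System.dll")]
    return outcome(stack, "SocketPermission", GRANTS)


if __name__ == "__main__":
    for name, fn in [("luring attack", luring_attack), ("trusted callers", trusted_callers),
                     ("logging with Assert", logging_with_assert),
                     ("logging without Assert", logging_without_assert),
                     ("Deny in trusted frame", deny_in_trusted_frame)]:
        print(f"{name}: {fn()}")
```

The luring case fails at MethodA because the walk reaches the untrusted frame regardless of how many trusted frames sit above it; the Assert case succeeds without ever inspecting MethodA, which is exactly why slide 19 warns that an assertion vouches for the callers and must only guard an operation whose inputs the asserting code fully controls (here a fixed log path, not a caller-supplied one).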

22 SY32 Secure Computing, Lecture 17 Imperative & Declarative Styles
- Imperative security actions
  - Can use information available only at run time
  - Cannot be discovered without running the code
- Declarative security actions
  - Are fixed at compile time
  - Can be discovered without running the code (reflection)

23 SY32 Secure Computing, Lecture 17 Summary
- Access given to code can be determined from user identity or from code identity
- Code access security policy specifies the mapping of code identities onto sets of permissions
- .NET resolves multiple policies and intersects the results
- Policy is enforced by a stack walk, to prevent malicious code from luring trusted code
- Stack walks can be controlled, e.g., using Assert and Deny in .NET