Slide 1: Securing Microsoft Silverlight
Tech·Ed North America 2009. Shawn Wildermuth, Microsoft Corporation.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 5: Silverlight Security Vectors
- Users/Hackers: Reflector, Silverlight Spy, debuggers, memory profilers
- Eavesdroppers: packet sniffers, etc.
- Hackers/Personnel: intrusion and physical security
Slide 6: Securing the Client
YourApp.xap is a .zip archive (YourApp.zip) containing:
- Main Assembly: code, embedded XAML, other resources
- SDK Assemblies (optionally deployed): controls, Other.dll
- Your Libraries
- Other Assets: images, fonts
Slide 7: Securing the Client (2)
Client security considerations:
- Code
- XAML
- Assets
- Secrets
- Isolated Storage
- Data
Slide 8: Securing the Client (3)
- Code: limited protection, even with obfuscation
- XAML: almost no protection; stored as text
- Assets
Slide 9: Securing the Client (4)
- Secrets: obfuscation helps, but is not complete, because the secret must be loaded into memory
- Isolated Storage: no protection; it is accessible to users, so keep your secrets out of here
- Data: limit the surface area; send summary data; Data Services' projections are helpful
Slide 10: Protecting Your Intellectual Property
- Silverlight does not protect your algorithms
- Unlike .NET: obfuscation only protects against decompilation
- Code runs in the client
- The client must be able to download the assemblies
Slide 11: Protecting Your Intellectual Property (2)
What is worth protecting?
- Labor? No…
- Unique implementations? Yes…
- Sensitive data? Yes…
Slide 12: Protecting Your Intellectual Property (3)
- Hide it on the server
- Generate the XAML on the server
- Send only summary data to the client
Slide 13: Protecting Your XAP
Silverlight apps are just files; protect them like any other web file:
- Forms Authentication
- Windows Authentication
- Etc.
Slide 14: Protecting Your XAP (2)
For apps with login:
- The XAP needs to be anonymously accessible
- Compose at runtime: a bootstrapper app, or composition (Prism, MEF, etc.)
Slide 15: Securing Services
The only secure methods in Silverlight:
- Token based
- Cookie based
- NTLM based
Slide 16: Securing Services (2)
Diagram: the Browser hosts the Silverlight App; the app's network call goes out through the browser, so it carries the browser's state (cookies, Session ID, NTLM) with it.
Slide 17: Securing Services (3)
Why not Basic Auth?
- Insecure across the wire (though it could be secured with SSL)
- Uses headers
- Specifically forbidden using the HTTP stacks
Slide 18: Securing Services (4)
Integrated Windows Authentication:
- Just works
- Assumes NTLM on the platform
- OS X is problematic
Slide 19: Securing Services (5)
Cookie-based auth:
- ASP.NET's Forms-based auth
- Custom encrypted cookies; never decrypt them on the client
- Expire cookies frequently
Slide 20: Securing Services (6)
Token-based security:
- Can use expiring tokens
- Pass them in on web services
- Not foolproof or 'secure'
- Must also expire
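The expiring-token pattern from slide 20, combined with slide 19's rule that the client never decrypts or verifies the credential itself, as an added server-side example that is not from the presentation. The class name, method names, token layout and the secret value are assumptions.

```csharp
// Added example (not from the slides): an expiring, HMAC-signed token issued and
// validated only on the server. TokenService, its members and the secret are assumptions.
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class TokenService
{
    // Server-only secret: in practice loaded from protected server configuration, never
    // shipped in the XAP, which any user can unzip and read (slides 6 and 9).
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-server-secret");

    // Token layout (assumed): user|expiryUtcTicks|base64(HMAC-SHA256(user|expiryUtcTicks))
    public static string IssueToken(string user, TimeSpan lifetime)
    {
        if (user.Contains("|")) throw new ArgumentException("user name must not contain '|'");
        string payload = user + "|" + DateTime.UtcNow.Add(lifetime).Ticks.ToString(CultureInfo.InvariantCulture);
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }

    // Returns the user name if the token is intact and unexpired, otherwise null.
    // Each service operation calls this before doing any work and faults on null.
    public static string ValidateToken(string token)
    {
        string[] parts = (token ?? "").Split('|');
        if (parts.Length != 3) return null;
        long expires;
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out expires)) return null;
        byte[] actual;
        try { actual = Convert.FromBase64String(parts[2]); } catch (FormatException) { return null; }
        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), actual)) return null;  // tampered
        if (DateTime.UtcNow.Ticks >= expires) return null;                            // expired
        return parts[0];
    }

    private static byte[] Sign(string data)
    {
        using (var hmac = new HMACSHA256(Secret))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Compares every byte so the timing does not reveal where a forged MAC first differs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The Silverlight client only stores the opaque string and passes it as a parameter on each web service call; the server alone holds the secret and decides whether the token is still valid.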
Slide 21: Securing Services (7)
Add Service Reference problem:
- Doesn't play well with security
- Must disable security when adding/refreshing the reference
- Trouble for building references at build time
Slide 22: Securing Services (8)
ClientCredentials:

    // Generated WCF proxy; the user name and password are set on the proxy before the call
    MyServiceClient client = new MyServiceClient();
    client.ClientCredentials.UserName.UserName = "Frank";
    client.ClientCredentials.UserName.Password = "P2ssw0rd";
    client.GetNameCompleted += (s, args) => { theText.Text = args.Result; };
    client.GetNameAsync();
Slide 23: Securing Services (9)
Using Forms Authentication Service:
- AuthenticationService (pre-built WCF)
- Simple SOAP call to authenticate

Service host declaration (.svc file):

    <%@ ServiceHost Language="C#" Service="System.Web.ApplicationServices.AuthenticationService" %>

Client call:

    var proxy = new AuthenticationServiceClient();
    proxy.LoginCompleted += (s, args) =>
    {
        if (args.Result)
        {
            // Succeeded
        }
    };
    proxy.LoginAsync("Frank", "P2ssw0rd", null, false);
Slide 24: Client HTTP Stack
The standard network stack goes through the browser.
Good:
- Uses cookies and NTLM
- Looks and feels like the browser
Bad:
- Only GET/POST are supported
- Typically limited to two outbound requests
Slide 25: Client HTTP Stack (2)
Alternative: the Client HTTP Stack, for specific scenarios:
- Need PUT/DELETE
- Need custom cookies
- Need more control over status codes, bodies and headers
Slide 26: Client HTTP Stack (3)
Create a new request using WebRequestCreator's ClientHttp property (non-event-based, APM style):

    // The absolute URL was stripped from the slide; example.invalid is a placeholder
    WebRequest req = WebRequestCreator.ClientHttp.Create(
        new Uri("http://example.invalid/service", UriKind.Absolute));
    req.BeginGetResponse(new AsyncCallback(r =>
    {
        var res = req.EndGetResponse(r);
        var strm = res.GetResponseStream();
    }), null);
Slide 27: Client HTTP Stack (4)
Specify the Client HTTP Stack for everything: call WebRequest's RegisterPrefix, and then all calls become client-stack calls, even WebClient:

    bool httpResult = WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
    WebClient client = new WebClient();
    client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(OnDlComplete);
    client.DownloadStringAsync(new Uri("/template.xaml", UriKind.Relative));
Slide 28: Client HTTP Stack (5)
WebRequest credentials are supported for the ClientHttp stack only; they add the Authentication header.

    // Per request. The URL and password were stripped from the slide; placeholders are used.
    var request = WebRequestCreator.ClientHttp.Create(
        new Uri("/service-path", UriKind.Relative));
    request.Credentials = new NetworkCredential("shawn", "<password>");
    request.UseDefaultCredentials = false;

    // Or for every request, once the prefix is registered to the client stack
    WebRequest.RegisterPrefix("http", WebRequestCreator.ClientHttp);
    var client = new WebClient();
    client.Credentials = new NetworkCredential("shawn", "<password>");
    client.UseDefaultCredentials = false;
    client.DownloadStringCompleted += (s, a) => a.Result.ToArray(); // result handling elided on the slide
    client.DownloadStringAsync(new Uri("/service-path", UriKind.Relative));
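The Client HTTP Stack scenarios from slides 25 and 28 in one request, as an added example that is not from the presentation: a PUT, a custom cookie carried independently of the browser's cookie jar, and the real status code on failure. The class, method, URL, cookie name, body and callback shape are assumptions.

```csharp
// Added example (not from the slides): one ClientHttp request that needs every reason
// slide 25 gives for leaving the browser stack. Names, URL and cookie are assumptions.
using System;
using System.IO;
using System.Net;
using System.Net.Browser;
using System.Text;

public static class ClientStackDemo
{
    // done(status, body) runs on a background thread; marshal to the UI thread before
    // touching controls.
    public static void PutWithCookie(string url, string sessionToken, Action<HttpStatusCode, string> done)
    {
        var target = new Uri(url, UriKind.Absolute);
        var request = (HttpWebRequest)WebRequestCreator.ClientHttp.Create(target);
        request.Method = "PUT";                           // not possible through the browser stack
        request.ContentType = "application/json";
        request.CookieContainer = new CookieContainer();  // our own jar, not the browser's
        request.CookieContainer.Add(target, new Cookie("AppToken", sessionToken));

        request.BeginGetRequestStream(ar =>
        {
            using (Stream body = request.EndGetRequestStream(ar))
            {
                byte[] bytes = Encoding.UTF8.GetBytes("{\"name\":\"Frank\"}");   // constructed body
                body.Write(bytes, 0, bytes.Length);
            }
            request.BeginGetResponse(ar2 =>
            {
                HttpWebResponse response;
                try { response = (HttpWebResponse)request.EndGetResponse(ar2); }
                catch (WebException ex)
                {
                    // With ClientHttp a 401/403/500 surfaces here with its real status code,
                    // instead of the browser stack's generic NotFound.
                    var failed = ex.Response as HttpWebResponse;
                    done(failed != null ? failed.StatusCode : HttpStatusCode.ServiceUnavailable, null);
                    return;
                }
                using (response)
                using (var reader = new StreamReader(response.GetResponseStream()))
                    done(response.StatusCode, reader.ReadToEnd());
            }, null);
        }, null);
    }
}
```

Because the cookie lives in the request's own CookieContainer, it is sent only on calls the application makes explicitly, which is what lets an expiring application token be used in place of the browser's ambient session cookie.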
Slide 29: Questions?
Slide 30: Track Resources
- ASP.NET – http://www.asp.net/
- Silverlight –
- Expression –
- Internet Explorer –