
1 DEV340: .NET Framework Security Best Practices
Sebastian Lange, Program Manager, Common Language Runtime, Microsoft Corporation

2 Agenda
Quick Code Access Security (CAS) review
Building a secure shared library:
  Using verifiable code
  Allowing partially-trusted callers
  Proper use of Assert()
  Protecting exposed resources
  Sealing access to methods
Common security programming mistakes

3 CAS Review: A New Paradigm
Goal: enable "partial trust"
Primary security identity: code (the assembly)
Authentication: information collected about the code (Evidence)
Authorization: a code-identity-based policy system grants rights to access resources
Enforcement: verification, validation, stack walks

4 CAS Review: Infrastructure
Validation: ensures correctness of the file format
Verification: ensures type safety
Policy system: a set of admin-defined rules that assign trust to assemblies (input: Evidence; output: granted permissions)
Enforcement: developers protect access to resources with Permissions; the CLR enforces that protection through stack walks

5 Creating Secure Libraries: Categorize Your Library
Decide on your general approach up front:
  Unsafe: cannot be called in semi-trusted scenarios
  Security neutral: does not need any special permissions to run
  Uses native resources: uses COM interop or P/Invoke internally
  Exposes security-relevant resources
Be aware of the "Secure Coding Guidelines" (link provided on the "Resources" slide)

6 Creating Secure Libraries: Exposing Security-Relevant Resources
Exposes a resource an admin may want to control
Examples: file system, speakers, screen, network
Most common library type
Follow Secure Coding Guidelines rule #1: use Permissions to protect access to your resources!

7 Creating Secure Libraries: Write Verifiable Code
Helps ensure that the CLR can enforce security (unverifiable code needs SecurityPermission/SkipVerification, which partially-trusted code is not granted)
Helps reduce buffer overruns
Verifiability depends on the language compiler and the features used:
  Visual Basic .NET: verifiable
  C#: verifiable, except code using the "unsafe" keyword
  C++: generally not verifiable (addressed in a future release)
Check your build with the SDK's PEVerify tool, which reports every unverifiable method

8 The NoiseMaker Library (demo)
Scenario: a secure library that exposes sound APIs; intranet apps can play sounds, Internet apps cannot

9 Creating Secure Libraries: Allowing Partially-Trusted Callers
Default: code that calls your strong-named library must have full trust (the CLR places an implicit LinkDemand for FullTrust on every public member)
This limits use scenarios today, and will limit them even more in the future
AllowPartiallyTrustedCallersAttribute provides an opt-in mechanism for allowing potentially dangerous code to call the library
Specified per assembly
Do security reviews per the Secure Coding Guidelines before opting in

10 Allowing Partially Trusted Callers (demo)

11 Creating Secure Libraries: Using Assert()
Assert() puts the burden on you; Demand() puts the burden on the system
Pairing an Assert() with a Demand() reduces your burden
Common pattern (note: Demand first, then Assert):
  Demand a more constrained permission
  Assert only what is needed to access the resource
Keep the asserted region as small as possible and revert it (CodeAccessPermission.RevertAssert()) when done

12 Using Assert() (demo)
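The following is an added example, not the deck's NoiseMaker demo (the page does not reproduce that code). It puts slides 8 to 12 together: a strong-named library opts in with AllowPartiallyTrustedCallers, and its one resource-exposing method demands a narrow permission before asserting the broad one the P/Invoke needs. The SoundPlayer class, PlayWaveFile and the winmm.dll import are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Opt in: without this, the CLR places an implicit LinkDemand for FullTrust
// on every public member of a strong-named assembly.
[assembly: AllowPartiallyTrustedCallers]

namespace NoiseMaker
{
    // Hypothetical library class; the deck's own NoiseMaker code is not on the page.
    public sealed class SoundPlayer
    {
        // winmm.dll: BOOL PlaySound(LPCTSTR pszSound, HMODULE hmod, DWORD fdwSound)
        [DllImport("winmm.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        private static extern bool PlaySound(string pszSound, IntPtr hmod, uint fdwSound);

        private const uint SND_FILENAME = 0x00020000;
        private const uint SND_ASYNC    = 0x00000001;

        private SoundPlayer() { }

        // Plays a .wav file on behalf of a possibly partially-trusted caller.
        public static void PlayWaveFile(string fileName)
        {
            if (fileName == null) throw new ArgumentNullException("fileName");

            // Canonicalise before checking so "..\..\x.wav" cannot sidestep the demand.
            string fullPath = Path.GetFullPath(fileName);

            // 1. Demand first: every caller on the stack must be allowed to READ this file.
            //    This is a narrower right than the one asserted below.
            new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();

            // 2. Then assert only what the P/Invoke needs, for as short a scope as possible.
            //    Without the assert, the UnmanagedCode stack walk triggered by the P/Invoke
            //    would reach the partially-trusted caller and fail.
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
            try
            {
                if (!PlaySound(fullPath, IntPtr.Zero, SND_FILENAME | SND_ASYNC))
                    throw new InvalidOperationException(
                        "PlaySound failed, Win32 error " + Marshal.GetLastWin32Error());
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

The assert only works if the library's own grant set contains UnmanagedCode and the right to assert (SecurityPermission/Assertion), which is the case for a fully trusted library; a caller that lacks FileIOPermission for the path gets a SecurityException from the Demand before any native code runs.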

13 Creating Secure Libraries: Protecting Access to Resources
Resources are protected with a Demand for a Permission
Consideration: use an existing permission or write a new one?
  Leverage an existing permission when appropriate, i.e. when the feature aligns with the philosophy of that permission; don't overload its use
  Define a new permission class if needed
  New Permissions should be sealed

14 Creating Secure Libraries: Protecting Access to Resources
Consider the admin model: what must an admin control? Ex: file access to c:\*, speaker access, etc.
Always allow the permission to be turned off completely
What should be in default policy? Picture the most conservative admin
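An added example of what slides 13 and 14 ask for in a new permission class, not code from the deck: a sealed CodeAccessPermission with a single on/off state, so that an admin can revoke it entirely, and with the set operations the policy system and Demand() rely on. SpeakerPermission and its namespace are assumptions for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

namespace NoiseMaker
{
    // Hypothetical permission guarding the speaker. Sealed so that no subclass can
    // weaken IsSubsetOf/Intersect and thereby satisfy a Demand it should fail.
    [Serializable]
    public sealed class SpeakerPermission : CodeAccessPermission, IUnrestrictedPermission
    {
        // Admin model: the resource is either granted or not, and PermissionState.None
        // switches it off completely.
        private bool _unrestricted;

        public SpeakerPermission(PermissionState state)
        {
            _unrestricted = (state == PermissionState.Unrestricted);
        }

        public bool IsUnrestricted() { return _unrestricted; }

        public override IPermission Copy()
        {
            return new SpeakerPermission(_unrestricted ? PermissionState.Unrestricted
                                                       : PermissionState.None);
        }

        // Policy composes grants from several code groups with Union/Intersect, and
        // Demand() uses IsSubsetOf to decide whether a grant satisfies the demand.
        public override IPermission Intersect(IPermission target)
        {
            if (target == null) return null;
            SpeakerPermission other = Cast(target);
            if (_unrestricted && other._unrestricted) return Copy();
            return null;   // an empty permission is represented by null
        }

        public override IPermission Union(IPermission target)
        {
            if (target == null) return Copy();
            SpeakerPermission other = Cast(target);
            return new SpeakerPermission((_unrestricted || other._unrestricted)
                ? PermissionState.Unrestricted : PermissionState.None);
        }

        public override bool IsSubsetOf(IPermission target)
        {
            if (target == null) return !_unrestricted;   // only "nothing" is a subset of nothing
            return !_unrestricted || Cast(target)._unrestricted;
        }

        // XML round-trip so the permission can appear in a policy file and be granted
        // or revoked per permission set by the administrator.
        public override SecurityElement ToXml()
        {
            SecurityElement e = new SecurityElement("IPermission");
            e.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('"', '\''));
            e.AddAttribute("version", "1");
            if (_unrestricted) e.AddAttribute("Unrestricted", "true");
            return e;
        }

        public override void FromXml(SecurityElement e)
        {
            if (e == null || e.Tag != "IPermission")
                throw new ArgumentException("Invalid permission element");
            string u = e.Attribute("Unrestricted");
            _unrestricted = (u != null && String.Compare(u, "true", true) == 0);
        }

        private static SpeakerPermission Cast(IPermission target)
        {
            SpeakerPermission p = target as SpeakerPermission;
            if (p == null) throw new ArgumentException("target is not a SpeakerPermission");
            return p;
        }
    }
}
```

The library then protects the speaker with `new SpeakerPermission(PermissionState.Unrestricted).Demand();` on the path that makes noise. Because the permission is absent from every built-in permission set, the most conservative admin gets the safe default for free, and a less conservative one adds it to, say, the LocalIntranet set in policy.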

15 Creating Secure Libraries: Protecting Access to Resources
Prefer full Demands, not Link Demands: all callers on the stack are checked on every call
Demand only what is required
Demands may be stated either declaratively or imperatively

16 Creating Secure Libraries: Declarative Demands
Specified using custom attributes
Stored in the assembly's metadata
Permission state must be known at compile time
Can be viewed with the PermView SDK tool

    [FileIOPermission(SecurityAction.Demand, Write = "c:\\temp")]
    public void Foo()
    {
        // method does something with c:\temp
    }

17 Creating Secure Libraries: Imperative Demands
Allows security checks to vary by control flow or method state
Initiated with a call to Demand()

    public File(String fileName)
    {
        // Fully qualify the path for the security check
        // (GetFullPathInternal is internal to mscorlib; code outside it uses Path.GetFullPath)
        String fullPath = Directory.GetFullPathInternal(fileName);
        new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();
        // The above call will either pass or throw a SecurityException
        // [...rest of function...]
    }

18 Protecting Resources (demo)

19 Creating Secure Libraries: Sealing Access to Members
Use link-time demands for a cryptographically strong identity
Checks only the immediate caller
Checks only the first call: occurs when the calling method is JIT-compiled
Specified using custom attributes
Performs better than a full Demand

20 Creating Secure Libraries: Sealing Access to Members
Link-time demands are great because:
  They seal off access to areas of your library
  They reduce your security exposure
  No stack walk means a smaller perf impact
Link-time demands are bad because:
  They are vulnerable to luring attacks
  The JIT uses the static type of the callee, not the runtime type
  Watch out for overrides!

21 Creating Secure Libraries: Sealing Access to Members
For public sealed classes:

    [StrongNameIdentityPermission(SecurityAction.LinkDemand, Name="A1", PublicKey="0x…………")]
    public sealed class Foo {}

For public classes, abstract classes and interfaces (the InheritanceDemand stops untrusted code from deriving or overriding):

    [StrongNameIdentityPermission(SecurityAction.InheritanceDemand, Name="A1", PublicKey="0x…………")]
    [StrongNameIdentityPermission(SecurityAction.LinkDemand, Name="A1", PublicKey="0x…………")]
    public class Foo {}

(The attribute class is StrongNameIdentityPermissionAttribute; the slide's "StrongNameIdentity" shorthand does not compile. PublicKey takes the full public key blob in hex, not the 8-byte token.)
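An added example, not from the deck, of the "JIT uses the static type" problem from slide 20 on the .NET Framework 1.x runtime this talk describes, with the fix slide 15 recommends. Widget, SecretWidget, Lure and the "A1" key are assumptions for illustration; the public key blob is elided exactly as on the slide.

```csharp
using System;
using System.Security.Permissions;

namespace Sealing
{
    // Library assembly (strong-named, fully trusted).
    public class Widget
    {
        // No demand here: anybody may describe a plain widget.
        public virtual string Describe() { return "public widget"; }
    }

    public class SecretWidget : Widget
    {
        // LinkDemand on the OVERRIDE only. The JIT evaluates link demands against the
        // method it resolves from the call site's static type, so this is bypassable.
        [StrongNameIdentityPermission(SecurityAction.LinkDemand, Name = "A1", PublicKey = "0x…………")]
        public override string Describe() { return "secret widget"; }
    }

    public class HardenedSecretWidget : Widget
    {
        // Fix: a full Demand is a run-time stack walk, evaluated whichever static type the
        // caller used, so calling through Widget no longer skips it. (Putting the same
        // LinkDemand on Widget.Describe as well is the other option.)
        [StrongNameIdentityPermission(SecurityAction.Demand, Name = "A1", PublicKey = "0x…………")]
        public override string Describe() { return "secret widget"; }
    }
}

namespace Untrusted
{
    // Caller assembly that is NOT signed with key A1.
    public class Lure
    {
        public static string Direct(Sealing.SecretWidget w)
        {
            // Static type is SecretWidget: the JIT sees the LinkDemand and throws a
            // SecurityException when it compiles Direct(), before this line ever runs.
            return w.Describe();
        }

        public static string ViaBase(Sealing.SecretWidget w)
        {
            Sealing.Widget asBase = w;
            // Static type is Widget: the JIT checks Widget.Describe (no demand) and emits a
            // plain virtual call. At run time dispatch lands on SecretWidget.Describe anyway,
            // and the link demand was never evaluated.
            return asBase.Describe();
        }

        public static string ViaBaseHardened(Sealing.HardenedSecretWidget w)
        {
            Sealing.Widget asBase = w;
            // The full Demand walks the stack at call time and finds Untrusted: SecurityException.
            return asBase.Describe();
        }
    }
}
```

The same hole exists for interface implementations: a LinkDemand on the implementing method is not seen by a caller that invokes through the interface type. Whenever a member you protect overrides or implements something declared without the demand, either protect the declaration too or use a full Demand.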

22 Security Programming Gotchas
Check your arguments
Code generation bugs
Think about race conditions
Watch out for readonly
Pass Evidence when dynamically generating code

23 Argument Checking
Ex: a malicious WSDL that uses special characters to insert extra method calls into the generated proxy.

WSDL fragment supplied by the attacker:

    <soap:address location='http://server/proxyinjection.dll?Handler=Default"); SomeClass.SomeMethod("Some Params here'/>

Proxy code generated from it:

    base.ConfigureProxy(this.GetType(), "http://server/proxyinjection.dll?Handler=Default");
    SomeClass.SomeMethod("Some Params here");

The generator pasted the attribute value into a C# string literal without escaping it, so the embedded quote and parenthesis close the literal and the call, and the rest of the value is compiled as a second statement.
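An added example, not code from the deck or from the WSDL proxy generator it refers to, of the argument check that closes this hole: every untrusted value that a code generator pastes into source is turned into a properly escaped C# literal first. CSharpLiteral and the two Emit helpers are assumptions; the malicious value is constructed from the slide's fragment.

```csharp
using System;
using System.Text;

public static class CSharpLiteral
{
    // Returns `s` as a quoted C# string literal in which every character that could
    // terminate the literal or smuggle in a line break is escaped.
    public static string Quote(string s)
    {
        if (s == null) return "null";
        StringBuilder sb = new StringBuilder(s.Length + 2);
        sb.Append('"');
        foreach (char c in s)
        {
            switch (c)
            {
                case '"':  sb.Append("\\\""); break;
                case '\\': sb.Append("\\\\"); break;
                case '\0': sb.Append("\\0");  break;
                case '\n': sb.Append("\\n");  break;
                case '\r': sb.Append("\\r");  break;
                case '\t': sb.Append("\\t");  break;
                default:
                    // Remaining control characters and the characters the C# lexer treats
                    // as line terminators (NEL, LS, PS) are emitted as \uXXXX escapes.
                    if (c < ' ' || c == '\x7f' || c == '\u0085' || c == '\u2028' || c == '\u2029')
                        sb.AppendFormat("\\u{0:x4}", (int)c);
                    else
                        sb.Append(c);
                    break;
            }
        }
        sb.Append('"');
        return sb.ToString();
    }

    // The vulnerable generator line from the slide, as it was written...
    public static string EmitConfigureProxyUnsafe(string location)
    {
        return "base.ConfigureProxy(this.GetType(), \"" + location + "\");";
    }

    // ...and the hardened one: the value can only ever be string data.
    public static string EmitConfigureProxy(string location)
    {
        return "base.ConfigureProxy(this.GetType(), " + Quote(location) + ");";
    }

    public static void Main()
    {
        // Constructed malicious soap:address value, modelled on the slide's WSDL fragment.
        string evil = "http://server/proxyinjection.dll?Handler=Default\"); SomeClass.SomeMethod(\"Some Params here";
        Console.WriteLine(EmitConfigureProxyUnsafe(evil));   // two statements: the injected call is now code
        Console.WriteLine(EmitConfigureProxy(evil));         // one statement: the payload stays inert
    }
}
```

Escaping is the generic defence; where the value has a known shape (here, a URL), validating it against that shape before generating anything is the cheaper first check.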

24 Race Conditions

    public unsafe int ReadByte()
    {
        if (!_isOpen) __Error.StreamIsClosed();
        if (_position >= _length) return -1;   // Thread 1: bounds check reads _position...
        return _mem[_position++];              // ...Thread 2 advances _position in between; Thread 1's read can go past _length
    }

The bounds check and the indexed read use two separate reads of the shared field _position. With the interleaving Thread 1 / Thread 2 / Thread 1, the value that was checked is not the value that is used as the index, so the unsafe read can leave the buffer.

25 Race Conditions: Solution

    public unsafe int ReadByte()
    {
        if (!_isOpen) __Error.StreamIsClosed();
        int pos = _position;                   // read the shared field exactly once
        if (pos >= _length) return -1;
        _position = pos + 1;
        return _mem[pos];                      // index with the value that was checked
    }

Two racing threads may still return the same byte, but the index is now always one that passed the check, so the read can no longer leave the buffer; that is the security property the fix is after.

26 When readonly Isn't Read-Only
The readonly keyword applies to locations, not instances
Never use readonly instances of mutable types
The referenced object can be changed using:

    public static readonly StringBuilder Value = new StringBuilder("Boo");
    ...
    MyClass.Value.Append("Bar");
    Console.WriteLine(MyClass.Value);   // prints "BooBar"

27 Dynamic Code Generation
Without care, dynamically generated code gets the permissions of YOUR library
Carefully scrutinize all usages of:
  AppDomain.DefineDynamicAssembly
  Assembly.Load(Byte[], ...)
Always use the overloads that allow you to pass Evidence
Pass the minimum Evidence possible
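An added example, not from the deck, of passing Evidence so that emitted code runs with its own grant set instead of the library's. SandboxedEmit, BuildProbe and InternetEvidence are assumptions for illustration; the Evidence-taking overloads shown exist through .NET Framework 3.5 and were marked obsolete in .NET 4 together with CAS policy, and calling them requires the library to hold SecurityPermission/ControlEvidence.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Reflection.Emit;
using System.Security;
using System.Security.Policy;

public sealed class SandboxedEmit
{
    private SandboxedEmit() { }

    // Emits a dynamic assembly whose single method calls Directory.GetCurrentDirectory(),
    // which demands FileIOPermission(PathDiscovery) and so reveals the grant set in force.
    public static MethodInfo BuildProbe(Evidence evidence)
    {
        AssemblyName name = new AssemblyName();
        name.Name = "DynamicProbe";

        // The two-argument overload would hand the new assembly this library's own grant set:
        //   AppDomain.CurrentDomain.DefineDynamicAssembly(name, AssemblyBuilderAccess.Run);
        // Passing evidence lets policy compute a grant set for the emitted code instead.
        AssemblyBuilder ab = AppDomain.CurrentDomain.DefineDynamicAssembly(
            name, AssemblyBuilderAccess.Run, evidence);
        ModuleBuilder mb = ab.DefineDynamicModule("DynamicProbe");
        TypeBuilder tb = mb.DefineType("Probe", TypeAttributes.Public | TypeAttributes.Sealed);
        MethodBuilder meth = tb.DefineMethod("CurrentDir",
            MethodAttributes.Public | MethodAttributes.Static, typeof(string), Type.EmptyTypes);

        ILGenerator il = meth.GetILGenerator();
        il.Emit(OpCodes.Call, typeof(Directory).GetMethod("GetCurrentDirectory"));
        il.Emit(OpCodes.Ret);

        Type probe = tb.CreateType();
        return probe.GetMethod("CurrentDir");
    }

    // Minimum evidence for the scenario: the code is treated as if it came from the
    // Internet zone, so default policy grants it the Internet permission set only.
    // (Assembly.Load(byte[], byte[], Evidence) takes the same Evidence for loaded bytes.)
    public static Evidence InternetEvidence()
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(SecurityZone.Internet));
        return ev;
    }

    public static void Main()
    {
        MethodInfo probe = BuildProbe(InternetEvidence());
        try
        {
            Console.WriteLine(probe.Invoke(null, null));
        }
        catch (TargetInvocationException tie)
        {
            // The stack walk reaches the dynamic assembly's frame, finds the Internet grant
            // set, and fails the FileIOPermission demand: SecurityException.
            Console.WriteLine("Blocked: " + tie.InnerException.GetType().Name);
        }
    }
}
```

When the dynamic code is generated on behalf of a partially-trusted caller, the right evidence is usually that caller's own (`callerAssembly.Evidence`), so the emitted code can do no more than the code that asked for it.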

28 Key Takeaways
CAS is based on code identity and augments the Windows security model
Partial-trust scenarios will continue to get more prevalent
Always use Permissions to protect your resources
Remember the admin when designing new permissions
Be familiar with the Secure Coding Guidelines and the common security programming mistakes

29 Additional Resources
"Secure Coding Guidelines": http://www.msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/seccodeguide.asp
".NET Framework Security", Addison-Wesley
MSDN Security Site: www.msdn.microsoft.com/security
DEV240 "Fundamentals of Code Access Security"

30 Community Resources
MS Community Sites: http://msdn.microsoft.com/netframework/community/ and http://microsoft.com/communities/default.mspx
Newsgroups (list at http://microsoft.com/communities/newsgroups/default.mspx): microsoft.public.dotnet.general, microsoft.public.dotnet.framework, microsoft.public.dotnet.clr, microsoft.public.dotnet.security
ListServs (http://discuss.develop.com): ADVANCED-DOTNET, DOTNET-CLR, DOTNET-ROTOR
Attend a free chat or webcast: http://microsoft.com/communities/chats/default.mspx and http://microsoft.com/usa/webcasts/default.asp
Locate a local user group: http://microsoft.com/communities/usergroups/default.mspx
Community sites: http://microsoft.com/communities/related/default.mspx

31 Community Resources (http://www.microsoft.com/communities/default.mspx)
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

32 Evaluations

33 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
