Published by Maryann Simmons, modified over 9 years ago
Shawn Wildermuth, President, AgiliTrain, Microsoft MVP (Data)
Knowing the Enemy
Securing Silverlight: Knowing the Enemy
Who is the enemy?
◦ Users/Hackers (Reflector, Silverlight Spy, Debuggers, Memory Profilers)
◦ Hackers/Personnel (Intrusion and Physical Security)
◦ Eavesdroppers (Packet Sniffers, etc.)
YourApp.xap is YourApp.zip: the package is an ordinary zip file and anyone who can download it can open it
◦ Main Assembly: Code, Embedded XAML, Other Resources
◦ SDK Assemblies: Optionally deployed Controls
◦ Other.dll: Your Libraries
◦ Other Assets: Images, Fonts
Client Security Considerations
◦ Code
◦ XAML
◦ Assets
◦ Secrets
◦ Isolated Storage
◦ Data
Code
◦ Limited Protection
◦ Even with Obfuscation
XAML
◦ Almost No Protection
◦ Stored as Text
Assets
◦ Almost No Protection
Secrets
◦ Obfuscation Helps
◦ Not Complete: the secret must be loaded into memory to be used, where a debugger or memory profiler can read it
Isolated Storage
◦ No Protection
◦ Accessible to Users: keep your secrets out of here
Data
◦ Limit Surface Area
◦ Send Summary Data
◦ Data Services' Projections Are Helpful
Silverlight does not protect your Algorithms
◦ Unlike server-side .NET code, the assemblies ship to the user; obfuscation only hampers decompilation, it does not prevent it
◦ Code runs in the client
◦ Client must be able to download assemblies, so every user (and attacker) can download them too
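The point of the last few slides, that a XAP is a zip and that any string literal compiled into it (connection strings, keys, passwords) is readable by any user, is easy to demonstrate from the attacker's side. The following Python script is an added example and not part of Shawn Wildermuth's deck. It builds a constructed XAP in memory (a hand-written AppManifest.xaml and a fake assembly blob that carries its string literals as UTF-16LE, the way the .NET #US heap does; it is not a real compiled assembly), lists the assemblies the manifest declares, and scans each .dll for secret-looking strings. The file names, the keyword list and the secret values are invented for the demo.

```python
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile

DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"
XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# A run of 8+ printable ASCII characters stored as UTF-16LE, which is how
# .NET keeps string literals in an assembly's #US heap.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
# Hypothetical keyword list; tune it for the application under review.
SECRET_HINT = re.compile(r"(?i)(password|pwd|secret|api[_-]?key|token|connectionstring)")


def build_sample_xap() -> bytes:
    """Constructed XAP for the demo: a zip with a manifest and a fake assembly."""
    manifest = (
        f'<Deployment xmlns="{DEPLOY_NS[1:-1]}" xmlns:x="{XAML_NS}" '
        'EntryPointAssembly="YourApp" EntryPointType="YourApp.App">'
        '<Deployment.Parts><AssemblyPart x:Name="YourApp" Source="YourApp.dll" />'
        "</Deployment.Parts></Deployment>"
    )
    # Not a real PE/CLR image: just bytes carrying UTF-16LE literals the way a
    # compiled assembly would, including a connection string "hidden" in code.
    fake_dll = (
        b"MZ" + bytes(range(64))
        + "Server=db01;User Id=sa;Password=P2ssw0rd".encode("utf-16-le") + b"\x00" * 16
        + "https://api.example.test/v1".encode("utf-16-le") + b"\x00" * 8
        + "Hello".encode("utf-16-le")  # below the 8-char threshold, ignored
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("YourApp.dll", fake_dll)
        z.writestr("Assets/Logo.png", b"\x89PNG not a real image")
    return buf.getvalue()


def list_assembly_parts(xap: bytes) -> list[str]:
    """Read AppManifest.xaml, the XAP's table of contents, for assembly file names."""
    with zipfile.ZipFile(io.BytesIO(xap)) as z:
        root = ET.fromstring(z.read("AppManifest.xaml"))
    return [part.get("Source") for part in root.iter(DEPLOY_NS + "AssemblyPart")]


def extract_utf16_strings(blob: bytes) -> list[str]:
    """Pull every UTF-16LE printable run out of an assembly (or any) blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def find_secret_strings(xap: bytes) -> dict[str, list[str]]:
    """Map each .dll in the XAP to the secret-looking literals found inside it."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(xap)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".dll"):
                continue
            found = [s for s in extract_utf16_strings(z.read(name)) if SECRET_HINT.search(s)]
            if found:
                hits[name] = found
    return hits


if __name__ == "__main__":
    xap = build_sample_xap()
    print("assemblies:", list_assembly_parts(xap))
    for dll, strings in find_secret_strings(xap).items():
        for s in strings:
            print(f"{dll}: {s}")
```

Run against a real XAP, replace build_sample_xap() with the bytes downloaded from the ClientBin folder; the manifest parsing and the UTF-16 scan work unchanged, and Reflector or Silverlight Spy will then show the code that uses each literal. No obfuscator removes these strings, because the runtime needs them at the point of use.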
What is worth protecting?
◦ Labor? No…
◦ Unique implementations? Yes…
◦ Sensitive data? Yes…
Hide it on the Server
◦ Generate the XAML on the Server
◦ Send only summary data to the client
Silverlight Apps Are Just Files
◦ Protect like any other web file: Forms Authentication, Windows Authentication, etc.
For Apps with Login
◦ The XAP that hosts the login screen must be anonymously accessible
◦ Compose the rest at Runtime, after login: Bootstrapper App or Composition (Prism, MEF, etc.), so the protected assemblies are only served to authenticated users
Only Secure Methods in Silverlight
◦ Token Based
◦ Cookie Based
◦ NTLM Based
Browser → Silverlight App → Network Call with Browser State (cookies, Session ID, NTLM)
Why Not Basic Auth?
◦ Insecure across the wire: the credentials are only base64-encoded (though the channel could be secured with SSL)
◦ Needs the Authorization header, which the browser HTTP stack specifically forbids Silverlight code from setting
Integrated Windows Authentication
◦ Just Works
◦ Assumes NTLM on the Platform
◦ OS X is Problematic (no NTLM credentials for the browser to pass through)
Cookie Based Auth
◦ ASP.NET's Forms Based Auth
◦ Custom Encrypted Cookies: never decrypt on the client; expire cookies frequently
Token-based Security
◦ Can use expiring tokens
◦ Pass them in on web service calls
◦ Not fool proof or 'secure' on its own: the token is visible to the user and to anyone sniffing the wire
◦ Must also expire
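The cookie and token slides share one requirement: whatever the client carries must be unforgeable, must expire, and must be checked on the server on every call, never interpreted by the Silverlight code. The following Python is an added example, not code from the deck or from ASP.NET's forms authentication: the server issues an HMAC-SHA256-signed token carrying a subject and an expiry, verifies it on each request, and rejects both a tampered payload and an expired token. The key and lifetime are placeholders. It signs rather than encrypts, so the claims are readable (but not changeable) by the user; if they must also be opaque, encrypt the payload as well, and still never decrypt it on the client.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import time

# Placeholder server-side key: load it from protected server configuration in
# practice. It must never be compiled into the XAP, which any user can unzip.
SERVER_KEY = b"example-only-server-key-replace-me"
TOKEN_TTL_SECONDS = 300  # short lifetime: the slides' "expire frequently"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: float | None = None) -> str:
    """Server side, after a successful login: sign {sub, exp} and return it."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: float | None = None) -> str | None:
    """Server side, on every service call: the user name, or None if rejected."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed: wrong number of parts or not base64
    # Signature is checked, in constant time, before the payload is trusted.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: the client must authenticate again
    return claims["sub"]


def forge_subject(token: str, new_subject: str) -> str:
    """What a user with a proxy and Reflector will try: edit the claims, keep the signature."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_subject
    forged_payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return f"{_b64(forged_payload)}.{sig_b64}"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    tok = issue_token("Frank", now=issued_at)
    print("fresh:  ", verify_token(tok, now=issued_at + 10))
    print("expired:", verify_token(tok, now=issued_at + TOKEN_TTL_SECONDS))
    print("forged: ", verify_token(forge_subject(tok, "Admin"), now=issued_at + 10))
```

The Silverlight client only stores the string and sends it with each service call; it cannot mint or extend one because the key never leaves the server. Over plain HTTP the token is still replayable by an eavesdropper until it expires, which is why the slides insist on short lifetimes and, for anything sensitive, SSL.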
Add Service Reference Problem
◦ Doesn't play well with security
◦ Must disable security when adding/refreshing the reference
◦ Trouble for building references at build-time
ClientCredentials

```csharp
// UserName credentials on a generated WCF proxy. The literals are for the demo only:
// in a real app they come from the user at runtime and are never compiled into the
// XAP, which any user can unzip and read.
MyServiceClient client = new MyServiceClient();
client.ClientCredentials.UserName.UserName = "Frank";
client.ClientCredentials.UserName.Password = "P2ssw0rd";
client.GetNameCompleted += (s, args) => { theText.Text = args.Result; };
client.GetNameAsync();
```
Using Forms Authentication Service
◦ AuthenticationService (pre-built WCF)
◦ Simple SOAP call to authenticate

Server side (.svc file):

```csharp
<%@ ServiceHost Language="C#" Service="System.Web.ApplicationServices.AuthenticationService" %>
```

Client side:

```csharp
// Login against the pre-built service; on success the forms auth cookie is set
// in the browser and flows with every subsequent browser-stack request.
var proxy = new AuthenticationServiceClient();
proxy.LoginCompleted += (s, args) =>
{
    if (args.Result)
    {
        // Succeeded
    }
};
// (userName, password, customCredential, isPersistent)
proxy.LoginAsync("Frank", "P2ssw0rd", null, false);
```
Standard network stack goes through the Browser
◦ Good: Uses cookies and NTLM; looks and feels like the browser
◦ Bad: Only GET/POST are supported; typically limited to the browser's two concurrent outbound connections per host
Alternative: Client HTTP Stack
◦ For specific scenarios: need PUT/DELETE; need custom cookies; need more control over status codes, bodies and headers
Create New Request
◦ Use WebRequestCreator's ClientHttp property
◦ Non-event-based, APM style

```csharp
// Explicitly create the request on the client HTTP stack.
WebRequest req = WebRequestCreator.ClientHttp.Create(
    new Uri("http://api.search.live.net/qson.aspx?query=Silverlight", UriKind.Absolute));

req.BeginGetResponse(new AsyncCallback(r =>
{
    var res = req.EndGetResponse(r);
    var strm = res.GetResponseStream();
    // read strm here (on a worker thread, so marshal to the UI thread for updates)
}), null);
```
Specify all Client HTTP Stack
◦ Call WebRequest's RegisterPrefix to specify it
◦ Then all calls become client, even WebClient

```csharp
// Route every http:// request through the client stack for the lifetime of the app.
bool httpResult = WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);

WebClient client = new WebClient();
client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(OnDlComplete);
client.DownloadStringAsync(new Uri("/template.xaml", UriKind.Relative));
```
WebRequests Credentials Supported
◦ For the ClientHttp stack only; adds the Authorization header the browser stack will not let you set

```csharp
// Per-request credentials on the client stack. The URI is absolute, so it must be
// created with UriKind.Absolute (UriKind.Relative throws for an absolute URI).
var request = WebRequestCreator.ClientHttp.Create(
    new Uri("http://wildermuth.com", UriKind.Absolute));
request.Credentials = new NetworkCredential("shawn", "p@ssw0rd");
request.UseDefaultCredentials = false;
```

```csharp
// Same thing through WebClient once the prefix is registered to the client stack.
WebRequest.RegisterPrefix("http", WebRequestCreator.ClientHttp);
var client = new WebClient();
client.Credentials = new NetworkCredential("shawn", "p@ssw0rd");
client.UseDefaultCredentials = false;
client.DownloadStringCompleted += (s, a) =>
{
    string body = a.Result; // use the response here
};
client.DownloadStringAsync(
    new Uri("http://wildermuth.com", UriKind.Absolute));
```

Literal credentials appear here only for the demo; anything compiled into the XAP is readable by every user, so collect them at runtime.