Presentation is loading. Please wait.

Presentation is loading. Please wait.

DEVC02.NET Framework Security Best Practices Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation.

Published byShavonne Malone Modified over 9 years ago

Similar presentations

Presentation on theme: "DEVC02.NET Framework Security Best Practices Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation."— Presentation transcript:

1 DEVC02.NET Framework Security Best Practices Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation

2 Agenda Quick Code Access Security (CAS) Review Building a Secure Shared Library Using Verifiable Code Allowing Partially-trusted Callers Proper use of assert() Protecting Exposed Resources Sealing Access to Methods Common security programming mistakes

3 Terminology.NET Framework Language agnostic programming platform Offers Memory management, Security services Comes with rich class library CLR (Common Language Runtime) Part of.NET framework Implements runtime services JITs code Assembly.exe/.dll that is compiled to run on the.NET Framework Contains Meta Data (MD) Contains Microsoft Intermediate Language (OO Assembly language)

4 CAS Review A New Paradigm Goal : Enable “Partial Trust” Primary Security Identity Code (Assembly) Authentication Information collected about code (Evidence) Authorization Code identity-based policy system grants rights to access resources Enforcement Verification, Validation, and Stackwalks

5 CAS Review Infrastructure Validation Ensures correctness of file format Verification Ensures Type safety Policy System Set of administratively-defined rules that assign trust to assemblies Input: Evidence Output: Granted Permissions Enforcement Developers protect access to resources with Permissions CLR enforces protection through stack walks

6 Creating Secure Libraries Categorize Your Library Decide on your general approach up front Unsafe: Cannot be called in semi-trusted scenarios Security Neutral: Does not need any special permissions to run Uses Native Resources: Uses COM interop or PInvoke internally Exposes security relevant resources Be aware of “Secure Coding Guidelines” Link provided on “Resources” slide

7 Creating Secure Libraries Exposing Security Relevant Resources Exposes a Resource an Administrator may want to control Examples: File system, speakers, screen, and network Most common library type Follow Secure Coding Guidelines #1: Use Permissions to protect access to your resources!

8 Creating Secure Libraries Write Verifiable Code Helps to ensure that CLR can enforce security Helps reduce buffer overruns Verifiability depends on the language compiler and features used Visual Basic.NET verifiable C# verifiable Except “unsafe” keyword C++ is generally not verifiable Addressed in future release

9 The Noise Maker Library Scenario: Secure library that exposes Sound API’s Intranet applications can play Sounds Internet applications cannot

10 Creating Secure Libraries Allowing Partially-Trusted Callers Default: Code that calls your library must have Full Trust Limits use scenarios today, even more in the future AllowPartiallyTrustedCallersAttribute Provides an opt-in mechanism for allowing potentially dangerous code to call library Specified per-assembly Do Security Reviews per Secure Coding Guidelines

11 Allowing Partially Trusted Callers

12 Creating Secure Libraries Using Assert() Asserts() put the burden on you! Demands() put the burden on the system Pairing Asserts() with Demands() reduces your burden Common pattern Note: Demand first, then Assert Demand a more constrained permission Assert what’s needed to access the resource

13 Using Assert()

14 Creating Secure Libraries Protecting Access to Resources Resources Protected with “Demand” for a permission Consideration: Use existing permission or write a new one? Leverage existing permission when appropriate Feature aligns with philosophy of existing permission Don’t overload their use Define a new permission class if needed New Permissions should be sealed

15 Creating Secure Libraries Protecting Access to Resources Consider the Administrator Model What must an Administrator control? Ex: File access to c:\*, speaker access, etc. Always allow permission to be turned off completely What should be in Default Policy? Picture the most conservative Administrator

16 Creating Secure Libraries Protecting Access to Resources Prefer full Demands, not Link Demands All callers checked every call Demand only what is required May be stated either “Declaratively” or “Imperatively”

17 Creating Secure Libraries Declarative Demands Specified using Custom Attributes Stored in the assembly’s metadata Permission State must be known at compile time Can be viewed with PermView SDK Tool [FileIOPermission(SecurityAction.Demand, Write = "c:\\temp")] public void foo() { // class does something with c:\temp }

18 Creating Secure Libraries Imperative Demands Allows security checks to vary by control flow or method state Initiated with call to Demand() public File(String fileName) { //Fully qualify the path for the security check String fullPath = Directory.GetFullPathInternal(fileName); new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand(); //The above call will either pass or throw a //SecurityException //[…rest of function…] }

19 Protecting Resources

20 Creating Secure Libraries Sealing Access to Members Use Link Time Demands For cryptographically strong identity Checks only immediate caller Checks only the first call Occurs when method is JITed Specified using Custom Attributes Performs better than a full Demand

21 Creating Secure Libraries Sealing Access to Members Link time demands are great because Seals off access to areas of your library Reduces your security exposure No stack walk = smaller performance impact Link time demands are bad because Vulnerable to luring attacks JIT uses the static type of the caller, not the runtime type Watch out for overrides!

22 Creating Secure Libraries Sealing Access to Members For public sealed classes For public classes, abstract classes and interfaces [StrongNameIdentity(SecurityAction.LinkDemand, Name=“A1”, PublicKey=“0x…………”)] public sealed class Foo {} [StrongNameIdentity(SecurityAction.InheritanceDemand, Name=“A1”, PublicKey=“0x…………”)] [StrongNameIdentity(SecurityAction.LinkDemand, Name=“A1”, PublicKey=“0x………”)] public class Foo {}

23 Security Programming Gotcha’s Check your arguments Code generation bugs Think about race conditions Watch out for readonly Pass evidence when dynamically generating code

24 Argument Checking Ex: Malicious WSDL that uses special characters to insert extra method calls base.ConfigureProxy(this.GetType(), "http://server/proxyinjection.dll? Handler=Default"); SomeClass.SomeMethod("Some Params here"); < soap:address location= 'http://server/proxyinjection.dll? Handler=Default"); SomeClass.SomeMethod(" Some Params here'/>

25 Race Conditions public unsafe int ReadByte() { if (!_isOpen) __Error.StreamIsClosed(); if (_position >= _length) return -1; return _mem[_position++]; } Thread1 Thread2 Thread1

26 Race Conditions Solution public unsafe int ReadByte() { if (!_isOpen) __Error.StreamIsClosed(); int pos = _position; if (pos >= _length) return -1; _position = pos + 1; return _mem[pos]; }

27 When readonly Isn’t Read Only The readonly keyword applies to locations, not instances Can be changed using Prints: “BooBar” Never use readonly instances of mutable types public static readonly StringBuilder Value = new StringBuilder ("Boo"); MyClass.Value.Append("Bar"); Console.WriteLine(MyClass.Value);

28 Dynamic Code Generation Without care, dynamically generated code gets the permissions of YOUR library Carefully scrutinize all usages of AppDomain.DefineDynamicAssembly Assembly.Load(Byte[], …) Always use the overloads that allow you to pass Evidence Pass the minimum Evidence possible

29 Key Takeaways CAS is based on code identity Augments Windows Security Model Partial trust scenarios will continue to get more prevalent Always use Permissions to protect your resources Remember the Administrator when designing new permissions Be familiar with Secure Coding Guidelines Common Security Programming Mistakes

30 Additional Resources “Secure Coding Guidelines” http://www.msdn.microsoft.com/security/ securecode/bestpractices/default.aspx?p ull=/library/en- us/dnnetsec/html/seccodeguide.asp http://www.msdn.microsoft.com/security/ securecode/bestpractices/default.aspx?p ull=/library/en- us/dnnetsec/html/seccodeguide.asp “.NET Framework Security,” Addison-Wesley MSDN Security Site www.msdn.microsoft.com/security

31 Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.mvp.support.microsoft.com/ http://www.mvp.support.microsoft.com/Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://www.microsoft.com/communities/newsgroups/ default.mspx http://www.microsoft.com/communities/newsgroups/ default.mspx User Groups Meet and learn with your peers http://www.microsoft.com/communities/usergroups/d efault.mspx http://www.microsoft.com/communities/usergroups/d efault.mspx

32 Q1:Overall satisfaction with the session Q2:Usefulness of the information Q3:Presenter’s knowledge of the subject Q4:Presenter’s presentation skills Q5:Effectiveness of the presentation Please fill out a session evaluation on CommNet

33 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "DEVC02.NET Framework Security Best Practices Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation."

Similar presentations

WEB401 Security Practices for Web Services (Part 2) Keith Ballinger Program Manager XML Messaging Microsoft Corporation.

WEB401 Security Practices for Web Services (Part 2) Keith Ballinger Program Manager XML Messaging Microsoft Corporation.
.NET Framework Overview Pingping Ma Nov 16 th, 2006.

.NET Framework Overview Pingping Ma Nov 16 th, 2006.
DEV340.NET Framework Security Best Practices Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation.

DEV340.NET Framework Security Best Practices Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation.
DEV392: Extending SharePoint Products And Technologies Through Web Parts And ASP.NET Clint Covington, Program Manager Data And Developer Services - Office.

DEV392: Extending SharePoint Products And Technologies Through Web Parts And ASP.NET Clint Covington, Program Manager Data And Developer Services - Office.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Security and the.NET Framework. Code Access Security Enforces security policy on code  Regardless of user running the code  Regardless of whether the.

Security and the.NET Framework. Code Access Security Enforces security policy on code  Regardless of user running the code  Regardless of whether the.
Introduction to the C# Programming Language for the VB Programmer.

Introduction to the C# Programming Language for the VB Programmer.
Introducing the Common Language Runtime for.NET. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution.

Introducing the Common Language Runtime for.NET. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution.
Creating and Running Your First C# Program Svetlin Nakov Telerik Corporation www.telerik.com.

Creating and Running Your First C# Program Svetlin Nakov Telerik Corporation
Differences between C# and C++ Dr. Catherine Stringfellow Dr. Stewart Carpenter.

Differences between C# and C++ Dr. Catherine Stringfellow Dr. Stewart Carpenter.
1 Developing Rules Driven Workflows in Windows Workflow Foundation Jurgen Willis COM318 Program Manager Microsoft Corporation.

1 Developing Rules Driven Workflows in Windows Workflow Foundation Jurgen Willis COM318 Program Manager Microsoft Corporation.
OFC302 Building Smart Document Solutions in Word & Excel Martin Sawicki Lead Program Manager.

OFC302 Building Smart Document Solutions in Word & Excel Martin Sawicki Lead Program Manager.
S ECURITY T OOLS F OR S OFTWARE D EVELOPMENT F X C OP 10.0 David Angulo Rubio.

S ECURITY T OOLS F OR S OFTWARE D EVELOPMENT F X C OP 10.0 David Angulo Rubio.
OFC 322 Building Office Research Web Services: Exposing Corporate Data Through Office Brian Jones Program Manager Authoring Services Martin Sawicki Lead.

OFC 322 Building Office Research Web Services: Exposing Corporate Data Through Office Brian Jones Program Manager Authoring Services Martin Sawicki Lead.
DEV334 Creating Application Starting Points & Sharing Best Practices with Enterprise Templates Marc Gusmano Director of Emerging Technologies The Information.

DEV334 Creating Application Starting Points & Sharing Best Practices with Enterprise Templates Marc Gusmano Director of Emerging Technologies The Information.
Introduction to .Net Framework

Introduction to .Net Framework
DEV302 - Visual Studio Team System Building Robust and Reliable Software Eric Lee Program Manager Microsoft Corporation.

DEV302 - Visual Studio Team System Building Robust and Reliable Software Eric Lee Program Manager Microsoft Corporation.
Module 1: Introduction to C# Module 2: Variables and Data Types

Module 1: Introduction to C# Module 2: Variables and Data Types
Understanding Code Compilation and Deployment Lesson 4.

Understanding Code Compilation and Deployment Lesson 4.

Similar presentations

Ads by Google