Overview of .NET Security - PowerPoint PPT Presentation

Slides: 36
Provided by: lyzh

Transcript and Presenter's Notes

1
Overview of .NET Security
  • Li-Yan Zhang
  • Dev Support Sr. Engineer
  • MSFT GTEC

2
Agenda
  • MS Trustworthy Computing Initiative
  • Security Fundamentals
    • Authentication, Authorization, Access Check
    • Secure channel
    • Privacy, Integrity
  • .NET Security Infrastructure
    • Buffer Overrun -- #1 public enemy
    • Authentication
    • CAS (Code Access Security) and Evidence Based Security
    • Role Based Security
    • Cryptography
  • Q&A

3
MS Trustworthy Computing Initiative
  • "Trustworthy Computing" Is Job 1 at Microsoft
  • Trustworthy Computing whitepaper
    • http://www.microsoft.com/presspass/exec/craig/05-01trustworthywp.asp
  • Security features != Secure features

4
Agenda
  • MS Trustworthy Computing Initiative
  • Security Fundamentals
    • Authentication, Authorization, Access Check
    • Secure channel
    • Privacy, Integrity
  • .NET Security Infrastructure
    • Buffer Overrun -- #1 public enemy
    • Authentication
    • CAS (Code Access Security) and Evidence Based Security
    • Role Based Security
    • Cryptography
  • Q&A

5
Fundamentals of Security
  • Process Flow
    • Authentication
    • Authorization
    • Access Check
  • Secure Channels
    • NTLM, SSL, Kerberos, Basic, Digest etc.
  • Privacy, Integrity, Nonrepudiation
    • Crypto APIs, Digital certificates

6
Agenda
  • MS Trustworthy Computing Initiative
  • Security Fundamentals
    • Authentication, Authorization, Access Check
    • Secure channel
    • Privacy, Integrity
  • .NET Security Infrastructure
    • Buffer Overrun -- #1 public enemy
    • Authentication
    • CAS (Code Access Security) and Evidence Based Security
    • Role Based Security
    • Cryptography
  • Q&A

7
Public Enemy #1: The Buffer Overrun
  • What is a Buffer Overrun?
    • Static buffer overrun
    • Heap overrun
    • Format string bugs
    • Array indexing errors
  • Demo: a static buffer overrun exploit
  • Countermeasures
    • Developers applying best code practice
    • Tools and system
      • VC7 /GS flag
      • CLR type verification

8
The VC7 /GS Option for "Buffer Security Check"

9
A Simplified Stack Layout and inserting a canary into a stack

CLR type verification
  • Security enforceable on well-behaved code
  • Arbitrary code can subvert security mechanisms
  • Verification rules are safe, may falsely reject
  • Code is verified to be memory type safe
  • Only access objects via well-defined interfaces
  • Well-formed metadata and instructions
  • No stack underflow/overflow conditions
  • Verifiability depends on the compiler/language
  • Visual Basic .NET
  • C verifiable (except C unsafe keyword)
  • C is generally not verifiable
  • SecurityPermissionAttribute.SkipVerification

11
Authentication
  • Basic, Digest
  • Operating system (such as NTLM or Kerberos)
  • Passport
  • SSL
  • Application-defined mechanisms, such as Form-based in ASP.NET

12
Form-based security
  • ASP.NET security and IIS security
  • Form-based security
  • Demo

13
Passport Authentication
  • SSI (Single Sign In)
  • Passport is irrelevant to authorization
  • Sample sites: MSN, eBay, Monster.com
  • Technologies
    • Cookies
    • HTTP Redirect
    • GET and POST
    • Query String
  • Development
    • SDK
    • Whitepaper

14
.NET Passport SSI process

15
Code Access Security (CAS)
  • Why CAS?
    • Partial trust environment: mobile code, WinForm Controls
    • Luring attack
  • CAS
    • Permissions
    • Overrides, Stack walks
  • Evidence Based Security
    • Evidence
    • Policy assemblies
    • Code groups
    • Security Policy: evidence -> permissions
  • Declarative vs. Imperative security

16
Code Access Security: Permissions
  • Permissions
    • To limit access to system resources. For example, the EnvironmentPermission class for environment variable access permission.
    • Types (System.Security.Permissions)
      • Environment
      • File Access
      • Etc.
  • SecurityException
    • Thrown when code attempts to access a protected resource without having the needed permission

17
Code Access Security: Stack Walk
  • Permissions are kept in a Stack Frame
  • Demand, LinkDemand
    • Causes the CLR to walk the stack evaluating each frame's permissions
  • Modify the stack walk
    • Assert, Deny, PermitOnly
  • The more requests for protected resources, the more system overhead

18
Code Access Security: Stack walk (cont.)
  • Demand EnvironmentPermission()
  • Each frame: demand permission -> granted?
  • If all frames pass: Succeed, allow operation
  • Otherwise: SecurityException()

[Diagram: STACK -- Demand EnvironmentPermission(read, USERNAME) walks up through each frame]
19
Code Access Security: Stack walk with overrides
  • Permission added to stack as assertion
  • To assert: SecurityPermission.Assertion
  • Must have the permission being asserted
  • Assert stops stack walk for permission

[Diagram: STACK -- Demand SecurityPermission(UnmanagedCode) walks up to the frame that asserts UnmanagedCode; STOP! Demand SUCCEED]
20
Declarative vs. Imperative
  • Declarative
      [FileIOPermission(SecurityAction.Demand, Read = "c:\\temp")]
      public void foo()
      {
          // class does something with c:\temp
      }
  • Imperative
      FileIOPermission p = new FileIOPermission(FileIOPermissionAccess.Write, f);
      p.Demand();
  • Demo
    • testStackWalk

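The Demand, Assert and PermitOnly behaviour of slides 17 to 20 in one runnable program, added here as an example that is not part of the original deck. It assumes .NET Framework 4.x (CAS is not available on .NET Core or .NET 5+); C:\temp and the USERNAME variable are only the resources chosen for the demo.

```csharp
// Added example, not from the slides: a CAS stack walk on .NET Framework 4.x.
// Try() narrows its own frame with PermitOnly, so a Demand issued deeper in the
// call chain succeeds only if the walk is stopped before reaching that frame.
using System;
using System.Security;
using System.Security.Permissions;

static class StackWalkDemo
{
    // Declarative demand: the CLR demands read access to C:\temp on entry.
    [FileIOPermission(SecurityAction.Demand, Read = @"C:\temp")]
    static void ReadTempDeclarative() { /* would read C:\temp here */ }

    // Imperative demand: the same check, issued from code.
    static void ReadTempImperative()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\temp").Demand();
    }

    // Assert: the walk started by the inner Demand stops at this frame, so the
    // PermitOnly frame above it is never consulted. Asserting code must itself
    // be granted the permission (this full-trust assembly is).
    [FileIOPermission(SecurityAction.Assert, Read = @"C:\temp")]
    static void ReadTempWithAssert() { ReadTempImperative(); }

    // Runs action under a frame that permits only reading the USERNAME variable.
    // Returns true if every Demand inside succeeded, false on SecurityException.
    static bool Try(Action action)
    {
        var only = new PermissionSet(PermissionState.None);
        only.AddPermission(new EnvironmentPermission(
            EnvironmentPermissionAccess.Read, "USERNAME"));
        only.PermitOnly();                 // override: this frame allows nothing else
        try { action(); return true; }
        catch (SecurityException) { return false; }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    static void Main()
    {
        // The first two demands reach the PermitOnly frame and fail; the asserted
        // one stops early; the USERNAME demand is inside the permitted set.
        Console.WriteLine("declarative: " + Try(ReadTempDeclarative));
        Console.WriteLine("imperative:  " + Try(ReadTempImperative));
        Console.WriteLine("asserted:    " + Try(ReadTempWithAssert));
        Console.WriteLine("username:    " + Try(() => new EnvironmentPermission(
            EnvironmentPermissionAccess.Read, "USERNAME").Demand()));
    }
}
```
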
21
Evidence-Based Security: Evidence
  • Where do those PSets (permission sets) come from?
  • Evidence
    • Presented by an assembly at load time
    • Location based or identity based
    • Origin of the assembly, assembly publisher, digital signature.
  • Evidence is the input to policy
    • Hash: hash of the assembly
    • Publisher: Authenticode signer
    • StrongName: public key + name + version
    • Site: Web site of code origin
    • Url: URL of code origin
    • Zone: zone (IE) of code origin
    • Extensible for new kinds of evidence

22
Evidence For The Assembly
  • Get evidence (location) from assembly
  • Put evidence on Assembly security descriptor
  • Evidence cannot be viewed/modified by code
  • Ready to begin security policy resolution

[Diagram: app.exe loaded from file://kohnfelder/share/app.exe]
  • Evidence
    • URL(file://kohnfelder/share/app.exe)
    • Zone(Intranet)

23
Evidence-Based Security: Code Groups
  • A code group has two attributes: Membership condition, PermissionSet
  • Code groups test evidence against the membership condition
    • If it fails: ignore the code group and its children
    • If it matches: the permission set and children apply

24
Evidence-Based Security: Policy Assembly
  • Policy Assemblies
    • The pre-trusted assemblies used for evaluating other assemblies in the policy evaluation process.
    • Configured in Mscorcfg.msc

25
Evidence Based Security: Policy Evaluation
  • Test evidence against this code group
    • IMembershipCondition tests evidence set
  • If code group matches evidence
    • Accumulate these permission sets by level
    • Evaluate all child code groups (as above)
  • Stop at non-matching code groups
    • Children are ignored, have no impact

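The evidence, code-group and policy-evaluation steps of slides 21 to 25 carried through with the .NET Framework 4.x System.Security.Policy types, added here as an example that is not part of the original deck. The kohnfelder share URL comes from slide 22; the permission each group hands out and the second "other" location are chosen for the demo.

```csharp
// Added example, not from the slides: resolve a code-group tree against evidence with the .NET Framework 4.x System.Security.Policy types (no CAS policy on .NET Core/5+).
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class PolicyDemo
{
    // The PolicyStatement (permission set) a code group hands out when it matches.
    static PolicyStatement Grant(params IPermission[] perms)
    {
        var set = new PermissionSet(PermissionState.None);
        foreach (var p in perms) set.AddPermission(p);
        return new PolicyStatement(set);
    }

    // Demo tree: All code -> nothing; Intranet zone -> read USERNAME; its child for the kohnfelder share of slide 22 -> read C:\temp.
    static CodeGroup BuildTree()
    {
        var root = new UnionCodeGroup(new AllMembershipCondition(), Grant());
        var intranet = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Intranet),
            Grant(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "USERNAME")));
        intranet.AddChild(new UnionCodeGroup(new UrlMembershipCondition("file://kohnfelder/share/*"),
            Grant(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\temp"))));
        root.AddChild(intranet);
        return root;
    }

    // Host evidence as the loader presents it for an assembly at this URL and zone.
    static Evidence EvidenceFor(string url, SecurityZone zone)
    {
        var ev = new Evidence();
        ev.AddHostEvidence(new Url(url));
        ev.AddHostEvidence(new Zone(zone));
        return ev;
    }

    // Resolve walks the tree: a matching group adds its set and its children are evaluated; a non-matching group and everything below it is ignored.
    static bool GrantsTempRead(CodeGroup tree, Evidence ev) =>
        tree.Resolve(ev).PermissionSet.GetPermission(typeof(FileIOPermission)) != null;

    static void Main()
    {
        var tree = BuildTree();
        // From the share: All, Intranet and the share child match, so C:\temp read is granted.
        Console.WriteLine(GrantsTempRead(tree, EvidenceFor("file://kohnfelder/share/app.exe", SecurityZone.Intranet)));
        // Same zone, other location: the share child does not match, so it is not.
        Console.WriteLine(GrantsTempRead(tree, EvidenceFor("file://other/app.exe", SecurityZone.Intranet)));
    }
}
```
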
26
Managed Code Execution

27
Role Based Security
  • Identity, Principal and Role
    • User, user token and groups.
  • .NET applications grant rights to the principal based on its identity or, more commonly, its role membership.
  • Three namespaces
    • System.Security.Principal
    • System.Security.Permissions
    • System.Web.Security

28
The runtime structure of the objects

29
Role Based Security (cont.)
  • Four ways to implement Role-Based Security
  • Windows authentication
    • WindowsIdentity, IsInRole
  • Application customized
      GenericIdentity objGenericIdentity = new GenericIdentity(Page.User.Identity.Name);
      GenericPrincipal objGenericPrincipal = new GenericPrincipal(objGenericIdentity, userRoles);
      objGenericPrincipal.IsInRole(allRoles[i]);
  • Declarative
      [PrincipalPermissionAttribute(SecurityAction.Demand, Name = "John", Role = "Assembly Line Coordinator")]
  • Imperative
      PrincipalPermission objPrincipalPermission = new PrincipalPermission("John", "Assembly Line Coordinator");
      objPrincipalPermission.Demand();

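The application-customized, declarative and imperative forms of slide 29 together in one program, added here as an example that is not part of the original deck. The user "John" and his role list are constructed for the demo, and Thread.CurrentPrincipal stands in for the Page.User of an ASP.NET page.

```csharp
// Added example, not from the slides: application-customized role-based security.
// "John" and his roles are constructed for the demo; no Windows account is consulted.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleDemo
{
    // Identity (who) wrapped in a principal (who + roles), as on slide 29.
    static IPrincipal MakePrincipal(string userName, string[] userRoles)
    {
        return new GenericPrincipal(new GenericIdentity(userName), userRoles);
    }

    // Imperative check: PrincipalPermission.Demand is evaluated against
    // Thread.CurrentPrincipal; a null name means "any authenticated user in role".
    static bool Allowed(string name, string role)
    {
        try
        {
            new PrincipalPermission(name, role).Demand();
            return true;
        }
        catch (SecurityException) { return false; }
    }

    // Declarative form (.NET Framework only): the same demand placed on the method.
    [PrincipalPermission(SecurityAction.Demand, Name = "John", Role = "Assembly Line Coordinator")]
    static void AssignShift() { /* reached only when the demand succeeds */ }

    static void Main()
    {
        Thread.CurrentPrincipal = MakePrincipal("John",
            new[] { "Assembly Line Coordinator", "Operator" });

        // Role test alone, as WindowsIdentity/IsInRole would do for a Windows user.
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("Operator"));
        Console.WriteLine(Allowed("John", "Assembly Line Coordinator")); // name and role match
        Console.WriteLine(Allowed("John", "Manager"));                   // role not held
        Console.WriteLine(Allowed(null, "Operator"));                    // any user in Operator
        AssignShift();
    }
}
```
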
30
Cryptography
  • System.Security.Cryptography Namespace
    • asymmetric encryption - RSA and DSA
    • symmetric encryption - DES, TripleDES, RC2, Rijndael

31
Cryptography (Cont.)
  • Hashes - MD5, SHA1, SHA256, SHA384, SHA512
  • Digital Certificates
    • System.Security.Cryptography.X509Certificates namespace

32
References
  • Books
    • Writing Secure Code, Michael Howard
    • Designing Secure Web-Based Applications for Microsoft Windows 2000, Michael Howard
    • Programming Windows Security, Keith Brown
    • Hacking Exposed: Network Security Secrets and Solutions, Third Edition, Joel Scambray
  • URLs
    • http://www.gotdotnet.com/team/clr/about_security.aspx <.NET security>
    • http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001191 <Security for all platforms>
  • Track SecBugs
    • SecurityFocus for our competitors' security vulnerabilities
      • http://www.securityfocus.com/
    • Microsoft Security Bulletin Service
      • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp

33
Summary
  • "Trustworthy Computing" Is Job 1 at Microsoft
  • .NET Security (for mobile code and partial trust
    environment)
  • Code Access Security
  • Evidence Based security
  • Role based security
  • Cryptography

34
Questions?
If you have any questions about this session, please go to the Microsoft Chinese Newsgroup to discuss. Thank You for Coming! :-)

35
(No Transcript)