DevDays 2001 Keynote

1
.Net Security
2
Agenda highlights

• Public enemy 1 for developers
• Top Five Things you MUST do!
• KERBEROS and .NET

3
Public Enemy 1 The Buffer Overrun

• Attempting to copy gtn bytes into an n-byte
  buffer
• If youre lucky you get an AV
• If youre unlucky you get instability
• If youre really unlucky the attacker injects
  code into your application
• And executes it!
• And everyones an admin -(

4
How Does It Work?
Gotcha!
5
Buffer Overrun Solutions

• You MUST fix buffer overruns
• Be wary of dangerous C-Runtime and Windows APIs
• strcpy, strcat, sprintf(,s,)
• UNICODE vs ANSI size mismatches,
• eg MultiByteToWideChar
• VC.NET GS flag
• On by default for new VS.NET C projects
• Inserts random canary into stack frame
• Catches the most common exploitable buffer overrun

6
Other Mistake di Make

• Lame crypto XOR is not your friend!
• Storing secrets in code
• NULL DACLs

7
The Top 5 things you must do!

• 5 - Ship a secure default!
• 4 - Ship a secure default!
• 3 - Ship a secure default!
• 2 - Ship a secure default!
• 1 - Ship a secure default!

Lame Excuse 1 But the admin can turn it
off! Lame Excuse 2 Well document the risks
8
KERBEROS and .NET

• Protocol Advantages
• Domain logon
• KERBEROS delegation, a developers heaven.

9
Kerberos Protocol Advantages

• Faster connection authentication
• Server scalability for high-volume connections
• Reuse session tickets from cache
• Mutual authentication of both client, server
• Delegation of authentication
• Impersonation in three-tier client/server
  architectures
• Transitive trust between domains
• Simplify inter-domain trust management
• Mature IETF standard for interoperability
• Testing with MIT Kerberos V5 Release

10
Kerberos Logon to server
11
The use of proxy tickets
1. TGS_REQ for proxy ticket for Server2
Valid Addresses x.x.x.5, x.x.x.10
Kerberos
KDC
Client
2. TGS_REP Proxy ticket for Server2
(TGS)
x.x.x.5
Valid from x.x.x.5, x.x.x.10
Session key for Server2
3. KRB_CRED Proxy ticket and
session key for Server2
4. AP_REQ Server2 ticket with Client credentials
and authenticator encrypted with Client/Server2
Server1
session key
Server2
x.x.x.10


12
Ticket Forwarding Delegation
1. AS_REQ and AS_REP for TGT
Valid Addresses x.x.x.5, x.x.x.10
Kerberos
KDC
Client
2. TGS_REQ and TGS_REP for ticket to Server1
(AS/TGS)
x.x.x.5
3. AP_REQ Ticket and authenticator for Server1
4. KRB_CRED Clients TGT
and session key for TGS
5. TGS_REQ and TGS_REP for ticket to Server2
Includes Clients TGT and authenticator
encrypted in Client/TGS session key
Server1
Server2
x.x.x.10
6. AP_REQ Server2 ticket with Client credentials
and authenticator encrypted with Client/Server2
session key

13
Constrained Delegation

• Makes multi-tier applications truly possible
• Windows 2000 Trusted for Delegation
• Eliminates security concerns with unconstrained
  delegation
• Enables backend delegation for other
  authentication protocols in the frontend
• Secured through administrative controls

14
Connection Oriented AppsProtocol Transition
Constrained Delegation
Domain Controller
Passport
(KDC)
Trust
Verify Policy Allowed- To-Delegate-To
Kerberos
Ticket
Internet
Data Server
Kerberos
Passport
Basic
Ticket
Digest
SSL
Webserver
LogonUser(UserName), simply impersonate and call
backend server
15
Who will survive ?
Not the Strongest
Not the most intelligent
Those most responsive to change
Charles Darwin