.NET Framework Application Security Overview
Gunther Beersaerts
[email protected]
Microsoft Corporation

Agenda
- Security 101
- .NET Framework Security Features
- Code Access Security
- Role-Based Security
- Cryptography
- Securing ASP.NET Web Applications
- Securing ASP.NET Web Services

Security 101: Overview of Security Technologies
Developers need to understand, use and apply:
- Encryption
- Hashing
- Digital signatures
- Digital certificates
- Secure communication
- Authentication
- Authorization
- Firewalls
- Auditing
- Service packs and updates

Security 101: Encryption
Encryption is the process of encoding data:
- To protect a user’s identity or data from being read
- To protect data from being altered
- To verify that data originates from a particular user
Encryption can be:
- Asymmetric
- Symmetric

Security 101: Symmetric vs Asymmetric Encryption
Algorithm Type | Description
Symmetric | Uses one key to encrypt the data and decrypt the data. Is fast and efficient.
Asymmetric | Uses two mathematically related keys: a public key to encrypt the data and a private key to decrypt the data. Is more secure than symmetric encryption. Is slower than symmetric encryption.

Security 101: Verifying Data Integrity with Hashes
[Diagram labels: User A, User B, Data, Hash Algorithm, Hash Value]
- User A sends data and hash value to User B
- If hash values match, data is valid

Security 101: Digital Signatures
[Diagram labels: User A, User B, Data, Hash Algorithm, Hash Value, User A Private Key, User A Public Key]
- If hash values match, data came from the owner of the private key and is valid

Security 101: How Do Digital Certificates Work?
[Diagram labels: User, Application, Computer, Service; Private/Public Key Pair; Private Key; Public Key; Certified Administrator; Certification Authority]

Security 101: Secure Communication Technologies
Technologies include:
- IPSec
- SSL
- TLS
- RPC encryption
[Diagram labels: SSL/TLS, IPSec, RPC Encryption]

.NET Framework Security: In General
- .NET CLR controls execution of managed code
- .NET Framework Security is part of the CLR
- .NET Framework Security includes many features:
  - Managed Execution
  - Type-Safe System
  - Buffer Overrun Protection
  - Arithmetic Error Trapping
  - Strong-Named Assemblies
  - Isolated Storage
  - ...
- Important: Complements Windows Security

.NET Framework Security: Type Safety System
Type-safe code:
- Prevents buffer overruns
- Restricts access to authorized memory locations
- Allows multiple assemblies to run in same process
App Domains provide:
- Increased performance
- Increased code security

.NET Framework Security: Buffer Overrun Protection
- Managed code does not deal with raw pointers (char *, …)
- Instead, .NET CLR uses Framework classes
  - System.String
    - .NET System.String objects are immutable
  - System.Text.StringBuilder
    - System.Text.StringBuilder class checks buffer bounds
    - Throws an exception on attempts to overwrite the internal buffer
- Type verification prevents arbitrary memory overwrites

    void CopyString (string src)
    {
        stringDest = src;
    }

.NET Framework Security: Arithmetic Error Trapping
Arithmetic error trapping is achieved by using:
- The checked keyword
- Project settings

    byte b = 0;
    while (true)
    {
        Console.WriteLine (b);
        checked
        {
            b++;    // throws OverflowException once b would exceed 255
        }
    }

Type Safety System
- Investigating .NET Data-Type Safety
- Using the checked keyword

.NET Framework Security: Strong Named Assemblies
Strong names are:
- Unique identifiers (containing a public key)
- Used to digitally sign assemblies
Why strong-named assemblies?
- Prevent tampering
- Confirm the identity of the assembly’s publisher
- Allow side-by-side components

    sn -k MyFullKey.snk

.NET Framework Security: Isolated Storage
- Provides a virtual file system
- Allows quotas
- Implements file system isolation based on:
  - Application identity
  - User identity

    IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

.NET Framework Security: What did we learn?
- Use managed code!
- Type-Safe System
- Buffer Overrun Protection
- Arithmetic Error Trapping
- Strong-Named Assemblies
- Isolated Storage

Code Access Security: Evidence-Based Security
- Evidence works on top of Win32 security
- .NET Framework
  - Collects info about an assembly
  - Presents info to the security system
  - CLR decides if code is allowed to execute
- Evidence
  - Assessed when assembly is loaded
  - Determines permissions for assembly
- Evidence can include assembly’s:
  - Strong name information
  - URL
  - Zone
  - Authenticode signature

Code Access Security: Security Policies
Security Entity | Description
Policy | Is set by administrators. Is enforced at runtime. Simplifies administration. Contains permissions. Contains code groups.
Code Group | Associates similar components. Is evidence based. Is linked to permission set(s).
Permission Set | Is a set of granted permissions.

Code Access Security: Security Check Stack Walk
1. An assembly requests access to a method in your assembly
2. Your assembly passes the request to a .NET Framework assembly
3. The security system ensures that all callers in the stack have the required permissions
4. The security system grants access or throws an exception
[Diagram labels: Call Stack (SomeAssembly, YourAssembly, .NET Framework Assembly); Security System; Call to ReadFile; Permission Demand; Grant: Execute; Grant: ReadFile; Grant access?; Security exception, access denied]

Code Access Security: Types of Security Checks
- Imperative security checks
  - Create Permission objects
  - Call Permission methods (Demand, …)
- Declarative security checks
  - Use Permission attributes
  - Apply to methods or classes
- Overriding security checks
  - Use the Assert method
  - Prevent the stack walk

Code Access Security: Permission Requests
- Used by developers to state required permissions
- Implemented by attributes
- Prevents an assembly from loading
  - When minimum permissions are not available
  - Rather than waiting for an unauthorized operation

    // I will only run if I can call unmanaged code
    [assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode=true)]

Code Access Security
- Using the .NET Framework Configuration Tool
- Performing Security Checks
- Requesting Permissions

Code Access Security: Partial Trust Applications
- .NET Framework 1.0
  - All ASP.NET web applications ran with full trust
  - No CAS could be applied
- .NET Framework 1.1
  - Provides partial trust levels to ASP.NET
    - Full
    - High
    - Medium
    - Low
    - Minimal

Code Access Security: Sandboxing Privileged Code
[Diagram labels: Partial Trust Web Application (Sandboxed Code); Wrapper Assembly; Secured Resource; Resource Access]

    <trust level="Medium" originUrl=""/>

- Permissions Demanded / Asserted
- AllowPartiallyTrustedCallers attribute added
- Assembly installed into the Global Assembly Cache

Code Access Security: What did we learn?
- Use managed code!
- Evidence is assembly based
- Security Stack Walk
- Types of Security Checks
  - Imperative, Declarative, Overridable
- Partially Trusted Applications

Role-Based Security: Authentication & Authorization
Authentication asks:
- "Who are you?"
- "Am I sure you are who you say you are?"
Authorization asks:
- "Are you allowed to … ?"

Role-Based Security: Identities and Principals
- Identity: Contains information about a user
  - Example: Logon name
- Principal: Contains role information about a user or computer
- .NET Framework provides:
  - WindowsIdentity and WindowsPrincipal objects
  - GenericIdentity and GenericPrincipal objects

Role-Based Security: Creating Windows Identities and Principals
Use WindowsIdentity and WindowsPrincipal
- For single validation

    WindowsIdentity myIdent = WindowsIdentity.GetCurrent();
    WindowsPrincipal myPrin = new WindowsPrincipal(myIdent);

- For repeated validation

    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    // Thread.CurrentPrincipal is typed as IPrincipal, so a cast is required
    WindowsPrincipal myPrin = (WindowsPrincipal)System.Threading.Thread.CurrentPrincipal;

Role-Based Security: Creating Generic Identities and Principals
- Create a GenericIdentity and a GenericPrincipal

    GenericIdentity myIdent = new GenericIdentity("User1");
    string[] roles = {"Manager", "Teller"};
    GenericPrincipal myPrin = new GenericPrincipal(myIdent, roles);

- Attach the GenericPrincipal to the current thread

    System.Threading.Thread.CurrentPrincipal = myPrin;

Role-Based Security: Performing Security Checks
Use Identity and Principal members in code
- For example, using the Name property of the Identity object to check the user’s logon name

    if (String.Compare(myPrin.Identity.Name, "DOMAIN\\Gerd", true) == 0)
    {
        // Perform some action
    }

- Example: using the IsInRole method of the Principal object to check role membership

    if (myPrin.IsInRole("BUILTIN\\Administrators"))
    {
        // Perform some action
    }

Role-Based Security: Imperative and Declarative Security Checks
Use permissions to make role-based security checks
- Imperative checks

    PrincipalPermission prinPerm = new PrincipalPermission("Teller", "Manager", true);
    try
    {
        prinPerm.Demand();  // Does the above match the active principal?
    }
    catch (SecurityException)
    {
        // The active principal does not match
    }

- Declarative checks

    [PrincipalPermission(SecurityAction.Demand, Role="Teller", Authenticated=true)]

Role-Based Security
- Using Windows Role-Based Security
- Using Generic Role-Based Security

Role-Based Security: What did we learn?
- Use managed code!
- Authentication vs Authorization
- Identities vs Principals
- WindowsIdentity vs GenericIdentity
- WindowsPrincipal vs GenericPrincipal

Cryptography: Review
Cryptography Term | Description
Symmetric Encryption | Encrypting and decrypting data with a secret key
Asymmetric Encryption | Encrypting and decrypting data with a public/private key pair
Hashing | Mapping a long string of data to a short, fixed-size string of data
Digital Signing | Hashing data and encrypting the hash value with a private key
The .NET Framework provides classes that implement these operations

Cryptography: Using Symmetric Algorithms
- Choose an algorithm
  - TripleDESCryptoServiceProvider
  - RijndaelManaged
- Generate a secret key
- Use secret key to encrypt and decrypt data:
  - FileStream
  - MemoryStream
  - NetworkStream

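The three steps on this slide as an added example, not code from the original deck: a secret key encrypts and decrypts data through a CryptoStream layered over a MemoryStream. It assumes Aes.Create() (Rijndael with a 128-bit block) in place of RijndaelManaged; the names SymmetricDemo, Encrypt and Decrypt and the IV-then-ciphertext layout are illustrative choices.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class SymmetricDemo
{
    // Encrypts with AES in CBC mode. Output layout (an assumption of this
    // example): 16-byte random IV followed by the ciphertext.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                       // fresh IV for every message
            using (MemoryStream ms = new MemoryStream())
            {
                ms.Write(aes.IV, 0, aes.IV.Length); // the IV is not secret
                using (ICryptoTransform enc = aes.CreateEncryptor())
                using (CryptoStream cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();           // writes the padded last block
                }
                return ms.ToArray();                // valid even after ms is closed
            }
        }
    }

    // Reverses Encrypt: reads the IV from the front of the blob, then
    // decrypts the remainder through a CryptoStream in read mode.
    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (MemoryStream input = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (ICryptoTransform dec = aes.CreateDecryptor())
            using (CryptoStream cs = new CryptoStream(input, dec, CryptoStreamMode.Read))
            using (MemoryStream output = new MemoryStream())
            {
                cs.CopyTo(output);                  // handles partial reads
                return output.ToArray();
            }
        }
    }

    static void Main()
    {
        // Generate a 256-bit secret key from the system random number generator.
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }

        // Constructed sample input.
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample: account 1234");
        byte[] blob = Encrypt(key, secret);
        Console.WriteLine(Convert.ToBase64String(blob));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, blob)));
    }
}
```

CBC encryption on its own does not detect modification of the ciphertext; integrity needs a keyed hash or a signature over the encrypted bytes.
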
Cryptography: Using Asymmetric Algorithms
- Choose an algorithm
  - RSACryptoServiceProvider
  - DSACryptoServiceProvider
- Generate a private and public key pair
- Encrypt or decrypt data

Cryptography: Signing Data and Verifying Signatures
Action | Steps
Signing Data | Hash the data. Encrypt the hash value with a private key.
Verifying Signatures | Decrypt the signature by using sender’s public key. Hash the data. Compare the decrypted signature to the hash value.

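The signing and verification steps in the table above, and the User A / User B exchange from the Digital Signatures slide, as an added example that is not part of the original deck. It uses RSACryptoServiceProvider as named on the asymmetric slide; SHA-256 with PKCS#1 v1.5 padding, and the names SignatureDemo, Sign and Verify, are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignatureDemo
{
    // User A: hash the data and sign the hash with the private key.
    public static byte[] Sign(RSAParameters privateKey, byte[] data)
    {
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(privateKey);
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // User B: hash the received data and check it against the signature
    // using only User A's public key.
    public static bool Verify(RSAParameters publicKey, byte[] data, byte[] signature)
    {
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Generates a 2048-bit key pair and returns it with or without the private part.
    static RSAParameters NewKey(bool includePrivate, out RSAParameters publicOnly)
    {
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
        {
            publicOnly = rsa.ExportParameters(false);
            return rsa.ExportParameters(includePrivate);
        }
    }

    static void Main()
    {
        RSAParameters publicA, publicOther;
        RSAParameters privateA = NewKey(true, out publicA);
        NewKey(true, out publicOther);      // an unrelated key pair

        // Constructed sample messages.
        byte[] message = Encoding.UTF8.GetBytes("constructed sample: pay 100 to Bob");
        byte[] tampered = Encoding.UTF8.GetBytes("constructed sample: pay 900 to Bob");

        byte[] signature = Sign(privateA, message);

        // Untouched data under the signer's public key.
        Console.WriteLine("original, A's key:  " + Verify(publicA, message, signature));
        // Data altered in transit: the recomputed hash no longer matches.
        Console.WriteLine("tampered, A's key:  " + Verify(publicA, tampered, signature));
        // Signature checked against someone else's public key.
        Console.WriteLine("original, other key: " + Verify(publicOther, message, signature));
    }
}
```

Only the first check succeeds: verification fails both when the data changes and when the public key does not belong to the signer, which is why the verifier must obtain the public key from a source it trusts, such as a certificate.
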
.NET Framework Encryption
- Performing Symmetric Encryption
- Signing Data

Cryptography: What did we learn?
- Use managed code!
- Symmetric Encryption
- Asymmetric Encryption
- Data Signing & Verification

Securing ASP.NET: ASP.NET Authentication Types
Authentication Type | Advantages | Disadvantages
Windows | Uses existing Windows infrastructure. Controls access to sensitive information. | Does not support all client types.
Forms | Supports all client types. | Relies on cookies.
Microsoft Passport | Supports single sign-on for many Internet Web sites. Allows developers to customize the appearance of the registration page. | Relies on cookies. Involves fees.

Securing ASP.NET: Configuring Form-Based Authentication
- Configure IIS to use Anonymous authentication
- Set forms-based authentication in Web.config
- Set up authorization in Web.config
- Build a logon form

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="WebForm1.aspx"/>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>

Securing ASP.NET: Form-Based Authentication Enhancements
- Developers can require secure cookies

    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             timeout="10"
             name="AppNameCookie"
             path="/FormsAuth"
             slidingExpiration="true">
      </forms>
    </authentication>

- Developers can create application-specific keys

Securing ASP.NET: Validation Controls
- Client-side validation
  - Provides instant feedback
  - Reduces postback cycles
- Server-side validation
  - Repeats all client-side validation
  - Validates against stored data, if required
[Diagram labels: User Enters Data; Client: Valid? (Yes / No, Error Message); Server: Valid? (Yes / No, Error Message); Web Application Processed]

Securing ASP.NET: Types of Validation Controls

Securing ASP.NET
- Configuring Forms Authentication
- Using Validation Controls

Securing ASP.NET: What did we learn?
- Use managed code!
- Types of Authentication
  - Windows Authentication
  - Forms-Based Authentication
  - Passport Authentication
- Forms-Based Auth Enhancements
- Validation Controls

Securing ASP.NET Web Services: Message-Level Security
- XML messages convey security information
  - Credentials
  - Digital signatures
- Messages can be encrypted
- Security is independent from transport protocol
[Diagram labels: Client; Transport; Any Transport; Service; XML]

Securing ASP.NET Web Services: Web Service Enhancements (WSE)
- WSE includes:
  - Authentication with SOAP headers
  - Message encryption
  - Message signing
- Supports message routing
- Supports attachments
- Implemented in Microsoft.Web.Services.dll assembly

Securing Web Services
- Analyzing SOAP headers

Securing Web Services: What did we learn?
- Use managed code!
- Message-Level Security
  - Transport Independent
  - End-to-End Secure
- Check out Web Service Enhancements
  - WSE 2.0

Session Summary
- Security 101
- .NET Framework Security Features
- Code Access Security
- Role-Based Security
- Cryptography
- Securing ASP.NET Web Applications
- Securing ASP.NET Web Services

Resources
- MSDN Security Developer Center: http://msdn.microsoft.com/security
- Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
- Security Guidance: http://www.microsoft.com/security/guidance
- Security Training & Books
  - Writing Secure Code (Howard/Leblanc), ISBN 0-7356-1588-8
  - CTEC Security Trainings

Feedback, Questions & Tomatoes
[email protected]
Thank You!