Page 1: .NET Framework Application Security Overview

Gunther Beersaerts, guntherb@microsoft.com, Microsoft Corporation

Page 2: Agenda

- Security 101
- .NET Framework Security Features
- Code Access Security
- Role-Based Security
- Cryptography
- Securing ASP.NET Web Applications
- Securing ASP.NET Web Services


Page 4: Security 101 - Overview of Security Technologies

Developers need to understand, use and apply:
- Encryption
- Hashing
- Digital signatures
- Digital certificates
- Secure communication
- Authentication
- Authorization
- Firewalls
- Auditing
- Service packs and updates

Page 5: Security 101 - Encryption

Encryption is the process of encoding data:
- To protect a user's identity or data from being read
- To protect data from being altered
- To verify that data originates from a particular user

Encryption can be:
- Asymmetric
- Symmetric

Page 6: Security 101 - Symmetric vs Asymmetric Encryption

Algorithm type and description:

Symmetric:
- Uses one key to encrypt the data and to decrypt the data
- Is fast and efficient

Asymmetric:
- Uses two mathematically related keys: a public key to encrypt the data, a private key to decrypt the data
- Is more secure than symmetric encryption
- Is slower than symmetric encryption

Page 7: Security 101 - Verifying Data Integrity with Hashes

[Figure: User A runs the data through a hash algorithm to produce a hash value, then sends data and hash value to User B. User B runs the received data through the same hash algorithm; if the hash values match, the data is valid.]

Page 8: Security 101 - Digital Signatures

[Figure: User A runs the data through a hash algorithm and encrypts the hash value with User A's private key, then sends data and encrypted hash value to User B. User B decrypts the hash value with User A's public key and hashes the received data; if the hash values match, the data came from the owner of the private key and is valid.]

Page 9: Security 101 - How do Digital Certificates work?

[Figure: elements shown are a private/public key pair, the private key, the public key, a certification authority and a certified administrator; the subjects holding key pairs are a user, an application, a computer and a service.]

Page 10: Security 101 - Secure Communication Technologies

Technologies include:
- IPSec
- SSL
- TLS
- RPC encryption

[Figure: SSL/TLS, IPSec, RPC encryption]


Page 12: .NET Framework Security - In General

- The .NET CLR controls execution of managed code
- .NET Framework Security is part of the CLR
- .NET Framework Security includes many features:
  - Managed execution
  - Type-safe system
  - Buffer overrun protection
  - Arithmetic error trapping
  - Strong-named assemblies
  - Isolated storage
  - ...
- Important: complements Windows security

Page 13: .NET Framework Security - Type Safety System

Type-safe code:
- Prevents buffer overruns
- Restricts access to authorized memory locations
- Allows multiple assemblies to run in the same process

App domains provide:
- Increased performance
- Increased code security

Page 14: .NET Framework Security - Buffer Overrun Protection

- Managed code does not deal with raw pointers (char *, ...)
- Instead, the .NET CLR uses Framework classes such as System.String
- .NET System.String objects are immutable
- The System.Text.StringBuilder class checks buffer bounds and throws an exception on any attempt to overwrite its internal buffer
- Type verification prevents arbitrary memory overwrites

    // A managed string copy: no destination buffer to size, so nothing to overrun
    void CopyString(string src)
    {
        string dest = src;
    }

Page 15: .NET Framework Security - Arithmetic Error Trapping

Arithmetic error trapping is achieved by using:
- The checked keyword
- Project settings

    byte b = 0;
    while (true)
    {
        Console.WriteLine(b);
        checked
        {
            b++;   // throws OverflowException instead of silently wrapping past 255
        }
    }

Page 16: Type Safety System

- Investigating .NET data-type safety
- Using the checked keyword

Page 17: .NET Framework Security - Strong-Named Assemblies

Strong names are:
- Unique identifiers (containing a public key)
- Used to digitally sign assemblies

Why strong-named assemblies?
- Prevent tampering
- Confirm the identity of the assembly's publisher
- Allow side-by-side components

    sn -k MyFullKey.snk

Page 18: .NET Framework Security - Isolated Storage

- Provides a virtual file system
- Allows quotas
- Implements file system isolation based on:
  - Application identity
  - User identity

    IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

Page 19: .NET Framework Security - What did we learn?

- Use managed code!
- Type-safe system
- Buffer overrun protection
- Arithmetic error trapping
- Strong-named assemblies
- Isolated storage


Page 21: Code Access Security - Evidence-Based Security

- Evidence works on top of Win32 security
- The .NET Framework collects info about an assembly and presents it to the security system; the CLR decides if the code is allowed to execute
- Evidence:
  - Is assessed when the assembly is loaded
  - Determines permissions for the assembly
- Evidence can include the assembly's:
  - Strong name information
  - URL
  - Zone
  - Authenticode signature

Page 22: Code Access Security - Security Policies

Security entity and description:

Policy:
- Is set by administrators
- Is enforced at runtime
- Simplifies administration
- Contains permissions
- Contains code groups

Code group:
- Associates similar components
- Is evidence based
- Is linked to permission set(s)

Permission set:
- Is a set of granted permissions

Page 23: Code Access Security - Security Check Stack Walk

[Figure: a call stack of SomeAssembly (grant: Execute), YourAssembly (grant: ReadFile) and a .NET Framework assembly (grant: ReadFile), with a call to ReadFile passing down the stack. The security system issues a permission demand that walks back up the stack and answers "Grant access?" with either access or a security exception (access denied); in the figure, SomeAssembly holds only Execute, so the ReadFile demand fails there.]

1. An assembly requests access to a method in your assembly
2. Your assembly passes the request to a .NET Framework assembly
3. The security system ensures that all callers in the stack have the required permissions
4. The security system grants access or throws an exception

Page 24: Code Access Security - Types of Security Checks

Imperative security checks:
- Create Permission objects
- Call Permission methods (Demand, ...)

Declarative security checks:
- Use Permission attributes
- Apply to methods or classes

Overriding security checks:
- Use the Assert method
- Prevents the stack walk

Page 25: Code Access Security - Permission Requests

- Used by developers to state required permissions
- Implemented by attributes
- Prevents an assembly from loading when minimum permissions are not available, rather than waiting for an unauthorized operation

    // I will only run if I can call unmanaged code
    [assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]

Page 26: Code Access Security

- Using the .NET Framework Configuration Tool
- Performing security checks
- Requesting permissions

Page 27: Code Access Security - Partial Trust Applications

.NET Framework 1.0:
- All ASP.NET web applications ran with full trust
- No CAS could be applied

.NET Framework 1.1:
- Provides partial trust levels to ASP.NET:
  - Full
  - High
  - Medium
  - Low
  - Minimal

Page 28: Code Access Security - Sandboxing Privileged Code

[Figure: a partial-trust web application (sandboxed code, configured with <trust level="Medium" originUrl=""/>) calls a wrapper assembly, which performs the resource access against the secured resource.]

Wrapper assembly:
- Permissions demanded / asserted
- AllowPartiallyTrustedCallers attribute added
- Assembly installed into the Global Assembly Cache
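An added example of the wrapper-assembly pattern this slide describes (not code from the deck): a strong-named assembly installed in the GAC and marked AllowPartiallyTrustedCallers exposes one privileged read, demanding a permission the Medium-trust caller does hold before asserting the one it lacks. LogReader, LogPath and the choice of demanded permission are assumptions, and the code targets the .NET Framework CAS model the deck covers.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Lets Medium-trust ASP.NET code call into this full-trust (GAC-installed) assembly;
// without it the CLR adds a full-trust link demand that partial-trust callers fail.
[assembly: AllowPartiallyTrustedCallers]

public sealed class LogReader
{
    // Hypothetical log location outside the web root, which Medium trust cannot read.
    // The path is fixed on purpose: never let the partial-trust caller pass one in,
    // or the assert below turns into an arbitrary file read on the caller's behalf.
    private const string LogPath = @"C:\AppLogs\app.log";

    public string ReadLastLine()
    {
        // 1. Demand: every caller up the stack must already hold read access to the
        //    application's own directory (Medium trust grants that). Code with less
        //    trust than the intended caller is stopped here by the stack walk.
        FileIOPermission callerMustHave = new FileIOPermission(
            FileIOPermissionAccess.Read, AppDomain.CurrentDomain.BaseDirectory);
        callerMustHave.Demand();

        // 2. Assert: stop the stack walk at this frame for read access to LogPath only.
        //    Asserting requires this assembly to hold the permission itself plus
        //    SecurityPermissionFlag.Assertion, both of which full trust includes.
        FileIOPermission logRead = new FileIOPermission(FileIOPermissionAccess.Read, LogPath);
        logRead.Assert();
        try
        {
            string last = null;
            using (StreamReader reader = new StreamReader(LogPath))
            {
                string line;
                while ((line = reader.ReadLine()) != null)
                {
                    last = line;
                }
            }
            return last;
        }
        finally
        {
            // 3. Undo the assert before returning so it cannot cover later code
            //    running on this thread.
            CodeAccessPermission.RevertAssert();
        }
    }
}
```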

Page 29: Code Access Security - What did we learn?

- Use managed code!
- Evidence is assembly based
- Security stack walk
- Types of security checks: imperative, declarative, overridable
- Partially trusted applications


Page 31: Role-Based Security - Authentication & Authorization

Authentication asks:
- "Who are you?"
- "Am I sure you are who you say you are?"

Authorization asks:
- "Are you allowed to ... ?"

Page 32: Role-Based Security - Identities and Principals

- Identity: contains information about a user (example: logon name)
- Principal: contains role information about a user or computer
- The .NET Framework provides:
  - WindowsIdentity and WindowsPrincipal objects
  - GenericIdentity and GenericPrincipal objects

Page 33: Role-Based Security - Creating Windows Identities and Principals

Use WindowsIdentity and WindowsPrincipal.

For single validation:

    WindowsIdentity myIdent = WindowsIdentity.GetCurrent();
    WindowsPrincipal myPrin = new WindowsPrincipal(myIdent);

For repeated validation:

    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    // CurrentPrincipal is typed IPrincipal, so the cast is required
    WindowsPrincipal myPrin = (WindowsPrincipal)System.Threading.Thread.CurrentPrincipal;

Page 34: Role-Based Security - Creating Generic Identities and Principals

Create a GenericIdentity and a GenericPrincipal:

    GenericIdentity myIdent = new GenericIdentity("User1");
    string[] roles = { "Manager", "Teller" };
    GenericPrincipal myPrin = new GenericPrincipal(myIdent, roles);

Attach the GenericPrincipal to the current thread:

    System.Threading.Thread.CurrentPrincipal = myPrin;

Page 35: Role-Based Security - Performing Security Checks

Use Identity and Principal members in code. For example, use the Name property of the Identity object to check the user's logon name:

    if (String.Compare(myPrin.Identity.Name, "DOMAIN\\Gerd", true) == 0)
    {
        // Perform some action
    }

Example: use the IsInRole method of the Principal object to check role membership:

    if (myPrin.IsInRole("BUILTIN\\Administrators"))
    {
        // Perform some action
    }

Page 36: Role-Based Security - Imperative and Declarative Security Checks

Use permissions to make role-based security checks.

Imperative checks:

    PrincipalPermission prinPerm = new PrincipalPermission("Teller", "Manager", true);
    try
    {
        prinPerm.Demand(); // Does the above match the active principal?
    }
    catch (SecurityException)
    {
        // The active principal does not match the demanded name, role and authentication state
    }

Declarative checks:

    [PrincipalPermission(SecurityAction.Demand, Role = "Teller", Authenticated = true)]
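The pieces from the last three slides put together as an added example (not code from the deck): two constructed users each get a GenericPrincipal on the current thread, and the same role requirement is enforced once imperatively and once declaratively. It assumes the .NET Framework, where PrincipalPermission demands are evaluated against Thread.CurrentPrincipal; LoanDesk, ApproveLoan and the user names are constructed.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class LoanDesk
{
    // Declarative check: the CLR demands an authenticated principal in the Manager
    // role before the method body runs; a SecurityException surfaces at the call site.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager", Authenticated = true)]
    static string ApproveLoan()
    {
        return "loan approved by " + Thread.CurrentPrincipal.Identity.Name;
    }

    // Imperative check: the same demand built at run time, so the role can be chosen
    // dynamically. A null name means any authenticated user in the role.
    static bool HasRole(string role)
    {
        PrincipalPermission perm = new PrincipalPermission(null, role, true);
        try
        {
            perm.Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    static void RunAs(string user, string[] roles)
    {
        // Constructed principal; in a real application the identity comes from the
        // authenticated request or the Windows logon, never from client-supplied data.
        GenericIdentity ident = new GenericIdentity(user);
        Thread.CurrentPrincipal = new GenericPrincipal(ident, roles);

        Console.WriteLine("{0}: Teller={1} Manager={2}",
            user, HasRole("Teller"), HasRole("Manager"));
        try
        {
            Console.WriteLine(ApproveLoan());
        }
        catch (SecurityException)
        {
            Console.WriteLine(user + ": ApproveLoan denied, not in role Manager");
        }
    }

    static void Main()
    {
        RunAs("User1", new string[] { "Manager", "Teller" });
        RunAs("User2", new string[] { "Teller" });
    }
}
```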

Page 37: Role-Based Security

- Using Windows role-based security
- Using generic role-based security

Page 38: Role-Based Security - What did we learn?

- Use managed code!
- Authentication vs authorization
- Identities vs principals
- WindowsIdentity vs GenericIdentity
- WindowsPrincipal vs GenericPrincipal


Page 40: Cryptography - Review

Cryptography term and description:
- Symmetric encryption: encrypting and decrypting data with a secret key
- Asymmetric encryption: encrypting and decrypting data with a public/private key pair
- Hashing: mapping a long string of data to a short, fixed-size string of data
- Digital signing: hashing data and encrypting the hash value with a private key

The .NET Framework provides classes that implement these operations.

Page 41: Cryptography - Using Symmetric Algorithms

- Choose an algorithm:
  - TripleDESCryptoServiceProvider
  - RijndaelManaged
- Generate a secret key
- Use the secret key to encrypt and decrypt data:
  - FileStream
  - MemoryStream
  - NetworkStream
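The three steps above carried out with RijndaelManaged over a MemoryStream, as an added example that is not code from the deck: generate a key and IV, encrypt through a CryptoStream, decrypt, and see what decrypting with the wrong key does. SymmetricDemo and the sample message are constructed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

class SymmetricDemo
{
    // Runs plaintext through a CryptoStream that writes ciphertext into a MemoryStream.
    static byte[] Encrypt(byte[] plaintext, byte[] key, byte[] iv)
    {
        RijndaelManaged alg = new RijndaelManaged();
        alg.Key = key;
        alg.IV = iv;                   // the IV must be fresh for every message under one key
        try
        {
            using (MemoryStream output = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(output, alg.CreateEncryptor(),
                                                          CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();  // emits the final, padded block
                }
                return output.ToArray();
            }
        }
        finally
        {
            alg.Clear();               // wipes the key material held by the algorithm object
        }
    }

    // Reads ciphertext from a MemoryStream through a decrypting CryptoStream.
    static byte[] Decrypt(byte[] ciphertext, byte[] key, byte[] iv)
    {
        RijndaelManaged alg = new RijndaelManaged();
        alg.Key = key;
        alg.IV = iv;
        try
        {
            using (MemoryStream input = new MemoryStream(ciphertext))
            using (CryptoStream cs = new CryptoStream(input, alg.CreateDecryptor(),
                                                      CryptoStreamMode.Read))
            using (MemoryStream output = new MemoryStream())
            {
                byte[] buffer = new byte[1024];
                int read;
                while ((read = cs.Read(buffer, 0, buffer.Length)) > 0)
                {
                    output.Write(buffer, 0, read);
                }
                return output.ToArray();
            }
        }
        finally
        {
            alg.Clear();
        }
    }

    static void Main()
    {
        // Step 2 of the slide: let the algorithm generate a random key and IV.
        RijndaelManaged keyGen = new RijndaelManaged();
        keyGen.GenerateKey();
        keyGen.GenerateIV();
        byte[] key = keyGen.Key;
        byte[] iv = keyGen.IV;

        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample: account 42, balance 1000");
        byte[] ciphertext = Encrypt(plaintext, key, iv);
        Console.WriteLine("ciphertext bytes: " + ciphertext.Length);
        Console.WriteLine("decrypted: " + Encoding.UTF8.GetString(Decrypt(ciphertext, key, iv)));

        // A different key: the cipher still runs, but the padding check on the last
        // block almost always fails, so CryptoStream throws instead of returning data.
        // This is not integrity protection; that is what signing (page 43) is for.
        byte[] wrongKey = new byte[key.Length];
        new RNGCryptoServiceProvider().GetBytes(wrongKey);
        try
        {
            byte[] garbage = Decrypt(ciphertext, wrongKey, iv);
            Console.WriteLine("wrong key produced " + garbage.Length + " bytes of garbage");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("wrong key rejected: " + ex.Message);
        }
    }
}
```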

Page 42: Cryptography - Using Asymmetric Algorithms

- Choose an algorithm:
  - RSACryptoServiceProvider
  - DSACryptoServiceProvider
- Generate a private and public key pair
- Encrypt or decrypt data

Page 43: Cryptography - Signing Data and Verifying Signatures

Signing data:
1. Hash the data
2. Encrypt the hash value with a private key

Verifying signatures:
1. Decrypt the signature by using the sender's public key
2. Hash the data
3. Compare the decrypted signature to the hash value
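The signing and verifying steps of this slide (and the digital-signature figure on page 8) carried out as an added example that is not code from the deck: RSACryptoServiceProvider signs a SHA-256 hash with User A's private key, and the holder of only the public key verifies it, including what a one-bit change to the data does. SignatureDemo and the message are constructed; the example assumes .NET Framework 4.x or later, where the default RSA provider supports SHA-256 signatures.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class SignatureDemo
{
    // Signing: hash the data, then sign the hash with the private key.
    static byte[] Sign(byte[] data, RSACryptoServiceProvider privateKey)
    {
        byte[] hash;
        using (SHA256 sha = SHA256.Create())
        {
            hash = sha.ComputeHash(data);
        }
        // The OID records which hash algorithm the signature covers.
        return privateKey.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
    }

    // Verifying: hash the received data and check the signature against it with the
    // public key; VerifyHash performs the "decrypt and compare" step of the slide.
    static bool Verify(byte[] data, byte[] signature, RSAParameters publicKey)
    {
        byte[] hash;
        using (SHA256 sha = SHA256.Create())
        {
            hash = sha.ComputeHash(data);
        }
        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(publicKey);   // public half only, no private exponent
            return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA256"), signature);
        }
    }

    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("constructed sample: pay 100 to account 42");
        byte[] signature;
        RSAParameters userAPublicKey;

        // User A: generates a key pair, signs, and publishes only the public key.
        using (RSACryptoServiceProvider userA = new RSACryptoServiceProvider(2048))
        {
            signature = Sign(data, userA);
            userAPublicKey = userA.ExportParameters(false);
        }

        // User B: verifies the message as received ...
        Console.WriteLine("original verifies: " + Verify(data, signature, userAPublicKey));

        // ... and a copy with one bit flipped, which no longer matches the signed hash.
        byte[] tampered = (byte[])data.Clone();
        tampered[tampered.Length - 1] ^= 0x01;
        Console.WriteLine("tampered verifies: " + Verify(tampered, signature, userAPublicKey));
    }
}
```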

Page 44: .NET Framework Encryption

- Performing symmetric encryption
- Signing data

Page 45: Cryptography - What did we learn?

- Use managed code!
- Symmetric encryption
- Asymmetric encryption
- Data signing & verification


Page 47: Securing ASP.NET - ASP.NET Authentication Types

Windows:
- Advantages: uses existing Windows infrastructure; controls access to sensitive information
- Disadvantages: does not support all client types

Forms:
- Advantages: supports all client types
- Disadvantages: relies on cookies

Microsoft Passport:
- Advantages: supports single sign-on for many Internet web sites; allows developers to customize the appearance of the registration page
- Disadvantages: relies on cookies; involves fees

Page 48: Securing ASP.NET - Configuring Forms-Based Authentication

1. Configure IIS to use Anonymous authentication
2. Set forms-based authentication in Web.config
3. Set up authorization in Web.config
4. Build a logon form

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="WebForm1.aspx"/>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>

Page 49: Securing ASP.NET - Forms-Based Authentication Enhancements

Developers can require secure cookies:

    <authentication mode="Forms">
      <forms loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             timeout="10"
             name="AppNameCookie"
             path="/FormsAuth"
             slidingExpiration="true">
      </forms>
    </authentication>

Developers can create application-specific keys.

Page 50: Securing ASP.NET - Validation Controls

Client-side validation:
- Provides instant feedback
- Reduces postback cycles

Server-side validation:
- Repeats all client-side validation
- Validates against stored data, if required

[Figure: the user enters data; the client asks "Valid?" and shows an error message if not; if yes, the server asks "Valid?" again and shows an error message if not; if yes, the web application processes the request.]

Page 51: Securing ASP.NET - Types of Validation Controls

Page 52: Securing ASP.NET

- Configuring forms authentication
- Using validation controls

Page 53: Securing ASP.NET - What did we learn?

- Use managed code!
- Types of authentication:
  - Windows authentication
  - Forms-based authentication
  - Passport authentication
- Forms-based authentication enhancements
- Validation controls


Page 55: Securing ASP.NET Web Services - Message-Level Security

- XML messages convey security information:
  - Credentials
  - Digital signatures
- Messages can be encrypted
- Security is independent from the transport protocol

[Figure: client and service exchange XML messages over any transport; the security information travels inside the XML.]

Page 56: Securing ASP.NET Web Services - Web Service Enhancements (WSE)

WSE includes:
- Authentication with SOAP headers
- Message encryption
- Message signing
- Support for message routing
- Support for attachments
- Implemented in the Microsoft.Web.Services.dll assembly

Page 57: Securing Web Services

- Analyzing SOAP headers

Page 58: Securing Web Services - What did we learn?

- Use managed code!
- Message-level security:
  - Transport independent
  - End-to-end secure
- Check out Web Service Enhancements (WSE 2.0)

Page 59: Session Summary

- Security 101
- .NET Framework Security Features
- Code Access Security
- Role-Based Security
- Cryptography
- Securing ASP.NET Web Applications
- Securing ASP.NET Web Services

Page 60: Resources

- MSDN Security Developer Center: http://msdn.microsoft.com/security
- Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
- Security guidance: http://www.microsoft.com/security/guidance
- Security training & books:
  - Writing Secure Code (Howard/LeBlanc), ISBN 0-7356-1588-8
  - CTEC Security Trainings
- Feedback, questions & tomatoes: guntherb@microsoft.com

Page 61: Thank You!