Subverting WCF Security [starting points]
Marc Schönefeld
University of Bamberg
PACSEC
The speaker
• Marc Schönefeld, Diplom-Wirtschaftsinformatiker
– For Science: External doctoral student @ Lehrstuhl für praktische Informatik at University of Bamberg, Bavaria, Germany
• Thesis project: REFACTORING OF SECURITY ANTIPATTERNS IN DISTRIBUTED JAVA COMPONENTS
– For Living: Security Management for a large financial group in Germany
WCF is part of .NET 3.0
• .NET 3.0
– is the former WinFX (Windows Framework Extension)
– according to Microsoft arithmetic, it is .NET 2.0 plus
• WPF (Presentation) aka Avalon
• WCF (Communication) aka Indigo
• WWF (Workflow)
– available for Windows XP SP2, Windows Server 2003 and Windows Vista
WCF as part of .NET 3.0
[Architecture diagram: Windows platform (Vista, XP, 2K3); CLR 2.0.50727 (Common Language Runtime); BCL 2.0.50727 (Base Class Library); on top of these: Forms 2.0, ASP 2.0, WCF, WPF, WF, CardSpace; languages: VB, C#, J#, IronPython, ...]
.NET 3.0 is not a new .NET
• .NET 3.0 is just a set of additional assemblies on top of .NET 2.0
WCF unifies communication handling
• Communication
– WCF supports various existing communication and hosting runtime models
• ASP.NET
• COM+
• WSE
• .NET Remoting
• Pipes and Queues
WCF …
• allows publishing .NET classes as services
• imports services into .NET classes
• includes interoperability code to handle service protocols, type conversion and value marshaling
• allows developers to easily connect their applications to web services
WCF …
• supports non-functional requirements (reliable calls, asynchronicity, transactionality, security)
• comes with predefined adapters
• can be extended with custom handlers for non-standard scenarios
• classes reside mostly in the System.ServiceModel namespace
• is physically located in the System.ServiceModel.dll assembly
WCF terms
• SOA (service-oriented architecture) helps the infrastructure host local or remote services that can be used by clients.
• Clients do not need to know the language, platform or version of the service.
• Services provide functionality; they can be newly written code or a decorated COM+ service.
• Clients use functionality provided by services; a client can be an ASP.NET page or a Windows Form.
• Proxies decouple services from clients.
WCF supports local scenarios
[Diagram: Process Space 1 holds Application 1 (client code, proxy) and Application 2 (client code, proxy, service); Process Space 2 holds Application 3 (client code, proxy); the proxies reach the service over IPC/MSMQ/TCP]
WCF supports remote scenarios
[Diagram: in the local domain, Process Space 1 holds Application 1 (client code, proxy) and Application 2 (client code, proxy, service); in a remote domain, Application 3 (client code, proxy) reaches the service over the Internet]
WCF authentication and authorization
• Authentication determines the identity of the service caller:
– No auth: anonymous access is allowed
– Windows: Kerberos for a Windows domain or NTLM for a workgroup (this is the default)
– UID+PWD: checks credentials against Windows accounts or database entries
– X.509 cert: in a PKI environment the client authenticates with a known certificate
– Secure token: supports a federated trust environment (WS-Trust)
– Custom authentication: roll your own authentication, in most cases not a good idea
• WCF authorization determines the permissions of the service caller by using
– Windows groups
– ASP.NET providers (such as a database)
Transports: securing the wire
– The goal is to maintain integrity and privacy of the message while in transit. Staged options are available:
– Transport security
• uses a secure transport layer over TCP, HTTP, IPC, MSMQ
– Message security
• encrypts the message
– Mixed transport and message
• transport security secures privacy and integrity, message security secures the client credentials; close to overkill
– Both
• first the message content is secured by message security mechanisms, and additionally a secure transport is used; almost always overkill
WCF separates Where, What and How
[Diagram: a client with endpoints A, B, C talks to Service A and Service B, each exposing endpoints A, B, C; every endpoint is defined by an Address (Where), a Binding (How) and a Contract (What)]
Service endpoints
• Clients and servers use service endpoints for WCF communication
– A client communicates with 1-n server endpoints
– A client may open an endpoint for duplex message exchange (WSDualHttpBinding)
• Service endpoints specify
– Endpoint address: where is the service
– Binding: how to attach to the service
– Contract: what is exchanged between client and server
– Behavior: extension of binding behavior
Endpoint address (WHERE)
• The physical address of the endpoint (like a URI)
• Headers (optional), needed when multiple servers share a URI
• Identity information
[Diagram: Endpoint address = URI + Headers (Header) + Identity Information]
Binding settings (HOW)
• Name and namespace identify a service
• Binding elements adjust communication details (reliability, SOAP message security, TCP layer protection)
• Many presets
[Diagram: Binding = Name + Namespace + Binding Elements (Binding Element)]
WCF contracts (WHAT)
• Name and namespace again identify a service
• Operation descriptions determine the type (send/forget, request/reply)
• Duplex operations talk back to the client
[Diagram: Contract = Name + Namespace + Operation Description Set (Operation Description, each with a Message Description Set of Message Descriptions) + Contract Behavior Set (Contract Behavior)]
A service description is the server config
• A service is typed and has several behavior settings
• It can be reached on multiple endpoints (one on plain TCP, another one over HTTP, …)
[Diagram: Service Description = ServiceType + Service Behavior Set (Service Behavior) + Set of Service Endpoints (each Service Endpoint = Endpoint address + Binding + Contract)]
A channel description is the client config
• A channel is used by the client and has several behavior settings
• It has exactly one endpoint (on plain TCP, over HTTP, …)
[Diagram: Channel Description = Channel Behavior Set (Channel Behavior) + Service Endpoint (Endpoint address + Binding + Contract)]
WCF runtime environment concepts
• Messages
– Represented as a SOAP infoset, the message is the core unit of information in WCF
– Its serialization format can be XML text, binary (for WCF-to-WCF) or a customizable format (JSON, XML-RPC)
• Channels
– The path along which a message is sent from endpoint to endpoint; channels are layered
– A transport channel defines the medium used to send the physical data (UDP, MQ, pipe, TCP)
– A protocol channel defines how to manipulate the data (like the SOAP protocol)
– A security channel defines how to protect the message
WCF startup procedure
– The server initializes a ServiceHost object and opens the endpoints (XML config or hardcoded)
– The client initializes a ChannelFactory object (also in config or in code)

XML config:
    <bindings>
      <basicHttpBinding>
        <binding name="Secured">
          <security mode="Message"/>
        </binding>
      </basicHttpBinding>
    </bindings>

Coding:
    BasicHttpBinding b2 = new BasicHttpBinding();
    b2.Security.Mode = BasicHttpSecurityMode.Message;
Intranet bindings
• BasicHttpBinding
– For ASMX-based web services and clients and other services that conform to the WS-I Basic Profile 1.1
– Security is turned off by default
– Text encoding, UTF-8
• NetTcpBinding
– For secure cross-machine communication
– Transport security
– Binary message encoding
Intranet bindings
• NetPeerTcpBinding
– Peer-to-peer communication over TCP
– Input, output and duplex channels
– Transport security by default
• NetNamedPipe
– For on-machine communication
– Transport security on by default
– The pipe name is the Base64-encoded service name
Internet bindings
• WSHttpBinding
– HTTP binding for web service features
– Message security
– Transactions, reliable messaging and WS-Addressing; a secure and reliable binding
• WSFederationHttp
– Like WSHttpBinding but with SSO capabilities
– Ideal choice for secure tokens (http://weblogs.asp.net/cibrax/archive/2006/03/14/440222.aspx)
Internet bindings
• WSDualHttpBinding
– Usable for service contracts in duplex mode, allowing both services and clients to send and receive messages
– Supports only SOAP security and requires reliable messaging
• NetMsmqBinding
– Support for transport on top of Microsoft Message Queuing (MSMQ)
– For designing loosely coupled applications, failure isolation, load leveling and disconnected operations
– In early versions there were DoS problems with messages larger than 64K
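The startup slide sets the security mode of a BasicHttpBinding in XML or in code, and the binding slides note that BasicHttpBinding ships with security off while NetTcpBinding turns transport security on. The following C# is an added example, not from the deck: it builds a ServiceHost with the insecure default beside the corrected binding and a NetTcpBinding, then classifies each endpoint from the binding elements the binding actually produces, so the verdict is the same however the mode was set. IEchoService, EchoService and the localhost addresses are constructed for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Hypothetical contract and service, constructed for this example.
[ServiceContract(Namespace = "urn:example:wcf-audit")]
public interface IEchoService { [OperationContract] string Echo(string text); }
public class EchoService : IEchoService { public string Echo(string text) { return text; } }

public static class EndpointAudit
{
    // Classify an endpoint by the binding elements its binding really produces,
    // so the verdict is the same whether the mode was set in XML config or in code.
    public static string Classify(ServiceEndpoint ep)
    {
        BindingElementCollection elems = ep.Binding.CreateBindingElements();
        bool message = elems.Find<SecurityBindingElement>() != null;
        bool transport = elems.Find<HttpsTransportBindingElement>() != null
                      || elems.Find<SslStreamSecurityBindingElement>() != null
                      || elems.Find<WindowsStreamSecurityBindingElement>() != null;
        if (message && transport) return "transport+message";
        if (message) return "message";
        if (transport) return "transport";
        return "NONE (plain text on the wire)";
    }

    public static void Main()
    {
        ServiceHost host = new ServiceHost(typeof(EchoService));
        // Weak: BasicHttpBinding ships with security turned off.
        host.AddServiceEndpoint(typeof(IEchoService), new BasicHttpBinding(),
                                "http://localhost:8080/echo");
        // Corrected: the same binding with SOAP message security, as on the slide.
        // BasicHttpBinding message security additionally needs certificate credentials.
        BasicHttpBinding secured = new BasicHttpBinding();
        secured.Security.Mode = BasicHttpSecurityMode.Message;
        secured.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IEchoService), secured,
                                "http://localhost:8080/echo-secured");
        // NetTcpBinding: transport security on by default (Windows stream security).
        host.AddServiceEndpoint(typeof(IEchoService), new NetTcpBinding(),
                                "net.tcp://localhost:8081/echo");
        // Walk the service description (the server config) and report each endpoint.
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
            Console.WriteLine("{0,-40} {1}", ep.Address.Uri, Classify(ep));
    }
}
```

The host is never opened, so the audit runs without binding any ports; the first endpoint is reported as NONE, the second as message, the third as transport.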
Threat modeling: Integrity, WCF & OWASP
A1 Unvalidated Parameters
A2 Broken Access Control
A3 Broken Account and Session Management
A4 Cross-Site Scripting (XSS) Flaws
A5 Buffer Overflows
A6 Command Injection Flaws
A7 Error Handling Problems
A8 Insecure Use of Cryptography
A9 Remote Administration Flaws
A10 Server Misconfiguration
WCF & OWASP
– A1: Unvalidated parameters
• There is no protection against unvalidated parameters; there is no tainting model in .NET 3.0
– A4: XSS
• Therefore no support against XSS
– A5: Buffer overflows
• COM+ legacy code (in C/C++) can be overflowed, although connected via WCF
– A6: Command injection
• Depends on how the application handles and propagates the data flow of untrusted values into SQL parameters
– A10: Server misconfiguration
• Hard-coded configurations in applications may lead to flaws; deployment personnel may be confused by the many options to choose from (where to set the cipher suite?)
Threat modeling: WCF & COM+
– WCF allows integrating COM+ with the ComSvcConfig tool
– Two hosting modes are available for COM+
• COM+ default: the component runs within DLLHOST
• Web based: the component runs within IIS, activated on request
– Beware that you don't resurrect some old vulnerable components
– Before deploying, check the component!
Threat modeling: Confidentiality
– In a threat modeling setup about communication we have
• Alice wants to communicate with Bob
• Mallory wants to interfere
– WCF protects us very well against wiretapping
• Mallory sitting on the transport wire
– WCF does not protect against interfering
• Mallory sitting between Alice and her endpoint or Bob and his endpoint (like a patched CLR or application)
– WCF does not protect against stolen credentials
• Once Mallory has stolen/leaked the key and code from Alice, she has full access
Threat modeling: Code security
– WCF protects us against type confusion
• by the use of strong contracts
• big advantage over Java serialization
– .NET protects against integer overflows
• in contrast to Java, it raises an alarm when the sign flips
– The XML parser seems to be quite stable
• against large-message attacks
• against several XML anomaly attacks
Secure coding in WCF
• Static code checking helps to find problem areas in own and third-party code
• Not all code is immediately accessible
– Third-party libraries may be encrypted or otherwise protected, so often a free tool from Salamander helps to get the code out
– http://www.remotesoft.com/deprotector/
• No source code is no problem: the MSIL binary has it all!
– Despite a lot of false positives, static MSIL checkers may help
– FxCop is a good starting point and is free at http://www.gotdotnet.com/Team/FxCop
– Comes with a set of predefined security rules!
Secure coding in WCF
• Some relevant FxCop secure coding guidelines, which are helpful when coding with WCF
– Review imperative security
– Review SQL queries for security vulnerabilities
– Pointers should not be visible
– Do not indirectly expose methods with link demands
– Do not declare read-only mutable reference types
– APTCA methods should only call APTCA methods
– APTCA types should only extend APTCA base types
• Code your own rules and alter existing ones:
– http://weblogs.asp.net/pglavich/archive/2005/07/19/419869.aspx
– http://www.futureware.biz/blog/index.php?title=writing_your_own_fxcop_rules_library
The wishlist
• Better performance
– WCF over XML is slow
– WCF over XML + security is d**n slow (even on a 3 GHz machine)
– Remember: availability is a security aspect!
• Home-phoning issues
– WCF wants to validate certificates and sends HTTP requests to Microsoft
• Better usage of the SecureString implementation
– Credentials are stored insecurely in normal strings
– It would be helpful to advise .NET to store data directly in SecureString fields after reception from a service
• No patterns available; developers are left alone
– with finding the relevant mix of options
– with adjusting protection level and performance
Summary
– WCF delivers a new baseline security model.
– Various deployment and configuration features allow subverting the default security model.
– The ease of legacy (COM+) integration allows vulnerable code to be called in the backend.
– Secure coding is still a must, despite a secure transport framework.