
.NET Framework Application Security Overview

.NET Framework Application Security Overview. Gunther Beersaerts guntherb@microsoft.com Microsoft Corporation. Agenda. Security 101 .NET Framework Security Features Code Access Security Role-Based Security Cryptography Securing ASP.NET Web Applications Securing ASP.NET Web Services.


Presentation Transcript


  1. .NET Framework Application Security Overview Gunther Beersaerts guntherb@microsoft.com Microsoft Corporation

  2. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  3. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  4. Security 101: Overview of Security Technologies • Developers need to understand, use and apply: • Encryption • Hashing • Digital signatures • Digital certificates • Secure communication • Authentication • Authorization • Firewalls • Auditing • Service packs and updates

  5. Security 101: Encryption • Encryption is the process of encoding data • To protect a user’s identity or data from being read • To protect data from being altered • To verify that data originates from a particular user • Encryption can be: • Asymmetric • Symmetric

  6. Security 101: Symmetric vs Asymmetric Encryption

  7. Security 101: Verifying Data Integrity with Hashes • User A sends data and hash value to User B • If hash values match, data is valid [Diagram labels: User A, User B, Data, Hash Algorithm, Hash Value]

  8. Security 101: Digital Signatures • If hash values match, data came from the owner of the private key and is valid [Diagram labels: User A, User B, Data, Hash Algorithm, Hash Value, User A Private Key, User A Public Key]

  9. Security 101: How Digital Certificates Work [Diagram labels: User, Computer, Service, Application, Private/Public Key Pair, Private Key, Public Key, Certification Authority, Administrator, Certified]

  10. Security 101: Secure Communication Technologies • Technologies include: • IPSec • SSL • TLS • RPC encryption [Diagram labels: IPSec, RPC Encryption, SSL/TLS]

  11. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  12. .NET Framework Security: In General • .NET CLR controls execution of managed code • .NET Framework Security is part of the CLR • .NET Framework Security includes many features: • Managed Execution • Type-Safe System • Buffer Overrun Protection • Arithmetic Error Trapping • Strong-Named Assemblies • Isolated Storage • ... • Important: Complements Windows Security

  13. .NET Framework Security: Type Safety System • Type-safe code: • Prevents buffer overruns • Restricts access to authorized memory locations • Allows multiple assemblies to run in same process • App Domains provide: • Increased performance • Increased code security

  14. .NET Framework Security: Buffer Overrun Protection • Managed code does not deal with raw pointers (char *, …) • Instead, .NET CLR uses Framework classes • System.String • .NET System.String objects are immutable • System.Text.StringBuilder • System.Text.StringBuilder class checks buffer bounds • Throws an exception on attempts to overwrite the internal buffer • Type-verification prevents arbitrary memory overwrites
      void CopyString (string src) { stringDest = src; }

  15. .NET Framework Security: Arithmetic Error Trapping • Arithmetic error trapping is achieved by using: • The checked keyword • Project settings
      byte b = 0;
      while (true) {
          Console.WriteLine(b);
          checked { b++; } // throws OverflowException when b would exceed 255
      }

  16. Type Safety System • Investigating .NET Data-Type Safety • Using the checked keyword

  17. .NET Framework Security: Strong-Named Assemblies • Strong names are: • Unique identifiers (containing a public key) • Used to digitally sign assemblies • Why strong-named assemblies? • Prevent tampering • Confirm the identity of the assembly’s publisher • Allow side-by-side components
      sn -k MyFullKey.snk

  18. .NET Framework Security: Isolated Storage • Provides a virtual file system • Allows quotas • Implements file system isolation based on: • Application identity • User identity
      IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

  19. .NET Framework Security: What did we learn? • Use managed code! • Type-Safe System • Buffer Overrun Protection • Arithmetic Error Trapping • Strong-Named Assemblies • Isolated Storage

  20. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  21. Code Access Security: Evidence-Based Security • Evidence works on top of Win32 security • .NET Framework • Collects info about an Assembly • Presents info to the Security system • CLR decides if code is allowed to execute • Evidence • Assessed when assembly is loaded • Determines permissions for assembly • Evidence can include assembly’s: • Strong name information • URL • Zone • Authenticode signature

  22. Code Access Security: Security Policies

  23. Code Access Security: Security Check Stack Walk • 1. An assembly requests access to a method in your assembly • 2. Your assembly passes the request to a .NET Framework assembly • 3. The security system ensures that all callers in the stack have the required permissions • 4. The security system grants access or throws an exception [Diagram: call stack of SomeAssembly (Grant: Execute), YourAssembly (Grant: ReadFile) and .NET Framework Assembly (Grant: ReadFile); the call to ReadFile raises a permission demand, and the security system either grants access or throws a security exception (access denied)]

  24. Code Access Security: Types of Security Checks • Imperative security checks • Create Permission objects • Call Permission methods (Demand, …) • Declarative security checks • Use Permission attributes • Apply to methods or classes • Overriding security checks • Use the Assert method • Prevent the stack walk

  25. Code Access Security: Permissions Requests • Used by developers to state required permissions • Implemented by attributes • Prevents an assembly from loading • When minimum permissions are not available • Rather than wait for unauthorized operation
      // I will only run if I can call unmanaged code
      [assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]

  26. Code Access Security • Using the .NET Framework Configuration Tool • Performing Security Checks • Requesting Permissions

  27. Code Access Security: Partial Trust Applications • .NET Framework 1.0 • All ASP.NET web applications ran with full trust • No CAS could be applied • .NET Framework 1.1 • Provides partial trust levels to ASP.NET • Full • High • Medium • Low • Minimal

  28. Code Access Security: Sandboxing Privileged Code • Permissions Demanded / Asserted • AllowPartiallyTrustedCallers attribute added • Assembly installed into the Global Assembly Cache [Diagram labels: Partial Trust Web Application, Wrapper Assembly, Sandboxed Code, Resource Access, Secured Resource]
      <trust level="Medium" originUrl="--"/>

  29. Code Access Security: What did we learn? • Use managed code! • Evidence is Assembly based • Security Stack Walk • Types of Security Checks • Imperative, Declarative, Overridable • Partially Trusted Applications

  30. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  31. Role-Based Security: Authentication & Authorization • Authentication asks: "Who are you?" "Am I sure you are who you say you are?" • Authorization asks: "Are you allowed to … ?"

  32. Role-Based Security: Identities and Principals • Identity • Contains information about a user • Example: Logon name • Principal • Contains role information about a user or computer • .NET Framework provides: • WindowsIdentity and WindowsPrincipal objects • GenericIdentity and GenericPrincipal objects

  33. Role-Based Security: Creating Windows Identities and Principals • Use WindowsIdentity and WindowsPrincipal • For single validation:
      WindowsIdentity myIdent = WindowsIdentity.GetCurrent();
      WindowsPrincipal myPrin = new WindowsPrincipal(myIdent);
      • For repeated validation:
      AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
      // Thread.CurrentPrincipal is typed as IPrincipal, so a cast is required
      WindowsPrincipal myPrin = (WindowsPrincipal)System.Threading.Thread.CurrentPrincipal;

  34. Role-Based Security: Creating Generic Identities and Principals • Create a GenericIdentity and a GenericPrincipal:
      GenericIdentity myIdent = new GenericIdentity("User1");
      string[] roles = {"Manager", "Teller"};
      GenericPrincipal myPrin = new GenericPrincipal(myIdent, roles);
      • Attach the GenericPrincipal to the current thread:
      System.Threading.Thread.CurrentPrincipal = myPrin;

  35. Role-Based Security: Performing Security Checks • Use Identity and Principal members in code • For example, using the Name property of the Identity object to check the user’s logon name:
      if (String.Compare(myPrin.Identity.Name, "DOMAIN\\Gerd", true) == 0) {
          // Perform some action
      }
      • Example: using the IsInRole method of the Principal object to check role membership:
      if (myPrin.IsInRole("BUILTIN\\Administrators")) {
          // Perform some action
      }

  36. Role-Based Security: Imperative and Declarative Security Checks • Use permissions to make role-based security checks • Imperative checks:
      // Constructor arguments are (name, role, isAuthenticated)
      PrincipalPermission prinPerm = new PrincipalPermission("Teller", "Manager", true);
      try {
          prinPerm.Demand(); // Does the above match the active principal?
      } catch (System.Security.SecurityException) {
          // The active principal did not match; deny the operation
      }
      • Declarative checks:
      [PrincipalPermission(SecurityAction.Demand, Role="Teller", Authenticated=true)]
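The checks from slides 34 to 36 combined, as an added example that is not part of the original deck: a GenericPrincipal is attached to the thread and several PrincipalPermission demands are evaluated against it. The user name "User2", the "Auditor" role and the helper Allowed are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleCheckDemo
{
    // Hypothetical helper: true when the current thread's principal satisfies the demand.
    static bool Allowed(IPermission demand)
    {
        try { demand.Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    static void Main()
    {
        // Constructed sample user with the roles used on slide 34.
        var ident = new GenericIdentity("User1");
        Thread.CurrentPrincipal = new GenericPrincipal(ident, new[] { "Manager", "Teller" });

        // A null name means "any authenticated user holding the role".
        var anyTeller = new PrincipalPermission(null, "Teller", true);
        var anyAuditor = new PrincipalPermission(null, "Auditor", true);

        // With both name and role set, BOTH must match the active principal.
        var user2AsManager = new PrincipalPermission("User2", "Manager", true);

        // Union expresses "either permission is sufficient".
        IPermission tellerOrAuditor = anyTeller.Union(anyAuditor);

        Console.WriteLine("Any Teller:         " + Allowed(anyTeller));
        Console.WriteLine("Any Auditor:        " + Allowed(anyAuditor));
        Console.WriteLine("User2 as Manager:   " + Allowed(user2AsManager));
        Console.WriteLine("Teller or Auditor:  " + Allowed(tellerOrAuditor));
    }
}
```

For User1 the Teller demand and the union succeed, while the Auditor demand and the User2/Manager demand fail, which shows that the first constructor argument is a user name and not a second role.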

  37. Role-Based Security • Using Windows Role-Based Security • Using Generic Role-Based Security

  38. Role-Based Security: What did we learn? • Use managed code! • Authentication vs Authorization • Identities vs Principals • WindowsIdentity vs GenericIdentity • WindowsPrincipal vs GenericPrincipal

  39. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  40. Cryptography: Review • The .NET Framework provides classes that implement these operations

  41. Cryptography: Using Symmetric Algorithms • Choose an algorithm • TripleDESCryptoServiceProvider • RijndaelManaged • Generate a secret key • Use secret key to encrypt and decrypt data: • FileStream • MemoryStream • NetworkStream

  42. Cryptography: Using Asymmetric Algorithms • Choose an algorithm • RSACryptoServiceProvider • DSACryptoServiceProvider • Generate a private and public key pair • Encrypt or decrypt data

  43. Cryptography: Signing Data and Verifying Signatures
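The signing flow from slides 8, 42 and 43 as an added example, not code from the original deck: User A signs with the private key, User B verifies with only the public key, and a one-bit change to the data makes verification fail. It assumes .NET Framework 4.6 or later for the SignData/VerifyData overloads used; the message text is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignVerifyDemo
{
    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("constructed sample: pay 100 to account 42");

        // User A: holds the private key; SignData hashes the data with SHA-256 and signs the hash.
        using (var userA = new RSACryptoServiceProvider(2048))
        {
            byte[] signature = userA.SignData(
                data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Export the public part only; the private key never leaves User A.
            RSAParameters publicKey = userA.ExportParameters(false);

            // User B: holds only User A's public key.
            using (var userB = new RSACryptoServiceProvider())
            {
                userB.ImportParameters(publicKey);

                bool original = userB.VerifyData(
                    data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                data[data.Length - 1] ^= 0x01; // simulate alteration in transit

                bool altered = userB.VerifyData(
                    data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                Console.WriteLine("Unmodified data verifies: " + original);
                Console.WriteLine("Altered data verifies:    " + altered);
            }
        }
    }
}
```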

  44. .NET Framework Encryption • Performing Symmetric Encryption • Signing Data

  45. Cryptography: What did we learn? • Use managed code! • Symmetric Encryption • Asymmetric Encryption • Data Signing & Verification

  46. Agenda • Security 101 • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  47. Securing ASP.NET: ASP.NET Authentication Types

  48. Securing ASP.NET: Configuring Form-Based Authentication • Configure IIS to use Anonymous authentication • Set forms-based authentication in Web.config • Set up authorization in Web.config • Build a logon form
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="WebForm1.aspx"/>
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>

  49. Securing ASP.NET: Form-Based Authentication Enhancements • Developers can require secure cookies • Developers can create application-specific keys
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" protection="All" requireSSL="true" timeout="10" name="AppNameCookie" path="/FormsAuth" slidingExpiration="true">
        </forms>
      </authentication>

  50. Securing ASP.NET: Validation Controls • Client-side validation • Provides instant feedback • Reduces postback cycles • Server-side validation • Repeats all client-side validation • Validates against stored data, if required [Diagram labels: User Enters Data, Valid? (Client), Valid? (Server), Yes, No, Error Message, Web Application Processed]
