© 2003 School of Computing, University of Leeds
SY32 Secure Computing, Lecture 17

Secure Coding in Java and .NET

Part 2: Code Access Control

Page 2: Outline

• Introduction
• Role-based access control
  - Implementation in .NET
• Code-based access control
  - General concepts
  - Implementation in .NET and Java

Page 3: Introduction

• Two things to decide:
  - Do we allow code to execute?
  - What permissions should code be granted?
• Decisions can be based on
  - Identity of the user wishing to run the code
  - Identity of the code itself
• How do we enforce these decisions?
• How do we administer the system?

Page 4: Role-Based Access Control

• Decisions are based on user identity
  - Analogous to security at OS level
  - Not a replacement for OS security decisions!
• Implementation in .NET:
  - Uses the concept of a principal: an object encapsulating the user's identity and roles
  - Classes are provided to represent identities and principals derived from Windows accounts
  - Code indicates its requirement for a particular principal by making a security demand

Page 5: .NET Example

Activate role-based access control in the current thread:

    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Thread.CurrentPrincipal = new WindowsPrincipal(id);

...elsewhere in the code, mark a method with an attribute that makes a security demand for a principal, in this case user "Bob":

    [PrincipalPermission(SecurityAction.Demand, Name="Bob")]
    public void doSomething()
    {
        ...
    }

Page 6: Code-Based Access Control

• Decisions are based on the identity of the code
• Identity of code derives from
  - Point of origin
  - Identity of signer(s)
• Code identity maps onto a set of permissions
• The collection of these mappings constitutes code access security (CAS) policy

Page 7: CAS Policy Resolution in .NET

[Figure: the Host supplies Evidence about an Assembly, and the Assembly supplies its Permission requests; the Policy evaluator applies CAS policy to these inputs to produce the Grant set for the assembly.]

Page 8: Evidence

• A standard set of classes is provided to represent various kinds of evidence
  - Hash (hash code of the assembly's bytes)
  - Publisher (Authenticode signature of the publisher)
  - Site (domain name of the source of the assembly)
  - StrongName (digital signature computed from name, version number and hash code)
  - URL (URL of the assembly)
  - Zone (IE security zone to which the assembly belongs)

Page 9: Elements of CAS Policy

• An assembly can belong to various code groups
• Each code group has membership conditions and a set of permissions
• Evidence is matched against code group membership conditions hierarchically
• The initial set of permissions granted to an assembly is the union of the permission sets of its code groups

Page 10: Policy Resolution: Example 1

Code groups (Cond = membership condition, Perm = permission set):

    All_Code              Cond: None                   Perm: Nothing
      My_Computer_Zone    Cond: Zone = MyComputer      Perm: FullTrust
      LocalIntranet_Zone  Cond: Zone = LocalIntranet   Perm: LocalIntranet
      Xyz_Site            Cond: Site = www.xyz.com     Perm: XyzPermissions
      Internet_Zone       Cond: Zone = Internet        Perm: Internet

.NET assembly is loaded from local disk...

Resulting permissions: Nothing ∪ FullTrust

Page 11: Policy Resolution: Example 2

Code groups (Cond = membership condition, Perm = permission set):

    All_Code              Cond: None                   Perm: Nothing
      My_Computer_Zone    Cond: Zone = MyComputer      Perm: FullTrust
      LocalIntranet_Zone  Cond: Zone = LocalIntranet   Perm: LocalIntranet
      Xyz_Site            Cond: Site = www.xyz.com     Perm: XyzPermissions
      Internet_Zone       Cond: Zone = Internet        Perm: Internet

.NET assembly is loaded from www.xyz.com...

Resulting permissions: Nothing ∪ Internet ∪ XyzPermissions

Page 12: Policy Levels

• Four different CAS policy levels in .NET
  - Enterprise (enterprisesec.config)
  - Machine (security.config)
  - User (security.config in user profile)
  - Application domain (programmed)
• Policy resolution happens independently at each level and the results are intersected
• Why is this complexity required?...
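The resolution rules on Pages 9 to 12 (hierarchical matching of evidence against code groups, union of the matching groups' permission sets within a level, intersection across levels) can be run end to end on the two examples above. The model below is an added illustration, not CLR code. Code group names, conditions and permission-set names are the lecture's; two things are assumptions: the named permission sets are given constructed member permissions so that union and intersection are visible, and Xyz_Site is nested under Internet_Zone to make the hierarchical rule observable (the results for the lecture's two examples are the same either way).

```python
"""Model of .NET CAS policy resolution (added illustration, not CLR code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed member permissions for the named sets used on the slides.
NOTHING = frozenset()
FULL_TRUST = frozenset({"FileIO", "SocketAccess", "UI", "Registry", "Unmanaged"})
LOCAL_INTRANET = frozenset({"FileIO", "SocketAccess", "UI"})
INTERNET = frozenset({"UI"})
XYZ_PERMISSIONS = frozenset({"SocketAccess"})


@dataclass
class CodeGroup:
    name: str
    condition: Dict[str, str]            # {} is the "None" condition: matches all code
    permission_set: FrozenSet[str]
    children: List["CodeGroup"] = field(default_factory=list)

    def matches(self, evidence: Dict[str, str]) -> bool:
        # Every evidence item named in the condition must be present and equal.
        return all(evidence.get(k) == v for k, v in self.condition.items())


def resolve_level(root: CodeGroup, evidence: Dict[str, str]) -> FrozenSet[str]:
    """Hierarchical matching: children are only tested if their parent matched.
    The grant at one policy level is the union of the matching groups' sets."""
    if not root.matches(evidence):
        return NOTHING
    grant = set(root.permission_set)
    for child in root.children:
        grant |= resolve_level(child, evidence)
    return frozenset(grant)


def resolve_policy(levels: List[CodeGroup], evidence: Dict[str, str]) -> FrozenSet[str]:
    """Each level (enterprise, machine, user, app domain) is resolved on its own
    and the results are intersected: a level can narrow a grant, never widen it."""
    result = None
    for root in levels:
        level_grant = resolve_level(root, evidence)
        result = level_grant if result is None else result & level_grant
    return frozenset(result or NOTHING)


def lecture_machine_policy() -> CodeGroup:
    """The code groups from Policy Resolution Examples 1 and 2."""
    return CodeGroup("All_Code", {}, NOTHING, [
        CodeGroup("My_Computer_Zone", {"Zone": "MyComputer"}, FULL_TRUST),
        CodeGroup("LocalIntranet_Zone", {"Zone": "LocalIntranet"}, LOCAL_INTRANET),
        CodeGroup("Internet_Zone", {"Zone": "Internet"}, INTERNET, [
            # Assumption: Xyz_Site is only reached for code in the Internet zone.
            CodeGroup("Xyz_Site", {"Site": "www.xyz.com"}, XYZ_PERMISSIONS),
        ]),
    ])


def restrictive_user_policy() -> CodeGroup:
    """Constructed user-level policy: all code gets UI and FileIO, nothing else."""
    return CodeGroup("All_Code", {}, frozenset({"UI", "FileIO"}))


if __name__ == "__main__":
    machine = lecture_machine_policy()
    # Example 1: assembly loaded from local disk.
    print(sorted(resolve_level(machine, {"Zone": "MyComputer"})))
    # Example 2: assembly loaded from www.xyz.com.
    print(sorted(resolve_level(machine, {"Zone": "Internet", "Site": "www.xyz.com"})))
    # Same assemblies once the user level is intersected with the machine level.
    print(sorted(resolve_policy([machine, restrictive_user_policy()],
                                {"Zone": "Internet", "Site": "www.xyz.com"})))
```

The intersection step is what answers the "why is this complexity required?" question in practice: an enterprise or user administrator can cut down what the machine policy grants, but can never add to it, so no single misconfigured level hands out more than the most restrictive one allows.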

Page 13: Policy Management in .NET

• Use the caspol command-line tool
• Use the MS management console snap-in for .NET

Page 14: CAS Policy in Java

• The URL of the code and the public key(s) of its signer(s) are used as evidence
• The mapping of a code identity onto permissions is termed a protection domain
• Protection domains are specified in policy files
  - $JAVA_HOME/lib/security/java.policy
  - $HOME/.java.policy
• Policy files do not correspond to .NET policy levels; grants do not intersect!

Page 15: A Java Security Policy File

    grant codeBase "http://www.xyz.com/", signedBy "nick" {
        permission java.io.FilePermission "/tmp/*", "write";
        permission java.net.SocketPermission "*:1024-", "connect";
    };

• Code from http://www.xyz.com, signed by a public key with keystore alias 'nick'...
• ...has permission to write to any file in /tmp...
• ...and permission to connect to any site using a non-privileged port
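To see exactly which requests the grant above does and does not cover, the following added example parses the policy file from this slide into protection domains and answers "does code with this identity hold this permission?" for a few requests. It is an illustration written for these notes, not java.security.Policy. The target rules it models follow the JDK's documented semantics ("/tmp/*" means files directly in /tmp, "/tmp/-" means recursive, "*:1024-" means any host on ports 1024 and above), with one simplification that is an assumption: a codeBase ending in "/" is treated as a plain prefix match on the code's URL.

```python
"""Parser and permission checker for Java policy files (added illustration)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The policy file from the lecture slide, embedded as the sample input.
POLICY_TEXT = '''
grant codeBase "http://www.xyz.com/", signedBy "nick" {
    permission java.io.FilePermission "/tmp/*", "write";
    permission java.net.SocketPermission "*:1024-", "connect";
};
'''

GRANT_RE = re.compile(r'grant\s*([^{]*)\{(.*?)\}\s*;', re.DOTALL)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')
ATTR_RE = re.compile(r'(codeBase|signedBy)\s+"([^"]*)"')


@dataclass
class Grant:
    """One protection domain: a code identity mapped onto a list of permissions."""
    code_base: Optional[str]
    signed_by: Set[str]                               # keystore aliases that must all have signed
    permissions: List[Tuple[str, str, Set[str]]]      # (permission class, target, actions)


def parse_policy(text: str) -> List[Grant]:
    grants = []
    for header, body in GRANT_RE.findall(text):
        attrs = dict(ATTR_RE.findall(header))
        signers = {s.strip() for s in attrs.get("signedBy", "").split(",") if s.strip()}
        perms = [(cls, target, {a.strip() for a in (actions or "").split(",") if a.strip()})
                 for cls, target, actions in PERM_RE.findall(body)]
        grants.append(Grant(attrs.get("codeBase"), signers, perms))
    return grants


def file_implies(target: str, req_path: str) -> bool:
    """FilePermission target semantics: exact path, "dir/*" or "dir/-"."""
    if target == "<<ALL FILES>>":
        return True
    if target.endswith("/-"):                         # directory and all subdirectories
        return req_path.startswith(target[:-1])
    if target.endswith("/*"):                         # files directly inside the directory
        rest = req_path[len(target) - 1:]
        return req_path.startswith(target[:-1]) and rest != "" and "/" not in rest
    return req_path == target


def port_range(spec: str) -> Tuple[int, int]:
    """"" -> all ports, "80" -> 80 only, "1024-" -> 1024..65535, "-1023" -> 0..1023."""
    if not spec:
        return 0, 65535
    if "-" not in spec:
        return int(spec), int(spec)
    lo, hi = spec.split("-", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)


def socket_implies(target: str, req_host: str, req_port: int) -> bool:
    host, _, port_spec = target.partition(":")
    low, high = port_range(port_spec)
    if not low <= req_port <= high:
        return False
    if host == "*":
        return True
    if host.startswith("*."):                         # wildcard domain suffix
        return req_host.lower().endswith(host[1:].lower())
    return req_host.lower() == host.lower()


def implies(grants: List[Grant], code_base: str, signers: Set[str],
            perm_class: str, target: str, action: str) -> bool:
    """Is code from code_base, signed by signers, allowed (perm_class, target, action)?
    Only grants whose codeBase and signedBy match the code identity are consulted."""
    for g in grants:
        if g.code_base and not code_base.startswith(g.code_base):   # simplified prefix rule
            continue
        if not g.signed_by <= signers:                # every required signer must be present
            continue
        for cls, tgt, actions in g.permissions:
            if cls != perm_class or action not in actions:
                continue
            if cls == "java.io.FilePermission" and file_implies(tgt, target):
                return True
            if cls == "java.net.SocketPermission":
                host, _, port = target.partition(":")
                if socket_implies(tgt, host, int(port)):
                    return True
    return False


if __name__ == "__main__":
    domains = parse_policy(POLICY_TEXT)
    xyz = ("http://www.xyz.com/app.jar", {"nick"})
    print(implies(domains, *xyz, "java.io.FilePermission", "/tmp/app.log", "write"))
    print(implies(domains, *xyz, "java.io.FilePermission", "/tmp/sub/app.log", "write"))
    print(implies(domains, *xyz, "java.net.SocketPermission", "mail.example.com:8080", "connect"))
```

Two details worth noticing when reading a real policy file: "/tmp/*" does not reach into subdirectories (that needs "/tmp/-"), and dropping the signer requirement or the codeBase widens the grant to every piece of code the JVM loads, which is why both identity elements appear in the slide's example.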

Page 16: Enforcing Policy: Java Example

    public class Socket {
        public Socket(String host, int port) {
            SocketPermission perm =
                new SocketPermission(host + ":" + port, "connect");
            AccessController.checkPermission(perm);
            ...
        }
        ...
    }

What if a trusted caller is itself invoked by untrusted, malicious code?... (luring attack)

Page 17: Walking The Stack in .NET

[Figure: a call stack with Method A, Method B, Method C and Method D, belonging to Assembly X, Assembly Y and Assembly Z, beneath Socket.Connect in System.dll. Socket.Connect demands SocketPermission; the walk finds SocketPermission granted for the assemblies nearest the top of the stack, then reaches one that was not granted it, and a SecurityException results.]

Page 18: Initiating a Stack Walk

• In .NET, call the appropriate permission object's Demand method
• In Java, call the checkPermission method of the AccessController class, with the demanded permission as an argument
• Demands are typically made within trusted library code; it usually isn't necessary to make them explicitly yourself

Page 19: Controlling Stack Walks in .NET

• Security action Assert terminates the stack walk without triggering a SecurityException
  - Making an assertion = vouching for callers
  - Need to be very sure that callers can't wreak havoc!
• Security action Deny forces termination of a stack walk with a SecurityException
• Assertions or denials can be cancelled via calls to RevertAssert or RevertDeny

Page 20: Example

• How can we make sure that a method needing to log data to a file can always do so, regardless of caller permissions?
• Answer: use the Assert security action
• Which style of action?
  - Imperative
  - Declarative

Page 21: Implementations

Imperative (the permission is constructed and asserted at run time; the access flag is FileIOPermissionAccess.Append):

    public void UpdateLog(string text)
    {
        const string logfile = "C:\\MyApp.log";
        FileIOPermission perm =
            new FileIOPermission(FileIOPermissionAccess.Append, logfile);
        perm.Assert();
        ...
    }

Declarative (the assertion is an attribute on the method):

    [FileIOPermission(SecurityAction.Assert, Append="C:\\MyApp.log")]
    public void UpdateLog(string text)
    {
        ...
    }
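The stack walk described on Pages 16 to 19, and the effect of the Assert in UpdateLog above, can be simulated in a few dozen lines. The model below is an added illustration for these notes, not the CLR's or JVM's implementation. Frame and assembly names are constructed to mirror the figure on Page 17: Method A in Assembly X calls down through Methods B and C in Assembly Y and Method D in Assembly Z to Socket.Connect in System.dll, which demands SocketPermission; which method lives in which assembly is an assumption, as are the grant sets. The same model runs the UpdateLog case (Assert stops the walk before the untrusted caller is examined) and a Deny.

```python
"""Model of a CAS stack walk with Assert and Deny (added illustration)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


class SecurityException(Exception):
    """Raised when some frame on the stack causes a demand to be refused."""


@dataclass
class Frame:
    method: str
    assembly: str
    asserted: FrozenSet[str] = frozenset()   # Assert: this frame vouches for its callers
    denied: FrozenSet[str] = frozenset()     # Deny: this frame refuses to pass the permission on


def demand(permission: str, stack: List[Frame], grants: Dict[str, FrozenSet[str]]) -> str:
    """Walk from the demanding frame (stack[-1]) down towards the original caller.
    Each frame's assembly must hold the permission. A Deny met on the way fails the
    demand; an Assert stops the walk, so frames further down are never examined.
    Without the walk, an untrusted caller could obtain a socket simply by calling
    trusted code that holds the permission (the luring attack on Page 16)."""
    for frame in reversed(stack):
        if permission in frame.denied:
            raise SecurityException(f"{frame.method} ({frame.assembly}) denies {permission}")
        if permission not in grants.get(frame.assembly, frozenset()):
            raise SecurityException(f"{frame.method} ({frame.assembly}) was not granted {permission}")
        if permission in frame.asserted:
            return f"granted; walk stopped at {frame.method} (Assert)"
    return "granted; walk reached the bottom of the stack"


def try_demand(permission: str, stack: List[Frame],
               grants: Dict[str, FrozenSet[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason) instead of raising, for easy inspection."""
    try:
        return True, demand(permission, stack, grants)
    except SecurityException as exc:
        return False, str(exc)


# Constructed grant sets: Assembly X is untrusted; Y, Z and System.dll hold SocketPermission.
GRANTS = {
    "System.dll": frozenset({"SocketPermission", "FileIOPermission"}),
    "Assembly Z": frozenset({"SocketPermission"}),
    "Assembly Y": frozenset({"SocketPermission", "FileIOPermission"}),
    "Assembly X": frozenset(),
}


def luring_attack_stack() -> List[Frame]:
    """Page 17: untrusted Method A sits beneath a Socket.Connect demand."""
    return [Frame("Method A", "Assembly X"), Frame("Method B", "Assembly Y"),
            Frame("Method C", "Assembly Y"), Frame("Method D", "Assembly Z"),
            Frame("Socket.Connect", "System.dll")]


def update_log_stack(with_assert: bool = True) -> List[Frame]:
    """Page 21: UpdateLog asserts FileIOPermission so logging works for any caller."""
    asserted = frozenset({"FileIOPermission"}) if with_assert else frozenset()
    return [Frame("Method A", "Assembly X"),
            Frame("UpdateLog", "Assembly Y", asserted=asserted),
            Frame("File.AppendText", "System.dll")]


def deny_stack() -> List[Frame]:
    """Page 19: a trusted caller uses Deny to refuse socket access to everything it calls."""
    return [Frame("Method C", "Assembly Y", denied=frozenset({"SocketPermission"})),
            Frame("Method D", "Assembly Z"), Frame("Socket.Connect", "System.dll")]


if __name__ == "__main__":
    print(try_demand("SocketPermission", luring_attack_stack(), GRANTS))
    print(try_demand("FileIOPermission", update_log_stack(), GRANTS))
    print(try_demand("FileIOPermission", update_log_stack(with_assert=False), GRANTS))
    print(try_demand("SocketPermission", deny_stack(), GRANTS))
```

Note the order of the checks inside the loop: the asserting frame's own assembly must hold the permission before its Assert counts, which is why UpdateLog can vouch for FileIOPermission only because Assembly Y was granted it. That is also the risk on Page 19 in concrete form: once UpdateLog asserts, nothing on the stack below it is examined, so the assertion is only as safe as UpdateLog's use of the asserted permission (here, appending to one fixed log file rather than a caller-chosen path).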

Page 22: Imperative & Declarative Styles

• Imperative security actions
  - Can use information available only at run time
  - Cannot be discovered without running the code
• Declarative security actions
  - Are fixed at compile time
  - Can be discovered without running the code (reflection)

Page 23: Summary

• Access given to code can be determined from user identity or from code identity
• Code access security policy specifies the mapping of code identities onto sets of permissions
  - .NET resolves multiple policies and intersects the results
• Policy is enforced by a stack walk, to prevent malicious code from luring trusted code
• Stack walks can be controlled, e.g., using Assert and Deny in .NET