© 2003 School of Computing, University of Leeds
SY32 Secure Computing, Lecture 17
Secure Coding in Java and .NET
Part 2: Code Access Control
Outline
• Introduction
• Role-based access control: implementation in .NET
• Code-based access control: general concepts; implementation in .NET and Java
Introduction
• Two things to decide: do we allow code to execute at all, and what permissions should code be granted?
• Decisions can be based on the identity of the user wishing to run the code, or on the identity of the code itself
• How do we enforce these decisions?
• How do we administer the system?
Role-Based Access Control
• Decisions are based on user identity: analogous to security at OS level, but not a replacement for OS security decisions!
• Implementation in .NET uses the concept of a principal: an object encapsulating a user's identity and roles
• Classes are provided to represent identities and principals derived from Windows accounts
• Code indicates its requirement for a particular principal by making a security demand
.NET Example

    using System.Security.Permissions;
    using System.Security.Principal;
    using System.Threading;

    // Activate role-based access control in the current thread: wrap the
    // Windows identity of the process owner in a principal
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Thread.CurrentPrincipal = new WindowsPrincipal(id);

    // Elsewhere in the code: a declarative demand that the current principal
    // is the named user; a SecurityException is thrown if it is not
    [PrincipalPermission(SecurityAction.Demand, Name = "Bob")]
    public void doSomething()
    {
        ...
    }

The first two lines activate role-based access control in the current thread; the attribute elsewhere marks a method with a security demand for a principal, in this case user "Bob". Check the name format: a WindowsPrincipal reports its name as DOMAIN\user, so the demand only succeeds if Name is the full account name (for example "MYDOMAIN\\Bob"); demanding a Role rather than a Name is usually more robust.
Code-Based Access Control
• Decisions are based on the identity of the code
• Identity of code derives from its point of origin and the identity of its signer(s)
• Code identity maps onto a set of permissions
• The collection of these mappings constitutes code access security (CAS) policy
CAS Policy Resolution in .NET
[Figure: the host supplies evidence about an assembly; the assembly itself may carry permission requests; the policy evaluator resolves the evidence against CAS policy and produces the grant set for the assembly.]
Evidence
• A standard set of classes is provided to represent the various kinds of evidence:
  Hash (hash of the assembly's bytes)
  Publisher (Authenticode signature, identifying the publisher's certificate)
  Site (host name of the source of the assembly)
  StrongName (the assembly's simple name, version number and public key, backed by a signature over the assembly's hash)
  Url (URL the assembly was loaded from)
  Zone (IE security zone to which the assembly's origin belongs: MyComputer, Intranet, Trusted, Internet or Untrusted)
Elements of CAS Policy
• An assembly can belong to various code groups
• Each code group has membership conditions and a set of permissions
• Evidence is matched against code group membership conditions hierarchically: a child group is only examined if its parent group matched
• The initial set of permissions granted to an assembly is the union of the permission sets of its code groups
Policy Resolution: Example 1

Code group tree (condition; permission set):
  All_Code (none; Nothing)
    My_Computer_Zone (Zone = MyComputer; FullTrust)
    LocalIntranet_Zone (Zone = LocalIntranet; LocalIntranet)
    Internet_Zone (Zone = Internet; Internet)
      Xyz_Site (Site = www.xyz.com; XyzPermissions)

A .NET assembly is loaded from local disk, so its Zone evidence is MyComputer and it has no Site evidence. Matching groups: All_Code and My_Computer_Zone.

Resulting permissions: Nothing ∪ FullTrust = FullTrust
Policy Resolution: Example 2

Same code group tree:
  All_Code (none; Nothing)
    My_Computer_Zone (Zone = MyComputer; FullTrust)
    LocalIntranet_Zone (Zone = LocalIntranet; LocalIntranet)
    Internet_Zone (Zone = Internet; Internet)
      Xyz_Site (Site = www.xyz.com; XyzPermissions)

A .NET assembly is loaded from www.xyz.com, so its Zone evidence is Internet and its Site evidence is www.xyz.com. Matching groups: All_Code, Internet_Zone and (because Internet_Zone matched) Xyz_Site.

Resulting permissions: Nothing ∪ Internet ∪ XyzPermissions
Policy Levels
• Four different CAS policy levels in .NET:
  Enterprise (enterprisesec.config)
  Machine (security.config)
  User (security.config in the user's profile)
  Application domain (set programmatically by the host)
• Policy resolution happens independently at each level and the results are intersected
• Why is this complexity required? Intersection makes each level a ceiling: an enterprise or machine administrator can cap what any assembly receives, and a user-level or host policy can only narrow that grant, never widen it.
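The resolution rules of the last three slides (hierarchical matching of evidence against code groups, union within a level, intersection across levels) as an added example in Java; this is not code from the lecture or from .NET. It reproduces the machine level of the two examples above; the placement of Xyz_Site under Internet_Zone, the contents of the named permission sets and the restrictive enterprise level are assumptions made for the example. Requires JDK 9 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class CasPolicyModel {

    // Stands for the FullTrust set: absorbs everything under union and is the
    // identity under intersection, as an unrestricted PermissionSet does in .NET.
    static final String UNRESTRICTED = "Unrestricted";

    // Membership condition: one kind of evidence (Zone, Site, Url ...) must have the
    // given value; a null kind matches all code (the root group).
    static final class Condition {
        final String kind, value;
        Condition(String kind, String value) { this.kind = kind; this.value = value; }
        static Condition allCode() { return new Condition(null, null); }
        boolean matches(Map<String, String> evidence) {
            return kind == null || value.equals(evidence.get(kind));
        }
    }

    static final class CodeGroup {
        final String name;
        final Condition condition;
        final Set<String> permissionSet;
        final List<CodeGroup> children = new ArrayList<>();
        CodeGroup(String name, Condition condition, Set<String> permissionSet) {
            this.name = name; this.condition = condition; this.permissionSet = permissionSet;
        }
        CodeGroup add(CodeGroup child) { children.add(child); return this; }
    }

    static Set<String> union(Set<String> a, Set<String> b) {
        Set<String> out = new TreeSet<>(a);
        out.addAll(b);
        return out.contains(UNRESTRICTED) ? new TreeSet<>(Set.of(UNRESTRICTED)) : out;
    }

    static Set<String> intersect(Set<String> a, Set<String> b) {
        if (a.contains(UNRESTRICTED)) return new TreeSet<>(b);
        if (b.contains(UNRESTRICTED)) return new TreeSet<>(a);
        Set<String> out = new TreeSet<>(a);
        out.retainAll(b);
        return out;
    }

    // One policy level: a child group is examined only if its parent matched, and the
    // level's grant is the union of the permission sets of every matching group.
    static Set<String> resolveLevel(CodeGroup group, Map<String, String> evidence) {
        if (!group.condition.matches(evidence)) return new TreeSet<>();
        Set<String> grant = new TreeSet<>(group.permissionSet);
        for (CodeGroup child : group.children) grant = union(grant, resolveLevel(child, evidence));
        return grant;
    }

    // All levels: each is resolved independently, then the results are intersected.
    static Set<String> resolve(List<CodeGroup> levelRoots, Map<String, String> evidence) {
        Set<String> grant = new TreeSet<>(Set.of(UNRESTRICTED));
        for (CodeGroup root : levelRoots) grant = intersect(grant, resolveLevel(root, evidence));
        return grant;
    }

    // Illustrative contents of the named permission sets (assumed; the real ones are larger).
    static final Set<String> NOTHING = Set.of();
    static final Set<String> FULL_TRUST = Set.of(UNRESTRICTED);
    static final Set<String> INTERNET = Set.of("Execution", "SafeTopLevelWindows", "IsolatedStorage");
    static final Set<String> LOCAL_INTRANET = Set.of("Execution", "UI", "IsolatedStorage", "Printing");
    static final Set<String> XYZ = Set.of("SocketConnect:www.xyz.com", "FileWrite:/tmp");

    // The machine level of the lecture's examples; Xyz_Site assumed to sit under Internet_Zone.
    static CodeGroup machineLevel() {
        return new CodeGroup("All_Code", Condition.allCode(), NOTHING)
            .add(new CodeGroup("My_Computer_Zone", new Condition("Zone", "MyComputer"), FULL_TRUST))
            .add(new CodeGroup("LocalIntranet_Zone", new Condition("Zone", "LocalIntranet"), LOCAL_INTRANET))
            .add(new CodeGroup("Internet_Zone", new Condition("Zone", "Internet"), INTERNET)
                .add(new CodeGroup("Xyz_Site", new Condition("Site", "www.xyz.com"), XYZ)));
    }

    // An assumed enterprise level with no Internet_Zone group: Internet code gets Nothing
    // here, and the intersection takes away whatever the machine level granted.
    static CodeGroup restrictiveEnterpriseLevel() {
        return new CodeGroup("All_Code", Condition.allCode(), NOTHING)
            .add(new CodeGroup("My_Computer_Zone", new Condition("Zone", "MyComputer"), FULL_TRUST))
            .add(new CodeGroup("LocalIntranet_Zone", new Condition("Zone", "LocalIntranet"), LOCAL_INTRANET));
    }

    public static void main(String[] args) {
        // Constructed evidence for the two assemblies of the lecture's examples
        Map<String, String> local = Map.of("Zone", "MyComputer", "Url", "file:///C:/app/app.dll");
        Map<String, String> fromXyz = Map.of("Zone", "Internet", "Site", "www.xyz.com",
                                             "Url", "http://www.xyz.com/app.dll");
        List<CodeGroup> machineOnly = List.of(machineLevel());
        List<CodeGroup> withEnterprise = List.of(restrictiveEnterpriseLevel(), machineLevel());
        System.out.println("Example 1: " + resolve(machineOnly, local));       // [Unrestricted]
        System.out.println("Example 2: " + resolve(machineOnly, fromXyz));     // Internet set plus Xyz set
        System.out.println("Example 2 + enterprise: " + resolve(withEnterprise, fromXyz)); // []
    }
}
```

The third run is the point of the policy levels: the machine level still grants the Internet and XyzPermissions sets to code from www.xyz.com, but the enterprise level resolves to Nothing for it, and the intersection leaves the assembly with no permissions.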
Policy Management in .NET
• Use the caspol command-line tool (for example, caspol -m -listgroups lists the machine-level code groups)
• Use the .NET Framework Configuration MMC snap-in (mscorcfg.msc)
• Caveat: from .NET Framework 4.0 this policy machinery is deprecated and no longer enforced unless legacy policy is switched on in the application configuration, and .NET Core / .NET 5 and later have no CAS at all; what follows describes .NET 1.x/2.x
CAS Policy in Java
• The URL of the code (codeBase) and the public key(s) of its signer(s) (signedBy) are used as evidence
• The runtime's mapping of a code identity onto its permissions is termed a protection domain; each grant entry in the policy describes one
• Grant entries are specified in policy files: $JAVA_HOME/lib/security/java.policy ($JAVA_HOME/conf/security/java.policy from JDK 9) and $HOME/.java.policy, or a file named with -Djava.security.policy
• Policy files do not correspond to .NET policy levels: every file is read and their grants are combined by union; grants do not intersect!
A Java Security Policy File

    grant codeBase "http://www.xyz.com/", signedBy "nick" {
        permission java.io.FilePermission "/tmp/*", "write";
        permission java.net.SocketPermission "*:1024-", "connect";
    };

• Code from http://www.xyz.com/, signed by the key whose certificate is stored under the keystore alias 'nick' (the keystore itself is named by a keystore entry in the same policy file)…
• …has permission to write any file directly in /tmp ("/tmp/*" does not include subdirectories; "/tmp/-" would)…
• …and permission to connect to any host on a non-privileged port (1024 and above)
• Check the codeBase carefully: a URL ending in "/" matches only class files in that directory, "/*" also matches JAR files there, and "/-" matches everything below it recursively
Enforcing Policy: Java Example
What if a trusted caller is itself invoked by untrusted, malicious code?... (luring attack)

    // Simplified sketch of java.net.Socket: the library demands the permission
    // before connecting (the real class goes via SecurityManager.checkConnect,
    // which ends in the same checkPermission call)
    import java.net.SocketPermission;
    import java.security.AccessController;

    public class Socket {
        public Socket(String host, int port) {
            SocketPermission perm = new SocketPermission(host + ":" + port, "connect");
            AccessController.checkPermission(perm);  // starts a stack walk
            ...
        }
        ...
    }
Walking The Stack in .NET

Call stack, most recent frame first; the callers live in three assemblies X, Y and Z:

    Socket.Connect  (System.dll)   SocketPermission demanded here
    Method D                       caller's assembly: SocketPermission granted, walk continues
    Method C                       caller's assembly: SocketPermission granted, walk continues
    Method B                       caller's assembly: SocketPermission not granted: SecurityException
    Method A                       never examined

The demand succeeds only if every frame above the demand belongs to an assembly whose grant set includes the permission; the first frame that fails aborts the walk with a SecurityException.
Initiating a Stack Walk
• In .NET, call the appropriate permission object's Demand method
• In Java, call the checkPermission method of the AccessController class, with the demanded permission as an argument
• Demands are typically made within trusted library code; it usually isn't necessary to make them explicitly yourself
Controlling Stack Walks in .NET
• The security action Assert terminates the stack walk without triggering a SecurityException: making an assertion = vouching for your callers, so you need to be very sure that callers can't wreak havoc! The asserting code must itself hold the asserted permission and SecurityPermission with the Assertion flag
• The security action Deny forces termination of a stack walk with a SecurityException when a demand for a denied permission reaches the denying frame
• Assertions or denials can be cancelled via calls to RevertAssert or RevertDeny; both also expire when the method that made them returns
Example
• How can we make sure that a method needing to log data to a file can always do so, regardless of caller permissions?
• Answer: use the Assert security action
• Which style of action? Imperative or declarative
Implementations

Imperative:

    using System.Security.Permissions;

    public void UpdateLog(string text)
    {
        const string logfile = "C:\\MyApp.log";
        // Assert only Append access to this one fixed path, nothing broader
        FileIOPermission perm = new FileIOPermission(FileIOPermissionAccess.Append, logfile);
        perm.Assert();
        ...
    }

Declarative:

    [FileIOPermission(SecurityAction.Assert, Append = "C:\\MyApp.log")]
    public void UpdateLog(string text)
    {
        ...
    }

The assertion is deliberately as narrow as possible: a fixed path and Append only. An Assert whose path or access is derived from caller-supplied data hands that capability to every untrusted caller, which is exactly the luring attack the stack walk exists to stop.
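The luring attack, the stack walk and the Assert example, exercised against the real Java machinery as an added example; this is not code from the lecture. An AccessControlContext holding an empty protection domain stands in for the untrusted caller, AccessController.doPrivileged plays the part of .NET's Assert, and a custom java.security.Policy plays the part of the policy file (code with a CodeSource, i.e. our own classes, gets the permission; code without one gets nothing). The class, method names and log path are invented for the example. It runs on JDK 8 to 23 (with removal warnings from JDK 17 on); JDK 24 permanently disabled this machinery (JEP 486).

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class LuringDemo {

    // Hypothetical log file; only the permission check is exercised, nothing is written
    static final FilePermission LOG_WRITE = new FilePermission("/tmp/myapp.log", "write");

    // The "policy file": a protection domain with a CodeSource (our own classes) gets any
    // permission; the untrusted domain below has no CodeSource and an empty static set,
    // so it is never granted anything.
    static class DemoPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return domain.getCodeSource() != null;
        }
    }

    // Trusted library code: demands the permission, as java.net.Socket demands
    // SocketPermission. The stack walk checks every caller above this frame.
    static String appendLog(String text) {
        AccessController.checkPermission(LOG_WRITE);
        return "logged: " + text;
    }

    // Same library, but vouching for its callers (the analogue of .NET's Assert):
    // the walk stops at the doPrivileged frame and never sees the untrusted caller.
    static String appendLogPrivileged(String text) {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> appendLog(text));
    }

    // Run a caller as untrusted code: doPrivileged with a context whose only domain
    // holds no permissions, so that domain takes part in every stack walk inside it.
    static <T> T runUntrusted(PrivilegedAction<T> caller) {
        Permissions none = new Permissions();
        ProtectionDomain untrusted = new ProtectionDomain(null, none);
        AccessControlContext sandbox = new AccessControlContext(new ProtectionDomain[] { untrusted });
        return AccessController.doPrivileged(caller, sandbox);
    }

    // The luring attack: untrusted code calls the trusted method directly.
    static String luringAttempt() {
        try {
            return runUntrusted(() -> appendLog("evil"));
        } catch (AccessControlException e) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new DemoPolicy());
        System.out.println(appendLog("direct call"));                                  // logged: direct call
        System.out.println(luringAttempt());                                           // denied
        System.out.println(runUntrusted(() -> appendLogPrivileged("via assert")));     // logged: via assert
    }
}
```

The second line of output is the stack walk doing its job: the untrusted domain sits in the walk and lacks the FilePermission, so the demand fails even though appendLog itself is trusted. The third line is the Assert pattern: doPrivileged cuts the walk off at the trusted frame, so the same untrusted caller succeeds, which is why the privileged block must only ever perform the one narrow operation it was written for.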
Imperative & Declarative Styles
• Imperative security actions can use information available only at run time, but cannot be discovered without running the code
• Declarative security actions are fixed at compile time and can be discovered without running the code (via reflection on the assembly's metadata)
Summary
• Access given to code can be determined from user identity or from code identity
• Code access security policy specifies the mapping of code identities onto sets of permissions; .NET resolves multiple policy levels and intersects the results
• Policy is enforced by a stack walk, to prevent malicious code from luring trusted code
• Stack walks can be controlled, e.g. using Assert and Deny in .NET