Introduction to Evidence-based security in.NET Framework Brad Merrill Program Manager.NET Frameworks...
-
date post
20-Jan-2016 -
Category
Documents
-
view
221 -
download
0
Transcript of Introduction to Evidence-based security in.NET Framework Brad Merrill Program Manager.NET Frameworks...
Introduction to Evidence-based Introduction to Evidence-based security in .NET Frameworksecurity in .NET Framework
Brad MerrillBrad Merrill
Program ManagerProgram Manager
.NET Frameworks Integration.NET Frameworks Integration
AgendaAgenda
The Problem: Customer ScenariosThe Problem: Customer Scenarios The Solution: .NET SecurityThe Solution: .NET Security Role-based SecurityRole-based Security Evidence-based SecurityEvidence-based Security DemosDemos
Defining the Problem:Defining the Problem:Customer ScenariosCustomer Scenarios
Scenario #1 – Active ContentScenario #1 – Active Content
Word Macro (In-process)
WordDoc.
E-Mail attachment(Out-of-process)
OutlookNew
ProcessE-Mail message
Scenario #2 – App ExtensibilityScenario #2 – App Extensibility
SQL Process
XSQL Code
UDF code
SQL server: UDFs (user defined functions)
Safe shared components
Unsafe components in SQL Environment
Scenario #3 – Controlled SharingScenario #3 – Controlled Sharing
Hostile AppMyApp1
MyShared Component
MyApp2
X
Signed by ‘My Corp.’
Scenario #4 – Rich Web AppsScenario #4 – Rich Web Apps
Rich control in web browser
IE Process
Local Disk
Transmit data
Web Script
Chart Ctrl
Web Server
IE Window
?
Scenario #5 – Off-Line ApplicationScenario #5 – Off-Line Application
IE
Shop.com
HTTP
Offline copy of catalog + App code
Local Disk
Off-line browse/shop
Scenario #6 – Web HostingScenario #6 – Web HostingService provider hosting 3rd party apps
System Resources
1
Thread Pool
Shared Components
Web Server
2 3Applications
The Solution:The Solution:.NET Security.NET Security
BackgroundBackground
.NET Security model is a .NET Security model is a combination of 2 elementscombination of 2 elements Role-based securityRole-based security Evidence-based securityEvidence-based security
Role-based SecurityRole-based Security
Common TermsCommon Terms Role-based SecurityRole-based Security
Making Authorization decisions based on the Making Authorization decisions based on the identity and/or role(s) of the entity on whose identity and/or role(s) of the entity on whose behalf an application is executing.behalf an application is executing.
IdentityIdentity Distinguishing characteristic of the entity on Distinguishing characteristic of the entity on
whose behalf an application is executing. whose behalf an application is executing. Commonly a user or account name.Commonly a user or account name.
PrincipalPrincipal The encapsulation of Identity and role The encapsulation of Identity and role
information—everything you need to know information—everything you need to know about an entity in order to make Authorization about an entity in order to make Authorization decisions.decisions.
Role-based Security Role-based Security InfrastructureInfrastructure
The CLR provides an infrastructure for The CLR provides an infrastructure for managing identity and role information.managing identity and role information. A Host authenticates the user and A Host authenticates the user and
provides the identity and role information provides the identity and role information to the CLRto the CLR
The CLR makes that information available The CLR makes that information available to code via APIs and permission demands to code via APIs and permission demands (both imperative and declarative)(both imperative and declarative)
Example: Example: ASP.NETASP.NET
Using the Role-based APIsUsing the Role-based APIs Example: checking a user’s NT group membershipExample: checking a user’s NT group membership
Must specify Windows authentication (requires Must specify Windows authentication (requires SecurityPermission)SecurityPermission)
Principal is accessed from the Thread objectPrincipal is accessed from the Thread object
public bool IsAdministrator() {
//Default principal is unauthenticated
//We must tell the system we want to use Windows auth
AppDomain.CurrentDomain.SetPrincipalPolicy
(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal user =
Thread.CurrentPrincipal as WindowsPrincipal;
return user.IsInRole("Administrators");
}
C#C#
Using the Principal permissionUsing the Principal permission
Example: a declarative demand to ensure the user is Example: a declarative demand to ensure the user is in the Administrator groupin the Administrator group Must specify Windows authentication (requires Must specify Windows authentication (requires
SecurityPermission)SecurityPermission) Like demands for other permissions, a principal permission Like demands for other permissions, a principal permission
demand will throw an exception if it failsdemand will throw an exception if it fails Name, Role, or both can be supplied as named parametersName, Role, or both can be supplied as named parameters
[PrincipalPermission
(SecurityAction.Demand, Role="Administrators")]
public void ProtectedMethod() {
//does some operation reserved for Administrators
}
C#C#
ConsiderationsConsiderations
Lazy authentication: we don’t create a Lazy authentication: we don’t create a principal object until you ask for it.principal object until you ask for it.
The role-based security functionality in the The role-based security functionality in the CLR does not replace COM+ 1.0 Services CLR does not replace COM+ 1.0 Services security.security. If your application contains both managed and If your application contains both managed and
unmanaged (COM) components, consider using unmanaged (COM) components, consider using COM+ 1.0 Services role-based security via the COM+ 1.0 Services role-based security via the managed wrappers.managed wrappers.
If your application is entirely managed, CLR If your application is entirely managed, CLR role-based security may be just what you need.role-based security may be just what you need.
Common TermsCommon Terms AuthenticationAuthentication
Determining the identity of the party/entity making a Determining the identity of the party/entity making a request.request. User authentication is generally by means of name/password User authentication is generally by means of name/password
verification.verification. Code authentication can be done by collecting evidence about Code authentication can be done by collecting evidence about
the code: location of origin, digital signature, hash, etc.the code: location of origin, digital signature, hash, etc.
AuthorizationAuthorization Determining whether to honor a request made by an Determining whether to honor a request made by an
identified party/entity.identified party/entity. User authorization is generally done by business logic or by the User authorization is generally done by business logic or by the
system (NTFS access control lists, IIS security settings, etc.)system (NTFS access control lists, IIS security settings, etc.) Code authorization is achieved via policy—analyzing evidence in Code authorization is achieved via policy—analyzing evidence in
order to grant appropriate permissions.order to grant appropriate permissions.
Evidence-based SecurityEvidence-based Security
Evidence-Based SecurityEvidence-Based Security
PermissionsPermissions Objects that represent specific authorizationsObjects that represent specific authorizations
PolicyPolicy Determines what code is permitted to do:Determines what code is permitted to do:
set of permissions to grant to an assemblyset of permissions to grant to an assembly EvidenceEvidence
Inputs to policy about code, from multiple Inputs to policy about code, from multiple sourcessources
All three are fully extensibleAll three are fully extensible
PermissionsPermissions
A A permissionpermission object object represents a specific represents a specific authorization, such as access to a resourceauthorization, such as access to a resource ““permission to do something”permission to do something”
A A permission permission grantgrant is an authorization given to is an authorization given to an assembly (code)an assembly (code) ““this code is authorized to do something”this code is authorized to do something”
A A permission permission demanddemand is a security check for is a security check for corresponding grantscorresponding grants ““is something allowed?” (else, raise exception)is something allowed?” (else, raise exception)
Standard .NET permissionsStandard .NET permissions Permissions for Framework resourcesPermissions for Framework resources
These permissions represent access to These permissions represent access to protected resources.protected resources.
DataData Directory ServicesDirectory Services DNSDNS
Environment Environment VariablesVariables
Event LogEvent Log File DialogFile Dialog
File IOFile IO WebWeb Isolated StorageIsolated Storage
Message Message QueueQueue
Performance Performance CountersCounters
PrintingPrinting
ReflectionReflection RegistryRegistry Security SystemSecurity System
SocketSocket UIUI ……(Italicized permission are Beta 2)
Standard .NET permissionsStandard .NET permissions Identity permissionsIdentity permissions
These permissions represent code identity. These permissions represent code identity. They are granted to code based on its They are granted to code based on its corresponding evidence.corresponding evidence.
PublisherPublisher URLURL
SiteSite ZoneZone
Strong NameStrong Name
Other permissionsOther permissions A user identity permission is also A user identity permission is also
supported. This is the only non-code supported. This is the only non-code access permission in the Framework.access permission in the Framework.
Principal (User Identity/Role)Principal (User Identity/Role)
Code Access SecurityCode Access Security
Most permissions are Most permissions are code access code access permissionspermissions Demanding a permission performs a Demanding a permission performs a stack stack
walk walk checking for related grants checking for related grants of all of all callerscallers
Support dynamic stack modifiersSupport dynamic stack modifiers Two ways to make checks:Two ways to make checks:
Imperatively (method implementation)Imperatively (method implementation) Declaratively (method metadata)Declaratively (method metadata)
Normal application code view of Normal application code view of security enforcementsecurity enforcement
Most applications get security Most applications get security enforcement simply by calling the enforcement simply by calling the class librariesclass libraries
try {
Environment.GetEnvironmentVariable ("USERNAME") ;
}
catch ( SecurityException se ) {
Console.WriteLine ("SECURITY EXCEPTION:" + se.ToString()) ;
}
C#C#
Stack Walk BehaviorStack Walk Behavior
Assembly A3Assembly A3
Assembly A2Assembly A2
Assembly A1Assembly A1
Assembly A4Assembly A4
Call StackCall StackGrows DownGrows Down
G2G2
G1G1
G3G3
G4G4
Each assembly has a set Each assembly has a set of corresponding grantsof corresponding grants
Method in AssemblyMethod in AssemblyA4 demands a A4 demands a permission Ppermission P
PP
P is compared P is compared with grants of all with grants of all callers on the callers on the stack above A4stack above A4
PP
PP
PP
Stack Walk ModifiersStack Walk Modifiers Modifiers provide fine-grained, Modifiers provide fine-grained,
dynamic control over state of grants dynamic control over state of grants on the stackon the stack
AssertionAssertion ““I vouch for my callers; checks for I vouch for my callers; checks for permperm
can stop at this frame”can stop at this frame” Example: “Gatekeeper” classesExample: “Gatekeeper” classes
Managed wrappers for unmanaged Managed wrappers for unmanaged resourcesresources DemandDemand appropriate permission from caller appropriate permission from caller AssertAssert permission to call unmanaged code permission to call unmanaged code Make the unmanaged callMake the unmanaged call
Imperative Security ChecksImperative Security Checks
Example: the File object constructorExample: the File object constructor Requires read access to the corresponding fileRequires read access to the corresponding file
public File(String fileName) {
// Must fully qualify the path for the security check
String fullPath = Directory.GetFullPathInternal(fileName);
new FileIOPermission(FileIOPermissionAccess.Read, fullPath) .Demand();
//[… read the specified file at behest of caller(s) …]
}
C#C#
Declarative Security ChecksDeclarative Security Checks
Declarative security isDeclarative security is Part of a method’s metadataPart of a method’s metadata Implemented with custom attributesImplemented with custom attributes Processed by JITProcessed by JIT
[FileIOPermission(SecurityAction.Demand, Read = ”c:\\temp”)]
public void foo() {
// class does something with c:\temp
} C#C#
ControllingControlling access to code access to code
Identity permissions allow the same Identity permissions allow the same security checks on identity of codesecurity checks on identity of code Digital signature, location (URL, site), etc.Digital signature, location (URL, site), etc.
Declarative security checks by JIT Declarative security checks by JIT instead of (most costly) runtime instead of (most costly) runtime checkschecks LinkDemand: code reference by a callerLinkDemand: code reference by a caller InheritanceDemand: subclass/overridingInheritanceDemand: subclass/overriding
Combination provides a tool for Combination provides a tool for developers to control who uses code developers to control who uses code
Controlling access to code Controlling access to code (cont.)(cont.)
Example: controlling access with a Strong Example: controlling access with a Strong Name identity link demand.Name identity link demand. Ensures that the immediate caller is signed with Ensures that the immediate caller is signed with
the given key and has the correct name and the given key and has the correct name and version.version.
[StrongNameIdentityPermissionAttribute(SecurityAction.LinkDemand,
PublicKey="00240000048000009400000006020000…",
Name=“MyApp", Version="0.0.0.0")]
// Only MyApp can use this class
public class MyClass {
…
}
C#C#
Controlling access to code Controlling access to code (cont.)(cont.)
Example: calling code that is restricted by a Example: calling code that is restricted by a Strong Name check.Strong Name check. Calling code must be signed with the private key Calling code must be signed with the private key
corresponding to the public key used in the corresponding to the public key used in the previous example.previous example.
[assembly: AssemblyKeyFileAttribute ("keypair.dat")]
[assembly: AssemblyVersionAttribute ("0.0.0.0")]
public class MyApp {
…
} C#C#
PolicyPolicy
PolicyPolicy is the process of determining the is the process of determining the permissions to grant to codepermissions to grant to code Permissions granted to code, not userPermissions granted to code, not user Grants are on a per-assembly basisGrants are on a per-assembly basis
Multiple levels of policyMultiple levels of policy Machine-wide, User-specific Machine-wide, User-specific Enterprise support: Group Policy Enterprise support: Group Policy (Beta 2)(Beta 2) Further policy restrictions allowed on a per-Further policy restrictions allowed on a per-
application domain basisapplication domain basis
Inside policyInside policy A policy level is a collection of A policy level is a collection of code groupscode groups
Code has identity in the runtime, just like users have Code has identity in the runtime, just like users have identity in Windows NTidentity in Windows NT®®
Permissions are associated with each code groupPermissions are associated with each code group
Evidence determines group membershipEvidence determines group membership In the group, get granted the related permissions In the group, get granted the related permissions
All CodeAll Code
Publisher:Publisher:MicrosoftMicrosoft
Zone:Zone:InternetInternet
Zone:Zone:Local IntranetLocal Intranet
Site:Site:XYZ.COMXYZ.COM
Strong Name:Strong Name:MS.OfficeMS.Office
Strong Name:Strong Name:MS.MoneyMS.Money
Site:Site:localweblocalweb
PP
PP
Publisher:Publisher:Corp. AdminCorp. Admin
PP PPPP
PPPPPP
PP
All CodeAll Code
Zone:Zone:Local IntranetLocal Intranet
Zone:Zone:Local IntranetLocal Intranet
All CodeAll Code
Sample Policy LevelSample Policy Level Example: MS.Money on Local IntranetExample: MS.Money on Local Intranet
Member of four groups (highlighted)Member of four groups (highlighted) Granted permissions = P1 Granted permissions = P1 P2 P2 P7 P7 P4 P4
Publisher:Publisher:MicrosoftMicrosoft
Zone:Zone:InternetInternet
Site:Site:XYZ.COMXYZ.COM
Strong Name:Strong Name:MS.OfficeMS.Office
Strong Name:Strong Name:MS.MoneyMS.Money
Site:Site:infowebinfoweb
Publisher:Publisher:Corp. AdminCorp. Admin
P8P8 P9P9
P5P5P3P3
P6P6
P1P1
P4P4
Strong Name:Strong Name:MS.MoneyMS.Money
Publisher:Publisher:MicrosoftMicrosoft
P2P2
P7P7
EvidenceEvidence EvidenceEvidence is the input to policy is the input to policy Example: Info about a code assemblyExample: Info about a code assembly
Shared namesShared names Publisher identityPublisher identity Location of origin (URL, zone, site)Location of origin (URL, zone, site)
Evidence is completely extensibleEvidence is completely extensible Any object can be a piece of evidenceAny object can be a piece of evidence Only impacts grants if there is a code Only impacts grants if there is a code
group membership condition that cares group membership condition that cares about it!about it!
cryptographicallystrong}
Host Control of PolicyHost Control of Policy
Hosts can influence policyHosts can influence policy Hosts specify “implicitly trusted” evidence Hosts specify “implicitly trusted” evidence Custom membership conditions can Custom membership conditions can
interface with other authorization systemsinterface with other authorization systems Example: ASP.NET/ISP application hostingExample: ASP.NET/ISP application hosting Semi-trusted hosting cannot provide Semi-trusted hosting cannot provide
evidenceevidence Hosts can limit policy for application Hosts can limit policy for application
domains they createdomains they create Example: SQL ServerExample: SQL Server™™ user-defined user-defined
assembliesassemblies
Assembly Input To Policy Assembly Input To Policy
Assemblies can Assemblies can requestrequest permissions permissions Three types of request: Minimal, Optional, RefuseThree types of request: Minimal, Optional, Refuse If policy does not grant everything in the “Minimal” If policy does not grant everything in the “Minimal”
set, assembly fails to loadset, assembly fails to load Assembly is granted: Assembly is granted:
(MaxAllowed (MaxAllowed (Minimal (Minimal Optional)) – Refused Optional)) – Refused Assemblies can carry evidence, tooAssemblies can carry evidence, too
Assembly evidence is “initially untrusted”Assembly evidence is “initially untrusted” Policy evaluates assembly evidence and decides Policy evaluates assembly evidence and decides
whether to use itwhether to use it Example: third-party certificationsExample: third-party certifications
[assembly:UIPermissionAttribute
(SecurityAction.RequestMinimum,
Window=UIPermissionWindow.SafeSubWindows)]
[assembly:FileIOPermissionAttribute
(SecurityAction.RequestOptional,All="C:\\")]
[assembly:SecurityPermissionAttribute
(SecurityAction.RequestRefused,UnmanagedCode=true)]
Sample Permission RequestSample Permission Request
Request (minimum,optional,refused)Request (minimum,optional,refused) If none, code gets maximum policy If none, code gets maximum policy
givesgives
C#C#
Run-time SecurityRun-time Security
Evidence
Component 3 IL
Component 1
Component 2
G1
G2
Trusted Host Code
Policy to
Apply
Policy Mgr
Perm Reques
t
Sec. Policy
+
=
Component 3 G3
Inheritance,LinkDemand?
JIT/Verify
Typesafe?
SummarySummary
Great Customer ExperienceGreat Customer Experience
End-userEnd-user Managed apps just run, consistent experience for Managed apps just run, consistent experience for
scripts, exes, controlsscripts, exes, controls Safe defaults, no runtime trust decisions for usersSafe defaults, no runtime trust decisions for users
AdministratorAdministrator All settings in one place, easy to customize All settings in one place, easy to customize Understandable policy model (need Beta feedback)Understandable policy model (need Beta feedback) Security administration tool coming in Beta 2Security administration tool coming in Beta 2
DeveloperDeveloper Can focus on app logic, security comes for freeCan focus on app logic, security comes for free But, easy to use and extend when necessary But, easy to use and extend when necessary
(i.e., protecting a new shared resource)(i.e., protecting a new shared resource)
Minimizing Security FlawsMinimizing Security Flaws
Typesafe codeTypesafe code Managed code verified for typesafety at runtimeManaged code verified for typesafety at runtime Eliminates most common security problemsEliminates most common security problems
Buffer overrun attacksBuffer overrun attacks Reading private state or uninitialized memoryReading private state or uninitialized memory Access arbitrary memory in process spaceAccess arbitrary memory in process space Transfer execution to arbitrary location in Transfer execution to arbitrary location in
processprocess Developers can use ‘least privilege’ Developers can use ‘least privilege’ Code access security blocks most ‘luring’ Code access security blocks most ‘luring’
attacksattacks
Questions?Questions?