Introduction to Evidence-based security in.NET Framework Brad Merrill Program Manager.NET Frameworks...

Introduction to Evidence-based Introduction to Evidence-based security in .NET Frameworksecurity in .NET Framework

Brad MerrillBrad Merrill

Program ManagerProgram Manager

.NET Frameworks Integration.NET Frameworks Integration

AgendaAgenda

The Problem: Customer ScenariosThe Problem: Customer Scenarios The Solution: .NET SecurityThe Solution: .NET Security Role-based SecurityRole-based Security Evidence-based SecurityEvidence-based Security DemosDemos

Defining the Problem:Defining the Problem:Customer ScenariosCustomer Scenarios

Scenario #1 – Active ContentScenario #1 – Active Content

Word Macro (In-process)

WordDoc.

E-Mail attachment(Out-of-process)

OutlookNew

ProcessE-Mail message

Scenario #2 – App ExtensibilityScenario #2 – App Extensibility

SQL Process

XSQL Code

UDF code

SQL server: UDFs (user defined functions)

Safe shared components

Unsafe components in SQL Environment

Scenario #3 – Controlled SharingScenario #3 – Controlled Sharing

Hostile AppMyApp1

MyShared Component

MyApp2

X

Signed by ‘My Corp.’

Scenario #4 – Rich Web AppsScenario #4 – Rich Web Apps

Rich control in web browser

IE Process

Local Disk

Transmit data

Web Script

Chart Ctrl

Web Server

IE Window

?

Scenario #5 – Off-Line ApplicationScenario #5 – Off-Line Application

IE

Shop.com

HTTP

Offline copy of catalog + App code

Local Disk

Off-line browse/shop

Scenario #6 – Web HostingScenario #6 – Web HostingService provider hosting 3rd party apps

System Resources

1

Thread Pool

Shared Components

Web Server

2 3Applications

The Solution:The Solution:.NET Security.NET Security

BackgroundBackground

.NET Security model is a .NET Security model is a combination of 2 elementscombination of 2 elements Role-based securityRole-based security Evidence-based securityEvidence-based security

Role-based SecurityRole-based Security

Common TermsCommon Terms Role-based SecurityRole-based Security

Making Authorization decisions based on the Making Authorization decisions based on the identity and/or role(s) of the entity on whose identity and/or role(s) of the entity on whose behalf an application is executing.behalf an application is executing.

IdentityIdentity Distinguishing characteristic of the entity on Distinguishing characteristic of the entity on

whose behalf an application is executing. whose behalf an application is executing. Commonly a user or account name.Commonly a user or account name.

PrincipalPrincipal The encapsulation of Identity and role The encapsulation of Identity and role

information—everything you need to know information—everything you need to know about an entity in order to make Authorization about an entity in order to make Authorization decisions.decisions.

Role-based Security Role-based Security InfrastructureInfrastructure

The CLR provides an infrastructure for The CLR provides an infrastructure for managing identity and role information.managing identity and role information. A Host authenticates the user and A Host authenticates the user and

provides the identity and role information provides the identity and role information to the CLRto the CLR

The CLR makes that information available The CLR makes that information available to code via APIs and permission demands to code via APIs and permission demands (both imperative and declarative)(both imperative and declarative)

Example: Example: ASP.NETASP.NET

Using the Role-based APIsUsing the Role-based APIs Example: checking a user’s NT group membershipExample: checking a user’s NT group membership

Must specify Windows authentication (requires Must specify Windows authentication (requires SecurityPermission)SecurityPermission)

Principal is accessed from the Thread objectPrincipal is accessed from the Thread object

public bool IsAdministrator() {

//Default principal is unauthenticated

//We must tell the system we want to use Windows auth

AppDomain.CurrentDomain.SetPrincipalPolicy

(PrincipalPolicy.WindowsPrincipal);

WindowsPrincipal user =

Thread.CurrentPrincipal as WindowsPrincipal;

return user.IsInRole("Administrators");

}

C#C#

Using the Principal permissionUsing the Principal permission

Example: a declarative demand to ensure the user is Example: a declarative demand to ensure the user is in the Administrator groupin the Administrator group Must specify Windows authentication (requires Must specify Windows authentication (requires

SecurityPermission)SecurityPermission) Like demands for other permissions, a principal permission Like demands for other permissions, a principal permission

demand will throw an exception if it failsdemand will throw an exception if it fails Name, Role, or both can be supplied as named parametersName, Role, or both can be supplied as named parameters

[PrincipalPermission

(SecurityAction.Demand, Role="Administrators")]

public void ProtectedMethod() {

//does some operation reserved for Administrators

}

C#C#

ConsiderationsConsiderations

Lazy authentication: we don’t create a Lazy authentication: we don’t create a principal object until you ask for it.principal object until you ask for it.

The role-based security functionality in the The role-based security functionality in the CLR does not replace COM+ 1.0 Services CLR does not replace COM+ 1.0 Services security.security. If your application contains both managed and If your application contains both managed and

unmanaged (COM) components, consider using unmanaged (COM) components, consider using COM+ 1.0 Services role-based security via the COM+ 1.0 Services role-based security via the managed wrappers.managed wrappers.

If your application is entirely managed, CLR If your application is entirely managed, CLR role-based security may be just what you need.role-based security may be just what you need.

Common TermsCommon Terms AuthenticationAuthentication

Determining the identity of the party/entity making a Determining the identity of the party/entity making a request.request. User authentication is generally by means of name/password User authentication is generally by means of name/password

verification.verification. Code authentication can be done by collecting evidence about Code authentication can be done by collecting evidence about

the code: location of origin, digital signature, hash, etc.the code: location of origin, digital signature, hash, etc.

AuthorizationAuthorization Determining whether to honor a request made by an Determining whether to honor a request made by an

identified party/entity.identified party/entity. User authorization is generally done by business logic or by the User authorization is generally done by business logic or by the

system (NTFS access control lists, IIS security settings, etc.)system (NTFS access control lists, IIS security settings, etc.) Code authorization is achieved via policy—analyzing evidence in Code authorization is achieved via policy—analyzing evidence in

order to grant appropriate permissions.order to grant appropriate permissions.

Evidence-based SecurityEvidence-based Security

Evidence-Based SecurityEvidence-Based Security

PermissionsPermissions Objects that represent specific authorizationsObjects that represent specific authorizations

PolicyPolicy Determines what code is permitted to do:Determines what code is permitted to do:

set of permissions to grant to an assemblyset of permissions to grant to an assembly EvidenceEvidence

Inputs to policy about code, from multiple Inputs to policy about code, from multiple sourcessources

All three are fully extensibleAll three are fully extensible

PermissionsPermissions

A A permissionpermission object object represents a specific represents a specific authorization, such as access to a resourceauthorization, such as access to a resource ““permission to do something”permission to do something”

A A permission permission grantgrant is an authorization given to is an authorization given to an assembly (code)an assembly (code) ““this code is authorized to do something”this code is authorized to do something”

A A permission permission demanddemand is a security check for is a security check for corresponding grantscorresponding grants ““is something allowed?” (else, raise exception)is something allowed?” (else, raise exception)

Standard .NET permissionsStandard .NET permissions Permissions for Framework resourcesPermissions for Framework resources

These permissions represent access to These permissions represent access to protected resources.protected resources.

DataData Directory ServicesDirectory Services DNSDNS

Environment Environment VariablesVariables

Event LogEvent Log File DialogFile Dialog

File IOFile IO WebWeb Isolated StorageIsolated Storage

Message Message QueueQueue

Performance Performance CountersCounters

PrintingPrinting

ReflectionReflection RegistryRegistry Security SystemSecurity System

SocketSocket UIUI ……(Italicized permission are Beta 2)

Standard .NET permissionsStandard .NET permissions Identity permissionsIdentity permissions

These permissions represent code identity. These permissions represent code identity. They are granted to code based on its They are granted to code based on its corresponding evidence.corresponding evidence.

PublisherPublisher URLURL

SiteSite ZoneZone

Strong NameStrong Name

Other permissionsOther permissions A user identity permission is also A user identity permission is also

supported. This is the only non-code supported. This is the only non-code access permission in the Framework.access permission in the Framework.

Principal (User Identity/Role)Principal (User Identity/Role)

Code Access SecurityCode Access Security

Most permissions are Most permissions are code access code access permissionspermissions Demanding a permission performs a Demanding a permission performs a stack stack

walk walk checking for related grants checking for related grants of all of all callerscallers

Support dynamic stack modifiersSupport dynamic stack modifiers Two ways to make checks:Two ways to make checks:

Imperatively (method implementation)Imperatively (method implementation) Declaratively (method metadata)Declaratively (method metadata)

Normal application code view of Normal application code view of security enforcementsecurity enforcement

Most applications get security Most applications get security enforcement simply by calling the enforcement simply by calling the class librariesclass libraries

try {

Environment.GetEnvironmentVariable ("USERNAME") ;

}

catch ( SecurityException se ) {

Console.WriteLine ("SECURITY EXCEPTION:" + se.ToString()) ;

}

C#C#

Stack Walk BehaviorStack Walk Behavior

Assembly A3Assembly A3




Call StackCall StackGrows DownGrows Down

G2G2

G1G1

G3G3

G4G4

Each assembly has a set Each assembly has a set of corresponding grantsof corresponding grants

Method in AssemblyMethod in AssemblyA4 demands a A4 demands a permission Ppermission P

PP

P is compared P is compared with grants of all with grants of all callers on the callers on the stack above A4stack above A4

PP

PP

PP

Stack Walk ModifiersStack Walk Modifiers Modifiers provide fine-grained, Modifiers provide fine-grained,

dynamic control over state of grants dynamic control over state of grants on the stackon the stack

AssertionAssertion ““I vouch for my callers; checks for I vouch for my callers; checks for permperm

can stop at this frame”can stop at this frame” Example: “Gatekeeper” classesExample: “Gatekeeper” classes

Managed wrappers for unmanaged Managed wrappers for unmanaged resourcesresources DemandDemand appropriate permission from caller appropriate permission from caller AssertAssert permission to call unmanaged code permission to call unmanaged code Make the unmanaged callMake the unmanaged call

Imperative Security ChecksImperative Security Checks

Example: the File object constructorExample: the File object constructor Requires read access to the corresponding fileRequires read access to the corresponding file

public File(String fileName) {

// Must fully qualify the path for the security check

String fullPath = Directory.GetFullPathInternal(fileName);

new FileIOPermission(FileIOPermissionAccess.Read, fullPath) .Demand();

//[… read the specified file at behest of caller(s) …]

}

C#C#

Declarative Security ChecksDeclarative Security Checks

Declarative security isDeclarative security is Part of a method’s metadataPart of a method’s metadata Implemented with custom attributesImplemented with custom attributes Processed by JITProcessed by JIT

[FileIOPermission(SecurityAction.Demand, Read = ”c:\\temp”)]

public void foo() {

// class does something with c:\temp

} C#C#

ControllingControlling access to code access to code

Identity permissions allow the same Identity permissions allow the same security checks on identity of codesecurity checks on identity of code Digital signature, location (URL, site), etc.Digital signature, location (URL, site), etc.

Declarative security checks by JIT Declarative security checks by JIT instead of (most costly) runtime instead of (most costly) runtime checkschecks LinkDemand: code reference by a callerLinkDemand: code reference by a caller InheritanceDemand: subclass/overridingInheritanceDemand: subclass/overriding

Combination provides a tool for Combination provides a tool for developers to control who uses code developers to control who uses code

Controlling access to code Controlling access to code (cont.)(cont.)

Example: controlling access with a Strong Example: controlling access with a Strong Name identity link demand.Name identity link demand. Ensures that the immediate caller is signed with Ensures that the immediate caller is signed with

the given key and has the correct name and the given key and has the correct name and version.version.

[StrongNameIdentityPermissionAttribute(SecurityAction.LinkDemand,

PublicKey="00240000048000009400000006020000…",

Name=“MyApp", Version="0.0.0.0")]

// Only MyApp can use this class

public class MyClass {

…

}

C#C#

Controlling access to code Controlling access to code (cont.)(cont.)

Example: calling code that is restricted by a Example: calling code that is restricted by a Strong Name check.Strong Name check. Calling code must be signed with the private key Calling code must be signed with the private key

corresponding to the public key used in the corresponding to the public key used in the previous example.previous example.

[assembly: AssemblyKeyFileAttribute ("keypair.dat")]

[assembly: AssemblyVersionAttribute ("0.0.0.0")]

public class MyApp {

…

} C#C#

PolicyPolicy

PolicyPolicy is the process of determining the is the process of determining the permissions to grant to codepermissions to grant to code Permissions granted to code, not userPermissions granted to code, not user Grants are on a per-assembly basisGrants are on a per-assembly basis

Multiple levels of policyMultiple levels of policy Machine-wide, User-specific Machine-wide, User-specific Enterprise support: Group Policy Enterprise support: Group Policy (Beta 2)(Beta 2) Further policy restrictions allowed on a per-Further policy restrictions allowed on a per-

application domain basisapplication domain basis

Inside policyInside policy A policy level is a collection of A policy level is a collection of code groupscode groups

Code has identity in the runtime, just like users have Code has identity in the runtime, just like users have identity in Windows NTidentity in Windows NT®®

Permissions are associated with each code groupPermissions are associated with each code group

Evidence determines group membershipEvidence determines group membership In the group, get granted the related permissions In the group, get granted the related permissions

All CodeAll Code

Publisher:Publisher:MicrosoftMicrosoft

Zone:Zone:InternetInternet

Zone:Zone:Local IntranetLocal Intranet

Site:Site:XYZ.COMXYZ.COM

Strong Name:Strong Name:MS.OfficeMS.Office

Strong Name:Strong Name:MS.MoneyMS.Money

Site:Site:localweblocalweb

PP

PP

Publisher:Publisher:Corp. AdminCorp. Admin

PP PPPP

PPPPPP

PP

All CodeAll Code



All CodeAll Code

Sample Policy LevelSample Policy Level Example: MS.Money on Local IntranetExample: MS.Money on Local Intranet

Member of four groups (highlighted)Member of four groups (highlighted) Granted permissions = P1 Granted permissions = P1 P2 P2 P7 P7 P4 P4


Zone:Zone:InternetInternet

Site:Site:XYZ.COMXYZ.COM

Strong Name:Strong Name:MS.OfficeMS.Office


Site:Site:infowebinfoweb

Publisher:Publisher:Corp. AdminCorp. Admin

P8P8 P9P9

P5P5P3P3

P6P6

P1P1

P4P4



P2P2

P7P7

EvidenceEvidence EvidenceEvidence is the input to policy is the input to policy Example: Info about a code assemblyExample: Info about a code assembly

Shared namesShared names Publisher identityPublisher identity Location of origin (URL, zone, site)Location of origin (URL, zone, site)

Evidence is completely extensibleEvidence is completely extensible Any object can be a piece of evidenceAny object can be a piece of evidence Only impacts grants if there is a code Only impacts grants if there is a code

group membership condition that cares group membership condition that cares about it!about it!

cryptographicallystrong}

Host Control of PolicyHost Control of Policy

Hosts can influence policyHosts can influence policy Hosts specify “implicitly trusted” evidence Hosts specify “implicitly trusted” evidence Custom membership conditions can Custom membership conditions can

interface with other authorization systemsinterface with other authorization systems Example: ASP.NET/ISP application hostingExample: ASP.NET/ISP application hosting Semi-trusted hosting cannot provide Semi-trusted hosting cannot provide

evidenceevidence Hosts can limit policy for application Hosts can limit policy for application

domains they createdomains they create Example: SQL ServerExample: SQL Server™™ user-defined user-defined

assembliesassemblies

Assembly Input To Policy Assembly Input To Policy

Assemblies can Assemblies can requestrequest permissions permissions Three types of request: Minimal, Optional, RefuseThree types of request: Minimal, Optional, Refuse If policy does not grant everything in the “Minimal” If policy does not grant everything in the “Minimal”

set, assembly fails to loadset, assembly fails to load Assembly is granted: Assembly is granted:

(MaxAllowed (MaxAllowed (Minimal (Minimal Optional)) – Refused Optional)) – Refused Assemblies can carry evidence, tooAssemblies can carry evidence, too

Assembly evidence is “initially untrusted”Assembly evidence is “initially untrusted” Policy evaluates assembly evidence and decides Policy evaluates assembly evidence and decides

whether to use itwhether to use it Example: third-party certificationsExample: third-party certifications

[assembly:UIPermissionAttribute

(SecurityAction.RequestMinimum,

Window=UIPermissionWindow.SafeSubWindows)]

[assembly:FileIOPermissionAttribute

(SecurityAction.RequestOptional,All="C:\\")]

[assembly:SecurityPermissionAttribute

(SecurityAction.RequestRefused,UnmanagedCode=true)]

Sample Permission RequestSample Permission Request

Request (minimum,optional,refused)Request (minimum,optional,refused) If none, code gets maximum policy If none, code gets maximum policy

givesgives

C#C#

Run-time SecurityRun-time Security

Evidence

Component 3 IL

Component 1

Component 2

G1

G2

Trusted Host Code

Policy to

Apply

Policy Mgr

Perm Reques

t

Sec. Policy

+

=

Component 3 G3

Inheritance,LinkDemand?

JIT/Verify

Typesafe?

SummarySummary

Great Customer ExperienceGreat Customer Experience

End-userEnd-user Managed apps just run, consistent experience for Managed apps just run, consistent experience for

scripts, exes, controlsscripts, exes, controls Safe defaults, no runtime trust decisions for usersSafe defaults, no runtime trust decisions for users

AdministratorAdministrator All settings in one place, easy to customize All settings in one place, easy to customize Understandable policy model (need Beta feedback)Understandable policy model (need Beta feedback) Security administration tool coming in Beta 2Security administration tool coming in Beta 2

DeveloperDeveloper Can focus on app logic, security comes for freeCan focus on app logic, security comes for free But, easy to use and extend when necessary But, easy to use and extend when necessary

(i.e., protecting a new shared resource)(i.e., protecting a new shared resource)

Minimizing Security FlawsMinimizing Security Flaws

Typesafe codeTypesafe code Managed code verified for typesafety at runtimeManaged code verified for typesafety at runtime Eliminates most common security problemsEliminates most common security problems

Buffer overrun attacksBuffer overrun attacks Reading private state or uninitialized memoryReading private state or uninitialized memory Access arbitrary memory in process spaceAccess arbitrary memory in process space Transfer execution to arbitrary location in Transfer execution to arbitrary location in

processprocess Developers can use ‘least privilege’ Developers can use ‘least privilege’ Code access security blocks most ‘luring’ Code access security blocks most ‘luring’

attacksattacks

Questions?Questions?

Introduction to Evidence-based security in.NET Framework Brad Merrill Program Manager.NET Frameworks...

Documents

Transcript of Introduction to Evidence-based security in.NET Framework Brad Merrill Program Manager.NET Frameworks...