WCF Security

WCF security: patterns & practices ante.gulam[at]ri-ing.net

description

Security basics and tips/tricks for WCF services.

Transcript of WCF Security

Page 1: WCF Security

WCF security: patterns & practices

ante.gulam[at]ri-ing.net

Page 2: WCF Security

Overview

• Intro [Service-Oriented Architecture, MS WCF]
• Defining Web Service Threats
• Overview of WCF Security Basics
• Configuration - Starting Point and Ending Point
• Bindings In Depth
• Securing Transport Channel - Integrity and Auth.
• Messages - What I Send is What You Get?
• Few Code-Based WCF Security Best Practices
• Outro [conclusion]

Page 3: WCF Security

Intro

• SOA in general (discovery, description, messaging)
  – UDDI XML Hierarchy
  – UDDI Discovery (automated scanning tools)
  – WSDL and XSD Descriptions
  – SOAP vs. REST XML Protocols
• SOA Security Issues (ASMX, WCF, Java ...)
• WCF (Indigo/2006) - .NET Web Service Technology
• Endpoints (Transport & Bindings)
  – ABC (Address/Binding/Contract)
  – HTTP, TCP, named pipes, MSMQ ...
  – MEX – Metadata Exchange

Page 4: WCF Security

Defining Web Service Threats

• Attractive target
  • Open to the World (rare filtering access scheme)
  • Direct connection to core application
  • Direct connection to core data
• Discovering and Attacking Web Services
  • WS-discovery (service behaviorConfiguration="serviceDiscoverable") probe: 3702
  – WSScanner
    • Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool
  • WCF Test Harness – flexible tool for quick service tests
  • Common WApp vulns: SQL injection, session theft, XML DoS ...
• XML/SOAP Manipulation (abusing the protocol)
  – Eavesdropping Message Exchange
  – Message Protection Methods
• Configuration Data Injection (tampering .conf)
• Local/UDDI XML Processing attack

Page 5: WCF Security

Overview of WCF Security Basics

• Logging and Auditing
  • Debugging and Attack Detection
• Authentication
  • Identify Clients
    » Users, Services, Processes, Machines ...
    » MiTM Attack Mitigation
  • Transport Security Mode (cert, NTLM, basic ...)
  • Message Security Mode (cert, token, username ...)
• Authorization
  • Role-based
  • Identity-based
  • Resource-based
• Confidentiality
  • Encryption of Traffic client <-> WCF service
• Integrity

Page 6: WCF Security

Configuration - Starting Point and Ending Point

• Web.config start-up
• Web.config encryption
  • section.SectionInformation.ProtectSection
• <system.serviceModel>
  • Services
    » Defining Service Endpoints
  • Bindings
    » Basic, WS, WSDual, NetTcp ...
  • Behaviors
    » <throttling> and other custom behaviors
• <Credentials /> Stored in Config
    <credentials passwordFormat="Clear">
      <user name="user1" password="pass1"/>
    </credentials>
• Max Message Size ???? (avoid 2147483647)
• Encrypting configuration files (CL tools, code-based...)
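
The code-based route to the ProtectSection call named above, as an added example that is not from the original slides: it encrypts one section of the service's configuration file with a built-in protected-configuration provider. The class name, the `connectionStrings` section and the provider default are assumptions chosen for illustration.

```csharp
using System;
using System.Configuration;

public static class ConfigProtector   // hypothetical helper, not part of WCF
{
    // Encrypts one configuration section in place; returns true if the file changed.
    // sectionPath is an assumption, e.g. "connectionStrings" or "appSettings".
    public static bool Protect(Configuration config, string sectionPath,
        string provider = "RsaProtectedConfigurationProvider")
    {
        ConfigurationSection section = config.GetSection(sectionPath);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionPath);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false;                 // already encrypted, nothing to do
        if (info.IsLocked)
            throw new InvalidOperationException("Section is locked: " + sectionPath);

        info.ProtectSection(provider);    // built-in RSA or DPAPI provider name
        info.ForceSave = true;            // write the section even if unmodified
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static void Main()
    {
        // Self-hosted service: protects <exe>.config. Under IIS, open the file with
        // System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration("~").
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        bool changed = Protect(config, "connectionStrings");
        Console.WriteLine(changed ? "encrypted" : "already protected");
    }
}
```

With the RSA provider the key container can be exported to other servers in a farm; the DPAPI provider (`DataProtectionConfigurationProvider`) ties the ciphertext to the machine that encrypted it.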

Page 7: WCF Security

Bindings in Depth

• System.ServiceModel.Channels.Binding class
• Binding types and Security Modes
  – WSHttpBinding b = new WSHttpBinding(); b.Security.Mode = SecurityMode.?????:
    • Transport Security
    • Mixed-Mode Security
    • Message Security
• Considering Scenarios for the right Bindings
  • Clients accessing through the Internet (wshttp)
  • Legacy clients (http)
  • Intranet (netTCP)
  • Local Machine Clients (netNamedPipeBinding)
  • Disconnected queued calls support (netMsmqBinding)
  • Bidirectional communication support (wsDualHttp)

Page 8: WCF Security

• System-Provided bindings

– BasicHttpBinding: An HTTP protocol binding suitable for connecting to Web services that conform to the WS-I Basic Profile specification (for example, ASP.NET Web services-based services)

– WSHttpBinding: An interoperable binding suitable for connecting to endpoints that conform to the WS-* protocols.

– NetNamedPipeBinding: Uses the .NET Framework to connect to other WCF endpoints on the same machine.

– NetMsmqBinding: Uses the .NET Framework to create queued message connections with other WCF endpoints.

• Custom Bindings
  – Meet Requirements of Your Service

Page 9: WCF Security

Securing Transport Channel

• SSL tunneling on WS transport channel
• Choosing secure binding or SSL transport??
  – More and more on security (end-to-end, part encrypt)
  – Performances on Message/Transport level
  – Combining Message and Transport security
• Custom Binding and Custom Validator
  • public override void Validate(string uname, string pass)
  • <binding name="CustomBinding">
      <security authenticationMode="UserNameOverTransport"> </security>
    </binding>
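
One way to wire the Validate override above into a host in code, added here as an example and not taken from the slides: it uses the system-provided WSHttpBinding in mixed mode (TransportWithMessageCredential) instead of the custom binding, and keeps the message size bounded. `ServiceUserValidator`, `HardenedHost` and the `verify` delegate are hypothetical names.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public class ServiceUserValidator : UserNamePasswordValidator
{
    // Hypothetical credential check supplied by the application (salted-hash lookup etc.).
    private readonly Func<string, string, bool> verify;

    public ServiceUserValidator(Func<string, string, bool> verify)
    {
        this.verify = verify;
    }

    public override void Validate(string uname, string pass)
    {
        // One generic error for every failure, so responses do not reveal valid user names.
        if (string.IsNullOrEmpty(uname) || string.IsNullOrEmpty(pass) || !verify(uname, pass))
            throw new SecurityTokenException("Invalid user name or password.");
    }
}

public static class HardenedHost
{
    public static ServiceHost Create(Type serviceType, Type contract, Uri httpsAddress,
                                     Func<string, string, bool> verify)
    {
        // HTTPS protects the channel; the user name token travels inside the SOAP message.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.MaxReceivedMessageSize = 64 * 1024;   // bounded, not 2147483647

        var host = new ServiceHost(serviceType, httpsAddress);
        host.AddServiceEndpoint(contract, binding, string.Empty);

        // Route user name tokens to the custom validator instead of Windows accounts.
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new ServiceUserValidator(verify);
        return host;   // caller invokes host.Open() once the HTTPS certificate is bound
    }
}
```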

Page 10: WCF Security

Messages - What I Send is What You Get?

• Message integrity check
  • Ability to detect and manage invalid data
  • Imposition of complete transactions
  • Rollbacks
• [ServiceBehavior] attribute: Transaction Isolation - Serializable transaction
  – protection for consistent data
• Hash calculation on message: xml/json messages (HMAC, SHA1..)
• ETag (base64 encoding of the md5sum)
• Distributed Transaction Controller
  – Single Transaction building
    • ‘Global’ Rollback (whole call chain rollback)
  – transactionFlow="true"

Page 11: WCF Security

Few Code-Based WCF Security Best Practices

• using() and try/finally keywords in WCF ?
• Why to Avoid Them???
  – IL almost identical
  – So, where is the problem!?!?
• During Disposal the Channel is NEVER closed!
• Control the catch of Exceptions
• Use a global exception handler to catch unhandled exceptions
• FaultContract
  • [FaultContract(typeof(CustomException))]
  – throw new FaultException<MathFault>(mf);

Page 12: WCF Security

• using()
    IL_0000: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
    IL_0005: stloc.0
    .try
    {
      IL_0006: leave.s IL_0012
    } // end .try
    finally
    {
      IL_0008: ldloc.0
      IL_0009: brfalse.s IL_0011
      IL_000b: ldloc.0
      IL_000c: callvirt instance void [mscorlib]System.IDisposable::Dispose()
      IL_0011: endfinally
    } // end handler

• try/finally block
    IL_0012: ldnull
    IL_0013: stloc.1
    .try
    {
      IL_0014: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
      IL_0019: stloc.1
      IL_001a: leave.s IL_0026
    } // end .try
    finally
    {
      IL_001c: ldloc.1
      IL_001d: brfalse.s IL_0025
      IL_001f: ldloc.1
      IL_0020: callvirt instance void [System]System.ComponentModel.Component::Dispose()
      IL_0025: endfinally
    } // end handler

Page 13: WCF Security

• CAS in WCF services
  – [assembly: AllowPartiallyTrustedCallers]
  – [PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
  – Calling out from the Restricted client Environment
    • Security breach – bypass direct connection
  – PartialTrustClientBase<T> ??
  – GAC on the client side?
    • Proxy Assembly Installation
  – Raw WCF Demands

Page 14: WCF Security

• ChannelFactory class
  – Used in advanced scenarios
  – Creation of Multiple Channels for Communication
    • ChannelFactory<xx> myChannelFactory = new ChannelFactory<xx>(myBinding, myEndpoint);
      xx wcfClient1 = myChannelFactory.CreateChannel();
  – channelFactory.Credentials (username/password)
  – Avoid Creation of ChannelFactory on each page call (overhead)
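
The explicit Close/Abort pattern that replaces using() on a WCF channel, combined with a ChannelFactory that is created once and reused, as an added example that is not from the original slides. It serves both the using() slides and the ChannelFactory slide; `ChannelCall`, `ICalculator` and `Add` are hypothetical names.

```csharp
using System;
using System.ServiceModel;

[ServiceContract]
public interface ICalculator          // hypothetical contract used in the usage comment
{
    [OperationContract]
    int Add(int a, int b);
}

public static class ChannelCall
{
    // Creates a fresh channel from a long-lived factory, runs one unit of work,
    // and always releases the channel: Close() on success, Abort() on any failure.
    public static TResult Invoke<TChannel, TResult>(
        ChannelFactory<TChannel> factory, Func<TChannel, TResult> work)
    {
        TChannel channel = factory.CreateChannel();
        var comm = (ICommunicationObject)channel;
        try
        {
            TResult result = work(channel);
            comm.Close();     // graceful shutdown; throws if the channel is Faulted
            return result;
        }
        catch
        {
            // Covers FaultException, CommunicationException, TimeoutException and a
            // failed Close(): Abort() releases the channel immediately without throwing,
            // and the original exception reaches the caller unmasked.
            comm.Abort();
            throw;
        }
    }
}

// Usage (binding and endpoint are assumed to be configured elsewhere):
//   static readonly ChannelFactory<ICalculator> Factory =
//       new ChannelFactory<ICalculator>(myBinding, myEndpoint);   // built once, reused
//   int sum = ChannelCall.Invoke(Factory, c => c.Add(2, 3));
```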

Page 15: WCF Security

• Make a port scanner out of WCF
  – WSDualHttpBinding
  – “CreateSequence” SOAP request
  – “ReplyTo” address

• https://github.com/GDSSecurity/WCF-WSDualHttpBinding-Port-Scanner

Page 16: WCF Security

Outro [conclusion]

• What have we remembered to make our WS more secure?
  – Best practice – combine technologies and techniques to get security on higher level!!!
• Combine Smart Coding with Good Configuration
• Test your WCF’s on various attack techniques
• ServiceThrottlingBehavior class
  – MaxConcurrentCalls (default = 16) [Per-message]
  – MaxConcurrentInstances (default = Int32.Max)
    • InstanceContextMode ServiceBehaviorAttribute PerCalls / Sessions
  – MaxConcurrentSessions (default = 10) [Per-channel]
• Stay in touch with Recent Security Discoveries Related to Technologies you are using!
  • Platforms, OS services, dev technologies, transport/protocol technologies, encryption algorithms etc.

Page 17: WCF Security

thank you for your attention

questions and comments

?