3A01: .Net Framework Security

Nov 2, 2013
© 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

3A01: .Net Framework Security

Wolfgang Werner
HP
Decus Bonn 2003
Agenda

Introduction to the Common Language Runtime

Windows Security and Code Access Security

Security Policy

Evidence, Membership Conditions, Permission Sets, Code Groups, Policy Levels

Misc.
Common Language Runtime (CLR)

Core of the .NET platform

Runtime execution environment

Uses the Intermediate Language

Code that requires the CLR is called managed code

Uses garbage collection
Common Language Runtime (CLR)

The runtime loads and runs code written in any CLR-aware programming language

Compilers translate source code into Intermediate Language (IL)

When the code is executed, the IL is compiled into native code
Assemblies

The logical unit that contains IL code

Can be stored across multiple files

The same structure is used for executable code and libraries

Contains metadata that describes the assembly (manifest)

ILDASM can be used to inspect the content and the metadata
Assemblies

The assembly manifest contains

– Name, version

– Identity information: name, version, culture, public key

– Exported types

– Dependencies on other assemblies

– ...
Windows Security

Based on user identity

Authentication for a particular user

Authorization to access resources based on user
credentials

All code will run with the same access rights
Windows Security

It is ok for an admin to add new users, but…

<OBJECT CODETYPE="application/x-oleobject"
        CLASSID="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
        WIDTH=1 HEIGHT=1 ID="WShell">
</OBJECT>
<!-- "Initialize and script ActiveX controls not marked as safe" must
     be enabled -->
<SCRIPT LANGUAGE="Javascript">
runcmd = "net user newuser /add";
WShell.Run(runcmd);
</SCRIPT>
Code Access Security (CAS)

Applies to the Common Language Runtime

Managed code only

Based on code identity

Code running on behalf of the same user is not all treated equally

Code "authentication" is based on the origin of the code (evidence)

Code Access Security (CAS)

Authenticate assemblies

– By collecting evidence

Authorize assemblies

– By granting a set of permissions

Enforce authorization decisions

– By checking that ALL assemblies involved (every caller on the stack) have the appropriate permissions
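The stack walk behind "checking ALL assemblies" can be observed directly with an imperative Demand. The program below is an added example written for this page, not code from the slides or from HP: CanReadFile demands read access to a path before touching it, and RunAsInternetCode uses PermitOnly with the built-in Internet permission set to stand in for a caller that was granted only Internet permissions, so the same demand fails there. The file name example.txt is a constructed placeholder; the code targets .NET Framework 1.x–3.5, where policy is enforced.

```csharp
// Added example for this page (not from the slides). Targets .NET Framework 1.x-3.5.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class DemandDemo
{
    // Returns true when every assembly on the call stack has been granted read
    // access to `path`. Demand() walks the whole stack, so a fully trusted
    // library called from less trusted code still fails here.
    static bool CanReadFile(string path)
    {
        FileIOPermission perm =
            new FileIOPermission(FileIOPermissionAccess.Read, path);
        try
        {
            perm.Demand();                 // SecurityException if any caller lacks it
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Denied: " + ex.Message);
            return false;
        }
    }

    // PermitOnly puts a frame on the stack that lets only the named permission
    // set through; "Internet" contains no FileIOPermission, so the demand made
    // further down fails even though this program itself is fully trusted.
    [PermissionSet(SecurityAction.PermitOnly, Name = "Internet")]
    static bool RunAsInternetCode(string path)
    {
        return CanReadFile(path);
    }

    static void Main()
    {
        // Constructed placeholder; FileIOPermission requires an absolute path.
        string path = Path.GetFullPath("example.txt");

        Console.WriteLine("Full trust   : " + (CanReadFile(path) ? "allowed" : "denied"));
        Console.WriteLine("Internet set : " + (RunAsInternetCode(path) ? "allowed" : "denied"));
    }
}
```

Run from the local disk under the default policy, the first line reports "allowed" and the second "denied": the demand is identical, only the frames on the stack differ.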
Code Access Security (CAS)

CAS complements Windows security

CAS settings will NOT supersede Windows access restrictions
Security Policy

Code Access Security maps evidence to resource access permissions based on security policy settings

A security policy consists of

Membership conditions

Code groups

Policy levels
Security Policy

Default Security Policy

– All assemblies running in the My Computer zone have access to all resources

– Assemblies from the intranet zone are allowed to read some environment variables, do unlimited user interface interaction, have no access to the registry, …

– All assemblies from the internet zone are prevented from running by default
Security Policy: Evidence

Information about the origin of an assembly

Authentication in CAS

Applies only to running code

– Not precomputed or cached

Independent of the user

– With exceptions
Code Access Security: Evidence

The CLR uses evidence to

– Determine which code groups the code belongs to

– Evaluate the membership conditions of enterprise, machine, and user policy

– Return the set of permissions to grant to the assembly or application domain
Code Access Security: Evidence

Evidence is provided by

– The loader (CLR)

– Application domain hosts that start the CLR

Application domain hosts

– Browser host (Internet Explorer)
  – HREF to a managed EXE
  – <object…> refers to a managed type

– Server host (ASP.NET)

– Shell host (Explorer)

Security Policy: Evidence

Assembly-provided evidence

– An assembly is permitted to provide evidence about itself

– Cannot override evidence provided by a host

– By default, assembly-provided evidence is ignored by the CLR

– To use it, implement custom membership conditions
Security Policy: Evidence

ApplicationDirectory

– Directory that contains the primary executing code

– All assemblies in the application's root and child directories

– C:\appdir => file://C:\appdir\test.dll

Security Policy: Evidence

Hash

– Hash (MD5, SHA1)

– Multifile assemblies: hash of the assembly file that contains the manifest

Publisher

– Authenticode signatures (certificates)
Security Policy: Evidence

Site

– Origin from a specified site

– www.microsoft.com

URL

– URL, optionally ending in a wildcard

– ftp://ftp.microsoft.com/pub/*

Security Policy: Evidence

Zone

– The zone where the assembly originates

– My Computer, Intranet, Internet, Trusted Zones, Untrusted Zones

– Same as the Internet Explorer security zones

– Evidence may differ for different users
Security Policy: Evidence

If an assembly is downloaded from a site/URL/zone and then run locally, the original origin information is lost
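To see what evidence the loader actually attached to an assembly, and hence what the policy engine will match against, enumerate its Evidence collection. The following program is an added example for this page, not code from the slides: with no argument it inspects itself, with a path it loads that file from disk, which is the situation the slide above describes.

```csharp
// Added example for this page (not from the slides). Targets .NET Framework 1.x-3.5.
using System;
using System.Reflection;
using System.Security.Policy;

class EvidenceDump
{
    // Prints every evidence object the host attached to an assembly, i.e. exactly
    // the input that membership conditions are evaluated against.
    static void Dump(Assembly asm)
    {
        Evidence ev = asm.Evidence;
        Console.WriteLine("Evidence for " + asm.GetName().Name + ":");
        foreach (object e in ev)                    // host evidence first, then assembly-provided
        {
            if (e is Zone)
                Console.WriteLine("  Zone       : " + ((Zone)e).SecurityZone);
            else if (e is Url)
                Console.WriteLine("  Url        : " + ((Url)e).Value);
            else if (e is Site)
                Console.WriteLine("  Site       : " + ((Site)e).Name);
            else if (e is StrongName)
                Console.WriteLine("  StrongName : " + ((StrongName)e).Name + " " + ((StrongName)e).Version);
            else if (e is Publisher)
                Console.WriteLine("  Publisher  : " + ((Publisher)e).Certificate.GetName());
            else if (e is Hash)
                Console.WriteLine("  Hash(SHA1) : " + BitConverter.ToString(((Hash)e).SHA1));
            else
                Console.WriteLine("  " + e.GetType().Name);
        }
    }

    static void Main(string[] args)
    {
        // No argument: inspect this program itself. With a path: load that file from
        // disk; its Zone and Url evidence then describe the local copy, not the site
        // it was once downloaded from.
        Assembly asm = args.Length == 1
            ? Assembly.LoadFrom(args[0])
            : Assembly.GetExecutingAssembly();
        Dump(asm);
    }
}
```

For a program started from the local disk the Zone line reads MyComputer and the Url line starts with file://; Site evidence only appears for code loaded from a network location.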
Security Policy: Evidence

Strong Name

– Adds public key cryptography to make sure the code has not been altered

– Strongly named assemblies contain the signer's public key and a signature embedded in the assembly

– Also used to distinguish similarly named assemblies from different publishers (shared assemblies only)
Security Policy: Evidence

Diagram: computing a strong name. The assembly is hashed, the hash is signed with the private key, and the resulting signature is stored in the assembly.

Diagram: verifying a strong name. The assembly is hashed again, the stored signature is decrypted with the public key to recover the original hash, and the two hashes are compared (= ?).
Security Policy: Evidence

Strong Name Tool SN.EXE

– Generate private/public key pairs

  sn -k tst.snk

– Sign assemblies with strong names

  Custom attributes, command line switches, …
Security Policy: Evidence

using System;
using System.IO;

// The key pair generated with "sn -k tst.snk" is applied at compile time:
// the compiler signs the assembly with the private key and embeds the public key.
[assembly: System.Reflection.AssemblyKeyFile("tst.snk")]

namespace myAssembly.fkr.cpqcorp.net {
    class myAssembly {
        static void Main(String[] args) {
            if (args.Length != 1) {
                Console.WriteLine("usage: myAssembly <file>");
                return;
            }
            // Echo the file named on the command line, line by line
            using (StreamReader stream = File.OpenText(args[0])) {
                String str;
                while ((str = stream.ReadLine()) != null)
                    Console.WriteLine(str);
            }
        }
    }
}
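Signing is only half of the story; the other half is checking a signature before trusting a file. The program below is an added example for this page, not code from the slides: it reads the public key token from a file's assembly name and asks the runtime to verify the strong-name signature through the StrongNameSignatureVerificationEx export of mscoree.dll, forcing verification so that skip-verification entries registered with sn -Vr cannot bypass the check.

```csharp
// Added example for this page (not from the slides).
using System;
using System.Reflection;
using System.Runtime.InteropServices;

class StrongNameCheck
{
    // mscoree.dll export the CLR itself uses to verify a strong-name signature.
    // The native signature uses BOOLEAN (one byte), hence the U1 marshalling.
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        [MarshalAs(UnmanagedType.LPWStr)] string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    // True only if the file carries a valid strong-name signature that was really
    // checked (not skipped). An unsigned or tampered file yields false.
    static bool HasValidStrongName(string path)
    {
        bool wasVerified = false;
        bool ok = StrongNameSignatureVerificationEx(path, true, ref wasVerified);
        return ok && wasVerified;
    }

    // Public key token (last 8 bytes of the SHA-1 of the public key), the same
    // value sn -T prints, or null for an assembly that is not strong-named.
    static string PublicKeyToken(string path)
    {
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return null;
        return BitConverter.ToString(token).Replace("-", "").ToLower();
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("usage: StrongNameCheck <assembly.dll|exe>");
            return;
        }
        string token = PublicKeyToken(args[0]);
        Console.WriteLine("Public key token : " + (token == null ? "(none - not strong-named)" : token));
        Console.WriteLine("Signature valid  : " + HasValidStrongName(args[0]));
    }
}
```

A public key token alone proves nothing, since any file can claim one in its metadata; only the verified signature ties the token to the file's actual contents.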
Security Policy: Membership Condition

Membership conditions

– Match evidence against specified criteria

– Are closely linked to evidence

– Are extensible (IMembershipCondition)
Security Policy: Membership Condition

Default membership conditions

All Code

Application Directory

Hash

Publisher

Strong Name

Site

URL

Zone
Security Policy: Permission Sets

Permission sets are comprised of zero or more permissions

– FileIOPermission, SocketPermission, RegistryPermission

Predefined Permission Sets

– FullTrust

– LocalIntranet

– Internet, …
Security Policy: Code Groups

Code groups define bindings between membership conditions and permission sets

– If code matches the membership condition it is included in the group and is granted the permission set

– If code matches more than one code group, the permissions are combined in a union
Security Policy: Code Groups

Code groups are arranged in hierarchies, for example:

Code Group: All Code (Membership Condition: AllCode, Permission Set: Nothing)
  Code Group: Internet (Membership Condition: Zone, Permission Set: Internet)
  Code Group: My Computer (Membership Condition: Zone, Permission Set: FullTrust)
    Code Group: Microsoft (Membership Condition: Publisher, Permission Set: FullTrust)
  ...
Security Policy: Policy Levels

A policy level has three pieces

– Permission set list

– Code group hierarchy

– A list of policy assemblies
  – To implement custom security objects (custom permissions, membership conditions, …)

To address the needs of different parties, multiple policy levels are defined
Security Policy: Policy Levels

Administrators configure security policy by managing code groups and their associated permission sets in different policy levels

Each policy level contains its own hierarchy of code groups and permission sets

Policy levels form a hierarchy

– Lower policy levels cannot increase permissions granted at a higher level
Security Policy: Policy Levels

Four security policy levels are provided

Enterprise
– Controlled by the domain administrator
– Anything restricted here defines the total default restrictions

Machine
– Controlled by the machine administrator

User
– Controlled by the user

Application Domain
– Controlled by the application developer
Security Policy: Policy Levels

Diagram: the policy level hierarchy. Enterprise Policy at the top; Machine1 Policy and Machine2 Policy beneath it; under each machine the User1 … User4 policies; under each user the AppDom1 … AppDom7 policies.
Security Policy: Policy Levels

Enterprise

– Applies to all managed code in an enterprise where an enterprise configuration file is distributed

– %windir%\Microsoft.NET\Framework\<version>\config\enterprisesec.config

Machine

– Applies to all managed code on the computer

– %windir%\Microsoft.NET\Framework\<version>\config\security.config
Security Policy: Policy Levels

User

– Applies to all managed code in all of the user's processes

– %userprofile%\Application Data\Microsoft\CLR Security Config\<version>\security.config

Application domain

– Specified by application domain host code

– The application domain level cannot be administratively configured, but can be programmatically set
Security Policy: Policy Levels

To compute the allowed permission set for an application domain or assembly:

– For each policy level, the matching code groups are determined using evidence

– The permissions of the matching code groups are combined in a union

– The resulting permission sets of the policy levels are intersected
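The three steps above can be carried out by hand against the live policy hierarchy, which makes the union-then-intersection rule visible for a given piece of evidence. The following is an added example for this page, not code from the slides: it constructs intranet evidence with a made-up URL (fileserver.example.internal is a placeholder), resolves each policy level separately, and intersects the results; SecurityManager.ResolvePolicy performs the same computation in one call. It targets .NET Framework 1.x–3.5; on .NET 4 the policy levels are only reachable with legacy CAS policy enabled.

```csharp
// Added example for this page (not from the slides). Targets .NET Framework 1.x-3.5;
// on .NET 4, PolicyHierarchy() throws unless legacy CAS policy is enabled.
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class PolicyResolver
{
    // Resolves the grant for `evidence` level by level: union within a level,
    // intersection across levels, so a lower level can only narrow the result.
    static PermissionSet Resolve(Evidence evidence)
    {
        PermissionSet grant = null;
        // Enterprise, Machine, User (plus an AppDomain level if the host supplied one)
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;

            // Step 1: which code groups match this evidence at this level
            CodeGroup match = level.ResolveMatchingCodeGroups(evidence);

            // Step 2: the level's grant is the union of the matching groups' permission sets
            PolicyStatement statement = level.Resolve(evidence);
            PermissionSet levelSet = (statement == null)
                ? new PermissionSet(PermissionState.None)
                : statement.PermissionSet;
            Console.WriteLine(level.Label.PadRight(10) + " matches '"
                + (match == null ? "(none)" : match.Name) + "' -> " + Describe(levelSet));

            // Step 3: intersect with the levels already seen
            grant = (grant == null) ? levelSet : grant.Intersect(levelSet);
            if (grant == null)                          // Intersect returns null for an empty set
                grant = new PermissionSet(PermissionState.None);
        }
        return grant;
    }

    static string Describe(PermissionSet set)
    {
        if (set == null || set.IsEmpty()) return "Nothing";
        if (set.IsUnrestricted()) return "FullTrust";
        return set.Count + " permission(s)";
    }

    static void Main()
    {
        // Constructed evidence: code that came from the intranet zone under a made-up URL.
        Evidence intranet = new Evidence();
        intranet.AddHost(new Zone(SecurityZone.Intranet));
        intranet.AddHost(new Url("http://fileserver.example.internal/apps/tool.exe"));

        PermissionSet result = Resolve(intranet);
        Console.WriteLine("Final grant: " + Describe(result));
        Console.WriteLine(result.ToXml().ToString());

        // The runtime's own one-call equivalent of the loop above
        PermissionSet viaRuntime = SecurityManager.ResolvePolicy(intranet);
        Console.WriteLine("Loop result is a subset of ResolvePolicy result: " + result.IsSubsetOf(viaRuntime));
    }
}
```

Under the default policy the Machine level maps this evidence to the LocalIntranet set while Enterprise and User grant FullTrust, so the intersection is LocalIntranet: the most restrictive level wins, exactly as the "lower levels cannot increase permissions" rule requires.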
Misc.

Disable/enable .NET Framework security

C:\> caspol -security off

C:\> caspol -security on
Misc.

.NET Framework Configuration Snap-in (mscorcfg.msc)

Windows Server 2003:
Start -> Programs -> Administrative Tools

Windows 2000: available in the .NET Framework SDK
Misc.

Increase Assembly Trust

– Use the Trust Wizard to quickly increase the level of trust for a specific assembly

– Example: an assembly installed on the intranet requires access to the local file system (prohibited by the default security policy)
Misc.

Evaluate Assembly Wizard to test

What permissions are granted to a specific assembly

What code groups apply to a specific assembly
Code Access Security: Deployment

Security policy is deployed as a Windows Installer (.msi) file

– Run from local disk or from a share

– Using Group Policy

– Using SMS

Right-click the Runtime Security Policy node and click Create Deployment Package
Isolated Storage

Persists state on client machines for code that has no access to the file system

Isolated by user context

– Written to the user profile

– %userprofile%\Application Data

– Cannot be shared between users
Isolated Storage

List the content of the isolated storage

– storeadm [/roaming] /list

– storeadm.exe: .NET Framework SDK

Remove the content of the isolated storage

– storeadm [/roaming] /remove

All data displayed is particular to the user context under which storeadm is run

Other tasks: Isolated Storage API
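Beyond storeadm, application code reaches isolated storage through the System.IO.IsolatedStorage API. The following program is an added example for this page, not code from the slides: it saves and reloads a small setting in the current user's per-assembly store and reports quota usage; prefs.txt and the stored text are constructed sample values.

```csharp
// Added example for this page (not from the slides).
using System;
using System.IO;
using System.IO.IsolatedStorage;

class IsoStoreDemo
{
    // Saves `text` under `name` in the calling user's store for this assembly.
    // No FileIOPermission is needed, only IsolatedStorageFilePermission, which the
    // default Internet and LocalIntranet permission sets already grant.
    static void SaveSetting(string name, string text)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (IsolatedStorageFileStream stream =
                   new IsolatedStorageFileStream(name, FileMode.Create, FileAccess.Write, store))
        using (StreamWriter writer = new StreamWriter(stream))
        {
            writer.Write(text);
        }
    }

    // Returns the stored text, or null when nothing has been saved under `name`.
    static string LoadSetting(string name)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            if (store.GetFileNames(name).Length == 0)
                return null;
            using (IsolatedStorageFileStream stream =
                       new IsolatedStorageFileStream(name, FileMode.Open, FileAccess.Read, store))
            using (StreamReader reader = new StreamReader(stream))
            {
                return reader.ReadToEnd();
            }
        }
    }

    static void Main()
    {
        SaveSetting("prefs.txt", "theme=dark");            // constructed sample data
        Console.WriteLine("Loaded : " + LoadSetting("prefs.txt"));
        Console.WriteLine("Missing: " + (LoadSetting("nothing.txt") == null ? "null" : "unexpected"));

        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            // Quota is accounted per user and assembly; storeadm /list shows this same store
            Console.WriteLine("Used " + store.CurrentSize + " of " + store.MaximumSize + " bytes");
        }
    }
}
```

Because the store is keyed by user and assembly identity, a second user running the same program sees an empty store, which is the isolation the slide describes.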
Further Reading