Académique Documents
Professionnel Documents
Culture Documents
s new
s new
cross
cross
-
-
language
language
platform for building, deploying and
platform for building, deploying and
running (semi
running (semi
-
-
)trusted applications
)trusted applications
All .NET languages are first class players
All .NET languages are first class players
Any language can use and extend the .NET Any language can use and extend the .NET
Framework Framework
All languages are interoperable All languages are interoperable
Two key components:
Two key components:
Common Language Runtime (CLR)
Common Language Runtime (CLR)
.NET Framework Class Library
.NET Framework Class Library
CLR Security Design Goals
CLR Security Design Goals
Provide a robust security system for
Provide a robust security system for
partially
partially
-
-
trusted, mobile code
trusted, mobile code
Make it easy to:
Make it easy to:
Express fine
Express fine
-
-
grained authorizations
grained authorizations
Extend & customize the system
Extend & customize the system
Perform security checks in user code
Perform security checks in user code
No end
No end
-
-
user UI!
user UI!
Never ask a user to make a security
Never ask a user to make a security
decision
decision
on the fly
on the fly
Key Semi
Key Semi
-
-
Trust Scenarios
Trust Scenarios
OS security is based on user rights
OS security is based on user rights
CLR security, added on top of OS
CLR security, added on top of OS
security, gives rights to code
security, gives rights to code
Trusted user
Trusted user
Trusted code
Trusted code
Untrusted user
Untrusted user
Untrusted code
Untrusted code
Trusted user
Trusted user
Untrusted code
Untrusted code
Untrusted user
Untrusted user
Trusted code
Trusted code
!
!
!
!
Compiler Compiler
Assembly Assembly
Common Language Runtime
Common Language Runtime
DEVELOPMENT DEVELOPMENT
C# C#
J# J#
VB VB
Cobol Cobol
MSIL MSIL
Metadata Metadata
Resources Resources
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
Source code Source code
Compiler Compiler
Assembly Assembly
DEVELOPMENT DEVELOPMENT
C# C#
J# J#
VB VB
Cobol Cobol
MSIL MSIL
Metadata Metadata
Resources Resources
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
Source code Source code
Application Application
Directory Directory
Global Global
Assembly Assembly
Cache (GAC) Cache (GAC)
Common Language Runtime
Common Language Runtime
Assembly Assembly
DEVELOPMENT DEVELOPMENT
DEPLOYMENT DEPLOYMENT
Setup Setup
Copy Copy
Browser Browser
Download Download
Cache Cache
Install Install
Debug Engine Debug Engine
JIT Compiler JIT Compiler
& Verification & Verification
Application Application
Directory Directory
Setup Setup
Copy Copy
Browser Browser
Download Download
Cache Cache
Global Global
Assembly Assembly
Cache (GAC) Cache (GAC)
Assembly Assembly
on Target on Target
Machine Machine
Common Language Runtime
Common Language Runtime
Assembly Assembly
DEVELOPMENT DEVELOPMENT
DEPLOYMENT DEPLOYMENT
Install Install
EXECUTION EXECUTION
Assembly Assembly
Loader Loader
Policy Policy
Manager Manager
Class Class
Loader Loader
Native Native
code code
Code Code
Manager Manager
Garbage Collection Garbage Collection
Exception Manager Exception Manager
Thread Support Thread Support
Security Permission Security Permission
Enforcement Enforcement
Policy
<?x ml ver si on=" 1.0" enc odi ng=" ut f -8" ?>
<c onf i gur at i on>
<msc or l i b>
<sec ur i t y>
<pol i c y>
<Pol i c yLevel ver si on=" 1" >
<CodeGr oup c l ass=" Uni onCodeGr oup"
ver si on=" 1"
Per mi ssi onSet Name=" Not hi ng"
Name=" Al l _Code"
Desc r i pt i on=" Code gr oup
gr ant s no per mi ssi o
ns and f or ms t he r oot of t he c ode gr oup t r ee." >
<I Member shi pCondi t i on c l as
s=" Al l Member shi pCondi t i on"
ver si on=" 1" />
<CodeGr oup c l ass=" Uni onCodeGr oup"
ver si on=" 1"
Per mi ssi onSet Name=" Ful l Tr ust "
Agenda
Agenda
Overview of how code is run
Overview of how code is run
Policy evaluation in the CLR
Policy evaluation in the CLR
Permission enforcement
Permission enforcement
Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs
Web services security
Web services security
Policy Evaluation in the CLR
Policy Evaluation in the CLR
Policy evaluation
Policy evaluation
is the process of
is the process of
determining the set of
determining the set of
permissions
permissions
to
to
grant to code based on
grant to code based on
evidence
evidence
known about that code
known about that code
We call this
We call this
evidence
evidence
-
-
based security
based security
Draws on administrator
Draws on administrator
s prior
s prior
experience managing user accounts
experience managing user accounts
We assign rights (permissions) to
We assign rights (permissions) to
assemblies in the CLR, just as we assign
assemblies in the CLR, just as we assign
rights to groups of users.
rights to groups of users.
Compositional model where the
Compositional model where the
primitive unit is a
primitive unit is a
code group
code group
Code Group
Code Group
Two linked rules:
Two linked rules:
What assemblies are a member? What assemblies are a member?
What permissions should they be granted? What permissions should they be granted?
Organized into a hierarchy Organized into a hierarchy
Membership in the group is decided by a
Membership in the group is decided by a
Boolean function that evaluates sets of
Boolean function that evaluates sets of
Evidence
Evidence
Membership conditions can do whatever Membership conditions can do whatever
computation they wish (e.g., independent computation they wish (e.g., independent
validation of Evidence objects) validation of Evidence objects)
condition?
P
Code group
One simple way to use
One simple way to use
Code Groups (the 97%
Code Groups (the 97%
case)...
case)...
Policy Levels
Policy Levels
A tree of code groups is a A tree of code groups is a policy level policy level
The permissions granted by a policy level for a given set The permissions granted by a policy level for a given set
of evidence are determined by evaluating the root code of evidence are determined by evaluating the root code
group of the tree group of the tree
All Code All Code
Publisher: Publisher:
Microsoft Microsoft
Zone: Zone:
Internet Internet
Zone: Zone:
Local Intranet Local Intranet
Site: Site:
XYZ.COM XYZ.COM
Name: Name:
MS.Office MS.Office
Name: Name:
MS.Money MS.Money
Site: Site:
localweb localweb
P P
P P
Publisher: Publisher:
Corp. Admin Corp. Admin
P P P P P P
P P P P P P
P P
Sample Policy Level
Sample Policy Level
Example: MS.Money on Local Intranet
Example: MS.Money on Local Intranet
Member of four groups (highlighted)
Member of four groups (highlighted)
Granted permissions = P1
Granted permissions = P1
P2
P2
P7
P7
P4
P4
All Code All Code
Publisher: Publisher:
Microsoft Microsoft
Zone: Zone:
Internet Internet
Zone: Zone:
Local Intranet Local Intranet
Site: Site:
XYZ.COM XYZ.COM
Name: Name:
MS.Office MS.Office
Name: Name:
MS.Money MS.Money
Site: Site:
localweb localweb
Publisher: Publisher:
Corp. Admin Corp. Admin
P8 P8 P9 P9
P5 P5 P3 P3
P6 P6
All Code All Code
P1 P1
Publisher: Publisher:
Microsoft Microsoft
P2 P2
Name: Name:
MS.Money MS.Money
P7 P7
Zone: Zone:
Local Intranet Local Intranet
P4 P4
Hierarchical Policy Levels
Hierarchical Policy Levels
CLR supports multiple, ordered policy
CLR supports multiple, ordered policy
levels for administration
levels for administration
Enterprise: common policy throughout an org. Enterprise: common policy throughout an org.
Machine: policy for all users of given machine Machine: policy for all users of given machine
User: policy specific to logged in user User: policy specific to logged in user
Effective policy is the Effective policy is the intersection intersection of all levels of all levels
Enterprise policy
Machine1 policy
Machine2 policy
User A User B User C User D
But Code Groups are
But Code Groups are
much more powerful...
much more powerful...
Code Group Operation
Code Group Operation
Once an assembly has proven membership
Once an assembly has proven membership
in a Code Group, the Code Group gets to
in a Code Group, the Code Group gets to
determine
determine
What permissions to award, and What permissions to award, and
How those permission should be combined with How those permission should be combined with
any awarded by its child Code Groups (if any) any awarded by its child Code Groups (if any)
Simplest case: UnionCodeGroup
Simplest case: UnionCodeGroup
Static set of permission to award, just union with Static set of permission to award, just union with
whatever the child Code Groups return whatever the child Code Groups return
But more complicated (and interesting!)
But more complicated (and interesting!)
CodeGroups are possible
CodeGroups are possible
Code Group Operation (2)
Code Group Operation (2)
Example: NetCodeGroup
Example: NetCodeGroup
Grants an assembly the right to connect
Grants an assembly the right to connect
back over the network to the server it
back over the network to the server it
came from
came from
Like a UnionCodeGroup, except the
Like a UnionCodeGroup, except the
granted permissions are dynamically
granted permissions are dynamically
computed from the Evidence received
computed from the Evidence received
CodeGroups are programs, so they can
CodeGroups are programs, so they can
do whatever computation they want to
do whatever computation they want to
compute their grant sets
compute their grant sets
Ex: database lookups, referrals to trusted
Ex: database lookups, referrals to trusted
services
services
Code Group Operation (3)
Code Group Operation (3)
Code Groups have inspection &
Code Groups have inspection &
approval rights over the grants made
approval rights over the grants made
by their children Code Groups.
by their children Code Groups.
Even with all this flexibility, the policy
Even with all this flexibility, the policy
system is still monotonic unless a
system is still monotonic unless a
Code Group behaves non
Code Group behaves non
-
-
monotonically
monotonically
More evidence cannot remove
More evidence cannot remove
permissions
permissions
Code Group Attributes
Code Group Attributes
We had two problems we could not easily
We had two problems we could not easily
solve with the model as it stood...
solve with the model as it stood...
Administrators of a Administrators of a higher higher policy level (e.g. policy level (e.g.
Enterprise policy) could not prevent Enterprise policy) could not prevent lower lower
policy levels from interfering with their decisions policy levels from interfering with their decisions
If we blindly intersect the results of each level, If we blindly intersect the results of each level,
all levels have equal weight all levels have equal weight
Since we didn Since we didn t have negative evidence, there t have negative evidence, there
was no way to say, was no way to say, Give this type of assembly Give this type of assembly
exactly these permissions exactly these permissions
Other portions of policy on the same level Other portions of policy on the same level
could always add to the grants could always add to the grants
Solution: LevelFinal and Exclusive attributes
Solution: LevelFinal and Exclusive attributes
Code Group Attributes (2)
Code Group Attributes (2)
LevelFinal attribute
LevelFinal attribute
Policy levels are evaluated in order from most Policy levels are evaluated in order from most
general (Enterprise) to most specific general (Enterprise) to most specific
If an assembly is a member of a CodeGroup If an assembly is a member of a CodeGroup
marked LevelFinal, then policy evaluation marked LevelFinal, then policy evaluation
terminates at the current level terminates at the current level
Exclusive attribute
Exclusive attribute
If an assembly is a member of a single If an assembly is a member of a single
CodeGroup marked Exclusive within a level, then CodeGroup marked Exclusive within a level, then
the grant for the entire level is exactly the grant the grant for the entire level is exactly the grant
from that group. from that group.
In v1, it is invalid for an assembly to match In v1, it is invalid for an assembly to match
multiple Exclusive groups within a single policy multiple Exclusive groups within a single policy
level level
Evidence
Evidence
Evidence
Evidence
is the input to policy
is the input to policy
Example: Info about a code assembly
Example: Info about a code assembly
Strong names
Strong names
Publisher identity
Publisher identity
Hash
Hash
Location of origin (URL, zone, site)
Location of origin (URL, zone, site)
Evidence is completely extensible
Evidence is completely extensible
Any object can be a piece of evidence
Any object can be a piece of evidence
Only impacts grants if there is a code
Only impacts grants if there is a code
group membership condition that cares
group membership condition that cares
about it!
about it!
cryptographically
computed/validated
}
Assembly Input To Policy
Assembly Input To Policy
Assemblies may contain
Assemblies may contain
permission
permission
requests
requests
Minimum (
Minimum (
)
)
Optional (
Optional (
what I
what I
d like to have
d like to have
)
)
Refuse (
Refuse (
)
)
Permission requests are assembly
Permission requests are assembly
-
-
level
level
attributes (metadata declarations)
attributes (metadata declarations)
Assembly
Assembly
-
-
provided Evidence
provided Evidence
Assemblies can carry evidence
Assemblies can carry evidence
objects, too
objects, too
Initially
Initially
-
-
untrusted
untrusted
evidence
evidence
must be
must be
validated by the policy system
validated by the policy system
No policy components ship in V1 that use
No policy components ship in V1 that use
assembly
assembly
-
-
provided evidence, but it
provided evidence, but it
s
s
available to custom Membership
available to custom Membership
Conditions & Code Groups
Conditions & Code Groups
Example: third
Example: third
-
-
party certifications
party certifications
Putting It All Together
Putting It All Together
Policy Policy
Evaluator Evaluator
Assembly A3
Assembly A3
Permission Permission
Requests Requests
Security Security
Policy Policy
Evidence Evidence
G3 G3 G3 G3
Host
Host
Assembly A2
Assembly A2
G2 G2
G1 G1
Assembly A1
Assembly A1
Assembly A3
Assembly A3
Extending the Policy System
Extending the Policy System
Custom Permissions
Custom Permissions
App defined authorization for a resource App defined authorization for a resource
Easy integration with policy Easy integration with policy
Custom Code Groups & Membership
Custom Code Groups & Membership
Conditions
Conditions
Implement new Code Group logic Implement new Code Group logic
Dynamic permission set computation Dynamic permission set computation
Alter default combining logic Alter default combining logic
Custom Evidence
Custom Evidence
Create embedded evidence (e.g. certifications) Create embedded evidence (e.g. certifications)
Evidence from trusted hosts Evidence from trusted hosts
Agenda
Agenda
Overview of how code is run
Overview of how code is run
Policy evaluation in the CLR
Policy evaluation in the CLR
Permission enforcement
Permission enforcement
Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs
Web services security
Web services security
Permissions
Permissions
A permission is a set (or subset) of
A permission is a set (or subset) of
capabilities
capabilities
All permissions implement union,
All permissions implement union,
intersection, and subset operations
intersection, and subset operations
Requiring full
Requiring full
set mathematics
set mathematics
has
has
some drawbacks
some drawbacks
Ex.: Implementing regular expression
Ex.: Implementing regular expression
semantics is hard
semantics is hard
Permission types are orthogonal
Permission types are orthogonal
A demand for a permission of type A must
A demand for a permission of type A must
be satisfied with a grant of a permission
be satisfied with a grant of a permission
of type A
of type A
Permissions Protect Resources
Permissions Protect Resources
FileIO
FileIO
FileDialog
FileDialog
IsolatedStorage
IsolatedStorage
Environment
Environment
Registry
Registry
UI
UI
Printing
Printing
Reflection
Reflection
Security
Security
Socket
Socket
Web
Web
DNS
DNS
OleDb
OleDb
SQLClient
SQLClient
MessageQueue
MessageQueue
EventLog
EventLog
DirectoryServices
DirectoryServices
extensible
extensible
Execution, Assertion, Skip Verification, Execution, Assertion, Skip Verification,
Unmanaged code, Control evidence, Control Unmanaged code, Control evidence, Control
policy, Control principal, Control threads policy, Control principal, Control threads
Permission Enforcement
Permission Enforcement
Most permissions are
Most permissions are
code
code
-
-
access
access
permissions
permissions
and have stack
and have stack
-
-
walking
walking
semantics
semantics
A demand for a code
A demand for a code
-
-
access permission
access permission
must be satisfied by grants to every stack
must be satisfied by grants to every stack
frame above the demanding frame
frame above the demanding frame
Stack
Stack
-
-
walking is a defense against
walking is a defense against
luring attacks
luring attacks
Less
Less
-
-
trusted code tricking more
trusted code tricking more
-
-
trusted
trusted
code into performing protected operations
code into performing protected operations
Stack walk modifiers
Stack walk modifiers
can change the
can change the
default semantics
default semantics
Stack
Stack
-
-
walking Semantics
walking Semantics
Method M3
Method M3
Method M2
Method M2
Method M1
Method M1
Method M4
Method M4
Call Stack Call Stack
Grows Down Grows Down
G2 G2
G1 G1
G3 G3
G4 G4
Each method has a set of Each method has a set of
corresponding grants corresponding grants
Method M4 Method M4
demands a demands a
permission P permission P
P P
P is compared P is compared
with grants of all with grants of all
callers on the callers on the
stack above M4 stack above M4
P P
P P
P P
Stack Walk Modifiers
Stack Walk Modifiers
Modifiers provide fine
Modifiers provide fine
-
-
grained, dynamic
grained, dynamic
control over state of grants on the stack
control over state of grants on the stack
Most common modifier is
Most common modifier is Assert Assert
I vouch for my callers; checks for this I vouch for my callers; checks for this
permission can stop at my frame permission can stop at my frame
Example:
Example:
Gatekeeper
Gatekeeper
classes
classes
Managed wrappers for unmanaged resources Managed wrappers for unmanaged resources
Demand appropriate permission from caller Demand appropriate permission from caller
Assert permission to call unmanaged code Assert permission to call unmanaged code
Make the unmanaged call Make the unmanaged call
Modifiers in Action
Modifiers in Action
Assert()
Assert()
Call Stack Call Stack
Grows Down Grows Down
G2 G2
G3 G3
G4 G4
Each method has a set of Each method has a set of
corresponding grants corresponding grants
Method M4 Method M4
demands a demands a
permission P permission P
P P
P is compared P is compared
with grants of all with grants of all
callers on the callers on the
stack above M4 stack above M4
P P
P P
P P G1 G1
P.Assert()
Method M3
Method M3
Method M2
Method M2
Method M1
Method M1
Method M4
Method M4
Stack Walk Modifiers (2)
Stack Walk Modifiers (2)
Three types of modifiers: Assert, Deny,
Three types of modifiers: Assert, Deny,
PermitOnly
PermitOnly
Deny() fails any stack walk that reaches it & Deny() fails any stack walk that reaches it &
matches matches
PermitOnly() fails any non PermitOnly() fails any non- -matching stack walk matching stack walk
Assert, Deny & PermitOnly work by
Assert, Deny & PermitOnly work by
dynamically modifying the stack
dynamically modifying the stack
Methods that call these methods have an extra Methods that call these methods have an extra
slot in their stack frames reserved for this slot in their stack frames reserved for this
information information
We detect the need to reserve stack space at JIT We detect the need to reserve stack space at JIT- -
time. Dynamic methods themselves are marked time. Dynamic methods themselves are marked
with a special attribute with a special attribute
Permission Enforcement
Permission Enforcement
Programmers may ask the security
Programmers may ask the security
system to perform permission checks
system to perform permission checks
either imperatively or declaratively
either imperatively or declaratively
Imperative
Imperative
security operations are
security operations are
performed by the programmer via
performed by the programmer via
object creation and method invocation
object creation and method invocation
Declarative
Declarative
security operations are
security operations are
made by annotating source code with
made by annotating source code with
metadata declarations
metadata declarations
Also used for permission requests
Also used for permission requests
Imperative Security Actions
Imperative Security Actions
Actions occur at runtime as part of a method body, Actions occur at runtime as part of a method body,
just like any other call just like any other call
All permission objects have a Demand() method to invoke a All permission objects have a Demand() method to invoke a
security check for that permission. security check for that permission.
Example: Frameworks File object constructor Example: Frameworks File object constructor
Requires Requires read read access to the corresponding file access to the corresponding file
public File(String fileName) { public File(String fileName) {
// Must fully qualify the path for the security check // Must fully qualify the path for the security check
String fullPath = Directory.GetFullPathInternal(fileName); String fullPath = Directory.GetFullPathInternal(fileName);
new FileIOPermission(FileIOPermissionAccess.Read, new FileIOPermission(FileIOPermissionAccess.Read,
fullPath).Demand(); fullPath).Demand();
//[ //[ rest of function rest of function ] ]
} }
Design Philosophy for
Design Philosophy for
Declarative Security
Declarative Security
Make it easy for
Make it easy for
Developers to make security checks in
Developers to make security checks in
their own programs at the method or
their own programs at the method or
class level
class level
Code auditors, reviewers & automated
Code auditors, reviewers & automated
tools to see where security
tools to see where security
-
-
related
related
actions are taking place
actions are taking place
Assembly authors to state their
Assembly authors to state their
requirements to the policy system, so
requirements to the policy system, so
policy can fail them early if it refuses to
policy can fail them early if it refuses to
meet their requirements
meet their requirements
Declarative Security Demand
Declarative Security Demand
An example declaration (C#):
An example declaration (C#):
[FileIOPermission(SecurityAction.Demand,
[FileIOPermission(SecurityAction.Demand,
Write =
Write =
c:
c:
\
\
\
\
temp
temp
)]
)]
public void foo() {
public void foo() {
// class does something with c:
// class does something with c:
\
\
temp
temp
}
}
In v1 of the CLR, security declarations
In v1 of the CLR, security declarations
cannot contain runtime variables
cannot contain runtime variables
Permission state must be completely
Permission state must be completely
specified at compile
specified at compile
-
-
time
time
Some compiler support required to
Some compiler support required to
enable declarative security
enable declarative security
Declarative Security Actions
Declarative Security Actions
Actions are declared as part of the metadata
Actions are declared as part of the metadata
via a custom attribute
via a custom attribute
May occur at run
May occur at run
-
-
time or bind
time or bind
-
-
time
time
depending on the particular action
depending on the particular action
Demand() occurs at runtime Demand() occurs at runtime
LinkDemand(), InheritanceDemand() occur at LinkDemand(), InheritanceDemand() occur at
bind bind- -time time
Bind
Bind
-
-
time actions are automatically invoked
time actions are automatically invoked
by the JIT compiler when the caller is
by the JIT compiler when the caller is
compiled or the subclass is loaded
compiled or the subclass is loaded
For run
For run
-
-
time declarations, the JIT compiler
time declarations, the JIT compiler
emits code performing the security check
emits code performing the security check
into an interceptor stub wrapped around the
into an interceptor stub wrapped around the
method body
method body
Declarative Security & Compilers
Declarative Security & Compilers
Declarative security requires compiler
Declarative security requires compiler
support as well as presence of the CLR
support as well as presence of the CLR
Security custom attributes could
Security custom attributes could
reference external data (e.g. an X.509
reference external data (e.g. an X.509
certificate in a
certificate in a
PublisherIdentityPermission declaration)
PublisherIdentityPermission declaration)
Thus, at compile time we have to de
Thus, at compile time we have to de
-
-
reference any external entities & serialize
reference any external entities & serialize
them into metadata
them into metadata
We also compact multiple declarations of
We also compact multiple declarations of
the same action type into a single
the same action type into a single
permission set for efficiency reasons
permission set for efficiency reasons
Agenda
Agenda
Overview of how code is run
Overview of how code is run
Policy evaluation in the CLR
Policy evaluation in the CLR
Permission enforcement
Permission enforcement
Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs
Web services security
Web services security
Class Loading & Binding to Types
Class Loading & Binding to Types
Inter
Inter
-
-
assembly binding (dynamic linking)
assembly binding (dynamic linking)
Assembly A2
Assembly A2 Assembly A1
Assembly A1
Intra
Intra
-
-
assembly binding (multi
assembly binding (multi
-
-
file
file
assemblies)
assemblies)
Assembly A1
Assembly A1
File F1
File F1
File F2
File F2
File F3
File F3
File F4
File F4
Manifest
Manifest
Class Loading & Binding (2)
Class Loading & Binding (2)
Problem Definition:
Problem Definition:
With shared libraries/dynamic linking, there With shared libraries/dynamic linking, there s a s a
general risk of code spoofing ( general risk of code spoofing ( DLL hell DLL hell ). ).
We We ve seen numerous attacks in past systems ve seen numerous attacks in past systems
where where system libraries system libraries are replaced. are replaced.
In the CLR, there are two main attack vectors In the CLR, there are two main attack vectors
Spoof the implementation of a type or Spoof the implementation of a type or
assembly assembly
Replace part of a multi Replace part of a multi- -file assembly file assembly
Cryptographically
Cryptographically
-
-
strong binding can defend
strong binding can defend
against this class of attack
against this class of attack
Strong Names
Strong Names
Every public/private key pair defines the root
Every public/private key pair defines the root
of a
of a
cryptographically
cryptographically
-
-
sealed
sealed
namespace
namespace
Any developer can define their own namespace Any developer can define their own namespace
by generating a random key pair by generating a random key pair
A
A
strong name
strong name
s no implied trust
s no implied trust
Strong Names (2)
Strong Names (2)
In v1, all strong names use 1024
In v1, all strong names use 1024
-
-
bit RSA key
bit RSA key
pairs, and the signature algorithm is always
pairs, and the signature algorithm is always
RSA
RSA
-
-
SHA1.
SHA1.
An assembly must have a strong name to be
An assembly must have a strong name to be
shared across multiple applications
shared across multiple applications
(included in the Global Assembly Cache)
(included in the Global Assembly Cache)
Multi
Multi
-
-
file assemblies are always hash
file assemblies are always hash
-
-
referenced.
referenced.
Strong names give us side
Strong names give us side
-
-
by
by
-
-
side support
side support
(multiple versions of an assembly can co
(multiple versions of an assembly can co
-
-
exist on a single machine)
exist on a single machine)
Strong Names and Revocation
Strong Names and Revocation
Strong names are a self
Strong names are a self
-
-
identification
identification
technology, not a certification or third
technology, not a certification or third
-
-
party trust mechanism
party trust mechanism
You could build a certification scheme on
You could build a certification scheme on
top of strong names if you wanted to
top of strong names if you wanted to
Strong names cannot be
Strong names cannot be
revoked
revoked
,
,
since there
since there
s no certification to be
s no certification to be
undone.
undone.
But one could combine strong names with
But one could combine strong names with
an on
an on
-
-
line validity check to create positive
line validity check to create positive
evidence for a more complex trust
evidence for a more complex trust
policy
policy
exact
exact
version match
version match
You get the version of an assembly you
You get the version of an assembly you
were compiled against, even if a later
were compiled against, even if a later
version exists on the system.
version exists on the system.
Default binding policy may be
Default binding policy may be
overridden via
overridden via
config
config
files
files
Application
Application
-
-
, assembly
, assembly
-
-
& runtime
& runtime
-
-
level
level
overrides are possible
overrides are possible
Useful for
Useful for
hotfix
hotfix
Restrict subclassing
Restrict subclassing
[StrongNameIdentityPermission( [StrongNameIdentityPermission(
SecurityAction.InheritanceDemand, SecurityAction.InheritanceDemand,
PublicKey={0,127,8, 32, 8, PublicKey={0,127,8, 32, 8, )] )]
public class Foo { ... } public class Foo { ... }
[ZoneIdentityPermission(
[ZoneIdentityPermission(
SecurityAction.LinkDemand,
SecurityAction.LinkDemand,
Zone=SecurityZone.MyComputer)]
Zone=SecurityZone.MyComputer)]
public class Foo {...}
public class Foo {...}
Restrict callers
Restrict callers
Agenda
Agenda
Overview of how code is run
Overview of how code is run
Policy evaluation in the CLR
Policy evaluation in the CLR
Permission enforcement
Permission enforcement
Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs
Web services security
Web services security
Securing XML Web Services
Securing XML Web Services
A secure Web services can be built
A secure Web services can be built
on well known technologies today
on well known technologies today
Today
Today
Secure the infrastructure
Secure the infrastructure
Secure the transport (HTTP)
Secure the transport (HTTP)
Authentication and authorization
Authentication and authorization
Consumer Consumer Server Server
SOAP over HTTP Request SOAP over HTTP Request
HTTP HTTP
HTTP HTTP HTTP Headers HTTP Headers
HTTP Body HTTP Body SOAP Message SOAP Message
SOAP Body SOAP Body
SOAP Headers SOAP Headers
Authentication
Authentication
is part of the
is part of the
HTTP protocol
HTTP protocol
or can be built
or can be built
on top of SOAP
on top of SOAP
ASP.NET Authentication
ASP.NET Authentication
Windows Authentication (via IIS)
Windows Authentication (via IIS)
HTTP Authentication Standards (RFC 2617) HTTP Authentication Standards (RFC 2617)
Basic Basic
Digest Digest
Integrated Windows Authentication Integrated Windows Authentication
NTLM NTLM
Kerberos Kerberos
SSL/TLS with X.509 Client Certificates SSL/TLS with X.509 Client Certificates
Custom Authentication
Custom Authentication
ASP.NET support for application layer security ASP.NET support for application layer security
Unified programming model for all forms of
Unified programming model for all forms of
authentication
authentication
ASP.NET Authorization
ASP.NET Authorization
Windows Security
Windows Security
Access Control Lists Access Control Lists
Option request entity impersonation Option request entity impersonation
URL Authorization
URL Authorization
Flexible XML configuration for access Flexible XML configuration for access
control control
Custom Authorization
Custom Authorization
Business/application logic can be layered on Business/application logic can be layered on
top of other authorization strategies top of other authorization strategies
Explicit imperative or declarative
Explicit imperative or declarative
permission checks
permission checks
ASP.NET URL Authorization
ASP.NET URL Authorization
Example: allow
Example: allow
Admins
Admins
or
or
WebServiceUsers
WebServiceUsers
Secure the infrastructure
Secure the infrastructure
Secure the connection
Secure the connection
Authentication & Authorization
Authentication & Authorization
But
But
these don
these don
t offer an integrated
t offer an integrated
and interoperable solution
and interoperable solution
Integrated SOAP/message security
Integrated SOAP/message security
WS
WS
-
-
Security
Security