.

NET Framework Security

.NET Framework Security
COSIC Tutorial, Part 2 COSIC Tutorial, Part 2
April 2, 2003 April 2, 2003
Brian A. LaMacchia
Brian A. LaMacchia
Software Architect Software Architect
Windows Trusted Platform Technologies Windows Trusted Platform Technologies
Microsoft Corporation Microsoft Corporation
Agenda
Agenda

Overview of how code is run
Overview of how code is run

Policy evaluation in the CLR
Policy evaluation in the CLR

Permission enforcement
Permission enforcement

Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs

Web services security
Web services security
What is the .NET Framework?
What is the .NET Framework?

Microsoft
Microsoft

s new
s new
cross
cross
-
-
language
language
platform for building, deploying and
platform for building, deploying and
running (semi
running (semi
-
-
)trusted applications
)trusted applications

All .NET languages are first class players
All .NET languages are first class players
Any language can use and extend the .NET Any language can use and extend the .NET
Framework Framework
All languages are interoperable All languages are interoperable

Two key components:
Two key components:

Common Language Runtime (CLR)
Common Language Runtime (CLR)

.NET Framework Class Library
.NET Framework Class Library
CLR Security Design Goals
CLR Security Design Goals

Provide a robust security system for
Provide a robust security system for
partially
partially
-
-
trusted, mobile code
trusted, mobile code

Make it easy to:
Make it easy to:

Express fine
Express fine
-
-
grained authorizations
grained authorizations

Extend & customize the system
Extend & customize the system

Perform security checks in user code
Perform security checks in user code

No end
No end
-
-
user UI!
user UI!

Never ask a user to make a security
Never ask a user to make a security
decision
decision

on the fly
on the fly

Key Semi
Key Semi
-
-
Trust Scenarios
Trust Scenarios

OS security is based on user rights
OS security is based on user rights

CLR security, added on top of OS
CLR security, added on top of OS
security, gives rights to code
security, gives rights to code
Trusted user
Trusted user
Trusted code
Trusted code
Untrusted user
Untrusted user
Untrusted code
Untrusted code
Trusted user
Trusted user
Untrusted code
Untrusted code
Untrusted user
Untrusted user
Trusted code
Trusted code
!
!
!
!
Compiler Compiler
Assembly Assembly
Common Language Runtime
Common Language Runtime
DEVELOPMENT DEVELOPMENT
C# C#
J# J#
VB VB
Cobol Cobol

MSIL MSIL
Metadata Metadata
Resources Resources
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
Source code Source code
Compiler Compiler
Assembly Assembly
DEVELOPMENT DEVELOPMENT
C# C#
J# J#
VB VB
Cobol Cobol

MSIL MSIL
Metadata Metadata
Resources Resources
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
publ i c st at i c voi d Mai n(St r i ng[ ] ar gs )
{ St r i ng usr ; Fi l eSt r eam f ; St r eamWr i t er w ;
t r y {
usr =Envi r onment .Get Envi r onment Var i abl e(" USERNAME" );
f =new Fi l eSt r eam( C:\\t est .t x t " ,Fi l eMode.Cr eat e);
w =new St r eamWr i t er (f );
w.Wr i t eLi ne(usr );
w.Cl ose();
} c at c h (Ex c ept i on e){
Consol e.Wri t eLi ne(" Ex c ept i on:" +e.ToSt r i ng());
}
}
Source code Source code
Application Application
Directory Directory
Global Global
Assembly Assembly
Cache (GAC) Cache (GAC)
Common Language Runtime
Common Language Runtime
Assembly Assembly
DEVELOPMENT DEVELOPMENT
DEPLOYMENT DEPLOYMENT
Setup Setup
Copy Copy
Browser Browser
Download Download
Cache Cache
Install Install
Debug Engine Debug Engine
JIT Compiler JIT Compiler
& Verification & Verification
Application Application
Directory Directory
Setup Setup
Copy Copy
Browser Browser
Download Download
Cache Cache
Global Global
Assembly Assembly
Cache (GAC) Cache (GAC)
Assembly Assembly
on Target on Target
Machine Machine
Common Language Runtime
Common Language Runtime
Assembly Assembly
DEVELOPMENT DEVELOPMENT
DEPLOYMENT DEPLOYMENT
Install Install
EXECUTION EXECUTION
Assembly Assembly
Loader Loader
Policy Policy
Manager Manager
Class Class
Loader Loader
Native Native
code code
Code Code
Manager Manager
Garbage Collection Garbage Collection
Exception Manager Exception Manager
Thread Support Thread Support
Security Permission Security Permission
Enforcement Enforcement
Policy
<?x ml ver si on=" 1.0" enc odi ng=" ut f -8" ?>
<c onf i gur at i on>
<msc or l i b>
<sec ur i t y>
<pol i c y>
<Pol i c yLevel ver si on=" 1" >
<CodeGr oup c l ass=" Uni onCodeGr oup"
ver si on=" 1"
Per mi ssi onSet Name=" Not hi ng"
Name=" Al l _Code"
Desc r i pt i on=" Code gr oup
gr ant s no per mi ssi o
ns and f or ms t he r oot of t he c ode gr oup t r ee." >
<I Member shi pCondi t i on c l as
s=" Al l Member shi pCondi t i on"
ver si on=" 1" />
<CodeGr oup c l ass=" Uni onCodeGr oup"
ver si on=" 1"
Per mi ssi onSet Name=" Ful l Tr ust "
Agenda
Agenda

Overview of how code is run
Overview of how code is run

Policy evaluation in the CLR
Policy evaluation in the CLR

Permission enforcement
Permission enforcement

Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs

Web services security
Web services security
Policy Evaluation in the CLR
Policy Evaluation in the CLR

Policy evaluation
Policy evaluation
is the process of
is the process of
determining the set of
determining the set of
permissions
permissions
to
to
grant to code based on
grant to code based on
evidence
evidence
known about that code
known about that code

We call this
We call this

evidence
evidence
-
-
based security
based security

Draws on administrator
Draws on administrator

s prior
s prior
experience managing user accounts
experience managing user accounts

We assign rights (permissions) to
We assign rights (permissions) to
assemblies in the CLR, just as we assign
assemblies in the CLR, just as we assign
rights to groups of users.
rights to groups of users.

Compositional model where the
Compositional model where the
primitive unit is a
primitive unit is a
code group
code group
Code Group
Code Group

Two linked rules:
Two linked rules:
What assemblies are a member? What assemblies are a member?
What permissions should they be granted? What permissions should they be granted?
Organized into a hierarchy Organized into a hierarchy

Membership in the group is decided by a
Membership in the group is decided by a
Boolean function that evaluates sets of
Boolean function that evaluates sets of
Evidence
Evidence
Membership conditions can do whatever Membership conditions can do whatever
computation they wish (e.g., independent computation they wish (e.g., independent
validation of Evidence objects) validation of Evidence objects)
condition?
P
Code group
One simple way to use
One simple way to use
Code Groups (the 97%
Code Groups (the 97%
case)...
case)...
Policy Levels
Policy Levels
A tree of code groups is a A tree of code groups is a policy level policy level
The permissions granted by a policy level for a given set The permissions granted by a policy level for a given set
of evidence are determined by evaluating the root code of evidence are determined by evaluating the root code
group of the tree group of the tree
All Code All Code
Publisher: Publisher:
Microsoft Microsoft
Zone: Zone:
Internet Internet
Zone: Zone:
Local Intranet Local Intranet
Site: Site:
XYZ.COM XYZ.COM
Name: Name:
MS.Office MS.Office
Name: Name:
MS.Money MS.Money
Site: Site:
localweb localweb
P P
P P
Publisher: Publisher:
Corp. Admin Corp. Admin
P P P P P P
P P P P P P
P P
Sample Policy Level
Sample Policy Level

Example: MS.Money on Local Intranet
Example: MS.Money on Local Intranet

Member of four groups (highlighted)
Member of four groups (highlighted)

Granted permissions = P1
Granted permissions = P1

P2
P2

P7
P7

P4
P4
All Code All Code
Publisher: Publisher:
Microsoft Microsoft
Zone: Zone:
Internet Internet
Zone: Zone:
Local Intranet Local Intranet
Site: Site:
XYZ.COM XYZ.COM
Name: Name:
MS.Office MS.Office
Name: Name:
MS.Money MS.Money
Site: Site:
localweb localweb
Publisher: Publisher:
Corp. Admin Corp. Admin
P8 P8 P9 P9
P5 P5 P3 P3
P6 P6
All Code All Code
P1 P1
Publisher: Publisher:
Microsoft Microsoft
P2 P2
Name: Name:
MS.Money MS.Money
P7 P7
Zone: Zone:
Local Intranet Local Intranet
P4 P4
Hierarchical Policy Levels
Hierarchical Policy Levels

CLR supports multiple, ordered policy
CLR supports multiple, ordered policy
levels for administration
levels for administration
Enterprise: common policy throughout an org. Enterprise: common policy throughout an org.
Machine: policy for all users of given machine Machine: policy for all users of given machine
User: policy specific to logged in user User: policy specific to logged in user
Effective policy is the Effective policy is the intersection intersection of all levels of all levels
Enterprise policy
Machine1 policy
Machine2 policy
User A User B User C User D
But Code Groups are
But Code Groups are
much more powerful...
much more powerful...
Code Group Operation
Code Group Operation

Once an assembly has proven membership
Once an assembly has proven membership
in a Code Group, the Code Group gets to
in a Code Group, the Code Group gets to
determine
determine
What permissions to award, and What permissions to award, and
How those permission should be combined with How those permission should be combined with
any awarded by its child Code Groups (if any) any awarded by its child Code Groups (if any)

Simplest case: UnionCodeGroup
Simplest case: UnionCodeGroup
Static set of permission to award, just union with Static set of permission to award, just union with
whatever the child Code Groups return whatever the child Code Groups return

But more complicated (and interesting!)
But more complicated (and interesting!)
CodeGroups are possible
CodeGroups are possible

Code Group Types

Code Group Types

UnionCodeGroup
UnionCodeGroup
Union with matching child c.g. permission sets Union with matching child c.g. permission sets

FirstMatchCodeGroup
FirstMatchCodeGroup
(switch statement)
(switch statement)
Return permissions granted by first matching Return permissions granted by first matching
child code group (P1) child code group (P1)
If no matches, return default permission set (P0) If no matches, return default permission set (P0)
condition?
P0
condition?
P1
condition?
P3
condition?
P2

Code Group Operation (2)
Code Group Operation (2)

Example: NetCodeGroup
Example: NetCodeGroup

Grants an assembly the right to connect
Grants an assembly the right to connect
back over the network to the server it
back over the network to the server it
came from
came from

Like a UnionCodeGroup, except the
Like a UnionCodeGroup, except the
granted permissions are dynamically
granted permissions are dynamically
computed from the Evidence received
computed from the Evidence received

CodeGroups are programs, so they can
CodeGroups are programs, so they can
do whatever computation they want to
do whatever computation they want to
compute their grant sets
compute their grant sets

Ex: database lookups, referrals to trusted
Ex: database lookups, referrals to trusted
services
services
Code Group Operation (3)
Code Group Operation (3)

Code Groups have inspection &
Code Groups have inspection &
approval rights over the grants made
approval rights over the grants made
by their children Code Groups.
by their children Code Groups.

Even with all this flexibility, the policy
Even with all this flexibility, the policy
system is still monotonic unless a
system is still monotonic unless a
Code Group behaves non
Code Group behaves non
-
-
monotonically
monotonically

More evidence cannot remove
More evidence cannot remove
permissions
permissions
Code Group Attributes
Code Group Attributes

We had two problems we could not easily
We had two problems we could not easily
solve with the model as it stood...
solve with the model as it stood...
Administrators of a Administrators of a higher higher policy level (e.g. policy level (e.g.
Enterprise policy) could not prevent Enterprise policy) could not prevent lower lower
policy levels from interfering with their decisions policy levels from interfering with their decisions
If we blindly intersect the results of each level, If we blindly intersect the results of each level,
all levels have equal weight all levels have equal weight
Since we didn Since we didn t have negative evidence, there t have negative evidence, there
was no way to say, was no way to say, Give this type of assembly Give this type of assembly
exactly these permissions exactly these permissions
Other portions of policy on the same level Other portions of policy on the same level
could always add to the grants could always add to the grants

Solution: LevelFinal and Exclusive attributes
Solution: LevelFinal and Exclusive attributes
Code Group Attributes (2)
Code Group Attributes (2)

LevelFinal attribute
LevelFinal attribute
Policy levels are evaluated in order from most Policy levels are evaluated in order from most
general (Enterprise) to most specific general (Enterprise) to most specific
If an assembly is a member of a CodeGroup If an assembly is a member of a CodeGroup
marked LevelFinal, then policy evaluation marked LevelFinal, then policy evaluation
terminates at the current level terminates at the current level

Exclusive attribute
Exclusive attribute
If an assembly is a member of a single If an assembly is a member of a single
CodeGroup marked Exclusive within a level, then CodeGroup marked Exclusive within a level, then
the grant for the entire level is exactly the grant the grant for the entire level is exactly the grant
from that group. from that group.
In v1, it is invalid for an assembly to match In v1, it is invalid for an assembly to match
multiple Exclusive groups within a single policy multiple Exclusive groups within a single policy
level level
Evidence
Evidence

Evidence
Evidence
is the input to policy
is the input to policy

Example: Info about a code assembly
Example: Info about a code assembly

Strong names
Strong names

Publisher identity
Publisher identity

Hash
Hash

Location of origin (URL, zone, site)
Location of origin (URL, zone, site)

Evidence is completely extensible
Evidence is completely extensible

Any object can be a piece of evidence
Any object can be a piece of evidence

Only impacts grants if there is a code
Only impacts grants if there is a code
group membership condition that cares
group membership condition that cares
about it!
about it!
cryptographically
computed/validated
}
Assembly Input To Policy
Assembly Input To Policy

Assemblies may contain
Assemblies may contain
permission
permission
requests
requests

Minimum (
Minimum (

what I must have to run

what I must have to run

)
)

Optional (
Optional (

what I
what I

d like to have
d like to have

)
)

Refuse (
Refuse (

what I never need

what I never need

)
)

Permission requests are assembly
Permission requests are assembly
-
-
level
level
attributes (metadata declarations)
attributes (metadata declarations)
Assembly
Assembly
-
-
provided Evidence
provided Evidence

Assemblies can carry evidence
Assemblies can carry evidence
objects, too
objects, too

Initially
Initially
-
-
untrusted
untrusted

evidence
evidence

must be
must be
validated by the policy system
validated by the policy system

No policy components ship in V1 that use
No policy components ship in V1 that use
assembly
assembly
-
-
provided evidence, but it
provided evidence, but it

s
s
available to custom Membership
available to custom Membership
Conditions & Code Groups
Conditions & Code Groups

Example: third
Example: third
-
-
party certifications
party certifications
Putting It All Together
Putting It All Together
Policy Policy
Evaluator Evaluator
Assembly A3
Assembly A3
Permission Permission
Requests Requests
Security Security
Policy Policy
Evidence Evidence
G3 G3 G3 G3
Host
Host
Assembly A2
Assembly A2
G2 G2
G1 G1
Assembly A1
Assembly A1
Assembly A3
Assembly A3
Extending the Policy System
Extending the Policy System

Custom Permissions
Custom Permissions
App defined authorization for a resource App defined authorization for a resource
Easy integration with policy Easy integration with policy

Custom Code Groups & Membership
Custom Code Groups & Membership
Conditions
Conditions
Implement new Code Group logic Implement new Code Group logic
Dynamic permission set computation Dynamic permission set computation
Alter default combining logic Alter default combining logic

Custom Evidence
Custom Evidence
Create embedded evidence (e.g. certifications) Create embedded evidence (e.g. certifications)
Evidence from trusted hosts Evidence from trusted hosts
Agenda
Agenda

Overview of how code is run
Overview of how code is run

Policy evaluation in the CLR
Policy evaluation in the CLR

Permission enforcement
Permission enforcement

Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs

Web services security
Web services security
Permissions
Permissions

A permission is a set (or subset) of
A permission is a set (or subset) of
capabilities
capabilities

All permissions implement union,
All permissions implement union,
intersection, and subset operations
intersection, and subset operations

Requiring full
Requiring full

set mathematics
set mathematics

has
has
some drawbacks
some drawbacks

Ex.: Implementing regular expression
Ex.: Implementing regular expression
semantics is hard
semantics is hard

Permission types are orthogonal
Permission types are orthogonal

A demand for a permission of type A must
A demand for a permission of type A must
be satisfied with a grant of a permission
be satisfied with a grant of a permission
of type A
of type A
Permissions Protect Resources
Permissions Protect Resources

FileIO
FileIO

FileDialog
FileDialog

IsolatedStorage
IsolatedStorage

Environment
Environment

Registry
Registry

UI
UI

Printing
Printing

Reflection
Reflection

Security
Security

Socket
Socket

Web
Web

DNS
DNS

OleDb
OleDb

SQLClient
SQLClient

MessageQueue
MessageQueue

EventLog
EventLog

DirectoryServices
DirectoryServices

extensible
extensible
Execution, Assertion, Skip Verification, Execution, Assertion, Skip Verification,
Unmanaged code, Control evidence, Control Unmanaged code, Control evidence, Control
policy, Control principal, Control threads policy, Control principal, Control threads
Permission Enforcement
Permission Enforcement

Most permissions are
Most permissions are
code
code
-
-
access
access
permissions
permissions
and have stack
and have stack
-
-
walking
walking
semantics
semantics

A demand for a code
A demand for a code
-
-
access permission
access permission
must be satisfied by grants to every stack
must be satisfied by grants to every stack
frame above the demanding frame
frame above the demanding frame

Stack
Stack
-
-
walking is a defense against
walking is a defense against
luring attacks
luring attacks

Less
Less
-
-
trusted code tricking more
trusted code tricking more
-
-
trusted
trusted
code into performing protected operations
code into performing protected operations

Stack walk modifiers
Stack walk modifiers
can change the
can change the
default semantics
default semantics
Stack
Stack
-
-
walking Semantics
walking Semantics
Method M3
Method M3
Method M2
Method M2
Method M1
Method M1
Method M4
Method M4
Call Stack Call Stack
Grows Down Grows Down
G2 G2
G1 G1
G3 G3
G4 G4
Each method has a set of Each method has a set of
corresponding grants corresponding grants
Method M4 Method M4
demands a demands a
permission P permission P
P P
P is compared P is compared
with grants of all with grants of all
callers on the callers on the
stack above M4 stack above M4
P P
P P
P P
Stack Walk Modifiers
Stack Walk Modifiers

Modifiers provide fine
Modifiers provide fine
-
-
grained, dynamic
grained, dynamic
control over state of grants on the stack
control over state of grants on the stack

Most common modifier is
Most common modifier is Assert Assert
I vouch for my callers; checks for this I vouch for my callers; checks for this
permission can stop at my frame permission can stop at my frame

Example:
Example:

Gatekeeper
Gatekeeper

classes
classes
Managed wrappers for unmanaged resources Managed wrappers for unmanaged resources
Demand appropriate permission from caller Demand appropriate permission from caller
Assert permission to call unmanaged code Assert permission to call unmanaged code
Make the unmanaged call Make the unmanaged call
Modifiers in Action
Modifiers in Action

Assert()
Assert()
Call Stack Call Stack
Grows Down Grows Down
G2 G2
G3 G3
G4 G4
Each method has a set of Each method has a set of
corresponding grants corresponding grants
Method M4 Method M4
demands a demands a
permission P permission P
P P
P is compared P is compared
with grants of all with grants of all
callers on the callers on the
stack above M4 stack above M4
P P
P P
P P G1 G1
P.Assert()
Method M3
Method M3
Method M2
Method M2
Method M1
Method M1
Method M4
Method M4
Stack Walk Modifiers (2)
Stack Walk Modifiers (2)

Three types of modifiers: Assert, Deny,
Three types of modifiers: Assert, Deny,
PermitOnly
PermitOnly
Deny() fails any stack walk that reaches it & Deny() fails any stack walk that reaches it &
matches matches
PermitOnly() fails any non PermitOnly() fails any non- -matching stack walk matching stack walk

Assert, Deny & PermitOnly work by
Assert, Deny & PermitOnly work by
dynamically modifying the stack
dynamically modifying the stack
Methods that call these methods have an extra Methods that call these methods have an extra
slot in their stack frames reserved for this slot in their stack frames reserved for this
information information
We detect the need to reserve stack space at JIT We detect the need to reserve stack space at JIT- -
time. Dynamic methods themselves are marked time. Dynamic methods themselves are marked
with a special attribute with a special attribute
Permission Enforcement
Permission Enforcement

Programmers may ask the security
Programmers may ask the security
system to perform permission checks
system to perform permission checks
either imperatively or declaratively
either imperatively or declaratively

Imperative
Imperative
security operations are
security operations are
performed by the programmer via
performed by the programmer via
object creation and method invocation
object creation and method invocation

Declarative
Declarative
security operations are
security operations are
made by annotating source code with
made by annotating source code with
metadata declarations
metadata declarations

Also used for permission requests
Also used for permission requests
Imperative Security Actions
Imperative Security Actions
Actions occur at runtime as part of a method body, Actions occur at runtime as part of a method body,
just like any other call just like any other call
All permission objects have a Demand() method to invoke a All permission objects have a Demand() method to invoke a
security check for that permission. security check for that permission.
Example: Frameworks File object constructor Example: Frameworks File object constructor
Requires Requires read read access to the corresponding file access to the corresponding file
public File(String fileName) { public File(String fileName) {
// Must fully qualify the path for the security check // Must fully qualify the path for the security check
String fullPath = Directory.GetFullPathInternal(fileName); String fullPath = Directory.GetFullPathInternal(fileName);
new FileIOPermission(FileIOPermissionAccess.Read, new FileIOPermission(FileIOPermissionAccess.Read,
fullPath).Demand(); fullPath).Demand();
//[ //[ rest of function rest of function ] ]
} }
Design Philosophy for
Design Philosophy for
Declarative Security
Declarative Security

Make it easy for
Make it easy for

Developers to make security checks in
Developers to make security checks in
their own programs at the method or
their own programs at the method or
class level
class level

Code auditors, reviewers & automated
Code auditors, reviewers & automated
tools to see where security
tools to see where security
-
-
related
related
actions are taking place
actions are taking place

Assembly authors to state their
Assembly authors to state their
requirements to the policy system, so
requirements to the policy system, so
policy can fail them early if it refuses to
policy can fail them early if it refuses to
meet their requirements
meet their requirements
Declarative Security Demand
Declarative Security Demand

An example declaration (C#):
An example declaration (C#):
[FileIOPermission(SecurityAction.Demand,
[FileIOPermission(SecurityAction.Demand,
Write =
Write =

c:
c:
\
\
\
\
temp
temp

)]
)]
public void foo() {
public void foo() {
// class does something with c:
// class does something with c:
\
\
temp
temp
}
}

In v1 of the CLR, security declarations
In v1 of the CLR, security declarations
cannot contain runtime variables
cannot contain runtime variables

Permission state must be completely
Permission state must be completely
specified at compile
specified at compile
-
-
time
time

Some compiler support required to
Some compiler support required to
enable declarative security
enable declarative security
Declarative Security Actions
Declarative Security Actions

Actions are declared as part of the metadata
Actions are declared as part of the metadata
via a custom attribute
via a custom attribute

May occur at run
May occur at run
-
-
time or bind
time or bind
-
-
time
time
depending on the particular action
depending on the particular action
Demand() occurs at runtime Demand() occurs at runtime
LinkDemand(), InheritanceDemand() occur at LinkDemand(), InheritanceDemand() occur at
bind bind- -time time

Bind
Bind
-
-
time actions are automatically invoked
time actions are automatically invoked
by the JIT compiler when the caller is
by the JIT compiler when the caller is
compiled or the subclass is loaded
compiled or the subclass is loaded

For run
For run
-
-
time declarations, the JIT compiler
time declarations, the JIT compiler
emits code performing the security check
emits code performing the security check
into an interceptor stub wrapped around the
into an interceptor stub wrapped around the
method body
method body
Declarative Security & Compilers
Declarative Security & Compilers

Declarative security requires compiler
Declarative security requires compiler
support as well as presence of the CLR
support as well as presence of the CLR

Security custom attributes could
Security custom attributes could
reference external data (e.g. an X.509
reference external data (e.g. an X.509
certificate in a
certificate in a
PublisherIdentityPermission declaration)
PublisherIdentityPermission declaration)

Thus, at compile time we have to de
Thus, at compile time we have to de
-
-
reference any external entities & serialize
reference any external entities & serialize
them into metadata
them into metadata

We also compact multiple declarations of
We also compact multiple declarations of
the same action type into a single
the same action type into a single
permission set for efficiency reasons
permission set for efficiency reasons
Agenda
Agenda

Overview of how code is run
Overview of how code is run

Policy evaluation in the CLR
Policy evaluation in the CLR

Permission enforcement
Permission enforcement

Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs

Web services security
Web services security
Class Loading & Binding to Types
Class Loading & Binding to Types

Inter
Inter
-
-
assembly binding (dynamic linking)
assembly binding (dynamic linking)
Assembly A2
Assembly A2 Assembly A1
Assembly A1

Intra
Intra
-
-
assembly binding (multi
assembly binding (multi
-
-
file
file
assemblies)
assemblies)
Assembly A1
Assembly A1
File F1
File F1
File F2
File F2
File F3
File F3
File F4
File F4
Manifest
Manifest
Class Loading & Binding (2)
Class Loading & Binding (2)

Problem Definition:
Problem Definition:
With shared libraries/dynamic linking, there With shared libraries/dynamic linking, there s a s a
general risk of code spoofing ( general risk of code spoofing ( DLL hell DLL hell ). ).
We We ve seen numerous attacks in past systems ve seen numerous attacks in past systems
where where system libraries system libraries are replaced. are replaced.
In the CLR, there are two main attack vectors In the CLR, there are two main attack vectors
Spoof the implementation of a type or Spoof the implementation of a type or
assembly assembly
Replace part of a multi Replace part of a multi- -file assembly file assembly

Cryptographically
Cryptographically
-
-
strong binding can defend
strong binding can defend
against this class of attack
against this class of attack
Strong Names
Strong Names

Every public/private key pair defines the root
Every public/private key pair defines the root
of a
of a

cryptographically
cryptographically
-
-
sealed
sealed

namespace
namespace
Any developer can define their own namespace Any developer can define their own namespace
by generating a random key pair by generating a random key pair

A
A

strong name
strong name

is a tuple of the form:

is a tuple of the form:
(public key, name, version, culture/locale) (public key, name, version, culture/locale)
Strong names are valid only when accompanied Strong names are valid only when accompanied
by a corresponding signature over the assembly by a corresponding signature over the assembly
manifest manifest
Similar to SDSI names Similar to SDSI names

Strong names are intended only to be
Strong names are intended only to be
unspoofable names; there
unspoofable names; there

s no implied trust
s no implied trust
Strong Names (2)
Strong Names (2)

In v1, all strong names use 1024
In v1, all strong names use 1024
-
-
bit RSA key
bit RSA key
pairs, and the signature algorithm is always
pairs, and the signature algorithm is always
RSA
RSA
-
-
SHA1.
SHA1.

An assembly must have a strong name to be
An assembly must have a strong name to be
shared across multiple applications
shared across multiple applications
(included in the Global Assembly Cache)
(included in the Global Assembly Cache)

Multi
Multi
-
-
file assemblies are always hash
file assemblies are always hash
-
-
referenced.
referenced.

Strong names give us side
Strong names give us side
-
-
by
by
-
-
side support
side support
(multiple versions of an assembly can co
(multiple versions of an assembly can co
-
-
exist on a single machine)
exist on a single machine)
Strong Names and Revocation
Strong Names and Revocation

Strong names are a self
Strong names are a self
-
-
identification
identification
technology, not a certification or third
technology, not a certification or third
-
-
party trust mechanism
party trust mechanism

You could build a certification scheme on
You could build a certification scheme on
top of strong names if you wanted to
top of strong names if you wanted to

Strong names cannot be
Strong names cannot be

revoked
revoked

,
,
since there
since there

s no certification to be
s no certification to be
undone.
undone.

But one could combine strong names with
But one could combine strong names with
an on
an on
-
-
line validity check to create positive
line validity check to create positive
evidence for a more complex trust
evidence for a more complex trust
policy
policy

Strong Names and Binding Policy

Strong Names and Binding Policy

By default, CLR binding policy for
By default, CLR binding policy for
strong name references is
strong name references is

exact
exact
version match
version match

You get the version of an assembly you
You get the version of an assembly you
were compiled against, even if a later
were compiled against, even if a later
version exists on the system.
version exists on the system.

Default binding policy may be
Default binding policy may be
overridden via
overridden via
config
config
files
files

Application
Application
-
-
, assembly
, assembly
-
-
& runtime
& runtime
-
-
level
level
overrides are possible
overrides are possible

Useful for
Useful for

hotfix
hotfix

& upgrade scenarios,

& upgrade scenarios,
but under the control of the application
but under the control of the application
author
author
Semi
Semi
-
-
Public APIs
Public APIs

Goal: private interfaces between DLLs
Goal: private interfaces between DLLs

Identity permissions restrict API access
Identity permissions restrict API access
Can also be done with any permission Can also be done with any permission

Best to restrict by digital signatures
Best to restrict by digital signatures
Also can be used with web site etc. Also can be used with web site etc.

Either JIT
Either JIT
-
-
time link check, or full demand
time link check, or full demand
JIT JIT- -time only checks direct caller time only checks direct caller caution caution
[StrongNameIdentityPermission
(SecurityAction.LinkDemand, parameters ]
[ZoneIdentityPermission
(SecurityAction.Demand,
Zone= SecurityZone.Intranet)]
public class Class1
Semi
Semi
-
-
Public APIs (2)
Public APIs (2)

Restrict subclassing
Restrict subclassing
[StrongNameIdentityPermission( [StrongNameIdentityPermission(
SecurityAction.InheritanceDemand, SecurityAction.InheritanceDemand,
PublicKey={0,127,8, 32, 8, PublicKey={0,127,8, 32, 8, )] )]
public class Foo { ... } public class Foo { ... }
[ZoneIdentityPermission(
[ZoneIdentityPermission(
SecurityAction.LinkDemand,
SecurityAction.LinkDemand,
Zone=SecurityZone.MyComputer)]
Zone=SecurityZone.MyComputer)]
public class Foo {...}
public class Foo {...}

Restrict callers
Restrict callers
Agenda
Agenda

Overview of how code is run
Overview of how code is run

Policy evaluation in the CLR
Policy evaluation in the CLR

Permission enforcement
Permission enforcement

Strong names, secure binding and
Strong names, secure binding and
semi
semi
-
-
public APIs
public APIs

Web services security
Web services security
Securing XML Web Services
Securing XML Web Services

A secure Web services can be built
A secure Web services can be built
on well known technologies today
on well known technologies today

Today
Today

Secure the infrastructure
Secure the infrastructure

Secure the transport (HTTP)
Secure the transport (HTTP)

Authentication and authorization
Authentication and authorization
Consumer Consumer Server Server
SOAP over HTTP Request SOAP over HTTP Request
HTTP HTTP
HTTP HTTP HTTP Headers HTTP Headers
HTTP Body HTTP Body SOAP Message SOAP Message
SOAP Body SOAP Body
SOAP Headers SOAP Headers
Authentication
Authentication
is part of the
is part of the
HTTP protocol
HTTP protocol
or can be built
or can be built
on top of SOAP
on top of SOAP
ASP.NET Authentication
ASP.NET Authentication

Windows Authentication (via IIS)
Windows Authentication (via IIS)
HTTP Authentication Standards (RFC 2617) HTTP Authentication Standards (RFC 2617)
Basic Basic
Digest Digest
Integrated Windows Authentication Integrated Windows Authentication
NTLM NTLM
Kerberos Kerberos
SSL/TLS with X.509 Client Certificates SSL/TLS with X.509 Client Certificates

Custom Authentication
Custom Authentication
ASP.NET support for application layer security ASP.NET support for application layer security

Unified programming model for all forms of
Unified programming model for all forms of
authentication
authentication
ASP.NET Authorization
ASP.NET Authorization

Windows Security
Windows Security
Access Control Lists Access Control Lists
Option request entity impersonation Option request entity impersonation

URL Authorization
URL Authorization
Flexible XML configuration for access Flexible XML configuration for access
control control

Custom Authorization
Custom Authorization
Business/application logic can be layered on Business/application logic can be layered on
top of other authorization strategies top of other authorization strategies

Explicit imperative or declarative
Explicit imperative or declarative
permission checks
permission checks
ASP.NET URL Authorization
ASP.NET URL Authorization

Example: allow
Example: allow

Admins
Admins

or
or

WebServiceUsers
WebServiceUsers

and deny all others

and deny all others

Roles can be Windows
Roles can be Windows

groups or defined by
groups or defined by
application
application
<! <!-- -- * represents all users, * represents all users,
? represents anonymous users ? represents anonymous users -- --> >
<authorization> <authorization>
<allow verbs="POST" Roles="Admins" /> <allow verbs="POST" Roles="Admins" />
<allow Roles=" <allow Roles="WebServiceUsers WebServiceUsers"/> "/>
<deny users="*" /> <deny users="*" />
</authorization> </authorization>
XML Web Services Security
XML Web Services Security

A secure Web Service can be built on
A secure Web Service can be built on
well
well
-
-
known technologies today
known technologies today

Today
Today

Secure the infrastructure
Secure the infrastructure

Secure the connection
Secure the connection

Authentication & Authorization
Authentication & Authorization

But
But

these don
these don

t offer an integrated
t offer an integrated
and interoperable solution
and interoperable solution

Integrated SOAP/message security
Integrated SOAP/message security

WS
WS
-
-
Security
Security

the heart of the GXA

the heart of the GXA
security model
security model
Global XML Architecture (GXA)
Global XML Architecture (GXA)
SOAP SOAP
HTTP/SMTP HTTP/SMTP XML XML TCP/IP TCP/IP
Directory Directory
Inspection Inspection
Building Block Modules Building Block Modules
Inter Application Protocols Inter Application Protocols
Referral Referral
Routing Routing
Security Security
Coordination Coordination
Eventing Eventing
Reliable Messaging Reliable Messaging
The Internet The Internet
Description Description


WS
WS
-
-
Security Drilldown
Security Drilldown

Enables secure SOAP messaging
Enables secure SOAP messaging
Message integrity (via XMLDSIG) Message integrity (via XMLDSIG)
Message confidentiality (via XMLENC) Message confidentiality (via XMLENC)
Passing credentials (e.g. Passing credentials (e.g. XrML XrML tokens) tokens)

Modular extensions
Modular extensions
Used independently or together Used independently or together
Standalone or with other SOAP extensions Standalone or with other SOAP extensions

Extensible
Extensible

Spec available at:
Spec available at:
http://msdn.microsoft.com/ws/2002/04/Security/ http://msdn.microsoft.com/ws/2002/04/Security/
Summary
Summary

Evidence
Evidence
-
-
based security model and the
based security model and the
CLR trust management engine
CLR trust management engine

For most users, policy evaluation is
For most users, policy evaluation is
performed by a simple, hierarchical
performed by a simple, hierarchical
collection of code groups
collection of code groups

Code
Code
-
-
access security permissions
access security permissions

Dynamic stack
Dynamic stack
-
-
walk modifiers
walk modifiers

Declarative security annotations
Declarative security annotations

Secure binding & controlled
Secure binding & controlled
-
-
access APIs
access APIs

Web services security
Web services security
Additional Resources
Additional Resources

http://msdn.microsoft.com/net/security
http://msdn.microsoft.com/net/security

.NET Framework SDK documentation
.NET Framework SDK documentation

.NET Framework Security
.NET Framework Security
Questions?
Questions?