Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control.

Similar presentations


Presentation on theme: "© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control."— Presentation transcript:

1 © 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control

2 2 SY32 Secure Computing, Lecture 17 Outline Introduction Introduction Role-based access control Role-based access control Implementation in.NET Implementation in.NET Code-based access control Code-based access control General concepts General concepts Implementation in.NET and Java Implementation in.NET and Java

3 3 SY32 Secure Computing, Lecture 17 Introduction Two things to decide: Two things to decide: Do we allow code to execute? Do we allow code to execute? What permissions should code be granted? What permissions should code be granted? Decisions can be based on Decisions can be based on Identity of user wishing to run the code Identity of user wishing to run the code Identity of the code itself Identity of the code itself How do we enforce these decisions? How do we enforce these decisions? How do we administer the system? How do we administer the system?

4 4 SY32 Secure Computing, Lecture 17 Role-Based Access Control Decisions are based on user identity Decisions are based on user identity Analogous to security at OS level Analogous to security at OS level Not a replacement for OS security decisions! Not a replacement for OS security decisions! Implementation in.NET: Implementation in.NET: Uses concept of a principal: an object encapsulating users identity and roles Uses concept of a principal: an object encapsulating users identity and roles Classes are provided to represent identities and principals derived from Windows accounts Classes are provided to represent identities and principals derived from Windows accounts Code indicates requirement for a particular principal by making a security demand Code indicates requirement for a particular principal by making a security demand

5 5 SY32 Secure Computing, Lecture 17.NET Example WindowsIdentity id = WindowsIdentity.GetCurrent(); Thread.CurrentPrincipal = new WindowsPrincipal(id); [PrincipalPermission(SecurityAction.Demand,Name="Bob " )] public void doSomething() {... } Activate role-based access control in current thread… …elsewhere in code, mark a method with an attribute that makes a security demand for a principalin this case, user Bob

6 6 SY32 Secure Computing, Lecture 17 Code-Based Access Control Decisions are based on identity of code Decisions are based on identity of code Identity of code derives from Identity of code derives from Point of origin Point of origin Identity of signer(s) Identity of signer(s) Code identity maps onto a set of permissions Code identity maps onto a set of permissions Collection of these mappings constitutes code access security (CAS) policy Collection of these mappings constitutes code access security (CAS) policy

7 7 SY32 Secure Computing, Lecture 17 CAS Policy Resolution in.NET Evidence CAS policy Permission requests Policy evaluator Grant set for assembly HostAssembly

8 8 SY32 Secure Computing, Lecture 17 Evidence Standard set of classes provided to represent various kinds of evidence Standard set of classes provided to represent various kinds of evidence Hash (hash code of assembly's bytes) Hash (hash code of assembly's bytes) Publisher (Authenticode signature of publisher) Publisher (Authenticode signature of publisher) Site (domain name of source of assembly) Site (domain name of source of assembly) StrongName (digital signature computed from name, version number and hash code) StrongName (digital signature computed from name, version number and hash code) URL (URL of assembly) URL (URL of assembly) Zone (IE security zone to which assembly belongs) Zone (IE security zone to which assembly belongs)

9 9 SY32 Secure Computing, Lecture 17 Elements of CAS Policy Assembly can belong to various code groups Assembly can belong to various code groups Each code group has membership conditions and a set of permissions Each code group has membership conditions and a set of permissions Evidence is matched against code group membership conditions hierarchically Evidence is matched against code group membership conditions hierarchically Initial set of permissions granted to an assembly is the union of the permission sets of its code groups Initial set of permissions granted to an assembly is the union of the permission sets of its code groups

10 10 SY32 Secure Computing, Lecture 17 Policy Resolution: Example 1 All_Code Cond: None Perm: Nothing My_Computer_Zone Cond: Zone = MyComputer Perm: FullTrust LocalIntranet_Zone Cond: Zone = LocalIntranet Perm: LocalIntranet Xyz_Site Cond: Site = Perm: XyzPermissions Internet_Zone Cond: Zone = Internet Perm: Internet Resulting permissions: Nothing U FullTrust.NET assembly is loaded from local disk...

11 11 SY32 Secure Computing, Lecture 17 Policy Resolution: Example 2 All_Code Cond: None Perm: Nothing My_Computer_Zone Cond: Zone = MyComputer Perm: FullTrust LocalIntranet_Zone Cond: Zone = LocalIntranet Perm: LocalIntranet Xyz_Site Cond: Site = Perm: XyzPermissions Internet_Zone Cond: Zone = Internet Perm: Internet Resulting permissions: Nothing U Internet U XyzPermissions.NET assembly is loaded from

12 12 SY32 Secure Computing, Lecture 17 Policy Levels Four different CAS policy levels in.NET Four different CAS policy levels in.NET Enterprise ( enterprisesec.config ) Enterprise ( enterprisesec.config ) Machine ( security.config ) Machine ( security.config ) User ( security.config in user profile) User ( security.config in user profile) Application domain (programmed) Application domain (programmed) Policy resolution happens independently at each level and results are intersected Policy resolution happens independently at each level and results are intersected Why is this complexity required?... Why is this complexity required?...

13 13 SY32 Secure Computing, Lecture 17 Policy Management in.NET Use caspol command-line tool Use caspol command-line tool Use MS management console snap-in for.NET Use MS management console snap-in for.NET

14 14 SY32 Secure Computing, Lecture 17 CAS Policy in Java URL of code and public key(s) of its signer(s) are used as evidence URL of code and public key(s) of its signer(s) are used as evidence Mapping of code identity onto permissions is termed a protection domain Mapping of code identity onto permissions is termed a protection domain Protection domains are specified in policy files Protection domains are specified in policy files $JAVA_HOME/lib/security/java.policy $JAVA_HOME/lib/security/java.policy $HOME/.java.policy $HOME/.java.policy Policy files do not correspond to.NET policy levels; grants do not intersect! Policy files do not correspond to.NET policy levels; grants do not intersect!

15 15 SY32 Secure Computing, Lecture 17 A Java Security Policy File grant codeBase "http://www.xyz.com/", signedBy "nick" { permission java.io.FilePermission "/tmp/*", "write"; permission java.net.SocketPermission "*:1024-", "connect"; }; Code from signed by a public key with keystore alias nick… Code from signed by a public key with keystore alias nick… …has permission to write to any file in /tmp … …has permission to write to any file in /tmp … …and permission to connect to any site using a non-privileged port …and permission to connect to any site using a non-privileged port

16 16 SY32 Secure Computing, Lecture 17 Enforcing Policy: Java Example What if a trusted caller is itself invoked by untrusted, malicious code?... (luring attack) public class Socket { public Socket(String host, int port) { SocketPermission perm = new SocketPermission(host + ":" + port, "connect"); AccessController.checkPermission(perm);... }... }

17 17 SY32 Secure Computing, Lecture 17 Walking The Stack in.NET Socket.Connect Method D Method C Method B Method A Call stack Assembly X Assembly Y Assembly Z System.dll SocketPermission demanded SocketPermission granted SecurityException

18 18 SY32 Secure Computing, Lecture 17 Initiating a Stack Walk In.NET, call the appropriate permission object's Demand method In.NET, call the appropriate permission object's Demand method In Java, call checkPermission method of AccessController class, with demanded permission as an argument In Java, call checkPermission method of AccessController class, with demanded permission as an argument Demands are typically made within trusted library code; it usually isn't necessary to make them explicitly yourself Demands are typically made within trusted library code; it usually isn't necessary to make them explicitly yourself

19 19 SY32 Secure Computing, Lecture 17 Controlling Stack Walks in.NET Security action Assert terminates stack walk without triggering a SecurityException Security action Assert terminates stack walk without triggering a SecurityException Making an assertion = vouching for callers Making an assertion = vouching for callers Need to be very sure that callers can't wreak havoc! Need to be very sure that callers can't wreak havoc! Security action Deny forces termination of a stack walk with a SecurityException Security action Deny forces termination of a stack walk with a SecurityException Assertions or denials can be cancelled via calls to RevertAssert or RevertDeny Assertions or denials can be cancelled via calls to RevertAssert or RevertDeny

20 20 SY32 Secure Computing, Lecture 17 Example How can we make sure that a method needing to log data to a file can always do so, regardless of caller permissions? How can we make sure that a method needing to log data to a file can always do so, regardless of caller permissions? Answer: use Assert security action Answer: use Assert security action Which style of action? Which style of action? Imperative Imperative Declarative Declarative

21 21 SY32 Secure Computing, Lecture 17 Implementations public void UpdateLog(string text) { const string logfile = "C:\\MyApp.log"; FileIOPermission perm = new FileIOPermission(FileIOPermission.Append, logfile); perm.Assert();... } [FileIOPermission( SecurityAction.Assert,Append="C:\\MyApp.log")] public void UpdateLog(string text) {... } Imperative Declarative

22 22 SY32 Secure Computing, Lecture 17 Imperative & Declarative Styles Imperative security actions Imperative security actions Can use information available only at run time Can use information available only at run time Cannot be discovered without running code Cannot be discovered without running code Declarative security actions Declarative security actions Are fixed at compile time Are fixed at compile time Can be discovered without running code (reflection) Can be discovered without running code (reflection)

23 23 SY32 Secure Computing, Lecture 17 Summary Access given to code can be determined from user identity or from code identity Access given to code can be determined from user identity or from code identity Code access security policy specifies mapping of code identities onto sets of permissions Code access security policy specifies mapping of code identities onto sets of permissions.NET resolves multiple policies and intersects results.NET resolves multiple policies and intersects results Policy is enforced by a stack walk, to prevent malicious code from luring trusted code Policy is enforced by a stack walk, to prevent malicious code from luring trusted code Stack walks can be controlled, e.g., using Assert and Deny in.NET Stack walks can be controlled, e.g., using Assert and Deny in.NET


Download ppt "© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control."

Similar presentations


Ads by Google