Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented By: Ahmed ALSUM PhD Student CS 895:.Net Security Old Dominion University College of Science Department of Computer Science.

Published byIsaac Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "Presented By: Ahmed ALSUM PhD Student CS 895:.Net Security Old Dominion University College of Science Department of Computer Science."— Presentation transcript:

1 Presented By: Ahmed ALSUM PhD Student CS 895:.Net Security Old Dominion University College of Science Department of Computer Science

2 Outline

3 What’s a Permission Permissions limit what an assembly can do ◦ –run if code not verifiable? ◦ –access file system? ◦ –access the network? ◦ –access certain environment variables? ◦ –call native code (COM objects, DLLs)? ◦ –access files or printers without asking user?

4 Security Code Access Security Code may require permissions to run Security policy determines what code is allowed to run ◦ By machine  Where did this code come from?  Who authored it? ◦ By user If no permission then a SecurityException is thrown

5 Security Code Access Security Can specify the permissions needed by code ◦ Declarative, with attributes ◦ Imperative  Create a permission object, then call Demand() By default, the CLR will ensure that all code in call chain has the necessary permissions

6 Security Code Access Security Security check Varying levels of trust Behavior constrained by least trustworthy component Assembly A1 Assembly A2 Assembly A3 Assembly A4 G1 G4 G3 G2 P P P Call Chain

7 Security Code Access Security Can override security checks ◦ Assert() lets you and the code you call perform actions that you have permission to do, but your callers may not. ◦ Deny() lets you prevent downstream code from performing certain actions ◦ PermitOnly() is like Deny(), but you specify the only permissions the downstream code will have.

8 Security Permissions Code access permissions ◦ Protect resources and operations ◦ Ex. DnsPermission, EnvironmentPermission, WebPermission Identity permissions ◦ Characteristics of an assembly‘s identity ◦ Ex. URLIdentityPermission, ZoneIdentityPermission Role-based permissions ◦ Discover a user‘s role or identity ◦ Ex. PrincipalPermission Custom permissions ◦ Design and implement your own classes

9 Permissions classes Resources AccessedRequired Permissions DPAPI encryptionDataProtectionPermission DNS directoryDnsPermission Environment variablesEnvironmentPermission Event logEventLogPermission File dialogFileDialogPermission File systemFileIOPermission Isolated file storageIsolatedStoragePermission Key containersKeyContainerPermission Message queuesMessageQueuePermission Network information and traffic statisticsNetworkInformationPermission OLE DB data sourcesOleDbPermission Performance countersPerformanceCounterPermission

10 Permissions classes Resources Accessed Required Permissions PrintersPrintingPermission ReflectionReflectionPermission RegistryRegistryPermission SecuritySecurityPermission SMTP serversSmtpPermission SocketsSocketsPermission SQL Server notificationsSqlNotificationPermission SQL ServerSqlClientPermission Stores containing X.509 certificatesStorePermission User interfaces and clipboardUIPermission Web services (and other HTTP Internet resources)WebPermission

11 Namespace: System.Security CodeAccessPermission Defines the underlying structure of all code access permissions  When you inherit from CodeAccessPermission, you must also implement the IUnrestrictedPermission interface.  The following CodeAccessPermission members must be overridden: Copy, Intersect, IsSubsetOf, ToXml, FromXml, and Union.  You must also define a constructor that takes a PermissionState as its only parameter.  You must apply the SerializableAttribute attribute to a class that inherits from CodeAccessPermission. Custom Permission Example

12 Namespace: System.Security.Permissions CodeAccessSecurityAttribute The security information declared by a security attribute is stored in the metadata of the attribute target and is accessed by the system at run time. Security attributes are used only for declarative security. All permission attributes derived from this class must have only a single constructor that takes a SecurityAction as its only parameter. Custom Attribute Example

13 Namespace: System.Security.Permissions PermissionState Enumeration Specifies whether a permission should have all or no access to resources at creation.  Unrestricted: Full access to the resource protected by the permission.  None: No access to the resource protected by the permission. Ex, the file permission constructor could create an object representing either no access to any files or all access to all files. Intermediate states can be set according to the specific permission semantics.

14 EnvironmentPermission Environment variable names are designated by one or more case- insensitive name lists separated by semicolons, with separate lists for read and write access to the named variables. EnvironmentPermission class controls access to system and user environment variables. EnvironmentPermission tmpVariable = new EnvironmentPermission( EnvironmentPermissionAccess.Read, "TEMP"); tmpVariable.Deny();

15 FileIOPermission Controls the ability to access files and folders. This permission distinguishes between: Read, Write, Append, and PathDiscovery. All these permissions are independent, meaning that rights to one do not imply rights to another. FileIOPermission fp = new FileIOPermission(PermissionState.None); fp.AllLocalFiles = FileIOPermissionAccess.Read; fp.Demand();

16 WebBrowserPermission It controls the ability to create the WebBrowser control. In the Windows Presentation Foundation (WPF), the Web browser control enables frames to navigate HTML. This permission uses the values of the WebBrowserPermission enumerations. WebBrowserPermission webBrowserPermission = new WebBrowserPermission(WebBrowserPermissionLevel.Unrestricted);

17 MediaPermission The MediaPermission describes a set of security permissions that controls the ability for audio, image, and video media to work in a partial-trust Windows Presentation Foundation (WPF) application.

18 RegistryPermission RegistryPermission describes protected operations on registry variables. Registry variables should not be stored in memory locations where code without RegistryPermission can access them. If the registry object is passed to an untrusted caller it can be misused. RegistryPermission f = new RegistryPermission( RegistryPermissionAccess.Read, "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProces sor\\0");

19 PrincipalPermission By passing identity information (user name and role) to the constructor, PrincipalPermission can be used to demand that the identity of the active principal matches this information. It implements the IPermission interface. This is because PrincipalPermission is not a code access permission; that is, it is not granted based on the identity of the executing assembly. Instead, it allows code to perform actions (Demand, Union, Intersect, and so on) against the current user identity.IPermissionDemandUnionIntersect AppDomain.CurrentDomain.SetPrincipalPolicy( PrincipalPolicy.WindowsPrincipal); PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators"); principalPerm.Demand();

20 Namespace: System.Net WebPermission WebPermission provides a set of methods and properties to control access to Internet resources. You can use a WebPermission to provide either restricted or unrestricted access to your resource, based on the PermissionState that is set when the WebPermission is created.PermissionState Regex myRegex = new Regex(@"http://www\.microsoft\.com/.*"); WebPermission wp = new WebPermission(NetworkAccess.Connect,myRegex); wp.AddPermission(NetworkAccess.Accept, "http://www.odu.edu/"); wp.Demand();

21 Namespace: System.Data.OleDb OleDbPermission Enables the.NET Framework Data Provider for OLE DB to help make sure that a user has a security level sufficient to access an OLE DB data source

22 Namespace: System.Net DnsPermission Controls rights to access Domain Name System (DNS) servers on the network. The default permissions allow all local and Intranet zone applications to access DNS services, and no DNS permission for Internet zone applications. DnsPermission permission = new DnsPermission(PermissionState.Unrestricted); permission.Demand();

23 References Programming.NET Security, O’Reilly by Adam Freeman, Allen Jones.NET Framework Class Library - System.Security.Permissions Namespace URL: http://msdn.microsoft.com/en-us/library/24ed02w7.aspx.NET Framework Developer's Guide - Key Security Concepts URL: http://msdn.microsoft.com/en-us/library/z164t8hs(v=VS.71).aspx

24 QUESTIONS ?

Download ppt "Presented By: Ahmed ALSUM PhD Student CS 895:.Net Security Old Dominion University College of Science Department of Computer Science."

Similar presentations

Security for Developers Code Access Security Steven Borg & Richard Hundhausen Accentient, Inc.

Security for Developers Code Access Security Steven Borg & Richard Hundhausen Accentient, Inc.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 17 Secure Coding in Java and.NET Part 2: Code Access Control.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
.NET Framework Overview Pingping Ma Nov 16 th, 2006.

.NET Framework Overview Pingping Ma Nov 16 th, 2006.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,

1 Frameworks. 2 Framework Set of cooperating classes/interfaces –Structure essential mechanisms of a problem domain –Programmer can extend framework classes,
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
14.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

14.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Security in.NET Jørgen Thyme Microsoft Denmark. Topics & non-topics  Cryptography  App domains  Impersonation / delegation  Authentication  Authorization.

Security in.NET Jørgen Thyme Microsoft Denmark. Topics & non-topics  Cryptography  App domains  Impersonation / delegation  Authentication  Authorization.
Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.

Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.

Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.
Module 15 Configuring and Deploying Windows Client Applications.

Module 15 Configuring and Deploying Windows Client Applications.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Similar presentations

Ads by Google