1/14/ :03 PM Session Code: arc340


1 Session Code: arc340
.Net Framework Application Security And Other New .Net Framework Security Technologies
Sebastian Lange – Program Manager
Ivan Medvedev - QA Lead
Microsoft Corporation
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Agenda
- Review: What’s already in the Box?
- Security Themes for this Release
- New Security Technologies!
  - Application Identity Based Security
  - Improved Security Error Information
  - Improved Protection scheme for public APIs
  - Tool for determining security needs of an app
  - PKI integration
  - XML Encryption
- Summary

3 Starting Points - v1.0, 1.1
- CAS and Security APIs in .Net Framework
- Goal: Enable “Partial Trust”
- Primary Security Identity: Code (Assembly)
- Authentication: Information collected about code (Evidence)
- Authorization: Code identity based policy system grants rights to access resources
- Enforcement: Verification, Validation, Stackwalks
- Crypto, PKI, XMLDsig APIs

4 Security Themes
- Make it easier to develop secure applications
- Improve integration with existing security technologies

5 Feedback
“There is no easy way to write and deploy semi-trusted applications for home end users.”

6 Application Identity Based Security
- Supports ClickOnce Application Programming Model
  - Visit CLI 370!
- Applications are self-describing!
  - Security Requirements persisted in manifest
- Applications are run in sandbox by default
- Sometimes applications require more trust
  - User consent or pre-configured security policy

7 Application Identity Based Security - Architecture
[Diagram labels: Application Trust Decisions; Deployment Manifest; Application ID; User Consent; outcomes: RUN, Not Known, Don’t Run]

8 Application Identity Based Security - Benefits
- Admins
  - Administration at application, not assembly scope
  - Better Risk assessment – applications state security requirements (for each assembly)
- Developers
  - Easier deployment on end user machines
  - Reduced attack surface
- End Users
  - Better install experience
  - Trust decisions are persisted and version independent
  - Applications more secure – run just with what they need

9 Feedback
“When I get a security exception it does not really tell me what went wrong!”

10 Better Security Error Information
- Expanded SecurityException Type
  - Now possible to tell precisely what failed and why
- Includes
  - Failed Assembly information
    - Including failed assemblies’ permission set grant
  - Security Action that failed
  - The permission set that was checked
- Deeply integrated into the VS IDE (Debug in Zones)
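An added example, not code from the original deck: reading the expanded SecurityException fields the slide lists (failed action, checked permission, failed assembly and its grant). It assumes the .NET Framework, where code access security is enforced; the class name, method names and file path are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class SecurityErrorDemo
{
    // Limits this stack frame to Execution permission, then touches the file
    // system. The PermitOnly restriction ends when the method returns or throws.
    static string ReadUnderRestriction(string path)
    {
        var allowed = new PermissionSet(PermissionState.None);
        allowed.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        allowed.PermitOnly();
        return File.ReadAllText(path); // the file I/O demand fails the stack walk
    }

    static void Main()
    {
        try
        {
            // Constructed path: the permission demand fails before any file is opened.
            ReadUnderRestriction(@"C:\constructed\example.txt");
        }
        catch (SecurityException ex)
        {
            // What failed and why, as exposed by the expanded exception type.
            Console.WriteLine("Security action : " + ex.Action);
            Console.WriteLine("Permission type : " + ex.PermissionType);
            Console.WriteLine("Demanded        : " + ex.Demanded);
            Console.WriteLine("First failure   : " + ex.FirstPermissionThatFailed);
            Console.WriteLine("PermitOnly set  : " + ex.PermitOnlySetInstance);
            Console.WriteLine("Failed assembly : " + ex.FailedAssemblyInfo);
            Console.WriteLine("Assembly grant  : " + ex.GrantedSet);
            Console.WriteLine("Failing method  : " + ex.Method);
        }
    }
}
```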

11 COOL

12 Feedback
“Why can’t I protect my API with multiple cryptographically strong identities?”

13 Improved Protection of Public APIs
- Was possible in V1.0/1.1 to limit access to public APIs
  - Link Demand for a cryptographically strong type of identity permission
- Was not possible to use more than one set of identity information in security checks
- New security actions (DemandChoice, LinkDemandChoice) that allow use of multiple permission sets
- Use of new type: PermissionSetCollection

14 Improved Protection of Public APIs
- DemandChoice
  - All stack frames are checked for meeting one of the permission sets in the permission set collection

    // Key1 and Key2 stand for the two public key strings.
    [method: StrongNameIdentityPermissionAttribute(
        SecurityAction.LinkDemandChoice, PublicKey = Key1)]
    [method: StrongNameIdentityPermissionAttribute(
        SecurityAction.LinkDemandChoice, PublicKey = Key2)]
    public static int ProductInternalMethod()
    {
        // code that should only be accessed
        // by assemblies signed with key 1 or 2
    }

15 Feedback
“I have a complex application. Why is there no tool that helps me find out the security requirements of my application?”

16 Determining Security Permission Requirements of your code
- Click-once Applications require that applications state the permissions they need in order to run
  - Developer needs to fill this information into application manifest
- Very important for
  - Doing security reviews of all other kinds of applications
  - Doing security reviews of APIs on shared library code
  - Understanding why your code does not run under some security restrictions

17 PermCalc Tool
- Command Line Tool
  - Using dll that can be accessed programmatically
- Checks the security requirements of an application
  - Outputs estimate of minimum set of permissions required to run application
- Checks the security requirements of APIs of a shared library
  - For each library API a permission set is returned
- Tool technology integrated into VS IDE (trust determination feature, intellisense in zones)
  - See TLS 344!

19 Determining the minimum set of permissions of an application
Ivan Medvedev
Test Lead
CLR Team

20 More on PermCalc
- Static assembly introspection
- Dataflow / Control Flow analysis
- Emulates execution of all code paths
[Diagram labels: Application; Required permissions: P2; An entry point (Main, etc.); Assembly 1: Method A, Method E, Assert P1, Method B, Method C, Method F, Demand P1; Assembly 2: Method D, Demand P2]

21 Why is PermCalc cool?
- Tells you if your app fits into SEE
  - More about SEE - CLI 411
- Makes it easy to develop for semi-trust
- XML output that can be processed or shipped with your library

22 Feedback
“Why is there no full integration with PKI? I need to validate a certificate, and I can’t do that with your current APIs.”

23 Public Key Infrastructure Integration
- Exposure of PKI APIs shipped on Windows Platform
  - X509
  - PKCS7 (signed and enveloped)
- Allows
  - Validation of Certificates
  - Retrieval of Certificate information
- Integrated together and with other technologies (Xml Dsig, Xml Encryption)

24 PKI (continued)
- X509
  - New class X509CertificateEx
  - Access to all certificate properties
  - Validation and chain building
  - System.Security.Cryptography.X509Certificates
- PKCS7
  - New classes EnvelopedCms, SignedCms
  - System.Security.Cryptography.Pkcs
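An added example, not code from the original deck: certificate validation and chain building as described on the PKI slides, written against the released X509Certificate2 and X509Chain classes rather than the X509CertificateEx name shown above. The self-signed certificate is constructed inside the example, and CertificateRequest assumes .NET Framework 4.7.2 or later (or .NET Core 2.0 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertCheck
{
    // Builds a chain for the certificate and returns every failure status.
    // An empty list means the chain validated under the given policy.
    static List<string> Validate(X509Certificate2 cert, X509RevocationMode revocation)
    {
        var problems = new List<string>();
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = revocation;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // no exemptions
            chain.ChainPolicy.VerificationTime = DateTime.Now;
            if (!chain.Build(cert))
                foreach (X509ChainStatus s in chain.ChainStatus)
                    problems.Add(s.Status + ": " + s.StatusInformation.Trim());
        }
        return problems;
    }

    static void Main()
    {
        // Constructed input: a throwaway self-signed certificate, so the chain
        // is expected to end in a root this machine does not trust.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-example", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30)))
            {
                Console.WriteLine("Subject {0}, thumbprint {1}, expires {2:u}",
                    cert.Subject, cert.Thumbprint, cert.NotAfter);
                // NoCheck keeps the example offline; use Online for real validation.
                foreach (string p in Validate(cert, X509RevocationMode.NoCheck))
                    Console.WriteLine("  chain problem: " + p);
            }
        }
    }
}
```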

25 PKI Integration with XML Digital Signatures
Ivan Medvedev
Test Lead
CLR Team

26 Feedback
“If XML is such an important technology, why don’t you have an API that helps me encrypt XML?”

27 XML Encryption
- W3C Compliant Implementation
  - Will be able to exchange data with other implementations
- XML Output
  - Does not have to be XML Input
- Can encrypt portions of an XML document
- Can encrypt different portions of the same document with different keys

28 XML Encryption
- Several types of encryption
  - Triple DES
  - AES 128
  - AES 192
  - AES 256
  - RSA
  - X509CertificateEx
- Driven through System.Security.Cryptography.Xml.EncryptedXml Class
- Integration with XML Digital Signature
  - XmlDecryptionTransform

29 Sample Input

    <PurchaseOrder>
      <Items>
        <Item Code=" " Quantity="1">
          Inside C#, Second Edition
        </Item>
      </Items>
      <ShippingAddress>
        One Redmond Way, Redmond, WA 98052
      </ShippingAddress>
      <PaymentInfo>
        <CreditCard type="Visa" expiration="09/15/05">
        </CreditCard>
      </PaymentInfo>
    </PurchaseOrder>

30 Encryption Code

    EncryptedXml exml = new EncryptedXml(xmlDoc);

    // encrypt the credit card element using AES-256 object ccKey
    exml.AddKeyNameMapping("ccKey", ccKey);
    EncryptedData ccEncrypted = exml.Encrypt(ccElem, "ccKey");
    EncryptedXml.ReplaceElement(ccElem, ccEncrypted, true);

    // encrypt the customer element using AES-256 object customerKey
    exml.AddKeyNameMapping("customerKey", customerKey);
    EncryptedData customerEncrypted = exml.Encrypt(customerElem, "customerKey");
    EncryptedXml.ReplaceElement(customerElem, customerEncrypted, true);

31 Resulting XML

    <PurchaseOrder>
      <Items>
        <Item Code=" " Quantity="1">Inside C#, Second Edition</Item>
      </Items>
      <EncryptedData Type="…" xmlns=…>
        <EncryptionMethod Algorithm="…" />
        <KeyInfo xmlns=…><KeyName>customerKey</KeyName></KeyInfo>
        <CipherData><CipherValue>pdDtiyd7XQ.....</CipherValue></CipherData>
      </EncryptedData>
      <EncryptedData Type="…" xmlns=…>
        <KeyInfo xmlns=…><KeyName>ccKey</KeyName></KeyInfo>
        <CipherData><CipherValue>bJlsW+q04...</CipherValue></CipherData>
      </EncryptedData>
    </PurchaseOrder>
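An added example, not code from the original deck: the encrypt-two-parts-with-two-keys flow from the XML Encryption slides carried through to decryption, written against the released EncryptedXml class. The sample document, key objects and helper names are constructed for illustration, and it assumes .NET Framework 4.7.2 or later (or modern .NET with the System.Security.Cryptography.Xml package).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlEncRoundTrip
{
    // Constructed sample document, modelled on the slide's purchase order.
    const string Sample =
        "<PurchaseOrder><Items><Item Quantity=\"1\">Inside C#, Second Edition</Item></Items>" +
        "<ShippingAddress>One Redmond Way, Redmond, WA 98052</ShippingAddress>" +
        "<PaymentInfo><CreditCard type=\"Visa\">0000-constructed</CreditCard></PaymentInfo>" +
        "</PurchaseOrder>";

    // Encrypts the first element with this tag name and swaps it for <EncryptedData>.
    static void EncryptElement(EncryptedXml exml, XmlDocument doc, string tag, string keyName)
    {
        var target = (XmlElement)doc.GetElementsByTagName(tag)[0];
        // In the released API the named key wraps a random AES-256 session key.
        EncryptedData ed = exml.Encrypt(target, keyName);
        EncryptedXml.ReplaceElement(target, ed, false); // false: replace the whole element
    }

    static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml(Sample);
        using (Aes ccKey = Aes.Create())
        using (Aes customerKey = Aes.Create())
        {
            ccKey.KeySize = 256;
            customerKey.KeySize = 256;

            var sender = new EncryptedXml(doc);
            sender.AddKeyNameMapping("ccKey", ccKey);
            sender.AddKeyNameMapping("customerKey", customerKey);
            EncryptElement(sender, doc, "PaymentInfo", "ccKey");
            EncryptElement(sender, doc, "ShippingAddress", "customerKey");
            Console.WriteLine("Encrypted: " + doc.OuterXml);

            // Recipient side: the same key names resolve the keys for decryption.
            var recipient = new EncryptedXml(doc);
            recipient.AddKeyNameMapping("ccKey", ccKey);
            recipient.AddKeyNameMapping("customerKey", customerKey);
            recipient.DecryptDocument();
            Console.WriteLine("Round trip intact: " + (doc.OuterXml == Sample));
        }
    }
}
```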

32 Feedback
“I want to view and set ACLs on File and Registry objects!”

33 ACL Integration
- Raw ACL/ACE arithmetics
  - System.Security.AccessControl namespace
- Integration into file and registry classes

    FileSecurity fs = new FileSecurity();
    fs.AddAccess(
        new FileAccessTrustee(@"REDMOND\Mort",
            AccessControlType.Deny,
            AclAccess.View | AclAccess.Change,
            FileAccess.ReadWrite));
    using (FileStream file = new FileStream("foo.txt",
        FileMode.Create, FileAccess.Write, FileShare.None,
        4096, false, FileActions.None, fs))
    {
        // write to the file…
    }

34 Summary
- Easier to develop Secure Code
  - Easier to find out security requirements of your code
  - Easier to deploy and author semi-trusted rich client applications for home end users
  - Easier to find out what went wrong when a security error occurs
  - Easier to allow access to Public APIs to multiple cryptographically strong identities
- Better Security Integration
  - Now possible to perform all PKI tasks in managed code
  - MACL integration
  - XML Encryption

35 Resources
- msdn.microsoft.com/net/security
- www.gotdotnet.com
- GotDotNet blogs
- “.Net Framework Security” book
- microsoft.public.dotnet.security newsgroup

36 © 2003-2004 Microsoft Corporation. All rights reserved.