3A01:.Net Framework Security

Transcription

1 3A01:.Net Framework Security Wolfgang Werner HP Decus Bonn Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Agenda Introduction to the Common Language Runtime Windows Security and Code Access Security Security Policy Evidence, Membership Conditions, Permission Sets, Code Groups, Policy Levels Misc. 1

2 Common Language Runtime (CLR) Core of the.net platform Runtime execution environment Uses the Intermediate Language Code that requires the CLR is called managed code Uses garbage collection Common Language Runtime (CLR) The runtime loads and runs code written in any CLR-aware programming language Compilers translates code into Intermediate Language (IL) When the code is executed it is compiled into native code 2

3 Assemblies The logical unit that contains IL code Can de stored across multiple files Same structure is used for executable code and libraries Contain metadata that describe the assembly (manifest) ILDASM can be used to inspect the content and the metadata Assemblies The assembly manifest contains Name, version Identity information Name, version, culture, public key Exported types Dependencies to other assemblies... 3

4 Assemblies Agenda Introduction to the Common Language Runtime Windows Security and Code Access Security Security Policy Evidence, Membership Conditions, Permission Sets, Code Groups, Policy Levels Misc. 4

5 Windows Security Based on user identity Authentication for a particular user Authorization to access resources based on user credentials All code will run with the same access rights Windows Security It is ok for an admin to add new users, but <OBJECT CODETYPE="application/x-oleobject" CLASSID= "clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b WIDTH=1 HEIGHT=1 ID="WShell"> </OBJECT> <!-- Initialize and script ActiveX controls not marked as safe must be enabled --> <SCRIPT LANGUAGE="Javascript"> runcmd="net user newuser /add"; WShell.Run(runcmd); </SCRIPT> 5

6 Code Access Security (CAS) Applies to the Common Language Runtime Managed code only Based on code identity Code running on behalf of a specific user is not considered equal Code "authentication" is based on the origin of code (evidence) Code Access Security (CAS) Authenticate assemblies By collecting evidence Authorize assemblies By granting a set of permissions Enforce authorization decisions By checking ALL assemblies have the appropriate permissions 6

7 Code Access Security (CAS) CAS complements Windows security CAS settings will NOT supercede Windows access restrictions Agenda Introduction to the Common Language Runtime Windows Security and Code Access Security Security Policy Evidence, Membership Conditions, Permission Sets, Code Groups, Policy Levels Misc. 7

8 Security Policy Code Access Security maps evidence to resource access permissions based on security policy settings A security policy consists of Membership conditions Code groups Policy levels Security Policy Default Security Policy All assemblies running in the My Computer zone have access to all resources Assemblies from the intranet zone are allowed to read some environment variables, do unlimited user interface intercation, have no access to the registry, All assemblies from then internet zone are prevented from running by default 8

9 Security Policy: Evidence Information about the origin of an assembly Authentication in CAS Applies only to running code Not precomputed or cached Independend of the user With exceptions Code Access Security: Evidence The CLR uses evidence to Determine which code groups the code belongs Evaluate enterprise, machine, and user policy membership condition Return the set of permissions to grant to the assembly or application domain 9

10 Code Access Security: Evidence Evidence is provided by By the loader (CLR) Application domain hosts that start the CLR Application domain host Browser host (Internet Explorer) HREF to managed EXE <object > refers to a managed type Server host (ASP.NET) Shell host (Explorer) Security Policy: Evidence Assembly provided evidence An assembly is permitted to provide evidence about itself Cannot overwrite evidence provided by a host Per default, assembly provided evidence is ignored by the CLR Implement custom membership conditions 10

11 Security Policy: Evidence ApplicationDirectory Directory that contains the primary executing code All assemblies in the application's root and child directories C:\appdir => file://c:\appdir\test.dll Security Policy: Evidence Hash Hash (MD5, SHA1) Multifile assemblies: hash of the assembly that contains the manifest Publisher Authenticode signatures (certificates) 11

12 Security Policy: Evidence Site Origination from a specified site URL URL including final wildcard ftp://ftp.microsoft.com/pub/* Security Policy: Evidence Zone The zone where the assembly originates My Computer, Intranet, Internet, Trusted Zones, Untrusted Zones Same as in Internet Explorer security zones Evidence may be different to different users 12

13 Security Policy: Evidence If an assembly is downloaded from a site/url/zone and run locally the original information is lost Security Policy: Evidence Strong Name Adds public key encryption to make sure code has not been altered Strongly-named assemblies contain the signer's public key and a signature embedded in the assembly Also used to distinguish similarly named assemblies from different publishers (shared assemblies only) 13

14 Security Policy: Evidence Computing a strong name Verifying a strong name Assembly Assembly Hash + Private Key Hash =? Org. Hash Signature Signature Signature + Public Key Security Policy: Evidence Strong Name Tool SN.EXE Generate private/public key pairs SN k tst.snk Sign assemblies with strong names Custom attributes, command line switches, 14

15 Security Policy: Evidence using System; using System.IO; [assembly: System.Reflection.AssemblyKeyFile("tst.snk")] namespace myassembly.fkr.cpqcorp.net { class myassembly { static void Main(String [] args) { StreamReader stream= File.OpenText(args[0]); String str; while ((str=stream.readline())!= null) Console.WriteLine(str); } } } Security Policy: Membership Condition Membership conditions Match evidence against specified criteria Are closely linked to evidence Are extensible (IMembershipCondition) 15

16 Security Policy: Membership Condition Default membership conditions All Code Application Directory Hash Publisher Strong Name Site URL Zone Security Policy: Permission Sets Permission sets are comprised of zero or more permissions FileIOPermission, SocketPermission, RegistryPermission Predefined Permission Sets Full Trust LocalIntranet Internet,.. 16

17 Security Policy: Code Groups Code Groups define bindings between membership conditions and permission sets If code matches the membership condition it is included in the group and is granted a permission set If code matches more than one code groups the permissions are combined in a union Security Policy: Code Groups Code Groups are arranged in hierarchies Code Group: All Code Permission Set: Nothing Membership Condition: AllCode Code Group: Internet Permission Set: Internet Membership Condition: Zone Code Group: My Computer Permission: Full Trust Membership Condition: Zone... Code Group: Microsoft Permission: FullTrust Membership Condition: Publisher 17

18 Security Policy: Code Groups Security Policy: Policy Levels A policy level has three pieces Permission set list Code group hierarchy A list of policy assemblies To implement custom security objects (custom permissions, membership conditions,..) To address the need of different parties multiple policy levels are defined 18

19 Security Policy: Policy Levels Administrators configure security policy by managing code groups and their associated permission sets in different policy levels Each policy level contains its own hierarchy of code groups and permission sets Policy levels are a hierarchy Lower policy levels cannot increase permissions granted at a higher levels Security Policy: Policy Levels Four security policy levels are provided Enterprise Controlled by the domain administrator Anything restricted here will define the total default restrictions Machine Controlled by the machine administrator User Controlled by the user Application Domain Controlled by the application developer 19

20 Security Policy: Policy Levels Enterprise Policy Machine1 Policy User1 Policy AppDom1 Policy User2 Policy AppDom3 Policy Machine2 Policy User3 Policy AppDom5 Policy User4 Policy AppDom7 Policy AppDom2 Policy AppDom4 Policy AppDom6 Policy Security Policy: Policy Levels Enterprise Applies to all managed code in an enterprise where an enterprise configuration file is distributed %windir%\microsoft.net\framework\<version>\config\ enterprisesec.config Machine Applies to all managed code on the computer %windir%\microsoft.net\framework\<version>\config\ security.config 20

21 Security Policy: Policy Levels User Applies to all managed Code in all the processes user %userprofile%\application Data\Microsoft\ CLR Security Config\<version>\security.config Application domain Specified by application domain host code Application domain level cannot be administratively configured, but can be programmatically set Security Policy: Policy Levels To compute the allowed permission set for the application domain or assembly: For each policy level the matching code groups are determined using evidence The permissions of the matching code groups are combined in a union The permission sets for each policy level are intersected 21

22 Agenda Introduction to the Common Language Runtime Windows Security and Code Access Security Security Policy Evidence, Membership Conditions, Permission Sets, Code Groups, Policy Levels Misc. Misc. Disable/enable.NET Framework security C:\> caspol security off C:\> caspol security on 22

23 Misc..NET Framework Configuration Snap-in (mscorcfg.msc) Windows Server 2003: Start -> Programs -> Administrative Tools Windows 2000: available in the.net Framework SDK Misc. Increase Assembly Trust Use the Trust Wizard to increase the the level of trust for a specific assembly quickly Example: an assembly installed on the intranet requires access to the local file system (prohibited by the default security policy) 23

24 Misc. Evaluate Assembly Wizard to test What permissions are granted to a specific assembly What code groups apply to a specific assembly Code Access Security: Deployment Security policy are deployed in a Windows Installer (.msi) files Run from local disk or from a share. Using Group Policy Using SMS Right-click the Runtime Security Policy node and click Create a Deployment Package 24

25 Isolated Storage Keep persisting state on client machines no access to the file system Isolated by user context Written to the user profile %userprofile%\application Data Cannot be shared between users Isolated Storage List the content of the Isolated Storage Storeadm (/Roaming) /List Storeadm.exe:.Net Framework SDK Removing the content of isolated storage Storeadm (/Roaming) /Remove All data displayed is particular to the user context storeadm is run Other tasks: Isolated Storage API 25

26 Agenda Introduction to the Common Language Runtime Windows Security and Code Access Security Security Policy Evidence, Membership Conditions, Permission Sets, Code Groups, Policy Levels Misc. Further Reading 26