Page 1: DEV240 Fundamentals of Code Access Security Sebastian Lange Program Manager Common Language Runtime Microsoft Corporation

DEV240

Fundamentals of Code Access Security

Sebastian Lange

Program Manager

Common Language Runtime

Microsoft Corporation

Page 2

Agenda

Code Access Security (CAS) Design Goals
  Relationship to Windows OS Security

CAS Infrastructure
  Verification and Validation
  Evidence
  Policy
  Permissions
  Enforcement

Page 3

What is a Security System?

Main Purpose: to protect a resource from illicit access or use
Primary security identity
  System grants rights, enforces against specific identities
Authentication: Determining who is trying to gain access
Authorization: Granting rights to access resources
Enforcement System: Enforces the rights given

Page 4

Example: Windows Security

Primary Security Identity: User identity (or user role)

Authentication: User supplies login credentials

Authorization: User context is granted rights to access system objects

Enforcement: OS gates access to system objects (File, Registry Key, …). Think ACLs.

Page 5

Code Access Security – A New Paradigm

Primary Security Identity: Code (Assembly)

Authentication: Information collected about code (Evidence)

Authorization: Code identity based policy system grants rights to access resources

Enforcement: Verification, Validation, Permission Demands, Stackwalks

Page 6

Code Access Security Design Goals

Robust security system for partially-trusted, mobile code

Adds on to user-level security from OS

Security out of the box
  Default Policy is conservative
  Required for end users and some Admins
  All code from Internet, Intranet, File Shares, … runs with restricted privileges

Page 7

Code Access Security Design Goals

Make it easier for…
  Developers to write secure libraries and applications
    As much burden as possible on the system
    Easy to perform security checks in code
  Administrators to express their policies
    Fine-grained authorization model
    System is completely extensible
  End users to work securely
    Minimal run-time security decisions (end-user UI by default)

Page 8

CAS Infrastructure

Validation
  Ensures correctness of file format
Verification
  Ensures Type Safety
Policy System
  Assigns trust to an assembly
Enforcement
  Shared Library authors protect access to resources
  CLR enforces protection through stackwalks

Page 9

Validation

Checks Correctness of the PE file
  Validates image against PE spec
Metadata is checked
  Metadata layout validation, e.g. pointers have valid destinations
  Semantic checks, e.g. checking for circular inheritance
IL stream is checked
  All instructions are valid and well-formed
  Semantic checks, e.g. jumps (JMPs) stay within the IL stream

Page 10

Verification

Enforces rules on code
  Ensures that Security can be enforced
  Verification rules are safe, may falsely reject
Code is verified to be memory type safe
  Only access objects via well-defined interfaces
  No unsafe casts, no access beyond array bounds
  No stack underflow/overflow conditions
  Helps reduce buffer overruns

Page 11

Verification

Occurs during JIT Compilation

Verifiability depends on the language compiler
  Visual Basic® .NET
  C# verifiable (except C# “unsafe” keyword)
  C++ is generally not verifiable
    Addressed in future release

Page 12

Evidence

Descriptive data about an assembly
  URL of origin, site, zone
  Strong Name signature, Authenticode signature, hash
  Host-defined
Basis for assigning security rules
Computed at load time of assembly by CLR
  Hosts can add their own evidence

See System.Security.Policy.Evidence

Page 13

CAS Policy

Set of rules that assign trust to an assembly
  Specified by Administrator using .NET Configuration Tool
Input: Data describing an assembly (Evidence)
  location, digital signature, hash, “host-defined”
Output: Set of rights to access protected resources (Permissions)
  e.g. File Permission, Registry Permission

Page 14

CAS Policy

Composed of “Code Groups”
  Membership Condition
  Permission Set
  Organized into a Hierarchy
Multiple, Ordered Policy Levels
  Enterprise, Machine and User
  Final Output: Intersection of permissions granted by each level
  Result: Most restrictive wins

Stored as XML files on disk

See System.Security.Policy
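The "intersection of levels, most restrictive wins" rule above, as an added example that is not part of the deck: three constructed policy levels are modelled with the real PermissionSet API and intersected into the grant set an assembly would receive. It assumes the .NET Framework (where these types are functional); the contents of the three levels are made up for the illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Added example: three constructed policy levels intersected into one grant set.
// Assumes .NET Framework; the level contents are made up for the illustration.
static class PolicyLevels
{
    // Machine level: read and write under C:\temp, plus unrestricted UI.
    static PermissionSet Machine()
    {
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.Write, @"C:\temp"));
        ps.AddPermission(new UIPermission(PermissionState.Unrestricted));
        return ps;
    }

    // User level: read-only under C:\temp and nothing else.
    static PermissionSet User()
    {
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\temp"));
        return ps;
    }

    // True when 'wanted' is contained in the grant set.
    static bool Granted(PermissionSet grant, CodeAccessPermission wanted)
    {
        IPermission held = grant.GetPermission(wanted.GetType());
        return held != null && wanted.IsSubsetOf(held);
    }

    static void Main()
    {
        // Enterprise level: FullTrust, so it removes nothing from the result.
        PermissionSet enterprise = new PermissionSet(PermissionState.Unrestricted);
        // Intersect returns null when nothing survives; treat that as the empty set.
        PermissionSet grant = enterprise.Intersect(Machine()).Intersect(User())
                              ?? new PermissionSet(PermissionState.None);
        Console.WriteLine(grant.ToXml());

        // Most restrictive wins: only Read under C:\temp survives all three levels;
        // Write and UI are dropped because the User level never granted them.
        Console.WriteLine("Read:  " + Granted(grant, new FileIOPermission(FileIOPermissionAccess.Read, @"C:\temp")));
        Console.WriteLine("Write: " + Granted(grant, new FileIOPermission(FileIOPermissionAccess.Write, @"C:\temp")));
        Console.WriteLine("UI:    " + Granted(grant, new UIPermission(PermissionState.Unrestricted)));
    }
}
```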

Page 15

CAS Policy System

Diagram: the Host supplies Evidence about Assembly A2 to the Policy Evaluator, which applies the Security Policy and produces the Granted Permissions G2.

Page 16

Default CAS Policy

demo

Page 17

Permissions

Permissions represent the right to interact with a given resource

Permission to access a resource demanded programmatically

Output of Security Policy

Implemented as Managed Classes
  See System.Security.Permissions, System.Security.CodeAccessPermission

Page 18

Example Permissions
  FileIO
  Registry
  FileDialog
  Environment
  IsolatedStorage
  UI
  Printing
  Reflection
  Security
  Socket
  Web
  DNS
  OleDb
  SQLClient
  MessageQueue
  EventLog
  DirectoryServices
  … extensible

Execute, Skip Verification, Call unmanaged code, Supply custom evidence

Page 19

Permission Enforcement

Permission “Demands”
  Statement made in code to protect access to a resource
  Checks all callers for the required permission
  May be “Imperative” or “Declarative”
    Declarative: Specified via Custom Attributes before a Class, Method, etc.
    Imperative: Initiated by calling Demand() on a Permission instance
  Checks Enforced through Stack Walk
  Failed Demands raise a SecurityException

Page 20

Declarative Demands

Specified using Custom Attributes
  Stored in the assembly’s metadata
  Permission State must be known at compile time
  Can be viewed with PermView SDK Tool

    [FileIOPermission(SecurityAction.Demand, Write = "c:\\temp")]
    public void foo()
    {
        // method does something with c:\temp
    }

Page 21

Declarative Demands: Link and Inheritance Demands
  Checks only immediate caller for required permission
  Used to seal access to a method or restrict derivation
  Link Demand: “My caller must be signed with Key xxx”
  Inheritance Demand: “You may only subclass me if you’re signed with Key yyy”
  Checks only the first call to a protected member
    Occurs during JIT Compilation
    Performs better than a full Demand

Page 22

Imperative Demands

Allows Security Checks to Vary by Control Flow or Method State

Initiated with call to Demand()

Example: A File Constructor

    public File(String fileName)
    {
        // Fully qualify the path for the security check
        String fullPath = Directory.GetFullPathInternal(fileName);
        new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();
        // The above call will either pass or throw a SecurityException
        // […rest of function…]
    }

Page 23

Putting it all Together

Diagram: the Host supplies Evidence about Assembly A3 to the Policy Evaluator, which applies the Security Policy and produces the Granted Permissions G3. The Call Stack holds Assembly A1, Assembly A2 and Assembly A3 with their respective grants G1, G2 and G3.

Page 24

Stack-walking Semantics

Diagram: the Call Stack (grows down) holds Method M1, M2, M3 and M4 with their corresponding grants G1, G2, G3 and G4.
  Each method has a set of corresponding grants
  Method M4 demands a permission P
  P is compared with grants of all callers on the stack above M4
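The walk on this slide, together with the Assert modifier introduced on the next one, as an added example that is not part of the deck: four methods M1 to M4 live in one fully trusted .NET Framework assembly, and M2 uses PermitOnly to stand in for a caller whose grant does not contain P. The choice of FileIOPermission as P and the path C:\temp are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Added example: M1 -> M2 -> M3 -> M4 inside one fully trusted .NET Framework assembly.
// M2 uses PermitOnly to stand in for a caller whose grant G2 does not contain P.
static class StackWalkDemo
{
    // P: the permission M4 demands (FileIO Read on C:\temp is an assumed choice).
    static readonly FileIOPermission P =
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\temp");
    // M4 gates the resource: every caller above it on the stack must hold P.
    static string M4()
    {
        P.Demand();
        return "M4: demand satisfied";
    }

    // M3 as an ordinary frame; its grant (full trust here) contains P.
    static string M3() { return M4(); }
    // M3 vouching for its callers: Assert ends the walk in this frame, so M2 is never
    // examined. The frame must itself hold P and SecurityPermission(Assertion).
    static string M3WithAssert()
    {
        P.Assert();
        try { return M4(); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // M2 stands in for a partially trusted caller: PermitOnly shrinks this frame's
    // effective grant to UI only, so the walk finds no P here.
    static string M2(bool assertInM3)
    {
        new UIPermission(PermissionState.Unrestricted).PermitOnly();
        try { return assertInM3 ? M3WithAssert() : M3(); }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    // M1 (Main) is the top of the stack and reports how each demand ended: without the
    // Assert the walk reaches M2's PermitOnly and fails; with it the walk stops at M3.
    static void Main()
    {
        foreach (bool assertInM3 in new[] { false, true })
        {
            try { Console.WriteLine(M2(assertInM3)); }
            catch (SecurityException e) { Console.WriteLine("SecurityException: " + e.Message); }
        }
    }
}
```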

Page 25

Stack Walk Modifiers

Modifiers allow fine-grained control of the stack walk
  Assert, Deny, PermitOnly
Most common modifier is Assert
  “I vouch for my callers; checks for this permission can stop with me”
  Use with Caution!!
Example: “Gatekeeper” classes
  Managed wrappers for unmanaged resources
  1. Demand appropriate permission from caller
  2. Assert permission to call unmanaged code
  3. Make the unmanaged call
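The three gatekeeper steps above, as an added example that is neither the deck's nor the BCL's code: a managed wrapper over the Win32 GetEnvironmentVariable call that demands a narrow EnvironmentPermission before asserting UnmanagedCode around the P/Invoke. It assumes the .NET Framework on Windows; the Win32 function is real, but gating it with EnvironmentPermission is this example's choice.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text;

// Added example: a gatekeeper wrapper over Win32 GetEnvironmentVariable. Assumes the .NET
// Framework on Windows; gating it with EnvironmentPermission is this example's choice.
public static class EnvGate
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetEnvironmentVariable(string name, StringBuilder buffer, uint size);

    public static string Read(string name)
    {
        // 1. Demand the narrow, resource-specific permission from every caller on the stack.
        //    A caller whose grant lacks read access to this variable fails right here.
        new EnvironmentPermission(EnvironmentPermissionAccess.Read, name).Demand();

        // 2. The P/Invoke stub will demand UnmanagedCode of every caller. Assert it here so
        //    that walk stops in this frame. Safe only because step 1 already authorized the
        //    exact resource touched; an Assert without that Demand would hand every caller the
        //    unmanaged call. The wrapper itself must hold UnmanagedCode and Assertion.
        new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
        try
        {
            // 3. Make the unmanaged call. Zero means "not set" (or an error, see
            //    Marshal.GetLastWin32Error); a value above capacity is the size required.
            StringBuilder buffer = new StringBuilder(256);
            uint len = GetEnvironmentVariable(name, buffer, (uint)buffer.Capacity);
            if (len > (uint)buffer.Capacity)
            {
                buffer.EnsureCapacity((int)len);
                len = GetEnvironmentVariable(name, buffer, (uint)buffer.Capacity);
            }
            return len == 0 ? null : buffer.ToString(0, (int)len);
        }
        finally
        {
            // Scope the Assert as tightly as possible; never leave it standing.
            CodeAccessPermission.RevertAssert();
        }
    }

    static void Main()
    {
        Console.WriteLine(EnvGate.Read("TEMP") ?? "<not set>");
    }
}
```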

Page 26

Key Takeaways

CAS is based on code identity
  Augments Windows Security Model
Administrators Set Security Policy
  Evidence → Granted Permissions
  .Net Configuration Tool
Code Authors Demand Permissions
  Protects access to resources
  CLR uses the call stack to enforce policy

Page 27

Additional Resources
  “.NET Framework Security”, Addison-Wesley
  MSDN Security Site: www.msdn.microsoft.com/security
  DEV340 “.Net Framework Security Best Practices”

Page 28

Community Resources

MS Community Sites
  http://msdn.microsoft.com/netframework/community/
  http://microsoft.com/communities/default.mspx
List of newsgroups
  microsoft.public.dotnet.general
  microsoft.public.dotnet.framework
  microsoft.public.dotnet.clr
  microsoft.public.dotnet.security
  http://microsoft.com/communities/newsgroups/default.mspx
ListServs
  http://discuss.develop.com
  ADVANCED-DOTNET
  DOTNET-CLR
  DOTNET-ROTOR
Attend a free chat or webcast
  http://microsoft.com/communities/chats/default.mspx
  http://microsoft.com/usa/webcasts/default.asp
Locate a local user group
  http://microsoft.com/communities/usergroups/default.mspx
Community sites
  http://microsoft.com/communities/related/default.mspx

Page 29

evaluations

Page 30

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.