DEV240
Fundamentals of Code Access Security
Sebastian Lange
Program Manager
Common Language Runtime
Microsoft Corporation
Agenda
Code Access Security (CAS) Design Goals
Relationship to Windows OS Security
CAS Infrastructure
Verification and Validation
Evidence
Policy
Permissions
Enforcement
What is a Security System?
Main Purpose: to protect a resource from illicit access or use
Primary security identity: the system grants rights to, and enforces against, specific identities
Authentication: Determining who is trying to gain access
Authorization: Granting rights to access resources
Enforcement System: Enforces the rights given
Example: Windows Security
Primary Security Identity: User identity (or user role)
Authentication: User supplies login credentials
Authorization: User context is granted rights to access system objects
Enforcement: OS gates access to system objects (File, Registry Key, …). Think ACLs.
Code Access Security – A New Paradigm
Primary Security Identity: Code (Assembly)
Authentication: Information collected about code (Evidence)
Authorization: Code identity based policy system grants rights to access resources
Enforcement: Verification, Validation, Permission Demands, Stackwalks
Code Access Security Design Goals
Robust security system for partially-trusted, mobile code
Adds on to user-level security from OS
Security out of the box: Default Policy is conservative
Required for end users and some Admins
All code from Internet, Intranet, File Shares, … runs with restricted privileges
Code Access Security Design Goals
Make it easier for…
Developers to write secure libraries and applications
As much burden as possible on the system
Easy to perform security checks in code
Administrators to express their policies
Fine-grained authorization model
System is completely extensible
End users to work securely
Minimal run-time security decisions (end-user UI by default)
CAS Infrastructure
Validation: Ensures correctness of file format
Verification: Ensures Type Safety
Policy System: Assigns trust to an assembly
Enforcement: Shared Library authors protect access to resources
CLR enforces protection through stackwalks
Validation
Checks Correctness of the PE file: Validates image against PE spec
Meta Data is checked
MD layout validation, e.g. pointers have valid destinations
Semantic checks, e.g. checking for circular inheritance
IL stream is checked: All instructions are valid and well-formed
Semantic checks, e.g. JMPs stay within IL stream
Verification
Enforces rules on code: Ensures that Security can be enforced
Verification rules are safe (conservative): they may falsely reject valid code, never accept unsafe code
Code is verified to be memory type safe: Only access objects via well-defined interfaces
No unsafe casts, no access beyond array bounds
No stack underflow/overflow conditions
Helps reduce buffer overruns
Verification
Occurs during JIT Compilation
Verifiability depends on the language compiler
Visual Basic® .NET
C# verifiable (except C# “unsafe” keyword)
C++ is generally not verifiable (to be addressed in a future release)
Evidence
Descriptive data about an assembly: URL of origin, site, zone
Strong Name signature, Authenticode signature, hash
Host-defined
Basis for assigning security rules
Computed at load time of assembly by CLR; hosts can add their own evidence
See System.Security.Policy.Evidence
CAS Policy
Set of rules that assign trust to an assembly; specified by Administrator using the .NET Configuration Tool
Input: Data describing an assembly (Evidence)
location, digital signature, hash, “host-defined”
Output: Set of rights to access protected resources (Permissions)
e.g. File Permission, Registry Permission
CAS Policy
Composed of “Code Groups”: each pairs a Membership Condition with a Permission Set
Organized into a Hierarchy
Multiple, Ordered Policy Levels: Enterprise, Machine and User
Final Output: Intersection of permissions granted by each level
Result: Most restrictive wins
Stored as XML files on disk
See System.Security.Policy
CAS Policy System
[Diagram: the Host supplies Evidence for Assembly A2; the Policy Evaluator applies the Security Policy to that Evidence and outputs the Granted Permissions G2.]
Default CAS Policy (demo)
Permissions
Permissions represent the right to interact with a given resource
Permission to access a resource demanded programmatically
Output of Security Policy
Implemented as Managed Classes: see System.Security.Permissions, System.Security.CodeAccessPermission
Example Permissions:
FileIO
Registry
FileDialog
Environment
IsolatedStorage
UI
Printing
Reflection
Security
Socket
Web
DNS
OleDb
SQLClient
MessageQueue
EventLog
DirectoryServices
… extensible
(Security permission covers: Execute, Skip Verification, Call unmanaged code, Supply custom evidence)
Permission Enforcement
Permission “Demands”
Statement made in code to protect access to a resource
Checks all callers for the required permission
May be “Imperative” or “Declarative”
Declarative: Specified via Custom Attributes before a Class, Method, etc.
Imperative: Initiated by calling Demand() on a Permission instance
Checks Enforced through Stack Walk; failed Demands raise a SecurityException
Declarative Demands
Specified using Custom Attributes; stored in the assembly’s metadata
Permission State must be known at compile time
Can be viewed with PermView SDK Tool
    // Every caller on the stack must hold write access to c:\temp,
    // or the call fails with a SecurityException before the body runs.
    [FileIOPermission(SecurityAction.Demand, Write = "c:\\temp")]
    public void foo()
    {
        // method body does something with c:\temp
    }
Declarative Demands: Link and Inheritance Demands
Checks only immediate caller for required permission
Used to seal access to a method or restrict derivation
Link Demand: “My caller must be signed with Key xxx”
Inheritance Demand: “ You may only subclass me if you’re signed with Key yyy”
Checks only the first call to a protected member; occurs during JIT Compilation
Performs better than a full Demand
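The two demand kinds above, written out as C# attributes. This is an added example, not code from the talk or from the .NET Framework; SigningKey, PlaceholderPublicKey, LicenseStore and PluginBase are invented names, and the key value is a placeholder for a real hex-encoded strong-name public key.

```csharp
using System.Security.Permissions;

// Added example (not from the slides). PlaceholderPublicKey stands in for the
// hex-encoded public key blob of the signing key; attribute arguments must be
// compile-time constants, so it is declared const.
internal static class SigningKey
{
    public const string PlaceholderPublicKey = "<PLACEHOLDER_PUBLIC_KEY_HEX>";
}

public class LicenseStore
{
    // Link demand: "my caller must be signed with key xxx". Only the immediate
    // caller is checked, once, when its call site is JIT-compiled; a caller from
    // an assembly signed with another key (or unsigned) gets a SecurityException
    // at that point instead of on every invocation.
    [StrongNameIdentityPermission(SecurityAction.LinkDemand,
        PublicKey = SigningKey.PlaceholderPublicKey)]
    public static void ResetLicense()
    {
        // ...privileged operation...
    }
}

// Inheritance demand: "you may only subclass me if you're signed with key yyy".
// Enforced when the deriving type is loaded, so an assembly signed with a
// different key cannot override the protected behaviour by subclassing.
[StrongNameIdentityPermission(SecurityAction.InheritanceDemand,
    PublicKey = SigningKey.PlaceholderPublicKey)]
public abstract class PluginBase
{
    public abstract void Run();
}
```

Because a LinkDemand inspects only the immediate caller, any public method in a trusted assembly that forwards to ResetLicense re-exposes it to everyone who can call that wrapper; such wrappers need a full Demand of their own.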
Imperative Demands
Allows Security Checks to Vary by Control Flow or Method State
Initiated with call to Demand()
Example: A File Constructor
    public File(String fileName)
    {
        // Fully qualify the path for the security check
        // (GetFullPathInternal is an internal BCL helper; Path.GetFullPath is the public equivalent)
        String fullPath = Directory.GetFullPathInternal(fileName);
        // The Demand either passes or throws a SecurityException
        new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();
        // [...rest of function...]
    }
Putting it all Together
[Diagram: the Host supplies Evidence for each loaded assembly (A1, A2, A3); the Policy Evaluator applies the Security Policy and produces Granted Permissions G1, G2, G3. Each frame on the Call Stack belongs to one of these assemblies and therefore carries that assembly’s grant set.]
Stack-walking Semantics
Call Stack (grows down): Method M1 (grants G1), Method M2 (grants G2), Method M3 (grants G3), Method M4 (grants G4)
Each method has a set of corresponding grants
Method M4 demands a permission P
P is compared with the grants of all callers on the stack above M4
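The walk described above as a small C# model, added here for illustration: it is not CLR code, and it also covers the Assert, Deny and PermitOnly modifiers the deck introduces next. Frame, StackWalk and the method names M1..M4 with their grant sets are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
// Added model of the CLR stack walk (illustrative, not CLR code). Each frame
// carries the grant set of the assembly owning that method plus any modifier.
public enum Modifier { None, Assert, Deny, PermitOnly }
public sealed class Frame
{
    public string Method;
    public HashSet<string> Grants;                            // from policy
    public Modifier Mod = Modifier.None;
    public HashSet<string> ModPerms = new HashSet<string>();  // permissions named by the modifier
}
public static class StackWalk
{
    // stack[0] is the outermost caller, stack[last] the method that demands.
    // Returns null when the demand passes, else the frame where it failed.
    public static string Demand(IList<Frame> stack, string permission)
    {
        for (int i = stack.Count - 1; i >= 0; i--)                        // walk from the top down
        {
            Frame f = stack[i];
            bool named = f.ModPerms.Contains(permission);
            if (f.Mod == Modifier.Deny && named) return f.Method;        // frame refuses it
            if (f.Mod == Modifier.PermitOnly && !named) return f.Method; // not on its allow list
            if (!f.Grants.Contains(permission)) return f.Method;         // policy never granted it
            if (f.Mod == Modifier.Assert && named) return null;          // "checks stop with me"
        }
        return null;                                                      // every caller held it
    }
}
public static class Demo
{
    static Frame F(string m, params string[] grants) =>
        new Frame { Method = m, Grants = new HashSet<string>(grants) };
    public static void Main()
    {
        const string P = "FileIO:Read";
        var m1 = F("M1", "Execution");          // e.g. Internet-zone code: no file access granted
        var m2 = F("M2", "Execution", P);
        var m3 = F("M3", "Execution", P);
        var m4 = F("M4", "Execution", P);
        var stack = new List<Frame> { m1, m2, m3, m4 };
        Console.WriteLine(StackWalk.Demand(stack, P) ?? "pass"); // "M1": least-trusted caller fails it
        m3.Mod = Modifier.Assert; m3.ModPerms.Add(P);
        Console.WriteLine(StackWalk.Demand(stack, P) ?? "pass"); // "pass": M3 vouches for M2 and M1
        m3.Mod = Modifier.Deny;
        Console.WriteLine(StackWalk.Demand(stack, P) ?? "pass"); // "M3": Deny stops the walk with a failure
    }
}
```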
Stack Walk Modifiers
Modifiers allow fine-grained control of the stack walk
Assert, Deny, PermitOnly
Most common modifier is Assert: “I vouch for my callers; checks for this permission can stop with me”
Use with Caution!!
Example: “Gatekeeper” classes
Managed wrappers for unmanaged resources
Demand appropriate permission from caller
Assert permission to call unmanaged code
Make the unmanaged call
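The three gatekeeper steps carried through in C#, as an added example that is not code from the talk or the Framework. DiskSpace and FreeBytesAvailable are invented names; the wrapper is assumed to live in a fully trusted assembly, since Assert is only honoured when the asserting code itself holds both the asserted permission and the Assertion right.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Added "gatekeeper" example (not from the slides): a managed wrapper that
// exposes one unmanaged Win32 call to partially trusted callers without
// those callers needing the UnmanagedCode permission themselves.
public static class DiskSpace
{
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool GetDiskFreeSpaceEx(
        string directory, out ulong freeToCaller, out ulong total, out ulong totalFree);

    public static ulong FreeBytesAvailable(string directory)
    {
        // Canonicalise first so ".." segments cannot widen what is demanded.
        string fullPath = Path.GetFullPath(directory);

        // 1. Demand: every caller on the stack must hold PathDiscovery for this
        //    path. A caller without it fails here, before any unmanaged code
        //    runs and regardless of the Assert that follows.
        new FileIOPermission(FileIOPermissionAccess.PathDiscovery, fullPath).Demand();

        // 2. Assert UnmanagedCode: the stack walk for that one permission stops
        //    at this frame, so the p/invoke does not require callers to hold it.
        new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
        try
        {
            // 3. Make the unmanaged call, bounded by the Demand above.
            ulong free, total, totalFree;
            if (!GetDiskFreeSpaceEx(fullPath, out free, out total, out totalFree))
                throw new IOException("GetDiskFreeSpaceEx failed, Win32 error "
                                      + Marshal.GetLastWin32Error());
            return free;
        }
        finally
        {
            // Scope the Assert to exactly the unmanaged call.
            CodeAccessPermission.RevertAssert();
        }
    }
}
```

The order matters: demanding the resource permission before asserting UnmanagedCode is what keeps the wrapper from becoming a way for low-trust code to reach the native API.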
Key Takeaways
CAS is based on code identity
Augments Windows Security Model
Administrators Set Security Policy: Evidence maps to Granted Permissions
.Net Configuration Tool
Code Authors Demand Permissions: Protects access to resources
CLR uses the call stack to enforce policy
Additional Resources
“.NET Framework Security”, Addison-Wesley
MSDN Security Site: www.msdn.microsoft.com/security
DEV340 “.Net Framework Security Best Practices”
Community Resources
MS Community Sites: http://msdn.microsoft.com/netframework/community/ and http://microsoft.com/communities/default.mspx
List of newsgroups: microsoft.public.dotnet.general, microsoft.public.dotnet.framework, microsoft.public.dotnet.clr, microsoft.public.dotnet.security (http://microsoft.com/communities/newsgroups/default.mspx)
ListServs: http://discuss.develop.com (ADVANCED-DOTNET, DOTNET-CLR, DOTNET-ROTOR)
Attend a free chat or webcast: http://microsoft.com/communities/chats/default.mspx and http://microsoft.com/usa/webcasts/default.asp
Locate a local user group: http://microsoft.com/communities/usergroups/default.mspx
Community sites: http://microsoft.com/communities/related/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.