.NET Security By R.S
advertisement
.NET Security
By
R.S
Security
What is Security ?
Security in general means freedom from risk and
Danger.
So What does Security in Software field means?
Software security is the effort to create a secure computing
platform, designed so that agents (users or programs)
can only perform actions that have been allowed .
Simply put, protecting hardware and software from being
misused or corrupted .
As a software engineer/programmer what should I
know about software security ?
Risks
Risks ?
When Software Security is breached, what risks do I have and what is
the importance of identifying these risks?
Risks may vary depending on
Whether I am user working on my personal computer/laptop or I
am a company employee working on my company computer.
What permissions do I have on the machine that I am working on
(Admin, power user, normal user, domain user etc)
In case 1, I am risking my home computer’s integrity , my personal
information, etc
Case 2, as a company Employee , I am risking everything , including
my Job ……
Importance :
Prevent loss and misery of any kind.
Software Security Breach and
Nightmares in an organization
• Irrespective of what an organization’s business is,
security breach could potentially cause a lot of loss to
the organization starting from customers to $$$.
• Think about somebody hacking into an online bank
where you have saved all your money and getting hold
of your account.
• Now the bank has to go through a lot trying to comfort its
other customers who wants to end their business with
them , bare the $$ loss , fire people that didn’t do their
job right in providing security ,fix loop holes in the system
to make it more secured etc ….
What to Do ?
Alright, Software security breach doesn’t sounds
good. So we decided to enforce security .
The Question is WHERE and HOW ?
Security is not a single entity , rather is a
connection of several entities , like a Chain.
Remember , The strength of a Chain depends
on its weakest link….
Simple Example : A house with multiple doors.
Securing all the doors and windows is not
sufficient .
How much should I secure?
• Securing every inch of your house of
course provides closer to 100% security.
• It also increases the cost of living,
maintenance , stress etc.
Answer is :
Think if its really worth providing so much of
security .
Don’t have to spend $50 a month to protect
your 3 month old tooth brush.
Where to Start ?
• Most likely from the weakest link……
• Securing an organization involves securing its networks,
different applications that it uses/creates , securing the
servers , databases , securing the development
machines etc including securing the premise of the
organization itself .
• Identify and make a list of areas that easily opens the
door for a malicious user .
• Prioritize the list
• Delegate the tasks to the individual groups responsible
• Team Work ?
Where do we come into play ?
• Where does the software programmers
role begins ?
• What do we have to offer to our
organization?
• What are our tools ?
Contd.
•
•
•
•
•
•
•
Our role as software engineers begins from understanding the organizations
operations.
Once we know that , we have a solid ground to stand on to make
suggestions on what the company needs to do to ensure security.
The suggestions could be modifying an existing application’s modules to
increase security or redesigning the entire application to cope up with the
current security trends.
Don’t be afraid to express yourself, you are only trying to help the company.
Always have proofs to support your claims . In other words , Don’t try to
redesign the application to ensure your job security instead of the company
security.
Be a Good team player. Understand your team mates and their
approaches. This has a lot to do with being more efficient
programmers and building trust among the team members.
If you don’t trust your team , how can you expect the company to trust
you and how can you expect the end users to trust the application
created by your team ????
Teams Role
•
A software team should identify existing problems and loop holes within an
existing system.
• Recommend solutions for those problems.
• Should undertake software projects approved by the organization
• Should have a solid strategy for developing and implementing the project.
• Must have knowledge of the developing trends of the platform they use.
• Must have knowledge of the current security threats.
• Must have the knowledge about available tools ,no matter ,whether the tool
is a software/Graphics design tool to aid them in implementing their project
or a security tool that will help them to secure their project.
• The team must have a solid understanding of the environment where the
application will be deployed.
Last but not least , a software team must know what they are trying to
accomplish through their project.
Preparing Yourself
• Learn about different kinds of threats , old or new .
• Find out how those threats are put to sleep.
• Learn about the software updates, what’s new in it , how
it solves an existing problem/vulnerability.
• Understand your platform , its pros and cons , its
vulnerability in particular if any.
Example : Do you know of any disadvantages of
programming in C++ or C#??
C++ - Pointers
C# - Ability to regenerate the entire source code from the
exe file using reflection.
.NET and Security
• There are many technologies used to build .NET
applications. To build effective application-level
authentication and authorization strategies, you
need to understand how to fine-tune the
various security features within each product
and technology area, and how to make them
work together to provide an effective, defensein-depth security strategy.
• Know the available .NET tools first then learn
what those tools can do for you .
Contd..
• What are the typical deployment patterns
adopted by .NET Web applications?
• What security features are provided by the
various technologies that I use to build
.NET Web applications?
• What gatekeepers should I be aware of
and how do I use them to provide a
defense-in-depth security strategy?
The Design Phase
• Though the requirement phase comes first, the actual
role of the software programmers begins (except in
special conditions) from the design phase.
• With the requirements at hand , the design phase can
begin .
• This is when you can design your project flow, identify
different objects required , their importance,
functionalities , properties etc
• This is also where you can identify different areas where
your projects needs to be secured, possible loop holes
etc…
• But this is just the beginning …….
Contd..
• Once after identifying required objects and areas that
needs to be secured , you are ready to prepare a game
plan that would help you secure your project.
• What is the game plan ?
• Do some research and find out if there are any current
security threats that your application may fall a victim for.
• Find out if there are any available solutions, updates for
your hosting platform that would help you take care of
the threat from the operating system level.
• Make sure to have all the latest updates on your
development machines.
• Next , Analyze the Security tools that .NET offers.
Contd..
• After analyzing the available tools carefully and
in depth, pick the ones that you think will help
you improve the security of your application.
• Since you already know where to secure your
application, this shouldn’t be a tough task.
• Please keep in mind that you don’t want to do
too much of anything. Just what is required to
ensure security .
3 Most Important areas to Secure
• As a software engineers , we should
worry about the following three areas .
• The Code which includes your code/class
design , design documents , source
control etc
• The Databases used by the code
(application)
• The communication layer in a distributed
application environment (Why ??)
Creating Secured Code
Assume the architectural design is
completed and presented to the
programmers. This means you already
know where to secure and what to secure.
Concentrate on creating secured code
based on the design using the tools
provided by .NET.
Restrict Class and Member visibility
• Restrict access to the members and
methods of a class( or object).
• Private, protected , internal etc
• Sealed classes are safer
• Seal virtual methods in derived classes
which also improves performance through
in lining.
Sealed class Example
• A Sealed Class ..
public sealed class FileModifierClass
{
public FileModifierClass() { }
}
This class cannot be inherited…
Sealed Method example
• Only methods in derived classes can be sealed.
public class ParentFileModifierClass
{
public FileModifierClass() { }
public virtual void Modify()
{
}
}
public sealed class FileModifierClass
{
public FileModifierClass() { }
sealed override public void Modify()
{
}
}
Classes inheriting FileModifierClass will not be able to override the Modify method.
Use properties to expose fields
• Using properties facilitates validating a value to
be set to a field .
• Permission can also be demanded for these
fields.
• Use Read/Write and read-Only properties to
access fields.
• Private fields are enforced during compile time.
Code running in fully trusted environment can
bypass this property using reflection and
unmanaged pointers.
Do Not Trust user inputs
•
•
•
•
Do not trust user input . Never!!!!!
Validate for type , length format and range
Use Regular Expressions to validate user inputs
Avoid un trusted input for file names and file
paths.
• If you accept file names, validate them.
• Use absolute file paths where you can.
• Consider constraining file I/O within your
application's context.
Contd….
• Use GetfullPath on a windows application.
• GetFullPath performs the following checks:
• It checks that the file name does not contain any invalid characters,
as defined by Path.InvalidPathChars.
• It checks that the file name represents a file and not another device
type, such as a physical drive, a named pipe, a mail slot, or a DOS
device such as LPT1, COM1, AUX, and other devices.
• It checks that the combined path and file name is not too long.
• It removes redundant characters such as trailing dots.
• It rejects file names that use the //?/ format.
• Use Request.MapPath on a server.
• Note :The MapPath property potentially contains sensitive
information about the hosting environment. The return value
should not be displayed to users.
Contd..
• Validate Input from All Sources Like QueryString,
Cookies, and HTML Controls
• These validation can help prevent injection
attacks.
• Prefer server side validation to client side
validation. If required, combine the client side
validation with the server side validation.
• Prevent using user input for file names and path
inputs.
Injection Attacks
• Injection attacks are attacks initiated by a
user using malicious input which was not
validated by the application in context.
• These attacks can vary from injecting such
malicious inputs into applications to
change their behavior or into a database
to corrupt or read sensitive data.
Most common Injection Attacks
• SQL injection. If you generate dynamic SQL queries based on user
input, an attacker could inject malicious SQL commands that can be
executed by the database.
• Cross-site scripting. Cross-site scripting (XSS) attacks exploit
vulnerabilities in Web page validation by injecting client-side script
code. This code is subsequently sent to an unsuspecting user's
computer and executed on the browser. Because the browser
downloads the script code from a trusted site, the browser has no
way of determining whether the code is legitimate.
• Unauthorized file access. If your code accepts input from a caller,
a malicious user could potentially manipulate your code's file
operations, such as accessing a file they should not access or
exploiting your code by injecting bad data.
Preventing Injection Attacks in
ASP.NET
• Simple Rule : Accept good input, reject bad input
• If your application accepts user inputs, assume
that ,every input is invalid and malicious and
validate them n the server side.
• Define valid input for every field. This means
that, define the range, format length and type of
the input.
• Verify the input against the list of acceptable
characters
• HTML encode the html outputs before displaying
Contd..
• Follow these steps to validate user input.
• Constrain: Check for type, length , range and format . Use Asp.NET
Validator on server controls. For other resources, use regular
expressions.
• Reject: Reject any data that failed validation
• Sanitize: Change potentially malicious input to good input .
Example : Allow few HTML tags ( <b> , <i>, etc) and eliminate other
HTML tags.
• How and where to enable request validation ?
• In Machine.Config and Web.Config as follows
• <pages validateRequest="true" ... />
• Confirm that you have not disabled request validation by overriding
the default settings in your server's Machine.config file or your
application's Web.config file.
ASP.NET Validators
• Text Fields :RegularExpressionValidator
<form id="WebForm" method="post" runat="server">
<asp:TextBox id="txtName" runat="server"></asp:TextBox>
<asp:RegularExpressionValidator id="nameRegex" runat="server"
ControlToValidate="txtName" ValidationExpression="^[a-zA-Z'.\s]{1,40}$"
ErrorMessage="Invalid name"> </asp:regularexpressionvalidator>
</form>
Regex Class :
// Instance method:
Regex reg = new Regex(@"^[a-zA-Z'.\s]{1,40}$");
Response.Write(reg.IsMatch(txtName.Text)); // Static method:
if (!Regex.IsMatch(txtName.Text,@"^[a-zA-Z'.\s]{1,40}$"))
{ // Name does not match expression }
Contd..
• Numeric Fields : Range Validator
<asp:RangeValidator ID="RangeValidator1" Runat="server" ErrorMessage="Invalid
range. Number must be between 0 and 255." ControlToValidate="rangeInput"
MaximumValue="255" MinimumValue="0" Type="Integer" />
Test in your Code for range as follows (only in Framework 2.0)
Int32 i;
if (Int32.TryParse(txtInput.Text, out i) == false) { // Conversion failed }
(Older versions of Framework , use Int32.TryParse or Convert.ToInt32 inside a try catch bolck. Catch
any formatexception inside the catch block and throw an exception to the user.)
CustomValidator
<%@ Page Language="C#" %>
<script runat="server">
void ValidateDateInFuture(object source, ServerValidateEventArgs args)
{
DateTime dt; // Check for valid date and that the date is in the future if ((DateTime.TryParse(args.Value, out dt) ==
false) || (dt <= DateTime.Today)) { args.IsValid = false;
}
}
</script>
<html>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Future Date:"></asp:Label> <asp:TextBox ID="futureDatetxt"
Runat="server"></asp:TextBox> <asp:CustomValidator ID="CustomValidator1" Runat="server"
ErrorMessage="Invalid date. Enter a date in the future." ControlToValidate="futureDatetxt"
OnServerValidate="ValidateDateInFuture"> </asp:CustomValidator> <br /> <asp:Button ID="submitBtn"
Runat="server" Text="Submit" /> </div>
</form>
</body>
</html>
Html Encode
void submitBtn_Click(object sender, EventArgs e)
{
// Encode the string input
StringBuilder sb = new StringBuilder(
HttpUtility.HtmlEncode(htmlInputTxt.Text));
// Selectively allow and <i>
sb.Replace("&lt;b&gt;", "<b>");
sb.Replace("&lt;/b&gt;", "");
sb.Replace("&lt;i&gt;", "<i>");
sb.Replace("&lt;/i&gt;", "");
Response.Write(sb.ToString());
}
Query String Validation
void Page_Load(object sender, EventArgs e)
{
if (!System.Text.RegularExpressions.Regex.IsMatch(
Request.QueryString["Name"], @"^[a-zA-Z'.\s]{1,40}$"))
Response.Write("Invalid name parameter");
else
Response.Write("Name is " + Request.QueryString["Name"]);
}
Request.MapPath
•
Use the Overloaded Request.MapPath method to read file paths.
Try
{
string mappedPath = Request.MapPath( inputPath.Text, Request.ApplicationPath, false);
}
catch (HttpException ex)
{
// Cross-application mapping attempted
}
The false parameter will prevent the user from using file paths that contains “..” to traverse outside
your app directory.
For server controls, use the Control.MapPathSecure method to retrieve the physical
path . Control.MapPathSecure uses code access security and throws an
HttpException if the server control does not have permissions to read the resulting
mapped file.
NOTE : An Applications trust level can be set to medium by an administrator if he/she
wants to restrict its File I/O to its own virtual directory.
<trust level=“medium”/> (Web.Config or machine.Config)
Validating Urls
• Use Regular expressions..
^(?:http|https|ftp)://[a-zA-Z0-9\.\-]+(?:\:\d{1,5})?(?:[A-Za-z0-9\.\;\:\@\&\=\+\$\,\?/]|%u[0-9AFa-f]{4}|%[0-9A-Fa-f]{2})*$
Use HttpUtility.HtmlEncode and HttpUtility.UrlEncode( urlString ) to putput html output
and URL output respectively;
Note : Get yourself familiar with Regular expressions if you are planning to
specialize in security oriented programming .
SQL Injection
•
•
•
•
"SQL Injection" is subset of the unverified/unsanitized user input
vulnerability ("buffer overflows" are a different subset), and the idea is to
convince the application to run SQL code that was not intended. If the
application is creating SQL strings naively on the fly and then running them,
it's straightforward to create some real surprises .
Is it that bad ???
Of course . If you loose the integrity of your database, you loose everything.
If the database gets corrupted, I can guarantee that 100% of the users will
be affected . This statement is not true when it comes to a corrupted client
side script .
SQL Injection Example
• SQL injection is caused mainly by inputs that are not sanitized .
Consider the following Query,
“Select * from Users where Username =‘”+username.Text+”’ and
Password=‘”+password.Text+”’”;
What is wrong with this query and how can I inject code into this SQL statement ?
Nothing wrong , untill I enter the following values for Username.Text and Password.Text,
Username.Text= something’ or ‘1’=‘1’;-Password.Text=password
“Select * from Users where Username =‘”+username.Text+”’ and
Password=‘”+password.Text+”’”
The code generated on the fly will now look like
Select * from Users where Username=‘something’ or ‘1’=‘1’;-- and Password=‘password’;
This condition in the statement will always result in true returning all the rows from the
users table.
If the inputs in the Username and password field are validated and sanitized this injection
could have been prevented.
Contd…
• We can also inject a complete SQL
statement in the fields to drop tables,
insert records into the tables etc.
• You can guess the table names, fields,
passwords etc or any other valuable
information.
• Using Stored procedures necessarily don’t
provide protection against SQL Injection.
Data Access Tips
•
•
•
•
•
•
•
Do not hard code connection strings.
Consider encrypting connection strings.
Do not generate dynamic SQL queries
To help prevent SQL injection, you should validate input and use parameterized
stored procedures for data access. The use of parameters (for example,
SqlParameterCollection) ensures that input values are checked for type and length
and values outside the range throw an exception. Parameters are also treated as
safe literal values and not as executable code within the database.
Avoid stored procedures that accept a single parameter as an executable query.
Instead, pass query parameters only.
Use structured exception handling to catch errors that occur during database access,
and prevent them from being returned to the client. A detailed error message may
reveal valuable information such as the connection string, SQL server name, or table
and database naming conventions. Attackers can use this information to construct
more precise attacks.
As an additional precaution, use a least privileged account to access the database,
so that even if your application is compromised, the impact will be reduced.
SQLParameterCollection sample
using System.Data;
using System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myAdapter = new SqlDataAdapter(
"LoginStoredProcedure", connection);
myAdapter.SelectCommand.CommandType = CommandType.StoredProcedure;
myAdapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myAdapter.Fill(userDataset);
}
SQlParameters with Dynamic SQL
using System.Data;
using System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myDataAdapter = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id =
@au_id",
connection);
myDataAdapter.SelectCommand.Parameters.Add("@au_id",
SqlDbType.VarChar, 11);
myDataAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myDataAdapter.Fill(userDataset);
}
Exceptions
• Please keep in mind not to give any valuable information
when you throw exceptions to the user . Prefer giving a
generic error rather than returning the exception stack
which would actually let the malicious user guess more
about your database.
• Example: In this specific scenario , if submitting the form
with the injected code return a server error , it Indicates
your query is malformed. But this gives away the truth
that you are constructing your query on the fly which
would encourage a malicious user to keep on trying with
his attacks until he finds something useful.
Authentication
• Forms Authentication : Cookie based
authentication system where username and
password are stored in XML/Text file or in the
database.
• Passport authentication : Single Authentication
point through Microsoft.
• Windows Authentication: Authentication mode
that uses local/domain windows users .
Web.Config file is used to tells the web application
which mode of authentication should be used.
Forms Authentication
• Prefer Membership providers over custom
authentication.
• Communication through SSL should be
preferred while using Forms
authentication.
• Use strong passwords.
• Encrypt username passwords in the user
store.
• Do not persist cookies
Membership Providers
• ActiveDirectoryMembershipProvider
• SqlMembershipProvider
ActiveDirectoryMembershipProvider
•
ActiveDirectoryMembershipProvider: Uses Microsoft Active Directory directory service to
maintain user information .Used in Intranet applications. To use this provider , first, configure the
forms authentication using the web.config as follows.
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Contd… (Step 2)
•
Configure the ActiveDirectoryMembershipProvider as follows ,
<connectionStrings>
<add name="ADConnectionString"
connectionString=
"LDAP://domain.testing.com/CN=Users,DC=domain,DC=testing,DC=com" />
</connectionStrings>
<system.web>
...
<membership defaultProvider="MembershipADProvider">
<providers>
<add
name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="<domainName>\administrator"
connectionPassword="password"/>
</providers>
</membership>
...
</system.web>
LDAP : LightWeight Directory Access protocol .
LDAP Connectionstring Format : LDAP://server/userdn/
Server ; name or IP address of the server using the directory
Userdn is the unique name of the active directory user store.
Creating Users
• Using Website administration tool (ASP.NET
configuration) in visual Studio 2005 toolbar.
• CreateUserWizard Control on a web page.
• Membership API (to create users
programmatically) .
Membership.CreateUser("UserName@DomainNa
me", "P@ssw0rd", "userName@emailAddress");
Authenticating Users
•
Using Login Control in ASP.NET 2.0 (uses membership providers by default without writing any
additional code)
•
Custom login page : call Membership.validateUser to authenticate users.
if (Membership.ValidateUser(userName.Text, password.Text))
{
if (Request.QueryString["ReturnUrl"] != null)
{
FormsAuthentication.RedirectFromLoginPage(userName.Text, false); );//false to prevent creating
persistant cookies
}
else
{
FormsAuthentication.SetAuthCookie(userName.Text, false }
}
else
{
Response.Write("Invalid UserID and Password");
}
SQLMembershipProvider
• Used for applications facing internet where
users don’t have Active directory account.User
credentials are stored in the database.
Steps:
Configure forms authentication. (Same as for
ADMP)
Install the membership database.
Configure the SqlMembershipProvider.
Create users.
Authenticate users.
Install Membership database
• Log on to SQLServer with a database admin account.
• Run the following command aspnet_regsql.exe -E -S
localhost -A m
-E indicates authenticate using the Windows credentials
of the currently logged on user.
-S (server) indicates the name of the server where the
database will be installed or is already installed.
-A m indicates add membership support. This creates
the tables and stored procedures required by the
membership provider.
Configure the
SqlMembershipProvider
<connectionStrings>
<add name="MySqlConnection" connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated
Security=SSPI;" />
</connectionStrings>
<system.web>
...
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MySqlConnection"
applicationName="MyApplication"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
•
Note : Make sure the ASP.NET user account has enough permissions on the SQL server database .
•
Encrypt the database connection string in the config file.
•
Creating and authenticating users is same as for ADMP.
Code Access Security
CAS is a resource constraint model responsible for
restricting the types of system resources code
can access. CAS provides application level
isolation in a shared environment .
Consider code access security for partial trust applications.
Choose a trust level that does not exceed your application's requirements.
Create a custom trust policy if your application needs additional permissions.
Use Medium trust in shared hosting environments
CAS policy is defined by applications trust level .
<trust level="Full|High|Medium|Low|Minimal" />
Be wary about choosing a trust level for your
application. Remember that , at full trust, CAs
always succeeds.
CAS Example
• // Allow only this code to read files from c:\YourAppDir
[FileIOPermission(SecurityAction.PermitOnly,Read=@"c:\YourAppDir\")]
[FileIOPermission(SecurityAction.PermitOnly, PathDiscovery=@"c:\YourAppDir\")]
public static string ReadFile(string filename)
{ // Use Path.GetFullPath() to canonicalize the file name
// Use FileStream.OpenRead to open the file
// Use FileStream.Read to access and return the data
}
The above code will allow the users to read a file
from the c:\YourAppDir and only from that
directory using this method .
Saving sensitive Information on a
computer
• Saving sensitive information on a machine is not
recommended .
• Never save sensitive information in plain text(text files,
xml files etc) .
• Encrypt the data using the hashing algorithms before
saving them .
• Protect the folders and files that has the sensitive data.
(using permission control)
• Use names that doesn’t describes the content of the
files. (for example , a file containing password should not
be named as passwords especially if they are plain text).
Use Registry
• Sometimes, Registry can also be used to
save sensitive data.
• Encrypt these data before saving the
registry in HKEY_LOCAL_MACHINE or
HKEY_CURRENT_USER keys.
• Saving under KKEY_CURRENT_USER
provides much better security as it only
gives permission to the current logged in
user.
Protecting your Assemblies
• Assemblies must be protected from being
accessed or executed by malicious users .
• Assemblies are vulnerable through .NET’s
own Reflection class .
• Reverse Engineering add to the misery
• Obfuscators provide a cure
Strong Names
Strong name signatures provide a unique identity for code, and they
cannot be spoofed. The identity associated with the signature can
be used to make security decisions. For example, you could set
code access security policy to trust assemblies signed with your
company's strong name when the assemblies come from a server
you control. Consider the following guidelines for strong names:
• Evaluate whether you need strong names.
• Do not expect strong names to make your assembly tamper proof.
• Use delay signing appropriately.
• Use .pfx files to protect your private key if you do not use delay
signing.
• Do not depend on strong name identity permissions in full trust
scenarios.
Do Strong Name tamper proof my
assembly ?
•
•
•
•
Do Not Expect Strong Names to Make Your Assembly Tamper Proof
By adding a strong name to an assembly, you ensure that it cannot be
modified and still retain your strong name signature. The strong name
does not make your assembly tamper proof. It is still possible to
remove a strong name, modify the IL code, and then reapply a
different strong name.
However, an attacker cannot recreate a valid signature from your
original publisher's key unless your publisher's private key has been
compromised. Because the key is part of the strong name identity, if
an attacker strips a strong name signature, signs the code, and then
installs the code in the global assembly cache, the code will have a
different identity. Any callers looking for the original assembly will not
bind to an assembly signed with a different private key. Strong names
prevent this type of substitution attack.
Note Both Authenticode and strong name signing ensure that if the signed
code is tampered with, the signature will be invalidated. However, neither
technology prevents an attacker from stripping off the signature, modifying
the IL, and signing the code with the attacker's key.
Communication Security
• If your application passes sensitive data over networks,
consider the threats of eavesdropping, tampering, and
unauthorized callers accessing your end point.
• .NET Framework 2.0 provides a set of managed classes
in the System.Net.Security namespace to enable secure
communication between hosts when you are using
remoting or raw-sockets based communication.
• This allows you to implement both client and server-side
secure channels using SSPI or SSL. These classes
support mutual authentication, data encryption, and data
signing.
Transport Level Encryption
• If your servers are not inside a physically secure data center where
the network eavesdropping threat is considered insignificant, you
need to use an encrypted communication channel to protect data
sent between servers.
• You can use SSL or IPSec to encrypt traffic and help protect
communication between servers. Use SSL when you need granular
channel protection for a particular application, instead of protection
for all applications and services running on a computer.
• Use IPSec to help protect the communication channel between two
servers and to restrict the computers that can communicate with
each other.
• For example, you can help protect a database server by establishing
a policy that permits requests only from a trusted client computer,
such as an application or Web server. You can also restrict
communication to specific IP protocols and TCP/UDP ports.
Event Log
• When you write event logging code, consider the threats
of tampering and information disclosure. For example,
can an attacker retrieve sensitive data by accessing the
event logs? Can an attacker cover tracks by deleting the
logs or erasing particular records?
• Windows security restricts direct access to the event
logs using system administration tools, such as the
Event Viewer. Your main concern should be to ensure
that the event logging code you write cannot be used by
a malicious user for unauthorized access to the event
log.
• Do not log sensitive data.
• Do not expose event log data to unauthorized users.
Reflection
•
•
•
•
•
•
•
•
•
•
•
•
•
Reflection
.NET reflection is a feature that allows running code to dynamically discover, load, and generate
assemblies. With reflection, you can enumerate an assembly's types, methods, and properties—including
those marked as private. By using Reflection.Emit, you can generate a new assembly dynamically at run
time and invoke its members. Reflection is a powerful feature that has a number of security implications:
If your code has the ReflectionPermission, it can enumerate and invoke non-public members or types in other
assemblies. If you do not use code access security permission demands to authorize calling code, an attacker
could gain access to code that would otherwise be inaccessible.
By using reflection, you can dynamically load assemblies—for example, by using
System.Reflection.Assembly.Load. If you allow untrusted code or data to influence which assembly is loaded,
an attacker could trick your code into loading and executing malicious code.
By using reflection, you can dynamically invoke methods on assemblies—for example, by using
System.Reflection.MethodInfo.Invoke. If you allow untrusted code or data to influence the method invocation,
an attacker could trick your code into making unexpected and potentially malicious method calls.
With Reflection.Emit, your code can dynamically generate and execute code at run time. If you allow untrusted
code or data to influence the code generation, an attacker could coerce your application into generating malicious
code.
When you use reflection, consider the following guidelines:
Use full assembly names when you dynamically load assemblies.
Avoid letting untrusted code or data control run-time assembly load decisions.
Avoid letting untrusted code or data control Reflection.Emit.
Consider restricting the permissions of dynamically generated assemblies.
Only persist dynamically created assemblies if necessary.
Use ReflectionOnlyLoadFrom if you only need to inspect code.
Summary : What should you
know??
•
•
•
•
•
•
•
Know When, Where and how to authenticate
Know When , Where and how to authorize
How to Secure communication ?
Common issues ? How to avoid them?
Top Risks ? How to avoid them ?
Never bypass security to get things to work.
Always follow the best practices starting from
design to implementation and testing.
Terminologies
•
•
•
•
•
•
Authentication. Positively identifying the clients of your application; clients might
include end-users, services, processes or computers.
Authorization. Defining what authenticated clients are allowed to see and do within
the application.
Secure Communications. Ensuring that messages remain private and unaltered as
they cross networks.
Impersonation. This is the technique used by a server application to access
resources on behalf of a client. The client's security context is used for access checks
performed by the server.
Delegation. An extended form of impersonation that allows a server process that is
performing work on behalf of a client, to access resources on a remote computer.
Security Context. Security context is a generic term used to refer to the collection of
security settings that affect the security-related behavior of a process or thread. The
attributes from a process' logon session and access token combine to form the
security context of the process.
Identity. Identity refers to a characteristic of a user or service that can uniquely
identify it. For example, this is often a display name, which often takes the form
authority/user name.
References
http://en.wikipedia.org/wiki/Software_security
http://support.microsoft.com/kb/910443
http://msdn2.microsoft.com/enus/library/aa292118(VS.71).aspx
http://msdn2.microsoft.com/en-us/library/aa302381.aspx
http://msdn2.microsoft.com/en-us/library/ms998372.aspx
http://msdn2.microsoft.com/en-us/library/bb355989.aspx
http://www.unixwiz.net/techtips/sql-injection.html
http://msdn2.microsoft.com/en-us/library/ms998258.aspx
http://msdn2.microsoft.com/en-us/library/ms998258.aspx
http://msdn2.microsoft.com/en-us/library/ms998264.aspx
