Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Coms 463 Joe Schuldt Dot Net Security Paper 11/13/2005

advertisement 
Coms 463
Dot Net Security Paper
Joe Schuldt
11/13/2005
Developers have always had to deal with the added stress of including security
within applications that they write or maintain. Although security has always been an
issue in application development, it becomes infinitely more complex with the advent of
the internet. Professional developers now have to deal with the “online” world as opposed
to the past where an application was kept in one location. Due to the online nature of the
world more and more people are starting to get access to computer systems/programs.
Application security has changed from an unpleasant development process to a
significant part of the software development lifecycle. Security in dot net is very complex
however, knowing the correct methods could make all the difference within an
application. The methods that will be addressed in this paper are authentication rights,
application security, and testing. Though this is a very brief description of all the security
methods that .net has to offer it is a good start in writing and maintaining a secure
application.
There are several ways to write a secure web application. One of the most
effective ways is user authentication. According to ApacheWeek “There are two ways of
restricting access to documents: either by the hostname of the browser being used or by
asking for a username and password”. Obviously the type of user authentication that you
use is limited to who your core audience is. There are several identifiers that you can use
to give access to only certain computers. One is by IP address which is very useful for
static networks that are very secure. An example of this would be a company. Most
companies do not use DHCP to allocate their IP addresses across a network. This means
that each IP address is unique to a user. Certain users would have the ability to get access
to the web application. The other form ApacheWeek discussed is username and
password. This method allows multiple users to log onto an application. It is user
dependent as opposed to machine dependent. Another authentication method is
certificate. According to Microsoft’s website “The external user must have a certificate.
A certificate is a file used for authentication and secure exchange of data on non-secured
networks, such as the Internet. A certificate securely binds a public key to the entity that
holds the corresponding private key held by the individual. Certificates are digitally
signed by the issuing certification authority (CA) and can be managed for a user, a
computer, or a service.” User sign-on and certificates are useful for users that have to
travel or will not always be at the same work station. Domains and Active directory
groups can also be used for authentication. Authentication has its weak points. First, a
user can easily spoof an IP address or even in some cases a certificate. This will give an
unauthorized user access to an application by making the application think the user is
someone else. Authentication allows users a “door” to get into an application but what is
responsible for security after the user is in the application.
Application security takes care of what users can and can not do while in an
application. There are numerous forms of application security but the ones that will be
mentioned in this paper will be buffer security, code access and Intellisense security.
According to Microsoft’s website “The vast majority of security problems that are found
in native code fall into the category of buffer overruns. Buffer overruns occur when data
exceeding the size of a buffer is pushed into a part of memory from which code can be
executed.” Once the buffer error occurs in .net then the memory block is cleared and a
user can write there own code in that memory block. Obviously this is a severe scenario,
but users have been known to use this trick to execute code in programs that would not
have normally ran. Buffer overrun errors can be avoided by new features that dot net has
created. These features include; code analysis, application verifier, buffer security check
and Safe CRT tools. These tools are all found in visual studios 2005 edition and have
methods of combating buffer overrun issue. Code access is also another application
security risk. According to Microsoft’s site “.NET Framework applications run under a
security model called Code Access Security. This is an evidence-based model, where
security privilege is granted based on factors such as the location of the assembly and the
assembly's signature.” These factors are compared to environment factors that are within
the dot net framework on the machine and can allow access to users that meet certain
criteria in each of those areas. IntelliSense in Zone is another form of application
security. This security setting allows the developers to be controlled in what methods
they are allowed to run while coding an application. If the developer does not have access
to a certain method, it will be grayed out on the IntelliSense drop down menu.
Application security is certainly important within the development process however,
there is another method that is often overlooked in dot net security.
Testing is often thought of as a way to ensure an application is functioning
correctly and within the specified parameters. This is an accurate statement however
testing can also be used in application security. Load testing and unit testing are two very
important examples of this. Load testing is often thought of as only being used to test
servers. However, they can be used to test an application. In load testing an application
has a certain amount of users using it. This amount is increased incrementally until the
application is either killed or quick functioning. This can be used for testing denial of
service attacks. These attacks are caused by users the repeatedly visit a web application
until it dies. Knowing the limits of your user tolerances within an application is very
important for security and performance issues. Performance issues can also happen due to
internal data within your application. This also has an important aspect in security,
because if wrong data is sent to an application how will it react. To answer this questions
most developers use unit testing. Unit testing is basically sending different types of data
to methods within an application to see how it will respond. For example, if you have a
banking application that is sent an alpha character instead of a numeric character how
will the application handle this problem. Testing has the ability to find security errors
rapidly. Obviously by itself it is not an effective security standard.
Developers have always had to deal with application security. Within the last few
years this worry has become a major headache for developers. Due to the online nature of
most business today everything is handled online. Application security is now tested
more then ever for the simple fact the more users have potential access to it. With this in
mind many developers have begun to see application security in a different light. Dot net
for years was an un-secure language but do to the facts of society the developers are
starting to change the structure to a programming language that will easily handle
security matters.
Bibliography
New Security Features in Visual Studios 2005. Retrieved November 10, 2005
http://msdn.microsoft.com/security/default.aspx?pull=/library/enus/dnvs05/html/vs05security.asp
Active Directory Users, Computers, and Groups. Retrieved November 10, 2005
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedire
ctory/maintain/adusers.mspx
Using User Authentication. Retrieved November 10, 2005
http://www.apacheweek.com/features/userauth
Computer Security Information. Retrieved November 10, 2005
http://www.alw.nih.gov/Security/security.html
Code Examples
First paragraph code example (Example 1A): User Authentication
This code grabs the user id off of a network
This function uses windows api to interface and pull the user ID off of the network
This method will return the username and the length
Private Declare Function GetUserName Lib "advapi32.dll" Alias _
"GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long
This method pulls the user name off of the API
Public Function UserName() As String
Calls the method above in order to get the user name
Variables for the user name and length
Dim userLength As Long, name2 As Long
Dim strUserName As String
Pulls the user name from the method
strUserName = String$(254, 0)
userLength = 255
Checks the length of the user id
name2 = apiGetUserName(strUserName, userLength)
If the length is greater then zero then the userid is extracted
If name2 <> 0 Then
UserName = Left$(strUserName, userLength - 1)
UserID is not extracted
Else
UserName = ""
End If
End Function
===============================================================
First paragraph code example (Example 2A): User Authentication
Code checks to see if a user is an admin
Public Function Admin() As Boolean
Check to see if user is already an admin
If AdminFlag Then
IsAdmin = AppAdmin
Exit Function
End If
Run queries to get admin name out of table
Dim strSQL As String
strSQL = "SELECT FunctionNum,Control, ItemName " & _
"FROM tblLookup WHERE FunctionNum = 3 AND ItemName = '" & UCase(User
& "' ;")
Opens the database connection
OpenDBConn
Dim rs As ADODB.Recordset
Set rs = New ADODB.Recordset
rs.CursorLocation = adUseClient
rs.Open strSQL, _
DBConn, _
ADODB.adOpenForwardOnly, _
CloseDBConn
Checks to see if a record set is found if not then it will not run
If rs.EOF Then
IsAdmin = False
Else
IsAdmin = True
rs.Close
End If
If the user is an admin then the following code will run
AppAdmin = IsAdmin
AdminFlag = True
Set rs = Nothing
End Function
===============================================================
Code Example on version control (3A):
Public variable for application version
Public Const appVersion As String = "2.7"
Function to check the version
Public Function Check_Version() As Boolean
Dim strSQL As String
Check_Version = False
Queries the database to get the version number
strSQL = "SELECT FunctionNum, CName, ItemName FROM Lookup WHERE
LDomain = 0 AND ItemName = '" & appVerNum & "' ;"
OpenDBConn
Dim rs As ADODB.Recordset
Set rs = New ADODB.Recordset
rs.CursorLocation = adUseClient
rs.Open strSQL, _
DBConn, _
ADODB.adOpenForwardOnly, _
ADODB.adLockBatchOptimistic
Set rs.ActiveConnection = Nothing
CloseDBConn
If record set is not found then the version numbers are incorrect
If rs.EOF Then
'MsgBox "AppVer False"
Check_Version = False
User is authenticate
Else
'MsgBox "AppVer True"
rs.Close
Check_Version = True
End If
Resets the record set
Set rs = Nothing
End Function
Questions
Questions:
1. How does Certificate Authentication work?
a. By placing a local file on the user’s hard drive the website/application can
authenticate that user.
2. How are managers keeping applications secure from developers
a. By using methods like the IntelliSense Zone to limit what developers can
do
3. Why is unit testing important with application security?
a. Unit testing is important with application security in order to ensure how
methods will react if wrong data values are sent to it.
4. How can attackers use a Buffer overrun?
a. Attackers can use a Buffer overrun to put their own code in reserved
memory slots and have it ran instead of the actual code
5. Why is application security more important now then in the past?
a. Due to the nature of business today personal information is readily
available online. Without proper security applications can cause anything
to happen from information sharing to identity theft
MC
1. Certificate Authentication uses the following:
a. Local files
b. User entered names and passwords
c. IP address
d. None of the above
2. Attackers can do all of the following with a buffer overrun except?:
a. Change a command in memory
b. Have the application react differently
c. Enter machine code directly into memory
d. Change the IP address of the computer
3. Which type of testing can be used for security?
a. Ready testing
b. Beta testing
c. Alpha testing
d. Load testing
4. .Net framework applications run under which security model?
a. Code Access
b. .net restriction
c. Authentication
d. Limited
5. Unit testing does what?
a. Tests return types of methods
b. Tests entire application output
c. Tests the number of users that an application can handle
d. Tests for denial of service attacks
T/F
6. Testing can not be used for security?
7. Load testing is only used for servers?
8. Code access is the .net security framework model?
9. IP addresses can be used to restrict user access to an application?
10. Machine code can cause a buffer overrun?
Answer to problems:
1. By placing a local file on the user’s hard drive the website/application can
authenticate that user.
2. By using methods like the IntelliSense Zone to limit what developers can do
3. Unit testing is important with application security in order to ensure how
methods will react if wrong data values are sent to it.
4. Attackers can use a Buffer overrun to put their own code in reserved memory
slots and have it ran instead of the actual code
5. Due to the nature of business today personal information is readily available
online. Without proper security applications can cause anything to happen from
information sharing to identity theft
MC
T/F
1. A
6. F
2. D
7. F
3. D
8. T
4. A
9. T
5. A
10. F
Related documents
CS 2813 - Loyola College
CS 2813 - Loyola College
H.264 Rate Control
H.264 Rate Control
Chapter 11 HW
Chapter 11 HW
Chapter 1:
Chapter 1:
Honors Chem- Buffers Worksheet
Honors Chem- Buffers Worksheet
Lecture 6
Lecture 6
I think that public-key`s authentication process and symmetric key`s
I think that public-key`s authentication process and symmetric key`s
2008-2011 - Online MMCE
2008-2011 - Online MMCE
Download
advertisement