Code Access Security

1
Code Access Security

• Defense in Depth

2
Definition

• Code Access Security is a native .Net ability for
  the consumer (or calling code) to be examined and
  base on the results, have varying degrees of
  trust accordingly granted.

3
Functions of CAS

• Defines permissions that represent the right to
  access a system resource
• Allow external administration of policies that
  grant sets of permissions to groups of code
• Enables code to declare what permissions
• Are needed to run
• Are optional
• Are never needed
• Allows code to remove particular permissions
• Enforces checks that all callers are granted the
  required permission
• Automatically determine the appropriate policy
  based on evidence about the executing assembly
  such as
• Location
• Digital Signature
• The interactive User

4
CAS Permissions

• Permissions are objects that descend from
  System.Security.CodeAccessPermission
• All permissions have several basic capabilities
• Assert The ability to grant a permission
  irregardless of higher callers
• Demand The ability to force all callers have
  been granted a permission
• Deny The ability to remove a permission
  irregardless of higher callers
• And the ability to revert the each of the above
  (via static methods)

5
Examples of Permission Capabilities

• Allow/Disallow database access
• Restrict the ability to create UI elements
• Secure access to unmanaged (or native win32/COM)
  code
• Allow/Disallow access the internet or network
• Filter if and where an application can read or
  write to the file system

6
Example 1 Permissions at Work

• We are going to show an example of permissions
  being used directly by .Net itself and how this
  effects your code when running locally vs. over
  the network.

7
So what happened here?

• When .Net attempts to create a FileStream object
  its constructor demands the right to read the
  file system. A complete stack walk is performed.
  The evidence for this assembly does not allow
  file system access and therefore a
  SecurityException is thrown as the caller lacks
  that permission. The difference in behavior is
  related to the executing assemblies Zone

8
So How does CAS work?

• Any permission action will introduce a stack walk
  of all executing code in the application domain
• The evidence for each assembly will determine if
  the requested permission has been granted for the
  executing method on the stack
• The evidence is determined by the combination of
  what zone the execution is, the digital signature
  of the assemblies, the combination of Enterprise
  Computer User configured policies
• If any member in any assembly on the call stack
  (known as a Frame) fails the test then the CAS
  system will block the call and an exception will
  be thrown
• The security tests therefore are an AND operator
  in Boolean Logic

9
Stack Walks
10
Permission Syntax

• CAS allows two methods of utilizing permissions
  in code
• Imperative permissions
• Declarative permissions

11
Imperative Permissions

• Utilizes invocation of methods on permission
  objects by code. Permissions are manually scoped
  by the developer.
• FileIOPermission fiop new FileIOPermission(Permi
  ssionState.Unrestricted)
• fiop.Demand()
• Available ActionsDemandAssertDenyPermitOnly

12
Pros and Cons

• Allows manual control of application of
  permissions
• Allows runtime change in conditions and
  parameters
• Allows the use of groups of permissions together

• Adds complexity to code
• If same permission is needed on many methods the
  code is duplicated on each method

13
Declarative Permissions

• Declarative security syntax uses attributes to
  place security information into the metadata of
  your code. Attributes can be placed at the
  assembly, class, or member level, to indicate the
  type of request, demand, or override you want to
  use
• FileIOPermissionAttribute(SecurityAction.Demand,
  Unrestricted true)
• Available ActionsLinkDemand DenyInheritenceD
  emand PermitOnlyDemand RequestMinimumAssert
  RequestOptional RequestRefuse

14
Pros and Cons

• Reduces complexity
• Automatic execution
• Metadata can easily be automatically documented
• Many permissions can be placed on methods,
  classes, or entire assemblies
• More security options

• Attributes are not cumulative for the same action
  across class level and method level
• Allows low level capabilities that can cause
  security risks when incorrectly applied
• Requires more unit testing and peer review for
  security bugs

15
Security Actions

• Demand
• Link Demand
• Inheritance Demand
• Deny
• Assert
• PermitOnly
• Other Actions

16
Demand

• Performs a stack walk checking each frames
  permissions
• Occurs when the member is invoked
• Its behavior is effected by Deny and Assert
• Declarative implementation can target classes and
  methods

17
Link Demand

• Link Demands perform the same operation as Demand
  but only checks the immediate caller.
• Occurs only during when the member is JITd
• Link demands are escalated into Demands if the
  immediate caller is the .Net reflection types
• Declarative implementation can target classes and
  methods

18
Inheritance Demand

• Inheritance Demands allow your code to ensure
  that only sufficiently privileged code can extend
  your types or override methods
• When placed on a class then all virtual methods
  are considered to have the same demand
• Is applied during load of a type
• Declarative implementation can target classes,
  methods, and interfaces
• Interface inheritance demands only work when the
  instance is accessed via the interface datatype

19
Deny

• Affects stack walking behavior by decorating the
  current frame to automatically fail a permission
  irregardless of the granted policy
• Use the RevertDeny() method to remove the Deny
• Unexpected behavior with demands on the same
  frame
• Occurs during runtime
• Declarative implementation can target classes and
  methods

20
Assert

• Is the opposite of Deny
• Decorates the current frame with the requested
  permission irregardless of the granted policy
• Only intranet zone and fully trusted code is
  allowed to Assert. The intranet zone has a small
  subset of permissions it can assert
• Occurs during runtime
• An assembly can only assert permissions it was
  granted in the first place
• Must be removed with RevertAssert() as soon as
  possible

21
PermitOnly

• Only the resources specified by this permission
  object can be accessed, even if the code has been
  granted permission to access other resources
• Occurs during runtime
• Declarative implementation can target classes and
  methods
• Considered a better practice to state what is
  allowed instead of what is not

22
Other Actions

• RequestMinimum allows an assembly to state what
  permissions it must have to be used when the
  assembly is loaded
• RequestOptional allows an assembly to state what
  optional permissions are needed for all
  capabilities to be enabled
• RequestRefuse allows an assembly to state what
  permissions will not be granted to the calling
  code

23
Some Important Built In Permissions

• DBDataPermission allows ado.net to be used
• PrintingPermission allows interaction with the
  spooler service
• MessageQueuePermission allows use of MSMQ
• EnvironmentPermissions allows access to the
  system environment parameters
• FileIOPermission allows access to the file
  system
• IsolatedStoragePermissions allows use of
  isolated storage service based on the running
  user
• RegistryPermission allows access to the
  registry
• UIPermission allows the ability to create UI
  items
• SocketPermission allows the ability to create
  network connections

24
Principals and Identities

• A principle object is any type that implements
  the System.Security.IPrincipal interface. A
  principle represents the security context of the
  credentials the process is executing under.
• An identity object is any type that implements
  the System.Security.IIdentity interface. The
  identity represents the user that the code is
  running under. Identities always are bound to a
  principal.

25
Role Based Permissions

• The PrincipalPermission class works on the
  ability to check role based security and make
  appropriate decisions in the same way that other
  permissions examine the executing frames.
• This allows applications to perform CAS in users
  and groups with the same methodology.

26
Using Principals and Identities

• The principle can be accessed from the
  Thread.CurrentPrincipal static property
• The identity for a principal can be accessed from
  the Identity property of a principal
• As the role based permissions operate on
  interface references there is the ability to
  substitute any number of role based security
  systems as appropriate for application
  requirements
• Some implementations add additional methods and
  properties to allow specific capabilities

27
Spot The Bug 1

• public string ComputerName()
• get
• if (this._computerName null)
• EnvironmentPermission ep new
  EnvironmentPermission(EnvironmentPermissionAccess.
  Read, "ComputerName")
• ep.Demand()
• this._computerName Environment.MachineName
• return this._computerName

28
Solution

• The inconsistent use of Permissions is a serious
  bug. Here the only time the Permission is
  demanded is when the data is fetched. All
  subsequent calls allow the data to be accessed
  without checks.

29
Spot the Bug 2

• SecurityPermission(SecurityAction.LinkDemand,
  Flags SecurityPermissionFlag.UnmanagedCode)
• public void CallAPI()
• //do api call

30
Solution

• Incorrect method visibility for LinkDemand
  Permission application. To successfully make the
  method call all a hostile assembly has to do is
  get your code to call into the method first in
  order to JIT the method. Subsequent calls will
  all succeed.

31
Spot the Bug 3

• EnvironmentPermission(SecurityAction.Demand,
  Unrestrictedtrue
• public class MyClass
• SecurityPermission(SecurityAction.Demand,
  Unrestrictedtrue
• SqlClientPermission(SecurityAction.InheritanceDe
  mand, Unrestrictedtrue
• public virtual void PayBill()
• //do work
• //rest of code omitted for brevity

32
Solution

• Security action collisions between Permissions
  defined on the class and on the method. Security
  actions are not cumulative! The semantics of the
  class declaration state that the environment
  permission must be present on all members
  therefore it must be duplicated on the
  conflicting method signature.

33
Assignment

• Create a desktop application that is capable of
  communicating with the Northwind database to
  return the number of customers for display to the
  user. If the user is also member of the local
  administrators group the count should be written
  to a safe location as a text file. The ability to
  write the file should not be allowed if the user
  lacks the proper group membership.
• Hints
• The particular IPrincipal implementation might
  not be what type you expect. There are ways to
  select what system to use.
• Windows groups have well known names. Maybe there
  are other ways to state the one you want other
  than by name.
• The application domain is the .Net equivalent of
  a process