Code Access Security - PowerPoint PPT Presentation

Slides: 34
Provided by: james594

Transcript and Presenter's Notes

1
Code Access Security
  • Defense in Depth

2
Definition
  • Code Access Security is a native .Net mechanism by
    which the consumer (or calling code) is examined
    and, based on the results, is granted varying
    degrees of trust.

3
Functions of CAS
  • Defines permissions that represent the right to
    access a system resource
  • Allows external administration of policies that
    grant sets of permissions to groups of code
  • Enables code to declare what permissions
      • are needed to run
      • are optional
      • are never needed
  • Allows code to remove particular permissions
  • Enforces checks that all callers are granted the
    required permission
  • Automatically determines the appropriate policy
    based on evidence about the executing assembly,
    such as
      • location
      • digital signature
      • the interactive user

4
CAS Permissions
  • Permissions are objects that descend from
    System.Security.CodeAccessPermission
  • All permissions have several basic capabilities:
      • Assert: the ability to grant a permission
        regardless of higher callers
      • Demand: the ability to force all callers to have
        been granted a permission
      • Deny: the ability to remove a permission
        regardless of higher callers
      • and the ability to revert each of the above
        (via static methods)

5
Examples of Permission Capabilities
  • Allow/Disallow database access
  • Restrict the ability to create UI elements
  • Secure access to unmanaged (or native win32/COM)
    code
  • Allow/Disallow access to the internet or network
  • Filter if and where an application can read or
    write to the file system

6
Example 1 Permissions at Work
  • We are going to show an example of permissions
    being used directly by .Net itself and how this
    affects your code when running locally vs. over
    the network.

7
So what happened here?
  • When .Net attempts to create a FileStream object,
    its constructor demands the right to read the
    file system. A complete stack walk is performed.
    The evidence for this assembly does not allow
    file system access, and therefore a
    SecurityException is thrown because the caller
    lacks that permission. The difference in behavior
    is determined by the executing assembly's Zone.

8
So How does CAS work?
  • Any permission action introduces a stack walk
    over all executing code in the application domain
  • The evidence for each assembly determines whether
    the requested permission has been granted to the
    executing method on the stack
  • The grant is determined by the combination of the
    zone the code executes in, the digital signature
    of the assemblies, and the configured Enterprise,
    Computer and User policy levels
  • If any member of any assembly on the call stack
    (each entry is known as a Frame) fails the test,
    the CAS system blocks the call and an exception
    is thrown
  • The security tests therefore combine like a Boolean
    AND: every frame must pass
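The stack walk from slides 7 and 8, worked through as an added C# example that is not part of the presentation: it reads the Zone evidence the runtime attached to the assembly, tests the AppDomain grant set before touching the file, and handles the SecurityException that the FileStream constructor's demand raises when any frame on the stack lacks FileIOPermission. The file path is a constructed placeholder, and the code targets .NET Framework (the only runtime that enforces CAS; .NET Core and later treat demands as no-ops).

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example (not from the slides). SamplePath is a constructed placeholder.
public static class StackWalkDemo
{
    private const string SamplePath = @"C:\temp\cas-demo.txt";

    // The Zone is the piece of host evidence that makes the same code behave
    // differently when loaded from a local disk versus a network share.
    public static string DescribeZone()
    {
        Evidence evidence = Assembly.GetExecutingAssembly().Evidence;
        Zone zone = evidence.GetHostEvidence<Zone>();   // null when no zone evidence exists
        return zone == null ? "(no zone evidence)" : zone.SecurityZone.ToString();
    }

    // Test the grant explicitly instead of waiting for the stack walk to throw.
    // Since .NET Framework 4 the grant set belongs to the AppDomain, so that is what we inspect.
    public static bool IsFileReadGranted(string path)
    {
        PermissionSet granted = AppDomain.CurrentDomain.PermissionSet;
        if (granted.IsUnrestricted())
            return true;                                 // full trust: every demand passes

        IPermission fileIo = granted.GetPermission(typeof(FileIOPermission));
        var needed = new FileIOPermission(FileIOPermissionAccess.Read, path);
        return fileIo != null && needed.IsSubsetOf(fileIo);
    }

    // The FileStream constructor demands FileIOPermission for the path. The demand
    // walks every frame on the stack (this method, Main, and anything above them);
    // a single frame without the permission fails the whole check.
    public static string ReadFirstLine(string path)
    {
        try
        {
            using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read))
            using (var reader = new StreamReader(fs))
            {
                return reader.ReadLine() ?? string.Empty;
            }
        }
        catch (SecurityException ex)
        {
            // The walk found a frame that lacks FileIOPermission for this path.
            return "SecurityException: " + ex.Message;
        }
        catch (IOException ex)
        {
            // Permission was fine but the file itself was missing or unreadable.
            return "IOException: " + ex.Message;
        }
    }

    public static void Main()
    {
        Console.WriteLine("Zone: {0}", DescribeZone());
        Console.WriteLine("Read granted: {0}", IsFileReadGranted(SamplePath));
        Console.WriteLine(ReadFirstLine(SamplePath));
    }
}
```

Run from a local folder the assembly receives MyComputer zone evidence and full trust, so both checks pass; loaded from a UNC path under the legacy 2.0/3.5 policy it receives Intranet or Internet zone evidence, IsFileReadGranted returns false, and ReadFirstLine reports the SecurityException instead of crashing.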

9
Stack Walks
10
Permission Syntax
  • CAS allows two methods of utilizing permissions
    in code
  • Imperative permissions
  • Declarative permissions

11
Imperative Permissions
  • Invokes methods on permission objects directly
    from code. Permissions are manually scoped by the
    developer.

    FileIOPermission fiop = new FileIOPermission(PermissionState.Unrestricted);
    fiop.Demand();

  • Available Actions: Demand, Assert, Deny, PermitOnly

12
Pros and Cons
  • Allows manual control over where permissions are
    applied
  • Allows runtime changes in conditions and
    parameters
  • Allows the use of groups of permissions together
  • Adds complexity to code
  • If the same permission is needed on many methods,
    the code is duplicated in each method

13
Declarative Permissions
  • Declarative security syntax uses attributes to
    place security information into the metadata of
    your code. Attributes can be placed at the
    assembly, class, or member level to indicate the
    type of request, demand, or override you want to
    use.

    [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]

  • Available Actions: LinkDemand, Deny, InheritanceDemand,
    PermitOnly, Demand, RequestMinimum, Assert,
    RequestOptional, RequestRefuse
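The two syntaxes from slides 11 and 13 applied to the same FileIOPermission demand, as an added C# example that is not part of the presentation. The imperative form narrows the demand to read access on one file rather than Unrestricted, and the declarative form expresses the identical demand as metadata on the member. The path is a constructed placeholder (a const, because attribute arguments must be compile-time constants).

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the slides). SamplePath is a constructed placeholder.
public static class PermissionSyntaxDemo
{
    private const string SamplePath = @"C:\temp\cas-demo.txt";

    // Imperative: the developer constructs the permission object and scopes
    // the demand to exactly the code that needs it.
    public static long ImperativeFileLength()
    {
        // Least privilege: demand Read on this one path, not Unrestricted.
        var fiop = new FileIOPermission(FileIOPermissionAccess.Read, SamplePath);
        fiop.Demand();   // stack walk happens here; SecurityException if any frame lacks it

        return new FileInfo(SamplePath).Length;
    }

    // Declarative: the same demand stored in metadata and enforced by the runtime
    // every time the method is invoked, so nothing inside the body can forget it.
    [FileIOPermission(SecurityAction.Demand, Read = SamplePath)]
    public static long DeclarativeFileLength()
    {
        return new FileInfo(SamplePath).Length;
    }

    public static void Main()
    {
        try
        {
            Console.WriteLine("Imperative:  {0} bytes", ImperativeFileLength());
            Console.WriteLine("Declarative: {0} bytes", DeclarativeFileLength());
        }
        catch (SecurityException ex)
        {
            // Some frame on the stack was not granted FileIOPermission for SamplePath.
            Console.WriteLine("Denied: {0}", ex.Message);
        }
        catch (IOException ex)
        {
            Console.WriteLine("File problem: {0}", ex.Message);
        }
    }
}
```

The declarative attribute is easier to audit (tools can read it from metadata without running the code), while the imperative form can build the path at runtime; on .NET Framework 4 and later, full-trust code passes both demands and they only fail inside a partial-trust AppDomain.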

14
Pros and Cons
  • Reduces complexity
  • Automatic execution
  • Metadata can easily be automatically documented
  • Many permissions can be placed on methods,
    classes, or entire assemblies
  • More security options
  • Attributes are not cumulative for the same action
    across class level and method level
  • Allows low level capabilities that can cause
    security risks when incorrectly applied
  • Requires more unit testing and peer review for
    security bugs

15
Security Actions
  • Demand
  • Link Demand
  • Inheritance Demand
  • Deny
  • Assert
  • PermitOnly
  • Other Actions

16
Demand
  • Performs a stack walk checking each frame's
    permissions
  • Occurs when the member is invoked
  • Its behavior is affected by Deny and Assert
  • Declarative implementation can target classes and
    methods

17
Link Demand
  • Link Demands perform the same operation as Demand
    but check only the immediate caller.
  • Occurs only when the member is JIT-compiled
  • Link demands are escalated into full Demands when
    the immediate caller is one of the .Net reflection
    types
  • Declarative implementation can target classes and
    methods

18
Inheritance Demand
  • Inheritance Demands allow your code to ensure
    that only sufficiently privileged code can extend
    your types or override methods
  • When placed on a class, all virtual methods are
    considered to have the same demand
  • Is applied when the type is loaded
  • Declarative implementation can target classes,
    methods, and interfaces
  • Interface inheritance demands only work when the
    instance is accessed via the interface datatype

19
Deny
  • Affects stack walking behavior by decorating the
    current frame to automatically fail a permission
    regardless of the granted policy
  • Use the RevertDeny() method to remove the Deny
  • Can interact unexpectedly with demands on the same
    frame
  • Occurs during runtime
  • Declarative implementation can target classes and
    methods

20
Assert
  • Is the opposite of Deny
  • Decorates the current frame with the requested
    permission regardless of the granted policy
  • Only fully trusted code and intranet-zone code are
    allowed to Assert. The intranet zone has a small
    subset of permissions it can assert
  • Occurs during runtime
  • An assembly can only assert permissions it was
    granted in the first place
  • Must be removed with RevertAssert() as soon as
    possible

21
PermitOnly
  • Only the resources specified by this permission
    object can be accessed, even if the code has been
    granted permission to access other resources
  • Occurs during runtime
  • Declarative implementation can target classes and
    methods
  • It is considered better practice to state what is
    allowed rather than what is not
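The three stack-walk modifiers from slides 19 to 21 exercised against one demanding callee, as an added C# example that is not part of the presentation. Each modifier is paired with its Revert call in a finally block so it never outlives the frame, which is the practice the Assert and Deny slides ask for. The file path and contents are constructed; the code is written against the .NET Framework 2.0/3.5 model the slides describe.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the slides). The sample file is constructed at runtime.
public static class StackModifierDemo
{
    private static readonly string SamplePath =
        Path.Combine(Path.GetTempPath(), "cas-demo.txt");

    // Library-style callee: demands Read on exactly one path, then uses it.
    public static bool TryReadFirstByte(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
        using (FileStream fs = File.OpenRead(path))
        {
            return fs.ReadByte() >= 0;
        }
    }

    // Deny: this frame refuses all FileIOPermission, so the callee's Demand fails
    // even though the assembly itself is granted file access.
    public static bool ReadUnderDeny()
    {
        new FileIOPermission(PermissionState.Unrestricted).Deny();
        try
        {
            return TryReadFirstByte(SamplePath);   // throws SecurityException
        }
        catch (SecurityException)
        {
            return false;
        }
        finally
        {
            CodeAccessPermission.RevertDeny();     // never leave a modifier on the frame
        }
    }

    // PermitOnly: allow-list a single path; any other path fails regardless of grant.
    public static bool ReadUnderPermitOnly(string requestedPath)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, SamplePath).PermitOnly();
        try
        {
            return TryReadFirstByte(requestedPath);
        }
        catch (SecurityException)
        {
            return false;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    // Assert: stop the stack walk at this frame so less-trusted callers above can use
    // the file through this method. The runtime requires this assembly to hold
    // SecurityPermissionFlag.Assertion and the asserted permission itself; it is only
    // safe because the path is fixed here rather than supplied by the caller.
    public static bool ReadUnderAssert()
    {
        new FileIOPermission(FileIOPermissionAccess.Read, SamplePath).Assert();
        try
        {
            return TryReadFirstByte(SamplePath);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }

    public static void Main()
    {
        File.WriteAllText(SamplePath, "constructed sample content");

        Console.WriteLine("Deny:                  {0}", ReadUnderDeny());
        Console.WriteLine("PermitOnly, same path: {0}", ReadUnderPermitOnly(SamplePath));
        Console.WriteLine("PermitOnly, other:     {0}",
            ReadUnderPermitOnly(Path.Combine(Path.GetTempPath(), "other.txt")));
        Console.WriteLine("Assert:                {0}", ReadUnderAssert());
    }
}
```

On .NET Framework 4 and later, Deny is obsolete and no longer enforced (an imperative Deny raises NotSupportedException), and CAS policy is off by default, so the Deny and PermitOnly branches only behave as shown under the legacy 2.0/3.5 policy or inside a partial-trust AppDomain.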

22
Other Actions
  • RequestMinimum allows an assembly to state what
    permissions it must have to be used when the
    assembly is loaded
  • RequestOptional allows an assembly to state what
    optional permissions are needed for all
    capabilities to be enabled
  • RequestRefuse allows an assembly to state what
    permissions will not be granted to the calling
    code

23
Some Important Built In Permissions
  • DBDataPermission allows ADO.NET to be used
  • PrintingPermission allows interaction with the
    spooler service
  • MessageQueuePermission allows use of MSMQ
  • EnvironmentPermission allows access to the
    system environment parameters
  • FileIOPermission allows access to the file
    system
  • IsolatedStoragePermission allows use of the
    isolated storage service based on the running
    user
  • RegistryPermission allows access to the
    registry
  • UIPermission allows the ability to create UI
    items
  • SocketPermission allows the ability to create
    network connections

24
Principals and Identities
  • A principal object is any type that implements
    the System.Security.Principal.IPrincipal interface.
    A principal represents the security context of the
    credentials the process is executing under.
  • An identity object is any type that implements
    the System.Security.Principal.IIdentity interface.
    The identity represents the user that the code is
    running under. Identities are always bound to a
    principal.

25
Role Based Permissions
  • The PrincipalPermission class checks role-based
    security and makes the appropriate decisions in
    the same way that other permissions examine the
    executing frames.
  • This allows applications to apply CAS to users
    and groups with the same methodology.

26
Using Principals and Identities
  • The principal can be accessed from the
    Thread.CurrentPrincipal static property
  • The identity for a principal can be accessed from
    the Identity property of the principal
  • As the role-based permissions operate on
    interface references, any number of role-based
    security systems can be substituted as
    appropriate for the application's requirements
  • Some implementations add additional methods and
    properties to allow specific capabilities
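Slides 24 to 26 put together as an added C# example that is not part of the presentation: selecting which IPrincipal implementation the AppDomain hands out, reaching the identity through the principal, checking a Windows group by its well-known role instead of a name, and demanding a role both imperatively and declaratively. Because the checks only use the IPrincipal interface, the same PrincipalPermission demand is exercised against a constructed GenericPrincipal; the user name "tester" and the roles "Operators" and "Readers" are constructed values.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not from the slides). "tester", "Operators" and "Readers" are constructed.
public static class RoleBasedDemo
{
    // By default Thread.CurrentPrincipal is an unauthenticated GenericPrincipal.
    // Ask the AppDomain to supply a WindowsPrincipal for the logged-on user instead.
    // Must run before the thread's principal is first read, or the default sticks.
    public static void UseWindowsPrincipals()
    {
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    }

    // The identity is always reached through the principal.
    public static string CurrentUserName()
    {
        IIdentity identity = Thread.CurrentPrincipal.Identity;
        return identity.IsAuthenticated ? identity.Name : "(anonymous)";
    }

    // Check membership by well-known role rather than a localized group name.
    public static bool IsLocalAdministrator()
    {
        var windows = Thread.CurrentPrincipal as WindowsPrincipal;
        return windows != null && windows.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Imperative PrincipalPermission demand: a null name means "any user"; the role
    // must match. Works against any IPrincipal implementation.
    public static bool DemandRole(string role)
    {
        try
        {
            new PrincipalPermission(null, role).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Declarative equivalent: the runtime performs the demand on every call.
    [PrincipalPermission(SecurityAction.Demand, Role = "Operators")]
    public static string OperatorsOnly()
    {
        return "operator task performed by " + CurrentUserName();
    }

    // Substitute a principal built in code so role checks can be exercised without
    // real group membership (setting the principal needs ControlPrincipal, which
    // full-trust code has). The previous principal is always restored.
    public static T RunAs<T>(string user, string[] roles, Func<T> action)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            return action();
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    public static void Main()
    {
        UseWindowsPrincipals();
        Console.WriteLine("{0} is local admin: {1}", CurrentUserName(), IsLocalAdministrator());

        // Constructed principal that holds the role: both demands pass.
        Console.WriteLine(RunAs("tester", new[] { "Operators" }, () => DemandRole("Operators")));
        Console.WriteLine(RunAs("tester", new[] { "Operators" }, OperatorsOnly));

        // Constructed principal without the role: the imperative demand reports failure.
        Console.WriteLine(RunAs("tester", new[] { "Readers" }, () => DemandRole("Operators")));
    }
}
```

WindowsBuiltInRole.Administrator resolves the group by its well-known SID, so the check still works on systems where the group is not named "Administrators"; the declarative attribute, by contrast, compares role strings, which is why it is demonstrated here against a constructed principal.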

27
Spot The Bug 1
    public string ComputerName
    {
        get
        {
            if (this._computerName == null)
            {
                EnvironmentPermission ep = new EnvironmentPermission(EnvironmentPermissionAccess.Read, "ComputerName");
                ep.Demand();
                this._computerName = Environment.MachineName;
            }
            return this._computerName;
        }
    }

28
Solution
  • The inconsistent use of Permissions is a serious
    bug. Here the only time the Permission is
    demanded is when the data is fetched. All
    subsequent calls allow the data to be accessed
    without checks.

29
Spot the Bug 2
    [SecurityPermission(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
    public void CallAPI()
    {
        // do api call
    }

30
Solution
  • Incorrect method visibility for LinkDemand
    permission application. To successfully make the
    method call, all a hostile assembly has to do is
    get your code to call into the method first in
    order to JIT the method. Subsequent calls will
    all succeed.

31
Spot the Bug 3
    [EnvironmentPermission(SecurityAction.Demand, Unrestricted = true)]
    public class MyClass
    {
        [SecurityPermission(SecurityAction.Demand, Unrestricted = true)]
        [SqlClientPermission(SecurityAction.InheritanceDemand, Unrestricted = true)]
        public virtual void PayBill()
        {
            // do work
        }
        // rest of code omitted for brevity
    }

32
Solution
  • Security action collisions between Permissions
    defined on the class and on the method. Security
    actions are not cumulative! The semantics of the
    class declaration state that the environment
    permission must be present on all members
    therefore it must be duplicated on the
    conflicting method signature.
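The three Spot the Bug snippets (slides 27 to 32) rewritten with the corrections their solution slides call for, as an added C# example that is not part of the presentation. Method bodies are constructed stand-ins; the corrected code keeps the original member names.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Permissions;

// Added example (not from the slides): corrected versions of the three bugs.
public class FixedExamples
{
    private string _computerName;

    // Bug 1 fix: the demand must happen on every access, not only on the first
    // (caching) one. As a declarative attribute on the getter it runs before the
    // body every time, whether or not the value is already cached.
    public string ComputerName
    {
        [EnvironmentPermission(SecurityAction.Demand, Read = "ComputerName")]
        get
        {
            if (this._computerName == null)
            {
                this._computerName = Environment.MachineName;
            }
            return this._computerName;
        }
    }

    // Bug 2 fix: a LinkDemand on a public entry point checks only the immediate
    // caller, and only when that caller is JIT-compiled. A full Demand walks every
    // frame on every call. Alternatively, make the member non-public so code
    // outside the assembly cannot reach it at all.
    [SecurityPermission(SecurityAction.Demand, Flags = SecurityPermissionFlag.UnmanagedCode)]
    public void CallAPI()
    {
        // do api call
    }
}

// Bug 3 fix: attributes for the same SecurityAction are not cumulative across the
// class and a method. The method that carries its own Demand therefore repeats the
// class-level EnvironmentPermission demand, or it would silently lose it.
[EnvironmentPermission(SecurityAction.Demand, Unrestricted = true)]
public class MyClass
{
    [EnvironmentPermission(SecurityAction.Demand, Unrestricted = true)]   // repeated from the class
    [SecurityPermission(SecurityAction.Demand, Unrestricted = true)]
    [SqlClientPermission(SecurityAction.InheritanceDemand, Unrestricted = true)]
    public virtual void PayBill()
    {
        // do work
    }
}
```

The common thread is that a check which runs only once (first access, first JIT, or only at one declaration level) is not a check on every path; each fix moves the demand to where it is evaluated on every invocation.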

33
Assignment
  • Create a desktop application that is capable of
    communicating with the Northwind database to
    return the number of customers for display to the
    user. If the user is also a member of the local
    administrators group, the count should be written
    to a safe location as a text file. The ability to
    write the file should not be allowed if the user
    lacks the proper group membership.
  • Hints
      • The particular IPrincipal implementation might
        not be the type you expect. There are ways to
        select which system to use.
      • Windows groups have well-known names. Maybe there
        are ways to state the one you want other than
        by name.
      • The application domain is the .Net equivalent of
        a process.