Designinig .NET Class Libraries: Security (April 20, 2005)
Posted: June 28, 2005
Please note: Portions of this transcript have been edited for clarity
Introduction
frankred [MS] (Moderator):
Welcome to today's Designing .NET Class Libraries chat on Security.
Now, let's meet our experts!
BradA [MS] (Expert):
Hello and welcome… I am Brad Abrams, a PM on the CLR team…
Tarik Soulami [MS] (Expert):
Hello, I am Tarik Soulami. I work on the CLR security development team.
JoeDu [MS] (Moderator):
Welcome to the chat everybody... My name's Joe Duffy (JoeDu, sometimes pronounced Yoda as Raymond noted), and I'm a PM on the CLR team. Looking forward to a great chat. I have a blog at https://www.bluebytesoftware.com/blog/.
frankred [MS] (Moderator):
Now that we've met our experts, let the chatting begin! :)
Tarik Soulami [MS] (Expert):
The following MSDN web page has an introduction to general CAS concepts: https://msdn2.microsoft.com/library/aa302369.aspx
Tarik Soulami [MS] (Expert):
The following presentation discusses some of CAS best practives as well:
Tarik Soulami [MS] (Expert):
https://msdn2.microsoft.com/netframework/aa497263.aspx
Tarik Soulami [MS] (Expert):
Also, for security code review guidelines, see https://msdn2.microsoft.com/library/aa302372.aspx
BradA [MS] (Expert):
Are many folks using CAS today in your applications? Have you found any issues?
Start of Chat
BradA [MS] (Expert):
Q: post blogs fer all experts?
A: mine is https://blogs.msdn.com/brada
BradA [MS] (Expert):
Q: BradA: I've been using it to some degree. I've implemented a no-touch deployment app and used CAS to extend the default permissions for an intranet app. No problems at all concerning CAS.
A: That is great! What kinds of stuff do you add to default policy?
BradA [MS] (Expert):
Q: yall addressing XAML security?
A: You mean for Avalon? Yes, the Avalon security model is built on CAS, so it is the same basic stuff...
Tarik Soulami [MS] (Expert):
Q: Any notable changes to System.Security or System.Security.Permissions.SecurityPermission (to be more specific) in 2.0?
A: There have been a number of changes to the System.Security namespace. It would help to know what specific changes you are actually concerned about.
Tarik Soulami [MS] (Expert):
Q: I heard that Whidbey has a tool that analyses an assembly to tell what are the permissions needed. Is there anything similar for 1.1?
A: The tool in question is currently available in the whidbey beta as permcalc.exe. There is no equivalent in 1.1 unfortunately.
JoeDu [MS] (Moderator):
Q: Are the examples from the presentation available for download?
A: If you're concerned about decompilation, you should check out one of the available IL obfuscators. For example, VS 2k3 and VS 2k5 ship with "Dotfuscator" Community Edition. These products use some really interesting techniques, basically munging symbols so that you can't decompile and determine the names of classes, method names, local variables, and so on.
BradA [MS] (Expert):
Q: BradA: Full Trust (Shame on me!) But it's because we created a private key with sn and sign our apps. There's another app that modifies the machines policy to grant Full Trust for apps signed with our private key.
A: Why did you need full trust? Our hope is that the .NET Framework will one day be large enough such that you will not require full trust for some subset of applications... I want to make sure we cover you case..
Tarik Soulami [MS] (Expert):
Q: Are there still plans for moving toward a model where some/most local code would run with partial permissions by default?
A: We are not changing this in Whidbey. All I can say for now is that there are no solid plans to change this in the near future.
Tarik Soulami [MS] (Expert):
Q: If we have a code that relies on other assemblies that are not signed such as the "memberrole.dll" that is provided with DotNetNuke, how can we still sign our assemblies?
A: The assemblies referenced from a strongly named assembly have to be strongly signed themselves. I am not sure what "memberrole.dll" is (whether it's open source or not), but I guess the right way to go here is to get that DLL signed.
JoeDu [MS] (Moderator):
Q: What are the best practices around securing code libraries that we write so they cannot be decompiled/reflected easily?
A: If you're concerned about decompilation, you should check out one of the available IL obfuscators. For example, VS 2k3 and VS 2k5 ship with "Dotfuscator" Community Edition. These products use some really interesting techniques, basically munging symbols so that you can't decompile and determine the names of classes, method names, local variables, and so on.
Tarik Soulami [MS] (Expert):
Q: Tarik, so PermCalc cannot not examine 1.x assemblies and make recommendations?
A: It can examine 1.1 assemblies but you have to run it against whidbey. We do not support a 1.x version of permcalc.exe.
BradA [MS] (Expert):
Q: BradA: Lazyness and because we were not able to forecast the permission requirements for all of the applications that would be produced thereafter. Whidbey's PermCalc would be of great help.
A: Cool -- I hope it is a big help... thanks.
Tarik Soulami [MS] (Expert):
Q: Tarik: Not even sample code or something unofficial? This is the kind of app that would be insteresting to see on GotDotNet or other Microsoft supported sites.
A: You can actually run the whidbey permcalc.exe to analyse 1.1 assemblies; we just do not support a 1.x version of permcalc.exe.
JoeDu [MS] (Moderator):
Q: Doesnt obfuscation just change the names? the MSIL code is still the same right? So something like Reflector will still do the job at decompiling it?
A: Not entirely. It can change control flow in a controlled manner, but yes it works by mostly munging variable and method names. Something like Reflector won't do a great job at decompiling, since most of the time namespaces get flattened, classes get turned into really weird names (like $f, $_, _1), along with method names, fields, locals, and so on. You should give it a try: it's pretty difficult to figure out what's going on, and is akin to decompiling x86 code into human readable ASM. If you have a lot of time and patience, you can figure out what it's doing. You could also do things like encrypting your resources. If you are *really* concerned, there are products out there that link and compile down to a native EXE, but servicing becomes really difficult and I wouldn't encourage it.
JoeDu [MS] (Moderator):
Q: post blogs fer all experts?
A: My blog is https://www.bluebytesoftware.com/blog/, and Brad's is https://blogs.msdn.com/brada/. Unfortunately I don't believe Tarik has a blog.
Tarik Soulami [MS] (Expert):
Q: Sorry, I'm a bit of a newbie. Is CAS focused on controlling the access of code we write by outside assemblies, or controlling the access to outside resources from within code we write?
A: It can be used for either. Basically, you can decorate code you write with CAS demands/link demands/etc... if you are worried about unprivileged code gaining access to system resources through the level of trust your code has. Similarily, code that you call can also be protected with CAS because they don't want you to access resources based on the trust that code has. The following MSDN web page has a good introduction to CAS concepts https://msdn2.microsoft.com/library/aa302369.aspx.
Tarik Soulami [MS] (Expert):
Q: How to decrypt pwd that is encrypted with HashPasswordForStoringInConfigFile?
A: You can't. A hash is not an encryption function; it's a one-way function that maps an input to a fixed size output. So, by design of hash functions, you cannot retrieve the input by only looking at the hash.
Tarik Soulami [MS] (Expert):
Q: Are there any new encryption algorithms in 2.0 as compared to 1.1?
A: There aren't any new raw encryption algorithms in 2.0 compared to 1.1. There are new encryption schemes support like XML encryption and PKCS7/SMIME encryption, but no raw algorithms added. I think 1.1 had already exposed a good set of algorithms.
Tarik Soulami [MS] (Expert):
Q: so can I use HashPasswordForStoringInConfigFile to hash pwd and use it from code?
A: It depends what you want to use it for.
Tarik Soulami [MS] (Expert):
Q: Label me a noob, but, Is there a difference in CAS between C# and VB.NET?
A: No, CAS is a CLR concepts; so it's not language dependent.
Tarik Soulami [MS] (Expert):
Q: Can I downlaod just permcalc.exe ?
A: No, permcalc.exe ships in the SDK and is a managed tool so you would need Whidbey to be installed on the machine to be able to run it.
BradA [MS] (Expert):
Q: What is best practice / HOWTO on documenting security of your class-library ? Is there any established process / document templates ?
A: I would follow the examples in System.IO... Just like exceptions, spell out the permission required under what conditions..
Tarik Soulami [MS] (Expert):
Q: I want to hash pwd and store it in config file, From code I want to use ConfigurationSettings.AppSettings["hashedpwd"] , is it possible?
A: For that purpose, you could take a look at System.Security.Cryptography; it has a number of hash functions (example: SHA1CryptoServiceProvider).
Tarik Soulami [MS] (Expert):
Q: What is the hierarchy for how CAS is evaluated? Something like Assembly->Class->Member->Inline code demand? By that, does a code access specification on a property override the code access specification on a class?
A: Yes, CAS decorations on the type override class decorations. The assembly can only be decorated with assembly requests; these are typically evaluated at assembly load time and they control what the assembly
Tarik Soulami [MS] (Expert):
Q: ...If so, any thoughts on moving away from the full vs partial trust terminology to something that conveys the idea of a partial permission set without making any implications concerning the trustworthiness of the code?
A: In whidbey, we are not changing the fact that local code gets FullTrust by default. So the FullTrust vs. semi (partial) trust code is still providing value.
Tarik Soulami [MS] (Expert):
Q: Microsoft has released to 2 open source products an assembly "memberrole.dll" that is a pre-Whidbey but production licensable version of the Membership 2.0 API - we need to digitally sign assemblies that use it but it is not strong named - workarounds?
A: As a general guideline, code shipped by MS should be signed. We will try to follow up with the group owning this DLL to see why it wasn't signed.
Tarik Soulami [MS] (Expert):
Q: The ability to view private member contens can potentially open a security leak. Are there any plans to changing this behavior or providing a way to have member that cannot be viewed from outside the type?
A: I assume you are referring to the ability to access private fields using reflection when the code is fully trusted, right? If so, I think the rationale for allowing this is that fully trusted code can do a lot worse things than just view private members; this is why reflection exposes this operation to code running with Full Trust.
Tarik Soulami [MS] (Expert):
Q: Tarik: memberrole.dll is a preview of the membership API coming in whidbey that Microsoft has provided a license to for two open source products, Community Server and DotNetNuke to ship with - it is not compiled with a strong name so we can't sign it
A: We'll follow up with the team shipping this DLL to see why it wasn't signed. As far as I know, the general guideline is that any managed code shipped by MS should be signed.
Tarik Soulami [MS] (Expert):
Q: Tarik: Some code that runs with a partial permission grant is actually more trustworthy that some code that runs with a full grant, and that's also an important distinction. The current terminology hides this by using only the nomenclature of "trust".
A: The "trust" in this instance actually refers to the trust granted by the system administrator to the code to run; not to how trustworthy the code is.
frankred [MS] (Moderator):
We're almost out of time, so get those last questions in!
Tarik Soulami [MS] (Expert):
Q: will there be a way of signing classes or libraries so that they can be downloaded to the GAC without having to deploy an .msi to setup the permissions on the client side when trying to deploy no-touch windows forms applications?
A: In whidbey, there is a new deployment technology called "ClickOnce". This is basically a no touch deployment technology where you won't need to change the CAS policy in effect to do permission elevation. When such an app is downloaded, the user is prompted to see if he wants to allow the application to run. Check it out and let us know what you think!
JoeDu [MS] (Moderator):
Q: Is there any available Bluetooth APIs for .Net Compact Framework?..
A: I don't believe so. I recommend using the MSDN Product Feedback Center to log a request for this--it will get routed to the right people. https://connect.microsoft.com/Main/content/content.aspx?ContentID=2220
Tarik Soulami [MS] (Expert):
Q: Tarik: But local code runs by default in FullTrust. Inspecting private members in managed code is a lot more easier than in unmanaged code. I know that armed with the aproprieate knowledge a person would be able to see anything he wants once he got...
A: I know this was the subject of a lot of heated debate in the past. I will forward your message to the people working on the CLR reflection team (although they are aware of these concerns already).
JoeDu [MS] (Moderator):
Q: will WSE make webservice call slow? is there any detailed info on this?
A: No, in fact a lot of the WSE APIs put you "closer to the wire" than, say, ASMX services. I'd recommend starting with Hervey Wilson's blog for more information. https://channel9.msdn.com/Shows/Identity/Hervey-Wilson-on-the-Geneva-Framework Also, Mark Fussel's the PM lead for WSE (https://blogs.msdn.com/mfussell/). He has a lot of good info there, too.
Tarik Soulami [MS] (Expert):
Q: in asp net althought i use webforms still need to use client script at the user machine, what happend with the security in this cases ?.( some antivirus program doesn't allow client scripts )
A: Code running on the client side is usually run with a restricted set of permissions (if it's coming from the Internet, it's the Internet permission set); so you can't do everything you would like to do on the client side (for example, you can't open a file on the user's disk). The following MSDN web page https://msdn2.microsoft.com/library/aa302369.aspxp has a good introduction to CAS concepts.
Tarik Soulami [MS] (Expert):
Q: Is there any way to use DirectoryServices on an aspx page without enabling full trust for that class?
A: I have to double check the MSDN documentation, but I think this class is protected with a demand for FullTrust so only fully trusted code can access it.
JoeDu [MS] (Moderator):
Q: Will there be any new obfuscating utility in .net 2?
A: Yes, Dotfuscator Community Edition is packaged w/ VS 2k5.
Tarik Soulami [MS] (Expert):
Q: Do declarative security attributes such as FileIOPermissionAttribute support expansion of environment variables? otherwise declarative file security seems of little use as you can never guarantee file locations.
A: Declarative security does not support this. You would probably need to use imperative Demand (so you can't have a link demand in that case unfortunately since link demands are declarative only)
frankred [MS] (Moderator):
Alright. We’re out of time. I hope everyone had a good time and got answers to all of their questions. If you have more questions please visit the CLR team blogs https://msdn2.microsoft.com/netframework/aa569259.aspx section on the .NET Framework developer center. Please join us again next Wednesday for the next chat in the Designing .NET Class Libraries https://msdn2.microsoft.com/netframework/aa497250.aspx/ series.
.gif)
Top of page