.NET Security

.NET Security Workshop

This is a self-paced workshop designed to lead you through the benefits and features of .NET security.

This Workshop Will Teach You:

  • How .NET security solves common software vulnerabilities; .NET security architecture
  • Protecting assembly modules and resources
  • Validation and verification
  • Code access security; permission set and code groups; evaluating an assembly
  • Permission enforcement with attributes and code; assert, demands and link demands
  • Role based security; principals; roles
  • Windows Access Control Lists
  • How to use the security utilities; strong name utility; configuration tool
  • Cryptography; crypto transforms and crypto streams; keys and initialization vectors; message digests; hash routines
  • Data protection APIs, Encrypting configuration files, Encrypting XML

Introduction

The single most important thing in any application is security. If you receive a specification that does not have a complete description for security then return it - the specification is incomplete and it indicates that the author does not understand software development. Security is vitally important because if you don't fix the security holes in your software someone will exploit them. You must be aware of all security implications and you must build security into your software from the start rather than adding security as an afterthought.

This workshop will help you understand .NET security and how to administer it. You will be led through all security aspects with fully working examples. At the end of the tutorial you'll have a deep understanding of what .NET security is and how to use it effectively.

Example code for this workshop can be found here.

Requirements

This workshop was originally written for .NET version 1.1 on Windows XP. When Microsoft released .NET 2.0 I revised the workshop, adding annotations for the changes in version 2.0. Since then Microsoft have released 'version 3.0' of the .NET framework. However (with a few minor changes), this is merely version 2.0 distributed with the WinFX library. This means that in most cases .NET 2.0 and .NET 3.0 are interchangeable. In the workshop, when I say version 3.0 you can assume that I also mean version 2.0. If I do not mention a version then you should assume that the text refers to all versions of .NET, which means 3.0, 2.0, 1.1 and 1.0. The later sections (pages 9, 14, 15, 16) are specific to .NET 3.0/2.0.

The demonstrations will use the command line tools provided by the .NET SDK and the code will be written in C#. The example code can easily be converted to other .NET languages and can easily be converted to VS.NET projects. Using the command line tools was a deliberate action because I wanted to show that there was no 'magic' being performed by Visual Studio.

The examples in this workshop will use the following tools:

Tool       Path                         Description
csc        CORFolder\csc.exe            The C# compiler
fuslogvw   SDKFolder\bin\fuslogvw.exe   The Fusion log viewer
gacutil    SDKFolder\bin\gacutil.exe    The GAC utility
ildasm     SDKFolder\bin\ildasm.exe     The IL disassembly tool
nmake      SDKFolder\bin\nmake.exe      Program maintenance utility
sn         SDKFolder\bin\sn.exe         The strong name generator

Here, CORFolder is the location of the .NET framework assemblies (%systemroot%\Microsoft.NET\Framework\vx.x.xxx) and SDKFolder is the location of the .NET SDK (usually it is in the Visual Studio folder). To do the examples in the workshop you should ensure that your command line path is set to give access to the folders in the table. The simplest way to do this is to run the vsvars32.bat file in the Common7\Tools folder in the Visual Studio .NET folder.

Cost

There is no charge for this tutorial. If this workshop were published as a book then you would pay $50 for it, and if I were to give you this workshop as a training session then you would have to pay several thousand dollars; instead, you get it entirely for free. If you want to show your appreciation for the effort I have put into this workshop then please consider making a donation through PayPal.

I give training courses and conference talks, and I write white papers and books on a variety of .NET topics; I also architect systems and perform code reviews. Please contact me if you want me to provide my services for you.

Contents

1. Common Vulnerabilities
1.1 Buffer Overruns
1.2 Strings
1.3 Overflows
1.4 Casting
1.5 Delegates
1.6 Library Code and Access Tokens

2. Security Architecture
2.1 NTFS Security and .NET Classes

3. Strong Name Validation and Assembly Hash Validation
3.1 Spoofing by Tampering an Assembly
3.2 Signing the Assembly
3.3 Multi Module Assemblies
3.4 Assembly Resource Files
3.5 Entry Point
3.6 Caution

4. Validation and Verification
4.1 Verifying An Assembly
4.2 Validating An Assembly

5. Code Access Security
5.1 Jargon
5.2 Evidence
5.3 Creating a Permission Set
5.4 Creating a Code Group
5.5 Evaluating an Assembly
5.6 Code Group Levels
5.7 Administering Policies

6. Permission Enforcement
6.1 Types Of Permissions
6.2 Demanding Permissions
6.3 Imperative Demands
6.4 Assert Demands
6.5 Link Demands
6.6 Requested Permissions
6.7 Inheritance
6.8 Partially Trusted Code
6.9 Transparency

7. Customizing Code Access Security
7.1 Changing CAS Policy
7.2 Custom Evidence
7.3 Custom Non-CAS Permission
7.4 Custom CAS Permission

8. Principal Based Security
8.1 Principals
8.2 Roles
8.3 Custom Role Checks
8.4 Principal Control
8.5 Enterprise Services Role Based Security

9. Access Control
9.1 Overview of .NET Access Control
9.2 Security Descriptor Definition Language
9.3 Reading Security Information
9.4 Altering Security Information
9.5 Creating An Object With A Security Descriptor
9.6 Custom Security Descriptors

10. Cryptography
10.1 Terminology
10.2 .NET Cryptographic Classes

11. Secret Key Cryptography
11.1 Symmetric Key Algorithms
11.2 Persisting Data
11.3 Cryptographic Hash Functions
11.3 Base64 Encoding

12. Public Key Cryptography
12.1 Public Key Algorithms
12.2 Cryptographic Signatures
12.3 Key Exchange

13. Certificates
13.1 Certificates And Certificate Stores
13.2 .NET Version 1.0 Certificate Classes
13.3 .NET Version 3.0/2.0 Certificate Classes
13.4 Certificate Store
13.5 Using Certificates
13.6 The Strong Name Utility and Certificates

14. PKCS
14.1 Architecture
14.2 Signed Messages
14.3 Enveloped Messages
14.4 Message Attributes

15. Data Protection API
15.1 Protected Data
15.2 Protecting Configuration Files
15.3 Protected Memory

16. Encrypted XML
16.1 Signing XML
16.2 Encrypting XML

17. .NET Vulnerabilities and Exploits
17.1 Chronology
17.2 Virus Analysis
17.3 Vulnerabilities In .NET
17.4 Process Monitor
17.5 Conclusion

I hope that you enjoy this tutorial and value the knowledge that you will gain from it. I am always pleased to hear from people who use this tutorial (contact me). If you find this tutorial useful then please also email your comments to mvpga@microsoft.com.

This page is (c) 2007 Richard Grimes, all rights reserved