SlideShare une entreprise Scribd logo

Security Model in .NET Framework

Télécharger en tant que PPTX, PDF
Mikhail Shcherbakov
Mikhail Shcherbakov

Mikhail Shcherbakov, a senior software developer at Positive Technologies, discusses the security model in the .NET Framework. He outlines how the .NET Framework uses application domains, code access security, and a transparency model to provide sandboxing of code through verification, permissions, and security attributes. The security architecture has evolved over time from .NET Framework 4 to address issues like partial trust applications and trusted chain attacks.

Technologie
1  sur  31
Security Model in .NET Framework Mikhail Shcherbakov senior software developer Positive Technologies .NEXT conference
About me ― Senior software developer at Positive Technologies ― Working on Application Inspector - source code analysis product ― Former team lead at Acronis and Luxoft
Knowledge in Practice ― Sandboxing is the base of security  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint ― Development of extensible and security-sensitive applications ― Troubleshooting and knowledge about the internals
Knowledge in Practice ― Are there some security features in Paint.NET that restrict what a plugin can do and what it can access? ― There are no security features. And no, there is no guarantee of safety… ― If there are no security features, then ... whenever Paint.NET was running, it could look for interesting files and send them off to Russia. “ “Plugins & Security?” topic, Paint.NET Forum http://bit.ly/1ABI3sH #send2Russia
Terms C# 5.0 Language Specification http://bit.ly/1tXdOI2 Common Language Infrastructure (CLI) Standard ECMA-335 http://bit.ly/1IesnAK
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
Application Domains
The verification process
Just-in-time verification
Code Access Security
Policy
Policy deprecated in .NET Framework 4
Permissions
Permissions
Enforcement
Fully Trusted code in Partially Trusted AppDomain
Transparency Model
Level 2 Security Transparency Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert Safe Critical Full Trust code Provides access to Critical code Critical Full Trust code that can do anything
Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3
Stack walking
Sandbox implementation
ASP.NET Partial Trust applications Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 2005 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 October 2013 June 2013 ASP.NET MVC 5 no longer “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv supports partial trust bit.ly/1w0xxuX
Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
Summary http://goo.gl/A5QrZm
Summary .NET Security: ― OWASP Top 10 for .NET developers bit.ly/1mpvG9R ― OWASP .NET Project bit.ly/1vCfknm ― Troy Hunt blog www.troyhunt.com ― The WASC Threat Classification v2.0 bit.ly/1G5d8rM Sandboxing: ― Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 ― New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf ― How to Test for Luring Vulnerabilities bit.ly/1G5asdG ― Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF
Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske @yu5k3

Recommandé

Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 

Recommandé

Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfTapOffice
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOCSplunk
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroKleitor Franklint Correa Araujo
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Aymeric Lagier
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLRMikhail Shcherbakov
 
Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLRMikhail Shcherbakov
 

Contenu connexe

Tendances

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfTapOffice
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOCSplunk
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Aymeric Lagier
 

Tendances (20)

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOC
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento Seguro
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 

Similaire à Security Model in .NET Framework

ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...Cyber Security Alliance
 
Security Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesSecurity Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesVMware Tanzu
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Matt Raible
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...Kim Clark
 
GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007guest20ab09
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 

Similaire à Security Model in .NET Framework (20)

Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLR
 
Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLR
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
 
Security Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesSecurity Patterns for Microservice Architectures
Security Patterns for Microservice Architectures
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020
 
Crack mcts.com
Crack mcts.comCrack mcts.com
Crack mcts.com
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Walther Mvc
Walther MvcWalther Mvc
Walther Mvc
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 

Plus de Mikhail Shcherbakov

Mythbusters - Web Application Security
Mythbusters - Web Application SecurityMythbusters - Web Application Security
Mythbusters - Web Application SecurityMikhail Shcherbakov
 
Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"Mikhail Shcherbakov
 
Apache Ignite.NET в действии
Apache Ignite.NET в действииApache Ignite.NET в действии
Apache Ignite.NET в действииMikhail Shcherbakov
 
Архитектура Apache Ignite .NET
Архитектура Apache Ignite .NETАрхитектура Apache Ignite .NET
Архитектура Apache Ignite .NETMikhail Shcherbakov
 
Знакомство с In-Memory Data Grid
Знакомство с In-Memory Data GridЗнакомство с In-Memory Data Grid
Знакомство с In-Memory Data GridMikhail Shcherbakov
 
сценарии использования статического анализатора
сценарии использования статического анализаторасценарии использования статического анализатора
сценарии использования статического анализатораMikhail Shcherbakov
 
WCF. Легко или проблемно
WCF. Легко или проблемноWCF. Легко или проблемно
WCF. Легко или проблемноMikhail Shcherbakov
 
Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#Mikhail Shcherbakov
 
Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3. Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3. Mikhail Shcherbakov
 
WinDbg в руках .NET разработчика
WinDbg в руках .NET разработчикаWinDbg в руках .NET разработчика
WinDbg в руках .NET разработчикаMikhail Shcherbakov
 
RESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentationRESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentationMikhail Shcherbakov
 
Простой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NETПростой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NETMikhail Shcherbakov
 
Использование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектахИспользование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектахMikhail Shcherbakov
 
Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.Mikhail Shcherbakov
 
Распространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложенийРаспространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложенийMikhail Shcherbakov
 
Когда в C# не хватает C++
Когда в C# не хватает C++Когда в C# не хватает C++
Когда в C# не хватает C++Mikhail Shcherbakov
 
Как это работает: DLR
Как это работает: DLRКак это работает: DLR
Как это работает: DLRMikhail Shcherbakov
 

Plus de Mikhail Shcherbakov (20)

Delegates and events in C#
Delegates and events in C#Delegates and events in C#
Delegates and events in C#
 
Mythbusters - Web Application Security
Mythbusters - Web Application SecurityMythbusters - Web Application Security
Mythbusters - Web Application Security
 
Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"
 
Apache Ignite.NET в действии
Apache Ignite.NET в действииApache Ignite.NET в действии
Apache Ignite.NET в действии
 
Архитектура Apache Ignite .NET
Архитектура Apache Ignite .NETАрхитектура Apache Ignite .NET
Архитектура Apache Ignite .NET
 
Знакомство с In-Memory Data Grid
Знакомство с In-Memory Data GridЗнакомство с In-Memory Data Grid
Знакомство с In-Memory Data Grid
 
сценарии использования статического анализатора
сценарии использования статического анализаторасценарии использования статического анализатора
сценарии использования статического анализатора
 
WCF. Легко или проблемно
WCF. Легко или проблемноWCF. Легко или проблемно
WCF. Легко или проблемно
 
Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#
 
Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3. Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3.
 
Project Rider
Project RiderProject Rider
Project Rider
 
WinDbg в руках .NET разработчика
WinDbg в руках .NET разработчикаWinDbg в руках .NET разработчика
WinDbg в руках .NET разработчика
 
Structured logging
Structured loggingStructured logging
Structured logging
 
RESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentationRESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentation
 
Простой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NETПростой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NET
 
Использование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектахИспользование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектах
 
Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.
 
Распространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложенийРаспространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложений
 
Когда в C# не хватает C++
Когда в C# не хватает C++Когда в C# не хватает C++
Когда в C# не хватает C++
 
Как это работает: DLR
Как это работает: DLRКак это работает: DLR
Как это работает: DLR
 

Dernier

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Security Model in .NET Framework

  • 1.
  • 2. Security Model in .NET Framework Mikhail Shcherbakov senior software developer Positive Technologies .NEXT conference
  • 3. About me ― Senior software developer at Positive Technologies ― Working on Application Inspector - source code analysis product ― Former team lead at Acronis and Luxoft
  • 4. Knowledge in Practice ― Sandboxing is the base of security  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint ― Development of extensible and security-sensitive applications ― Troubleshooting and knowledge about the internals
  • 5. Knowledge in Practice ― Are there some security features in Paint.NET that restrict what a plugin can do and what it can access? ― There are no security features. And no, there is no guarantee of safety… ― If there are no security features, then ... whenever Paint.NET was running, it could look for interesting files and send them off to Russia. “ “Plugins & Security?” topic, Paint.NET Forum http://bit.ly/1ABI3sH #send2Russia
  • 6. Terms C# 5.0 Language Specification http://bit.ly/1tXdOI2 Common Language Infrastructure (CLI) Standard ECMA-335 http://bit.ly/1IesnAK
  • 7. .NET Framework 4 Security Architecture
  • 8. .NET Framework 4 Security Architecture
  • 9. .NET Framework 4 Security Architecture
  • 10. .NET Framework 4 Security Architecture
  • 16. Policy deprecated in .NET Framework 4
  • 20. Fully Trusted code in Partially Trusted AppDomain
  • 22. Level 2 Security Transparency Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert Safe Critical Full Trust code Provides access to Critical code Critical Full Trust code that can do anything
  • 23. Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3
  • 26. ASP.NET Partial Trust applications Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 2005 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 October 2013 June 2013 ASP.NET MVC 5 no longer “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv supports partial trust bit.ly/1w0xxuX
  • 27. Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
  • 28. Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
  • 30. Summary .NET Security: ― OWASP Top 10 for .NET developers bit.ly/1mpvG9R ― OWASP .NET Project bit.ly/1vCfknm ― Troy Hunt blog www.troyhunt.com ― The WASC Threat Classification v2.0 bit.ly/1G5d8rM Sandboxing: ― Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 ― New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf ― How to Test for Luring Vulnerabilities bit.ly/1G5asdG ― Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF
  • 31. Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske @yu5k3