CS795/895: Introduction

Topics

• Distributed Systems– Availability– Performance– Web Services

• Security– Authentication– Authorization– Confidentiality

Distributed Systems

• Geographically Distributed

• Replication is the primary means to provide high availability and performance

• Replication/failure transparency are desired by distributed applications

• Protocols to communicate between distant processes are important: SOAP

Web Services

• Service offered over the web

• It facilitates request-reply paradigm using message exchange

• Uses: • HTTP (Hypertext Transport Protocol) • SOAP (Simple Object Access Protocol) • UDDI (Universal Description, Discovery and Integration) • WS-POLICY (Web Services Policy)

.Net Framework• Write the source code (e.g., using C#)

• Compile using a C# Compiler (csc.exe).

• The compiler converts the source code into an Intermediate Language, much like byte codes in Java. This is managed code (exe or DLL) .

• The compiled file unit is executed using the C# Interpreter. Upon execution, the code is checked for type safety. Moreover, the Just In Time (JIT) compiler compiles the unit into Managed Native Code and finally Common Language Runtime (CLR) produces the final output.

CLR: Common Language Runtime

• Runtime environment of .Net Framework, manages execution of code, and provides different services

• CLR contains: CTS (common type system), CLS (a subset of CTS to be supported by all .Net languages), CIL (Common intermediate language), JIT compiler (converts to MSIL (in assemblies) to executable native code)

• Managed code: IL codes along with metadata files; .exe or dll

Common Type System (CTS)

• Supports OOL like Java as well as procedural languages like C

• Objects and values (atomic types like integers and chars)

• CTS is a superset of CLS --- Not all .Net applications support all types in CTS

Miscellaneous• JIT --- Just in time compiler: This is used to convert the intermediate language

contained in assemblies (executables) into native executable code. • The security policy settings are referred at this stage to decide if code is being

compiled needs to be type safe.• Managed code vs. unmanaged code: This is the Intermediate Language code (IL)

along with metadata contained in portable executables (.EXE or .DLL). This needs JIT compiler to convert it into native executable code.

• Unmanaged code is a precompiled executable that don’t need JIT---but it has the disadvantage of being not portable across different OS platforms. They could also be unsafe.

• CLR provides services to the managed code---(i) The language compiler emits metadata that describes the types, members, and references in the code. (ii) Cross language integration

• Application domains---lightweight processes—An extension of Java’s sandbox security and Thread model. Multiple application domains run in a single Win32 process but they are isolated. Each domain can have its own configuration of security features specified.

Miscellaneous

• Assemblies: A functional unit of sharing and reuse in CLR. It is equivalent to JAR files of java.

• It is like a logical .exe or .dll; it can be an application (with a main point of entry) or a library.

• Consists of one or more files (dlls, exes, html files, etc.) and represents a group of resources, type definitions, and implementation of those types.

• An assembly may contain references to other assemblies---described in manifest---a self-describing assembly

C# (C Sharp)• Improved version of C++ and Java• It is type-safe• In .Net use Projects/Windows application C# to create and run C# programs.

using System;

namespace Helloworld{

/// <summary>/// Summary description for Class1./// </summary>class Class1{

/// <summary>/// The main entry point for the application./// </summary>static void Main(string[] args){

Console.Write("What is your name? ");string a = Console.ReadLine();Console.WriteLine("Hello " + a);

}}

}

ADO.Net

• Provides data access tools for web applications

• Seamless interoperability with XML

• Uses objects such as: Connection, Command, DataSets, DataReaders, DataSetCommands

• Use SQLConnection for MSQL server and ADOConnection via OLEDB provider

using System;using System.Data.SqlClient;class seePubs{

static void Main () {

SqlConnection conn = new SqlConnection("server=nebula.cs.odu.edu;database=pubs;User

ID=cwild;password=wildcs2004");try {

conn.Open ();SqlCommand cmd = new SqlCommand ("select * from titles", conn);SqlDataReader reader = cmd.ExecuteReader ();while (reader.Read ())

Console.WriteLine (reader["title"]);}catch (SqlException ex) {

Console.WriteLine (ex.Message);}finally {

conn.Close ();}

}}

.Net Security: Topics

• Threat models• Storing secrets• Securing Database access• ASP.Net security framework• .Net Cryptography• Windows authentication• .Net Passport• Forms authentication• Implementing Authorization• Code access security• Web services security• Impersonation