Mikhail Shcherbakov

July 05, 2015

Sandboxing in .NET CLRMikhail Shcherbakov

IT Global Meetup #6

IntelliEgg

Creator of IntelliDebugger projectCoordinator of SPB .NET CommunityFormer Product manager and Team lead at Cezurity, Positive Technologies, Acronis, Luxoft, Boeing

About me

2

Sandboxing is the base of security

Development of extensible and security-sensitive applications

Troubleshooting and knowledge about the internals

Knowledge in Practice

ASP.NET / IIS Silverlight SQL CLR XBAP ClickOnce Sharepoint

3

Security Architecture

4

Security Architecture

5

Application Domains

6

The verification process

7

Just-in-time verification

Code Access Security

9

Policy

10

deprecated 

in .NET Framework

4

Policy

11

Permissions

12

Permissions

13

Enforcement

14

Fully Trusted code in Partially Trusted AppDomain

15

Transparency Model

16

Level 2 Security Transparency

CriticalFull Trust code that can do anything

Safe CriticalFull Trust code Provides access to Critical code

TransparentOnly verifiable code Cannot p/invoke Cannot

elevate/assert

17

Security Transparency Attributes

Assembly Level

Type Level

Member Level

SecurityTransparent SecuritySafeCritical SecurityCritical AllowPartiallyTrustedCallers

SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3

18

Stack walking

19

Sandbox implementation

ASP.NET Partial Trust applications

2005 2005 2006 2007 2008 2009 2010 2011 2012

Use Medium trust in shared hosting environments bit.ly/1yABGqfAugust 2005

For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVVJuly 2008

21

ASP.NET Partial Trust applications

20152008 2009 2010 2011 2012 2013

ASP.NET Partial Trust does not guarantee application isolationbit.ly/1CRv3UxJune 2012

ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50JApril 2013

“The official position of the ASP.NET team is that Medium Trust is obsolete”

-Levi Broderick, security developer at Microsoft bit.ly/1If14Gv

June 2013ASP.NET MVC 5 no longer supports partial trust bit.ly/1w0xxuX

October 2013

22

DynamicMethod classMS13-015 vulnerability

Could Allow Elevation of Privilege (KB2800277)

Trusted Chain Attack

23

Luring Attack

24

Luring AttackMS02-061 “Elevation of Privilege in SQL Server Web Tasks”

25

Exception Filter Attack

Exception Filter Attack

27

Exception Filter Attack

28

Summary

29

Sandboxing:Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7

New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf

How to Test for Luring Vulnerabilities bit.ly/1G5asdG

Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF

Summary

30

.NET Security:OWASP Top 10 for .NET developers bit.ly/1mpvG9R

OWASP .NET Project bit.ly/1vCfknmTroy Hunt blog www.troyhunt.comThe WASC Threat Classification v2.0 bit.ly/1G5d8rM

Summary

31

Thank you for your attention!Mikhail Shcherbakov

spbdotnet.orglinkedin.com/in/mikhailshcherbakovgithub.com/yuske@yu5k3

IntelliEgg