SlideShare uma empresa Scribd logo

Security Model in .NET Framework

Transferir como PPTX, PDF
Mikhail Shcherbakov
Mikhail Shcherbakov

Mikhail Shcherbakov, a senior software developer at Positive Technologies, discusses the security model in the .NET Framework. He outlines how the .NET Framework uses application domains, code access security, and a transparency model to provide sandboxing of code through verification, permissions, and security attributes. The security architecture has evolved over time from .NET Framework 4 to address issues like partial trust applications and trusted chain attacks.

Tecnologia
1 de 31
Security Model in .NET Framework Mikhail Shcherbakov senior software developer Positive Technologies .NEXT conference
About me ― Senior software developer at Positive Technologies ― Working on Application Inspector - source code analysis product ― Former team lead at Acronis and Luxoft
Knowledge in Practice ― Sandboxing is the base of security  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint ― Development of extensible and security-sensitive applications ― Troubleshooting and knowledge about the internals
Knowledge in Practice ― Are there some security features in Paint.NET that restrict what a plugin can do and what it can access? ― There are no security features. And no, there is no guarantee of safety… ― If there are no security features, then ... whenever Paint.NET was running, it could look for interesting files and send them off to Russia. “ “Plugins & Security?” topic, Paint.NET Forum http://bit.ly/1ABI3sH #send2Russia
Terms C# 5.0 Language Specification http://bit.ly/1tXdOI2 Common Language Infrastructure (CLI) Standard ECMA-335 http://bit.ly/1IesnAK
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
Application Domains
The verification process
Just-in-time verification
Code Access Security
Policy
Policy deprecated in .NET Framework 4
Permissions
Permissions
Enforcement
Fully Trusted code in Partially Trusted AppDomain
Transparency Model
Level 2 Security Transparency Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert Safe Critical Full Trust code Provides access to Critical code Critical Full Trust code that can do anything
Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3
Stack walking
Sandbox implementation
ASP.NET Partial Trust applications Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 2005 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 October 2013 June 2013 ASP.NET MVC 5 no longer “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv supports partial trust bit.ly/1w0xxuX
Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
Summary http://goo.gl/A5QrZm
Summary .NET Security: ― OWASP Top 10 for .NET developers bit.ly/1mpvG9R ― OWASP .NET Project bit.ly/1vCfknm ― Troy Hunt blog www.troyhunt.com ― The WASC Threat Classification v2.0 bit.ly/1G5d8rM Sandboxing: ― Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 ― New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf ― How to Test for Luring Vulnerabilities bit.ly/1G5asdG ― Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF
Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske @yu5k3

Recomendados

Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 

Recomendados

Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfTapOffice
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOCSplunk
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroKleitor Franklint Correa Araujo
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Aymeric Lagier
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLRMikhail Shcherbakov
 
Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLRMikhail Shcherbakov
 

Mais conteúdo relacionado

Mais procurados

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfTapOffice
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOCSplunk
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPPaul Ionescu
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Aymeric Lagier
 

Mais procurados (20)

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Building a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdfBuilding a Security Operations Center (SOC).pdf
Building a Security Operations Center (SOC).pdf
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Building an Analytics Enables SOC
Building an Analytics Enables SOCBuilding an Analytics Enables SOC
Building an Analytics Enables SOC
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Learn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAPLearn to pen-test with OWASP ZAP
Learn to pen-test with OWASP ZAP
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento Seguro
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 

Semelhante a Security Model in .NET Framework

ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...Cyber Security Alliance
 
Security Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesSecurity Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesVMware Tanzu
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Matt Raible
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...Kim Clark
 
GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007guest20ab09
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointIvanti
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 

Semelhante a Security Model in .NET Framework (20)

Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLR
 
Sandboxing in .NET CLR
Sandboxing in .NET CLRSandboxing in .NET CLR
Sandboxing in .NET CLR
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
 
Security Patterns for Microservice Architectures
Security Patterns for Microservice ArchitecturesSecurity Patterns for Microservice Architectures
Security Patterns for Microservice Architectures
 
Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020Security Patterns for Microservice Architectures - SpringOne 2020
Security Patterns for Microservice Architectures - SpringOne 2020
 
Crack mcts.com
Crack mcts.comCrack mcts.com
Crack mcts.com
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...Agile Integration Architecture: A Containerized and Decentralized Approach to...
Agile Integration Architecture: A Containerized and Decentralized Approach to...
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
Transforming your Security Products at the Endpoint
Transforming your Security Products at the EndpointTransforming your Security Products at the Endpoint
Transforming your Security Products at the Endpoint
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Walther Mvc
Walther MvcWalther Mvc
Walther Mvc
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 

Mais de Mikhail Shcherbakov

Mythbusters - Web Application Security
Mythbusters - Web Application SecurityMythbusters - Web Application Security
Mythbusters - Web Application SecurityMikhail Shcherbakov
 
Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"Mikhail Shcherbakov
 
Apache Ignite.NET в действии
Apache Ignite.NET в действииApache Ignite.NET в действии
Apache Ignite.NET в действииMikhail Shcherbakov
 
Архитектура Apache Ignite .NET
Архитектура Apache Ignite .NETАрхитектура Apache Ignite .NET
Архитектура Apache Ignite .NETMikhail Shcherbakov
 
Знакомство с In-Memory Data Grid
Знакомство с In-Memory Data GridЗнакомство с In-Memory Data Grid
Знакомство с In-Memory Data GridMikhail Shcherbakov
 
сценарии использования статического анализатора
сценарии использования статического анализаторасценарии использования статического анализатора
сценарии использования статического анализатораMikhail Shcherbakov
 
WCF. Легко или проблемно
WCF. Легко или проблемноWCF. Легко или проблемно
WCF. Легко или проблемноMikhail Shcherbakov
 
Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#Mikhail Shcherbakov
 
Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3. Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3. Mikhail Shcherbakov
 
WinDbg в руках .NET разработчика
WinDbg в руках .NET разработчикаWinDbg в руках .NET разработчика
WinDbg в руках .NET разработчикаMikhail Shcherbakov
 
RESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentationRESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentationMikhail Shcherbakov
 
Простой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NETПростой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NETMikhail Shcherbakov
 
Использование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектахИспользование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектахMikhail Shcherbakov
 
Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.Mikhail Shcherbakov
 
Распространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложенийРаспространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложенийMikhail Shcherbakov
 
Когда в C# не хватает C++
Когда в C# не хватает C++Когда в C# не хватает C++
Когда в C# не хватает C++Mikhail Shcherbakov
 
Как это работает: DLR
Как это работает: DLRКак это работает: DLR
Как это работает: DLRMikhail Shcherbakov
 

Mais de Mikhail Shcherbakov (20)

Delegates and events in C#
Delegates and events in C#Delegates and events in C#
Delegates and events in C#
 
Mythbusters - Web Application Security
Mythbusters - Web Application SecurityMythbusters - Web Application Security
Mythbusters - Web Application Security
 
Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"Михаил Щербаков "WinDbg сотоварищи"
Михаил Щербаков "WinDbg сотоварищи"
 
Apache Ignite.NET в действии
Apache Ignite.NET в действииApache Ignite.NET в действии
Apache Ignite.NET в действии
 
Архитектура Apache Ignite .NET
Архитектура Apache Ignite .NETАрхитектура Apache Ignite .NET
Архитектура Apache Ignite .NET
 
Знакомство с In-Memory Data Grid
Знакомство с In-Memory Data GridЗнакомство с In-Memory Data Grid
Знакомство с In-Memory Data Grid
 
сценарии использования статического анализатора
сценарии использования статического анализаторасценарии использования статического анализатора
сценарии использования статического анализатора
 
WCF. Легко или проблемно
WCF. Легко или проблемноWCF. Легко или проблемно
WCF. Легко или проблемно
 
Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#Поиск ошибок в программах на языке C#
Поиск ошибок в программах на языке C#
 
Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3. Когда в C# не хватает C++ . Часть 3.
Когда в C# не хватает C++ . Часть 3.
 
Project Rider
Project RiderProject Rider
Project Rider
 
WinDbg в руках .NET разработчика
WinDbg в руках .NET разработчикаWinDbg в руках .NET разработчика
WinDbg в руках .NET разработчика
 
Structured logging
Structured loggingStructured logging
Structured logging
 
RESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentationRESTful API: Best practices, versioning, design documentation
RESTful API: Best practices, versioning, design documentation
 
Простой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NETПростой и кросс-платформенный WEB-сервер на .NET
Простой и кросс-платформенный WEB-сервер на .NET
 
Использование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектахИспользование Visual Studio Tools for Apache Cordova в реальных проектах
Использование Visual Studio Tools for Apache Cordova в реальных проектах
 
Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.Когда в C# не хватает C++ . Часть 2.
Когда в C# не хватает C++ . Часть 2.
 
Распространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложенийРаспространённые ошибки оценки производительности .NET-приложений
Распространённые ошибки оценки производительности .NET-приложений
 
Когда в C# не хватает C++
Когда в C# не хватает C++Когда в C# не хватает C++
Когда в C# не хватает C++
 
Как это работает: DLR
Как это работает: DLRКак это работает: DLR
Как это работает: DLR
 

Último

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Security Model in .NET Framework

  • 1.
  • 2. Security Model in .NET Framework Mikhail Shcherbakov senior software developer Positive Technologies .NEXT conference
  • 3. About me ― Senior software developer at Positive Technologies ― Working on Application Inspector - source code analysis product ― Former team lead at Acronis and Luxoft
  • 4. Knowledge in Practice ― Sandboxing is the base of security  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint ― Development of extensible and security-sensitive applications ― Troubleshooting and knowledge about the internals
  • 5. Knowledge in Practice ― Are there some security features in Paint.NET that restrict what a plugin can do and what it can access? ― There are no security features. And no, there is no guarantee of safety… ― If there are no security features, then ... whenever Paint.NET was running, it could look for interesting files and send them off to Russia. “ “Plugins & Security?” topic, Paint.NET Forum http://bit.ly/1ABI3sH #send2Russia
  • 6. Terms C# 5.0 Language Specification http://bit.ly/1tXdOI2 Common Language Infrastructure (CLI) Standard ECMA-335 http://bit.ly/1IesnAK
  • 7. .NET Framework 4 Security Architecture
  • 8. .NET Framework 4 Security Architecture
  • 9. .NET Framework 4 Security Architecture
  • 10. .NET Framework 4 Security Architecture
  • 16. Policy deprecated in .NET Framework 4
  • 20. Fully Trusted code in Partially Trusted AppDomain
  • 22. Level 2 Security Transparency Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert Safe Critical Full Trust code Provides access to Critical code Critical Full Trust code that can do anything
  • 23. Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3
  • 26. ASP.NET Partial Trust applications Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 2005 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 October 2013 June 2013 ASP.NET MVC 5 no longer “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv supports partial trust bit.ly/1w0xxuX
  • 27. Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
  • 28. Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
  • 30. Summary .NET Security: ― OWASP Top 10 for .NET developers bit.ly/1mpvG9R ― OWASP .NET Project bit.ly/1vCfknm ― Troy Hunt blog www.troyhunt.com ― The WASC Threat Classification v2.0 bit.ly/1G5d8rM Sandboxing: ― Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 ― New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf ― How to Test for Luring Vulnerabilities bit.ly/1G5asdG ― Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF
  • 31. Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske @yu5k3