WCF Security, FSec
  1. WCF security: patterns & practices
     ante.gulam[at]ri-ing.net
  2. Overview
     • Intro [Service-Oriented Architecture, MS WCF]
     • Defining Web Service Threats
     • Overview of WCF Security Basics
     • Configuration - Starting Point and Ending Point
     • Bindings in Depth
     • Securing the Transport Channel - Integrity and Authentication
     • Messages - What I Send Is What You Get?
     • A Few Code-Based WCF Security Best Practices
     • Outro [conclusion]
  3. Intro
     • SOA in general (discovery, description, messaging)
       – UDDI → XML hierarchy
       – UDDI discovery (automated scanning tools)
       – WSDL and XSD descriptions
       – SOAP vs. REST XML protocols
     • SOA security issues (ASMX, WCF, Java ...)
     • WCF (Indigo, 2006): the .NET web service technology
     • Endpoints (transport & bindings)
       – ABC (Address/Binding/Contract)
       – HTTP, TCP, named pipes, MSMQ ...
       – MEX: Metadata Exchange (publishes the service description, i.e. the WSDL)
  4. Defining Web Service Threats
     • Attractive target
       – Open to the world (access filtering is rare)
       – Direct connection to the core application
       – Direct connection to core data
     • Discovering and attacking web services
       – WS-Discovery (service behaviorConfiguration="serviceDiscoverable"): probe on UDP port 3702 (multicast)
       – WSScanner: footprinting, discovery, enumeration, scanning and fuzzing tool
       – WCF Test Harness: flexible tool for quick service tests
     • Common web application vulns: SQL injection, session theft, XML DoS ...
     • XML/SOAP manipulation (abusing the protocol)
       – Eavesdropping on the message exchange
       – Message protection methods
     • Configuration data injection (tampering with .config files)
     • Local/UDDI XML processing attacks
  5. Overview of WCF Security Basics
     • Logging and auditing
       – Debugging and attack detection
     • Authentication
       – Identify clients
         » Users, services, processes, machines ...
         » MITM attack mitigation
       – Transport security mode (certificate, NTLM, Basic ...)
       – Message security mode (certificate, token, username ...)
     • Authorization
       – Role-based
       – Identity-based
       – Resource-based
     • Confidentiality
       – Encryption of traffic between the client and the WCF service
     • Integrity
  6. Configuration - Starting Point and Ending Point
     • Web.config start-up
       – Web.config encryption
       – section.SectionInformation.ProtectSection(...)
     • <system.serviceModel>
       – Services
         » Defining service endpoints
       – Bindings
         » Basic, WS, WSDual, NetTcp ...
       – Behaviors
         » <serviceThrottling> and other custom behaviors
     • <credentials /> stored in config (ASP.NET forms authentication), in cleartext:
         <credentials passwordFormat="Clear">
           <user name="user1" password="pass1"/>
         </credentials>
       – passwordFormat="SHA1" or "MD5" only swaps this for an unsalted hash; keep credentials out of config, or at least encrypt the section
     • Max message size: MaxReceivedMessageSize on the binding (default 65536 bytes). Avoid 2147483647 (Int32.MaxValue), which removes the limit and opens the service to memory-exhaustion DoS
     • Encrypting configuration files (command-line tools such as aspnet_regiis -pe, or code-based)
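The ProtectSection call from the slide above, carried through to a runnable tool. This is an added example, not code from the deck: it encrypts the sections of a WCF service configuration that usually hold secrets (connection strings, appSettings, the serviceModel behaviors that carry serviceCredentials and the bindings) with the DPAPI provider, saves the file, then reopens it and checks that each section really reads back as protected. The list of section names, the virtual path argument and the use of the DPAPI provider are assumptions; the WebConfigurationManager/ConfigurationManager APIs are the standard .NET ones.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypt the secret-bearing sections of a WCF service's config and verify it.
// Needs references to System.Configuration and System.Web.
public static class ConfigProtector
{
    // Assumed list: sections that commonly hold credentials or key material.
    // "system.serviceModel/behaviors" is where serviceCredentials / clientCredentials live.
    static readonly string[] SensitiveSections =
    {
        "connectionStrings",
        "appSettings",
        "system.serviceModel/behaviors",
        "system.serviceModel/bindings",
    };

    // DPAPI, bound to this machine. For web farms use RsaProtectedConfigurationProvider and
    // move the RSA key container between nodes with aspnet_regiis -px / -pi.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts every listed section that exists and is still in cleartext; returns how many changed.
    public static int Protect(Configuration config)
    {
        int changed = 0;
        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || section.SectionInformation.IsProtected)
                continue;
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;   // write it even if inherited unchanged
            changed++;
        }
        if (changed > 0)
            config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    // Check on a freshly opened Configuration: any listed section that is present but not
    // protected means the save did not take (wrong path, read-only file, wrong config level).
    public static bool VerifyProtected(Configuration config)
    {
        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section != null && !section.SectionInformation.IsProtected)
                return false;
        }
        return true;
    }

    static Configuration Open(string[] args)
    {
        // With an argument: IIS-hosted service, argument is the application's virtual path ("/MyService").
        // Without: the calling process's own .exe.config (self-hosted service).
        return args.Length > 0
            ? WebConfigurationManager.OpenWebConfiguration(args[0])
            : ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
    }

    static void Main(string[] args)
    {
        int changed = Protect(Open(args));
        Console.WriteLine("{0} section(s) encrypted", changed);

        // Re-read from disk rather than trusting the in-memory object.
        Console.WriteLine(VerifyProtected(Open(args)) ? "verified: all sensitive sections protected"
                                                      : "NOT protected: check path and file permissions");
    }
}
```

Run it once on each deployment target under the identity that will later read the config, because DPAPI ciphertext produced on one machine does not decrypt on another. The equivalent command-line step for a single section is aspnet_regiis -pe "connectionStrings" -app "/MyService".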
  7. Bindings in Depth
     • System.ServiceModel.Channels.Binding class
     • Binding types and security modes
       – WSHttpBinding b = new WSHttpBinding(); b.Security.Mode = SecurityMode.?????
         » Transport security (SecurityMode.Transport: TLS on the channel, hop by hop)
         » Mixed-mode security (SecurityMode.TransportWithMessageCredential: TLS on the channel, client credential inside the message)
         » Message security (SecurityMode.Message: WS-Security signing and encryption of each message, end to end)
     • Considering scenarios for the right bindings
       – Clients accessing through the Internet (wsHttpBinding)
       – Legacy clients (basicHttpBinding)
       – Intranet (netTcpBinding)
       – Local-machine clients (netNamedPipeBinding)
       – Disconnected, queued calls (netMsmqBinding)
       – Bidirectional communication (wsDualHttpBinding)
  8. System-provided bindings
     – BasicHttpBinding: an HTTP binding suitable for connecting to web services that conform to the WS-I Basic Profile (for example, ASP.NET ASMX web services). Security mode is None unless you set it
     – WSHttpBinding: an interoperable binding suitable for connecting to endpoints that conform to the WS-* protocols. Message security with Windows credentials by default
     – NetNamedPipeBinding: uses the .NET Framework to connect to other WCF endpoints on the same machine
     – NetMsmqBinding: uses the .NET Framework to create queued message connections with other WCF endpoints
     • Custom bindings: meet the requirements of your service
  9. Securing the Transport Channel
     • SSL/TLS tunnelling of the web service transport channel
     • Choosing a secure binding or SSL transport??
       – More and more on security (end-to-end protection, partial encryption of a message)
       – Performance: transport security is cheaper but only protects each hop; message security costs more per message but survives intermediaries
       – Combining message and transport security
     • Custom binding and custom validator
       – Subclass UserNamePasswordValidator and implement: public override void Validate(string userName, string password)
       – <binding name="CustomBinding">
           <security authenticationMode="UserNameOverTransport" />
         </binding>
         (UserNameOverTransport requires a transport element that provides security, such as httpsTransport; over plain http the host fails to open)
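The pieces from slides 6, 7 and 9 put together in one self-hosted service, as an added example that is not code from the deck: WSHttpBinding in mixed mode (TLS on the wire, UserName token in the message), small explicit message-size and reader quotas instead of Int32.MaxValue, and a custom UserNamePasswordValidator that checks salted PBKDF2 hashes in constant time. The contract, the UserStore with its single constructed account, and the https://localhost:8443 address are assumptions of the example; the WCF, System.IdentityModel and System.Security.Cryptography calls are the framework's own.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService
{
    [OperationContract] string WhoAmI();
}

public class OrderService : IOrderService
{
    // After a successful Validate() the user name is the call's primary identity.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}

// WCF calls Validate() once per message that carries a UserName token.
// Throwing rejects the message; the client sees a generic security fault.
public sealed class PasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null || !UserStore.Verify(userName, password))
            throw new SecurityTokenException("Invalid user name or password."); // same text for unknown user and wrong password
    }
}

// Hypothetical credential store: salted PBKDF2-SHA1 hashes, compared in constant time.
// A real service backs this with a database or directory, never with passwords in config.
public static class UserStore
{
    sealed class Entry { public byte[] Salt; public byte[] Hash; }
    const int Iterations = 100000, HashLength = 32;
    static readonly Dictionary<string, Entry> Users = new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    static UserStore() { Register("alice", "correct horse battery staple"); } // constructed demo account

    public static void Register(string userName, string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[userName] = new Entry { Salt = salt, Hash = Derive(password, salt) };
    }

    public static bool Verify(string userName, string password)
    {
        Entry e;
        if (!Users.TryGetValue(userName, out e)) return false;
        return FixedTimeEquals(Derive(password, e.Salt), e.Hash);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashLength);
    }

    // No early exit on the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

static class Program
{
    static void Main()
    {
        // Mixed mode: TLS protects the channel, the UserName token travels inside the message.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Keep the limits small and explicit; Int32.MaxValue switches the protection off.
        binding.MaxReceivedMessageSize = 64 * 1024;
        binding.ReaderQuotas.MaxDepth = 32;
        binding.ReaderQuotas.MaxStringContentLength = 16 * 1024;
        binding.ReaderQuotas.MaxArrayLength = 16 * 1024;

        // Assumed address. The HTTPS port must already have a certificate bound to it
        // (netsh http add sslcert ...) or host.Open() fails.
        var host = new ServiceHost(typeof(OrderService), new Uri("https://localhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new PasswordValidator();

        host.Open();
        Console.WriteLine("Listening on {0}; press Enter to stop.", host.BaseAddresses[0]);
        Console.ReadLine();
        host.Close();
    }
}
```

Two things worth checking after Open(): that the endpoint really refuses plain http (TransportWithMessageCredential is only valid over https), and that a wrong password and an unknown user produce byte-identical faults, so the validator does not leak which accounts exist.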
  10. Messages - What I Send Is What You Get?
     • Message integrity check
       – Ability to detect and reject invalid data
       – Enforcement of complete transactions
       – Rollbacks
     • [ServiceBehavior] attribute: TransactionIsolationLevel = IsolationLevel.Serializable, protection for consistent data
     • Hash calculation on the message: XML/JSON messages (HMAC, SHA1 ...). A plain hash only catches corruption; an attacker who can rewrite the message can rewrite the hash too, so tamper detection needs a keyed MAC (HMAC) or a signature
     • ETag (Base64 encoding of the MD5 sum): a cache validator, not an integrity control
     • Distributed Transaction Coordinator (MSDTC): building a single transaction
       – 'Global' rollback (whole call chain rolled back): transactionFlow="true" on the binding, together with [TransactionFlow(TransactionFlowOption.Allowed)] on the operation
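What "hash calculation on the message" looks like when it is enforced on the service rather than left to the caller: an added example, not code from the deck, in which a dispatch message inspector requires every request to carry an HMAC-SHA256 of its body XML in a SOAP header and rejects the call before the operation runs if the header is missing, malformed or wrong. The header name and namespace, the environment-variable key source and the [HmacIntegrity] attribute are assumptions of the example; the IDispatchMessageInspector/IServiceBehavior extension points are WCF's own. Note that this is an application-level check over one serialization of the body, so the client must compute the MAC over exactly the XML the service reads back; WS-Security message security (SecurityMode.Message) does the same job with canonicalization and key management built in, and is the default answer when both ends are WCF.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text;
using System.Xml;

// Added example: service-side check that the request body matches a caller-supplied HMAC.
public sealed class HmacMessageInspector : IDispatchMessageInspector
{
    // Assumed header name/namespace; not a WCF or WS-* standard.
    public const string HeaderName = "BodyHmac";
    public const string HeaderNamespace = "urn:example:integrity";
    readonly byte[] key;

    public HmacMessageInspector(byte[] sharedKey) { key = sharedKey; }

    // Both sides compute this over the body element's XML, as the service will read it back.
    public static string ComputeBodyHmac(byte[] key, string bodyXml)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(bodyXml)));
    }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // A Message can be consumed only once: buffer it, give the dispatcher a fresh copy, inspect ours.
        MessageBuffer buffer = request.CreateBufferedCopy(int.MaxValue); // already capped by MaxReceivedMessageSize
        request = buffer.CreateMessage();
        using (Message copy = buffer.CreateMessage())
        {
            int index = copy.Headers.FindHeader(HeaderName, HeaderNamespace);
            if (index < 0)
                throw new FaultException("Missing integrity header.");

            byte[] presented;
            try { presented = Convert.FromBase64String(copy.Headers.GetHeader<string>(index)); }
            catch (FormatException) { throw new FaultException("Malformed integrity header."); }

            string body;
            using (XmlDictionaryReader reader = copy.GetReaderAtBodyContents())
                body = reader.ReadOuterXml();   // first (and for a single-operation call, only) body element

            byte[] expected = Convert.FromBase64String(ComputeBodyHmac(key, body));
            if (!FixedTimeEquals(presented, expected))
                throw new FaultException("Message integrity check failed.");
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Put [HmacIntegrity] on the service class to install the inspector on every application endpoint.
[AttributeUsage(AttributeTargets.Class)]
public sealed class HmacIntegrityAttribute : Attribute, IServiceBehavior
{
    // Assumed key source (Base64 in an environment variable); use DPAPI-protected config or a vault in practice.
    static byte[] LoadKey()
    {
        string b64 = Environment.GetEnvironmentVariable("WCF_BODY_HMAC_KEY");
        if (string.IsNullOrEmpty(b64)) throw new InvalidOperationException("WCF_BODY_HMAC_KEY is not set.");
        return Convert.FromBase64String(b64);
    }

    public void ApplyDispatchBehavior(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
    {
        byte[] key = LoadKey();
        foreach (ChannelDispatcherBase dispatcherBase in serviceHostBase.ChannelDispatchers)
        {
            var dispatcher = dispatcherBase as ChannelDispatcher;
            if (dispatcher == null) continue;
            foreach (EndpointDispatcher endpoint in dispatcher.Endpoints)
            {
                if (endpoint.ContractName == "IMetadataExchange") continue; // MEX requests carry no header
                endpoint.DispatchRuntime.MessageInspectors.Add(new HmacMessageInspector(key));
            }
        }
    }

    public void AddBindingParameters(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection bindingParameters) { }

    public void Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase) { }
}
```

On the client, the header is added inside an OperationContextScope with MessageHeader.CreateHeader(HmacMessageInspector.HeaderName, HmacMessageInspector.HeaderNamespace, value) appended to OperationContext.Current.OutgoingMessageHeaders. The fault texts deliberately say nothing about which byte differed.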
  11. A Few Code-Based WCF Security Best Practices
     • using() and try/finally in WCF client code?
     • Why avoid them???
       – The IL is almost identical
       – So, where is the problem!?!?
     • Dispose() on a proxy calls Close(). On a faulted channel Close() throws (CommunicationObjectFaultedException), so the exception that faulted the channel is replaced by the one from Dispose() and Abort() is never called
     • Control the catching of exceptions
     • Use a global exception handler (IErrorHandler) for unhandled exceptions, and keep IncludeExceptionDetailInFaults off so callers never see stack traces
     • FaultContract
       – [FaultContract(typeof(CustomException))]
       – throw new FaultException<MathFault>(mf);
  12. using() vs. try/finally: the IL the compiler emits (a Form standing in for the IDisposable)
     • using():
         IL_0000: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
         IL_0005: stloc.0
         .try
         {
           IL_0006: leave.s IL_0012
         } // end .try
         finally
         {
           IL_0008: ldloc.0
           IL_0009: brfalse.s IL_0011
           IL_000b: ldloc.0
           IL_000c: callvirt instance void [mscorlib]System.IDisposable::Dispose()
           IL_0011: endfinally
         } // end handler
     • try/finally block:
         IL_0012: ldnull
         IL_0013: stloc.1
         .try
         {
           IL_0014: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
           IL_0019: stloc.1
           IL_001a: leave.s IL_0026
         } // end .try
         finally
         {
           IL_001c: ldloc.1
           IL_001d: brfalse.s IL_0025
           IL_001f: ldloc.1
           IL_0020: callvirt instance void [System]System.ComponentModel.Component::Dispose()
           IL_0025: endfinally
         } // end handler
  13. CAS in WCF services
     – [assembly: AllowPartiallyTrustedCallers]
     – [PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
     – Calling out from a restricted client environment
       • Security breach: bypassing the direct connection
       • PartialTrustClientBase<T>??
       • GAC on the client side?
     – Proxy assembly installation
     – Raw WCF demands
     (CAS policy is no longer enforced from .NET Framework 4 onward; these attributes matter only for code that still runs under legacy policy)
  14. ChannelFactory class
     – Used in advanced scenarios
     – Creation of multiple channels for communication
         ChannelFactory<xx> myChannelFactory = new ChannelFactory<xx>(myBinding, myEndpoint);
         xx wcfClient1 = myChannelFactory.CreateChannel();
     – channelFactory.Credentials (username/password)
     – Avoid creating a ChannelFactory on each page call (overhead); keep one factory and create a channel per call
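The client-side practices of slides 11 and 14 in one piece of working code, as an added example that is not code from the deck: a single cached ChannelFactory with its credentials set once, a channel per call, the Close-on-success/Abort-on-failure pattern that replaces using(), and a declared FaultContract that the service raises and the client handles as structured data. The calculator contract, the MathFault shape, the https://calc.example.invalid address and the CALC_PASSWORD environment variable are assumptions of the example.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

[DataContract]
public class MathFault
{
    [DataMember] public string Operation { get; set; }
    [DataMember] public string ProblemType { get; set; }
}

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    [FaultContract(typeof(MathFault))]
    int Divide(int n1, int n2);
}

// Service side: a declared fault carries exactly the fields of MathFault and nothing else.
// Leave ServiceDebugBehavior.IncludeExceptionDetailInFaults at its default (false) so any
// undeclared exception reaches the client only as a generic fault without a stack trace.
public class Calculator : ICalculator
{
    public int Divide(int n1, int n2)
    {
        if (n2 == 0)
            throw new FaultException<MathFault>(
                new MathFault { Operation = "Divide", ProblemType = "Division by zero" },
                new FaultReason("Division by zero is not allowed."));
        return n1 / n2;
    }
}

public static class CalculatorClient
{
    // One factory for the life of the process (expensive to build, thread-safe to use);
    // channels are cheap and created per call.
    static readonly ChannelFactory<ICalculator> Factory = CreateFactory();

    static ChannelFactory<ICalculator> CreateFactory()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // Assumed endpoint and credential source.
        var factory = new ChannelFactory<ICalculator>(binding, new EndpointAddress("https://calc.example.invalid/calc"));
        factory.Credentials.UserName.UserName = "alice";
        factory.Credentials.UserName.Password = Environment.GetEnvironmentVariable("CALC_PASSWORD");
        return factory;
    }

    public static int Divide(int a, int b)
    {
        try
        {
            return Use(channel => channel.Divide(a, b));
        }
        catch (FaultException<MathFault> fault)
        {
            // Declared fault: structured and safe to surface. Use() has already cleaned up the channel.
            throw new ArgumentException(fault.Detail.Operation + ": " + fault.Detail.ProblemType, fault);
        }
    }

    // The replacement for using(proxy) { ... }: Close on success, Abort on every failure path.
    // Dispose() would call Close(), which throws on a faulted channel and masks the exception
    // that faulted it; Abort() never throws and is safe in any state, including after a failed Close().
    static TResult Use<TResult>(Func<ICalculator, TResult> work)
    {
        ICalculator channel = Factory.CreateChannel();
        var comm = (ICommunicationObject)channel;
        bool completed = false;
        try
        {
            TResult result = work(channel);
            comm.Close();        // may throw CommunicationException or TimeoutException
            completed = true;
            return result;
        }
        finally
        {
            if (!completed)
                comm.Abort();
        }
    }
}
```

A quick way to confirm the pattern holds is to point the factory at a port with nothing listening: the EndpointNotFoundException from work() is the one the caller sees, and the channel ends in the Closed state via Abort() rather than staying Faulted.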
  15. Make a port scanner out of WCF
     – WSDualHttpBinding
     – "CreateSequence" SOAP request
     – "ReplyTo" address: the service itself opens the callback connection to whatever address the client supplies, so an attacker-controlled ReplyTo turns the service into a port scanner and request proxy (server-side request forgery). Do not expose wsDualHttpBinding to untrusted networks; for duplex over the Internet, netTcpBinding sends callbacks over the client-initiated connection instead
     • https://github.com/GDSSecurity/WCF-WSDualHttpBinding-Port-Scanner
  16. Outro [conclusion]
     • What have we remembered to make our web services more secure?
       – Best practice: combine technologies and techniques to get security to a higher level!!!
         » Combine smart coding with good configuration
     • Test your WCF services against various attack techniques
     • ServiceThrottlingBehavior class (the defaults below are the .NET 3.x values; from .NET 4.5 they scale with the processor count: MaxConcurrentCalls = 16 × cores, MaxConcurrentSessions = 100 × cores, MaxConcurrentInstances = their sum, so set them explicitly)
       – MaxConcurrentCalls (default = 16) [per message]
       – MaxConcurrentInstances (default = Int32.MaxValue)
         » InstanceContextMode → ServiceBehaviorAttribute → PerCall / PerSession
       – MaxConcurrentSessions (default = 10) [per channel]
     • Stay in touch with recent security discoveries related to the technologies you use!
       – Platforms, OS services, dev technologies, transport/protocol technologies, encryption algorithms etc.
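The throttling bullets above as host-side code, an added example rather than code from the deck: the three ServiceThrottlingBehavior limits are set explicitly (so the result does not depend on which framework version's defaults apply), exception details are kept out of faults, and metadata publishing is switched off unless the host enabled it on purpose. The IHardened contract, the http://localhost:8080 address and the chosen limit values are assumptions of the example; the behavior classes are WCF's own.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example: host-side hardening applied to a ServiceHost before Open().
public static class HostHardening
{
    public static void Apply(ServiceHost host)
    {
        // Throttles. Defaults differ by framework version (.NET 3.x: 16 / Int32.MaxValue / 10;
        // .NET 4.5+: 16*cores / calls+sessions / 100*cores), so always set them and size them
        // from a load test of the real service, not from the defaults.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        int cores = Environment.ProcessorCount;
        throttle.MaxConcurrentCalls = 16 * cores;       // operations executing at once
        throttle.MaxConcurrentSessions = 100 * cores;   // open sessions on session-ful bindings
        throttle.MaxConcurrentInstances = throttle.MaxConcurrentCalls + throttle.MaxConcurrentSessions;

        // Faults must not carry stack traces or internal type names.
        var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (debug == null)
        {
            debug = new ServiceDebugBehavior();
            host.Description.Behaviors.Add(debug);
        }
        debug.IncludeExceptionDetailInFaults = false;

        // WSDL over HTTP GET is what WS-Discovery/WSDL scanners harvest first; publish it only on purpose.
        var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (metadata != null)
        {
            metadata.HttpGetEnabled = false;
            metadata.HttpsGetEnabled = false;
        }
    }
}

[ServiceContract]
public interface IHardened
{
    [OperationContract] string Echo(string text);
}

// PerCall instancing: a fresh service object per request, nothing shared between callers,
// so the instance limit effectively tracks MaxConcurrentCalls.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Single)]
public class HardenedService : IHardened
{
    public string Echo(string text) { return text; }
}

static class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(HardenedService), new Uri("http://localhost:8080/hardened")); // assumed address
        host.AddServiceEndpoint(typeof(IHardened), new WSHttpBinding(), "");
        HostHardening.Apply(host);
        host.Open();

        var t = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        Console.WriteLine("calls={0} sessions={1} instances={2}",
            t.MaxConcurrentCalls, t.MaxConcurrentSessions, t.MaxConcurrentInstances);
        Console.ReadLine();
        host.Close();
    }
}
```

The limits are visible at runtime through the ServiceModelService performance counters (Calls Outstanding, Instances, Percent Of Max Concurrent Calls), which is the place to watch while load-testing the numbers chosen here.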
  17. Thank you for your attention. Questions and comments?