Mikhail Shcherbakov, profile picture
Uploaded byMikhail Shcherbakov
PPTX, PDF2,929 views

Security Model in .NET Framework

Mikhail Shcherbakov, a senior software developer at Positive Technologies, discusses the security model in the .NET Framework. He outlines how the .NET Framework uses application domains, code access security, and a transparency model to provide sandboxing of code through verification, permissions, and security attributes. The security architecture has evolved over time from .NET Framework 4 to address issues like partial trust applications and trusted chain attacks.

Technology
Related topics:
ASP.NET Overview

Embed presentation

Downloaded 47 times
Security Model in .NET Framework Mikhail Shcherbakov senior software developer Positive Technologies .NEXT conference
About me ― Senior software developer at Positive Technologies ― Working on Application Inspector - source code analysis product ― Former team lead at Acronis and Luxoft
Knowledge in Practice ― Sandboxing is the base of security  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint ― Development of extensible and security-sensitive applications ― Troubleshooting and knowledge about the internals
Knowledge in Practice ― Are there some security features in Paint.NET that restrict what a plugin can do and what it can access? ― There are no security features. And no, there is no guarantee of safety… ― If there are no security features, then ... whenever Paint.NET was running, it could look for interesting files and send them off to Russia. “ “Plugins & Security?” topic, Paint.NET Forum http://bit.ly/1ABI3sH #send2Russia
Terms C# 5.0 Language Specification http://bit.ly/1tXdOI2 Common Language Infrastructure (CLI) Standard ECMA-335 http://bit.ly/1IesnAK
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
.NET Framework 4 Security Architecture
Application Domains
The verification process
Just-in-time verification
Code Access Security
Policy
Policy deprecated in .NET Framework 4
Permissions
Permissions
Enforcement
Fully Trusted code in Partially Trusted AppDomain
Transparency Model
Level 2 Security Transparency Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert Safe Critical Full Trust code Provides access to Critical code Critical Full Trust code that can do anything
Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3
Stack walking
Sandbox implementation
ASP.NET Partial Trust applications Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 2005 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 October 2013 June 2013 ASP.NET MVC 5 no longer “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv supports partial trust bit.ly/1w0xxuX
Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
Summary http://goo.gl/A5QrZm
Summary .NET Security: ― OWASP Top 10 for .NET developers bit.ly/1mpvG9R ― OWASP .NET Project bit.ly/1vCfknm ― Troy Hunt blog www.troyhunt.com ― The WASC Threat Classification v2.0 bit.ly/1G5d8rM Sandboxing: ― Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 ― New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf ― How to Test for Luring Vulnerabilities bit.ly/1G5asdG ― Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF
Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske @yu5k3

More Related Content

PPT
Implementing application security using the .net framework
byLalit Kale
 
PPTX
Practice of AppSec .NET
byMikhail Shcherbakov
 
PPTX
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
byEric Vanderburg
 
PPTX
Dotnet Basics Presentation
bySudhakar Sharma
 
PDF
Abusing, Exploiting and Pwning with Firefox Add-ons
byAjin Abraham
 
PPT
Ch10 Hacking Web Servers http://ouo.io/2Bt7X
byphanleson
 
PDF
Browser Exploit Framework
byn|u - The Open Security Community
 
PDF
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
Implementing application security using the .net framework
byLalit Kale
 
Practice of AppSec .NET
byMikhail Shcherbakov
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
byEric Vanderburg
 
Dotnet Basics Presentation
bySudhakar Sharma
 
Abusing, Exploiting and Pwning with Firefox Add-ons
byAjin Abraham
 
Ch10 Hacking Web Servers http://ouo.io/2Bt7X
byphanleson
 
Browser Exploit Framework
byn|u - The Open Security Community
 
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 

What's hot

PPTX
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
byAjin Abraham
 
PDF
Hacking Tizen: The OS of everything - Whitepaper
byAjin Abraham
 
PDF
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
PPTX
Pentesting With Web Services in 2012
byIshan Girdhar
 
PPT
Introduction to dot net framework by vaishali sahare [katkar]
byvaishalisahare123
 
PPTX
Presentation web based application|Web designing training center in coimbator...
byVignesh026
 
PPT
Microsoft dot net framework
byInstantenigma
 
PPTX
Abusing Exploiting and Pwning with Firefox Addons
byAjin Abraham
 
PPTX
4. features of .net
byPramod Rathore
 
PPTX
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
byAjin Abraham
 
PDF
Shellcoding in linux
byAjin Abraham
 
PDF
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
PPT
Working in Visual Studio.Net
byDutch Dasanaike {LION}
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PDF
Asec r01-resting-on-your-laurels-will-get-you-pwned
byDinis Cruz
 
PDF
[OWASP Poland Day] A study of Electron security
byOWASP
 
PPTX
Microsoft Fakes, Unit Testing the (almost) Untestable Code
byAleksandar Bozinovski
 
PPTX
Fortify dev ops (002)
byMadhavan Marimuthu
 
PPT
Benefits of web application firewalls
byEnclaveSecurity
 
PPTX
[OWASP Poland Day] Saving private token
byOWASP
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
byAjin Abraham
 
Hacking Tizen: The OS of everything - Whitepaper
byAjin Abraham
 
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
 
Pentesting With Web Services in 2012
byIshan Girdhar
 
Introduction to dot net framework by vaishali sahare [katkar]
byvaishalisahare123
 
Presentation web based application|Web designing training center in coimbator...
byVignesh026
 
Microsoft dot net framework
byInstantenigma
 
Abusing Exploiting and Pwning with Firefox Addons
byAjin Abraham
 
4. features of .net
byPramod Rathore
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
byAjin Abraham
 
Shellcoding in linux
byAjin Abraham
 
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
Working in Visual Studio.Net
byDutch Dasanaike {LION}
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
byDinis Cruz
 
[OWASP Poland Day] A study of Electron security
byOWASP
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
byAleksandar Bozinovski
 
Fortify dev ops (002)
byMadhavan Marimuthu
 
Benefits of web application firewalls
byEnclaveSecurity
 
[OWASP Poland Day] Saving private token
byOWASP
 

Similar to Security Model in .NET Framework

PPTX
Sandboxing in .NET CLR
byMikhail Shcherbakov
 
PPTX
Sandboxing in .NET CLR
byMikhail Shcherbakov
 
PPTX
Know Your Security Model
byMikhail Shcherbakov
 
PPTX
.NET Security (Radu Vunvulea)
byRadu Vunvulea
 
PPTX
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
PPT
Making the case for sandbox v1.1 (SD Conference 2007)
byDinis Cruz
 
PPTX
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
PPTX
NET Security Features and Their Importance
byArna Softech
 
PDF
Meetup DotNetCode Owasp
bydotnetcode
 
PPTX
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
byCyber Security Alliance
 
PDF
Full Download Programming NET Security 1st Edition Adam Freeman PDF DOCX
bycalessidey19
 
PDF
[OPD 2019] .NET Core Security
byOWASP
 
PPTX
Securing .Net Hosted Services
byBrett Nemec
 
DOCX
Security Focus: Built-in Features to Safeguard Your Applications
byakankshawande
 
PPT
Security_Updates_cybersecuirty ppt presentation.ppt
by21881a6619
 
PDF
.NET TECHNOLOGIES
byProf Ansari
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
The Enduring Popularity of .NET: From Framework to Core and Beyond
bycoretechmsm
 
PDF
Addressing New Challenges in Software Protection for .NET
byLicensingLive! - SafeNet
 
PPT
21 security and_trust
byMajong DevJfu
 
Sandboxing in .NET CLR
byMikhail Shcherbakov
 
Sandboxing in .NET CLR
byMikhail Shcherbakov
 
Know Your Security Model
byMikhail Shcherbakov
 
.NET Security (Radu Vunvulea)
byRadu Vunvulea
 
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
Making the case for sandbox v1.1 (SD Conference 2007)
byDinis Cruz
 
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
NET Security Features and Their Importance
byArna Softech
 
Meetup DotNetCode Owasp
bydotnetcode
 
ASFWS 2013 - Advances in secure (ASP).NET development – break the hackers’ sp...
byCyber Security Alliance
 
Full Download Programming NET Security 1st Edition Adam Freeman PDF DOCX
bycalessidey19
 
[OPD 2019] .NET Core Security
byOWASP
 
Securing .Net Hosted Services
byBrett Nemec
 
Security Focus: Built-in Features to Safeguard Your Applications
byakankshawande
 
Security_Updates_cybersecuirty ppt presentation.ppt
by21881a6619
 
.NET TECHNOLOGIES
byProf Ansari
 
Software Security in the Real World
byMark Curphey
 
The Enduring Popularity of .NET: From Framework to Core and Beyond
bycoretechmsm
 
Addressing New Challenges in Software Protection for .NET
byLicensingLive! - SafeNet
 
21 security and_trust
byMajong DevJfu
 

More from Mikhail Shcherbakov

PPTX
Delegates and events in C#
byMikhail Shcherbakov
 
PPTX
Mythbusters - Web Application Security
byMikhail Shcherbakov
 
PPTX
Михаил Щербаков "WinDbg сотоварищи"
byMikhail Shcherbakov
 
PPTX
Apache Ignite.NET в действии
byMikhail Shcherbakov
 
PPTX
Архитектура Apache Ignite .NET
byMikhail Shcherbakov
 
PPTX
Знакомство с In-Memory Data Grid
byMikhail Shcherbakov
 
PDF
сценарии использования статического анализатора
byMikhail Shcherbakov
 
PPTX
WCF. Легко или проблемно
byMikhail Shcherbakov
 
PDF
Поиск ошибок в программах на языке C#
byMikhail Shcherbakov
 
PPTX
Когда в C# не хватает C++ . Часть 3.
byMikhail Shcherbakov
 
PDF
Project Rider
byMikhail Shcherbakov
 
PPTX
WinDbg в руках .NET разработчика
byMikhail Shcherbakov
 
PPTX
Structured logging
byMikhail Shcherbakov
 
PPTX
RESTful API: Best practices, versioning, design documentation
byMikhail Shcherbakov
 
PPTX
Простой и кросс-платформенный WEB-сервер на .NET
byMikhail Shcherbakov
 
PPTX
Использование Visual Studio Tools for Apache Cordova в реальных проектах
byMikhail Shcherbakov
 
PPTX
Когда в C# не хватает C++ . Часть 2.
byMikhail Shcherbakov
 
PDF
Распространённые ошибки оценки производительности .NET-приложений
byMikhail Shcherbakov
 
PPTX
Когда в C# не хватает C++
byMikhail Shcherbakov
 
PDF
Как это работает: DLR
byMikhail Shcherbakov
 
Delegates and events in C#
byMikhail Shcherbakov
 
Mythbusters - Web Application Security
byMikhail Shcherbakov
 
Михаил Щербаков "WinDbg сотоварищи"
byMikhail Shcherbakov
 
Apache Ignite.NET в действии
byMikhail Shcherbakov
 
Архитектура Apache Ignite .NET
byMikhail Shcherbakov
 
Знакомство с In-Memory Data Grid
byMikhail Shcherbakov
 
сценарии использования статического анализатора
byMikhail Shcherbakov
 
WCF. Легко или проблемно
byMikhail Shcherbakov
 
Поиск ошибок в программах на языке C#
byMikhail Shcherbakov
 
Когда в C# не хватает C++ . Часть 3.
byMikhail Shcherbakov
 
Project Rider
byMikhail Shcherbakov
 
WinDbg в руках .NET разработчика
byMikhail Shcherbakov
 
Structured logging
byMikhail Shcherbakov
 
RESTful API: Best practices, versioning, design documentation
byMikhail Shcherbakov
 
Простой и кросс-платформенный WEB-сервер на .NET
byMikhail Shcherbakov
 
Использование Visual Studio Tools for Apache Cordova в реальных проектах
byMikhail Shcherbakov
 
Когда в C# не хватает C++ . Часть 2.
byMikhail Shcherbakov
 
Распространённые ошибки оценки производительности .NET-приложений
byMikhail Shcherbakov
 
Когда в C# не хватает C++
byMikhail Shcherbakov
 
Как это работает: DLR
byMikhail Shcherbakov
 

Recently uploaded

PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 

Security Model in .NET Framework

  • 2.
    Security Model in.NET Framework Mikhail Shcherbakov senior software developer Positive Technologies .NEXT conference
  • 3.
    About me ―Senior software developer at Positive Technologies ― Working on Application Inspector - source code analysis product ― Former team lead at Acronis and Luxoft
  • 4.
    Knowledge in Practice ― Sandboxing is the base of security  ASP.NET / IIS  Silverlight  SQL CLR  XBAP  ClickOnce  Sharepoint ― Development of extensible and security-sensitive applications ― Troubleshooting and knowledge about the internals
  • 5.
    Knowledge in Practice ― Are there some security features in Paint.NET that restrict what a plugin can do and what it can access? ― There are no security features. And no, there is no guarantee of safety… ― If there are no security features, then ... whenever Paint.NET was running, it could look for interesting files and send them off to Russia. “ “Plugins & Security?” topic, Paint.NET Forum http://bit.ly/1ABI3sH #send2Russia
  • 6.
    Terms C# 5.0Language Specification http://bit.ly/1tXdOI2 Common Language Infrastructure (CLI) Standard ECMA-335 http://bit.ly/1IesnAK
  • 7.
    .NET Framework 4Security Architecture
  • 8.
    .NET Framework 4Security Architecture
  • 9.
    .NET Framework 4Security Architecture
  • 10.
    .NET Framework 4Security Architecture
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
    Policy deprecated in.NET Framework 4
  • 17.
  • 18.
  • 19.
  • 20.
    Fully Trusted codein Partially Trusted AppDomain
  • 21.
  • 22.
    Level 2 SecurityTransparency Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert Safe Critical Full Trust code Provides access to Critical code Critical Full Trust code that can do anything
  • 23.
    Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe – .NET Security Annotator Tool http://bit.ly/1A3vMw3
  • 24.
  • 25.
  • 26.
    ASP.NET Partial Trustapplications Use Medium trust in shared hosting environments bit.ly/1yABGqf August 2005 For Web servers that are Internet-facing, Medium trust is recommended bit.ly/1z83LVV July 2008 ASP.NET Partial Trust does not guarantee application isolation bit.ly/1CRv3Ux June 2012 ASP.NET Security and the Importance of KB2698981 in Cloud Environments bit.ly/1vXJ50J April 2013 2005 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 October 2013 June 2013 ASP.NET MVC 5 no longer “The official position of the ASP.NET team is that Medium Trust is obsolete” -Levi Broderick, security developer at Microsoft bit.ly/1If14Gv supports partial trust bit.ly/1w0xxuX
  • 27.
    Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
  • 28.
    Trusted Chain attack ― DynamicMethod class ― MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277)
  • 29.
  • 30.
    Summary .NET Security: ― OWASP Top 10 for .NET developers bit.ly/1mpvG9R ― OWASP .NET Project bit.ly/1vCfknm ― Troy Hunt blog www.troyhunt.com ― The WASC Threat Classification v2.0 bit.ly/1G5d8rM Sandboxing: ― Exploring the .NET Framework 4 Security Model bit.ly/1zBHDl7 ― New Security Model: Moving to a Better Sandbox bit.ly/1qdLTYf ― How to Test for Luring Vulnerabilities bit.ly/1G5asdG ― Using SecAnnotate to Analyze Your Assemblies for Transparency Violations bit.ly/12AtGZF
  • 31.
    Thank you foryour attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske @yu5k3