Wednesday, November 24, 2010

Microsoft .NET Framework



Introduction

In today's software environment, applications come from many sources and perform many tasks. Being able to trust application code is a central requirement, because nobody wants their software or data destroyed. A security policy that grants permissions selectively keeps sensitive information from being accessed inappropriately, and keeps the local machine from being exposed to malicious programs, or simply to ordinary buggy code.

In the past, security was based on user-account isolation and access control: within the limits of an account, code had full access, and all code run by a given user was assumed to carry the same trust. Unfortunately, if not every program actually represents the user's intentions, protecting code on the basis of the user is not enough, because one program is not isolated from another running as the same user. In the other common arrangement, code that cannot be fully trusted is executed in a "sandbox" model, where it runs in an isolated environment without access to most services. A successful application security solution today must strike a balance between these two models. It must provide access to resources so that code can do useful work, while controlling application security carefully enough that code is identified, inspected, and granted an appropriate level of trust. The .NET Framework provides such a security model.

Microsoft .NET Framework security solution

The .NET Framework security solution is built on the concept of managed code, with the security rules enforced by the common language runtime (CLR). Most managed code is verified to ensure type safety and other predefined behavioral properties. For example, during verification a call that supplies an 8-byte argument to a method declared to accept a 4-byte value is rejected, because it is not type safe. Verification also ensures that control flow transfers only to known locations, such as method entry points; code has no ability to jump to an arbitrary position.

Verification stops code that is not type safe from executing, catching many common programming errors before they can cause damage. Typical weaknesses, such as buffer overflows, reads of arbitrary or uninitialized memory, and transfers of control to random addresses, are no longer possible. End users benefit because executable code is checked before it runs. Developers benefit too: many of the common mistakes that plagued development in the past are now detected before they can do harm.

The CLR can also run unmanaged code, but unmanaged code does not benefit from these safety measures. The ability of managed code to call into unmanaged code is tied to a special permission, and a strong security policy can ensure that this permission is granted only where appropriate. Over time, as unmanaged code is ported to managed code, the frequency of such calls will decrease.

Components of the Microsoft .NET Framework security mechanism

Evidence-based security

The .NET Framework introduces the concept of "evidence-based security". In essence, it exposes to security policy the answers to questions such as:

· From which site did the assembly come?

An assembly is the building block of a .NET Framework application. Assemblies are the fundamental unit of deployment, version control, reuse, activation scoping, and security identity. Application assemblies are downloaded from a web site to the client.

· From which URL was the assembly obtained?

Security policy needs the exact address from which the assembly was downloaded.

· From which zone was the assembly obtained?

A zone is a description of code origin in terms of security criteria, such as Internet, Intranet, and local machine.

· What is the assembly's strong name?

A strong name is a cryptographically strengthened identifier supplied by the assembly's creator. Although it proves nothing about who the creator is, it uniquely identifies the assembly and ensures that the assembly has not been tampered with.

Based on the answers to these questions and on other evidence, security policy can compute the set of permissions appropriate for the assembly. Evidence can come from several sources, including the CLR itself, the browser, and other Microsoft hosts such as the shell, depending on where the code came from.

A policy-driven trust model using code evidence

When an assembly is loaded into memory, the CLR policy system gathers the assembly's evidence and evaluates it in the context of the current policy to decide which permissions to grant. The policy system then reconciles the assembly's permission requests with the evaluated evidence and grants the resulting permission set. Only when an assembly is granted at least a minimum set of permissions (or needs none) can its creator be sure it will operate correctly. Additional requirements can be communicated to the policy system through one or more specific permission requests.

Depending on the type of request, the policy system can further restrict the permissions granted to the assembly (removing unnecessary permissions) or even refuse to load it into memory (if the minimum permissions the assembly requires are not granted by policy). In the absence of any permission request, the assembly is never granted more than policy would give it; requests can only further restrict the permissions obtained.

Security policy contains a number of code groups, each of which says which permissions should be granted in response to particular evidence. A code group might describe the permissions offered to assemblies obtained from a specific security zone, or to assemblies signed by a specific vendor. Although the CLR ships with a default set of code groups (and associated permission sets), administrators can tailor them to their particular needs. Keep in mind that, because code groups are defined in terms of evidence, anything can be submitted as evidence as long as security policy can make use of it.

Building the permission set involves evaluating the evidence to determine which code groups apply at each policy level: enterprise, machine, and user. Policy is evaluated in that order at all three levels, and the permission sets produced by the three levels are then intersected. An administrator can mark any policy level as final (the LevelFinal attribute on a code group's policy statement), which stops further policy evaluation at the levels below. For example, an administrator can terminate policy at the machine level for an assembly, preventing user-level policy from being applied to it.

Once this is complete, the initial granted permission set exists. Assemblies can then refine that grant by making specific requests of three kinds:

· The first specifies the minimum permission set the assembly must have in order to run. If these permissions are not granted, the assembly is not loaded into memory and an exception is raised.

· Second, an optional permission set can be specified. The assembly would like these permissions, but it can still be loaded if they are not granted.

· Finally, a particularly well-behaved assembly can actually refuse permissions that it does not need, so that they cannot be misused. All three refinements are expressed as declarative statements in the assembly.
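The three request kinds above, as an added example (not code from the original post) targeting the .NET Framework 2.0-3.5 security model; .NET Framework 4 and later ignore these assembly-level requests. The paths are hypothetical.

```csharp
// Added example, not code from the original post. Assembly-level permission
// requests as understood by .NET Framework 2.0-3.5; .NET Framework 4 and later
// ignore RequestMinimum/RequestOptional/RequestRefuse. Paths are hypothetical.
using System;
using System.Security;
using System.Security.Permissions;

// Minimum: without permission to execute, the loader refuses the assembly
// with a PolicyException instead of running Main.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]

// Optional: nice to have, but the assembly still loads without it. Side effect:
// once any RequestOptional is present, the grant set is capped at
// (Minimum + Optional) intersected with policy, so everything else is dropped.
[assembly: FileIOPermission(SecurityAction.RequestOptional, Read = @"C:\AppData\Config")]

// Refuse: never accept this permission even if policy would grant it, so this
// assembly can never be lured into calling unmanaged code.
[assembly: SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode = true)]

static class Program
{
    // Demand the permission and report whether the stack walk succeeded.
    static bool Granted(CodeAccessPermission permission)
    {
        try { permission.Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    static void Main()
    {
        // Run from the local machine, policy would grant FullTrust; the requests
        // above shrink that grant to exactly what was asked for.
        Console.WriteLine("Read C:\\AppData\\Config : " + Granted(
            new FileIOPermission(FileIOPermissionAccess.Read, @"C:\AppData\Config")));
        Console.WriteLine("Read C:\\Windows        : " + Granted(
            new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Windows")));
        Console.WriteLine("Unmanaged code         : " + Granted(
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode)));
    }
}
```

Compiled against .NET Framework 3.5 and run from the local machine, the first demand succeeds (the optional permission is granted because policy allows it), while the other two fail: reading C:\Windows was never requested, and unmanaged code was explicitly refused. Drop the RequestOptional line and the C:\Windows demand succeeds again, which is the capping side effect the comment warns about.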

At run time, permissions are computed according to the code that is executing. The figure on the right summarizes the order in which this happens. The evidence for assembly A3 comes from the host and is supplied to the policy evaluator. When building the permission set, the policy evaluator also takes into account the permission requests obtained from the assembly, G3. A3 is called by assembly A2, which is in turn called by assembly A1. When A3 triggers a security check, the permissions granted to A1 and A2 are checked as well, to make sure they also hold the permission that A3 demands. In this process, called a stack walk, the granted permission set of every assembly on the call stack is examined to determine whether it contains the permission the security check needs. If every assembly on the stack has been granted that permission, the call succeeds. If any assembly has not, the stack walk fails and a security exception is thrown.

The code access security stack walk protects code from luring attacks, in which malicious code tricks trusted code into performing an operation that the malicious code could not perform on its own, effectively borrowing the trusted code's permissions for a malicious purpose. This kind of attack is hard for developers to guard against by hand, but the stack walk ensures that whenever lower-trust code is involved in a call, the effective permissions are reduced to those of the least-trusted code on the stack.

As a result, code obtained from different sources runs with restrictions appropriate to the trust level of that code in its execution environment. The .NET Framework calls this "code access security".
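The stack walk described above, as an added example (not code from the original post). A trusted helper plays A3, an intermediate class plays A2, and Main plays A1. To stand in for a lower-trust A2 without setting up a sandboxed AppDomain, the intermediate frame denies file-read permission for itself; Deny is honoured by .NET Framework 2.0-3.5 and throws NotSupportedException under the .NET Framework 4 security model, so compile against 3.5. The file path is hypothetical.

```csharp
// Added example, not code from the original post. Demonstrates the CAS stack
// walk: a demand in A3 fails if any caller frame (here A2) lacks the permission,
// which is what defeats a luring attack. Targets .NET Framework 3.5 (Deny is
// not supported by the .NET 4 security model).
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class TrustedLibrary            // plays the role of A3
{
    public static string ReadSecret(string path)
    {
        // Explicit demand; File.ReadAllText would demand the same permission
        // implicitly, so the explicit call only makes the check visible.
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
        return File.ReadAllText(path);
    }
}

static class Middle                    // plays the role of A2
{
    // Fully trusted A2: every frame on the stack holds read permission.
    public static string Forward(string path)
    {
        return TrustedLibrary.ReadSecret(path);
    }

    // Simulated low-trust A2: this frame's effective grant lacks file read,
    // so the stack walk started inside ReadSecret stops here and fails.
    public static string ForwardUntrusted(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Deny();
        try { return TrustedLibrary.ReadSecret(path); }
        finally { CodeAccessPermission.RevertDeny(); }
    }
}

static class Program                   // plays the role of A1
{
    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "cas-demo.txt"); // hypothetical
        File.WriteAllText(path, "top secret");

        Console.WriteLine("trusted chain  : " + Middle.Forward(path));
        try
        {
            Console.WriteLine("untrusted chain: " + Middle.ForwardUntrusted(path));
        }
        catch (SecurityException ex)
        {
            // The walk found a frame (ForwardUntrusted) without read access,
            // even though ReadSecret itself is fully trusted.
            Console.WriteLine("untrusted chain: denied (" + ex.GetType().Name + ")");
        }
    }
}
```

The first call succeeds and prints the file contents; the second is refused by the demand inside ReadSecret, not by the file system. Deny is only a stand-in here: in production the lower-trust frame would be an assembly whose evidence (Internet zone, unknown publisher) earned it a smaller grant set from policy, and the stack walk would behave the same way.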

Operations such as reading and writing files, displaying dialog boxes, and reading environment variables are implemented by .NET Framework class library methods that participate in the security architecture. The Framework can therefore allow or deny an operation according to security policy without extra work by the programmer. The authors of the managed classes that expose protected resources place explicit security demands inside those classes, so developers who use the class library to reach a protected resource get code access security for free; they do not have to make explicit security calls themselves.

Administrators can tune security policy by deciding which permissions to grant, and then rely on the .NET Framework to carry out all the security checks. Code access security prevents most malicious attacks, and code verification eliminates buffer overflows and other undesired behaviors that lead to security breaches. Applications and components are therefore protected from the start against most of the security problems that have long plagued native-code implementations.

Role-based security

Sometimes it is appropriate to make authorization decisions based on the identity under which code is executing, or on the roles associated with that identity. For example, financial and enterprise software can enforce information policy by evaluating roles in its business logic. Restrictions on financial transactions can be based on the role of the requesting user: a teller may be allowed to handle requests up to a certain amount, while anything above that amount requires someone in the supervisor role.

An identity can map to a user logged on to the system, or be defined by the application. A corresponding principal encapsulates the identity together with its role information (for example, but not limited to, the user's groups as defined by the operating system).
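The teller/supervisor rule from the paragraph above, as an added example (not code from the original post) on the .NET Framework. The principal is built by hand with GenericPrincipal, standing in for one that Windows logon or forms authentication would normally supply; the limit, the names, and the "Forms" authentication type are hypothetical.

```csharp
// Added example, not code from the original post. Role-based checks against
// Thread.CurrentPrincipal on .NET Framework. The teller limit, user names and
// authentication type are hypothetical.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class Transactions
{
    const decimal TellerLimit = 1000m;

    // Imperative role check: the rule depends on the amount, so it cannot be
    // expressed as a fixed attribute.
    public static string Approve(decimal amount)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (!caller.Identity.IsAuthenticated)
            throw new SecurityException("caller is not authenticated");
        if (caller.IsInRole("Supervisor"))
            return "approved " + amount + " by supervisor " + caller.Identity.Name;
        if (caller.IsInRole("Teller") && amount <= TellerLimit)
            return "approved " + amount + " by teller " + caller.Identity.Name;
        throw new SecurityException("amount " + amount + " exceeds teller limit; supervisor required");
    }

    // Declarative role check: the runtime demands the role before the body
    // runs, and a scanning tool can read the requirement from the metadata.
    [PrincipalPermission(SecurityAction.Demand, Role = "Supervisor")]
    public static string CloseDay()
    {
        return "day closed by " + Thread.CurrentPrincipal.Identity.Name;
    }
}

static class Program
{
    static void Run(string action, Func<string> work)
    {
        try { Console.WriteLine(action + ": " + work()); }
        catch (SecurityException e) { Console.WriteLine(action + ": DENIED (" + e.Message + ")"); }
    }

    static void Main()
    {
        // GenericIdentity reports IsAuthenticated = true for a non-empty name.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice", "Forms"), new string[] { "Teller" });
        Run("alice approves 500", () => Transactions.Approve(500m));
        Run("alice approves 5000", () => Transactions.Approve(5000m));
        Run("alice closes day", Transactions.CloseDay);

        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("bob", "Forms"), new string[] { "Supervisor" });
        Run("bob approves 5000", () => Transactions.Approve(5000m));
        Run("bob closes day", Transactions.CloseDay);
    }
}
```

Alice's first call succeeds and her other two are denied; both of Bob's succeed. The declarative CloseDay check is evaluated by the runtime before the method body executes, so the method cannot forget to check.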

Authentication and authorization

Authentication is the process of accepting credentials from a user and validating them against an authority. If the credentials are valid, the user is said to have an authenticated identity. Authorization is the process of deciding whether a given authenticated user may access a resource. Authentication is performed by the system or by business logic, and is reached or extended through an API. The authentication API is fully extensible, so developers can plug in their own business logic as needed, and can change the underlying authentication method to meet their requirements without large changes to their code. Besides Microsoft Windows operating-system authentication, the supported methods include HTTP Basic, Digest, and Kerberos, Microsoft Passport, and forms-based authentication, all of which are fully integrated into the Framework.

In forms authentication, the user enters credentials into a form and submits it. If the application authenticates the request, the system issues a cookie that in some form contains the credentials, or a key from which the identity can be retrieved. Later requests carry this cookie in their headers, and the application's handler authenticates and authorizes them by whatever method the application expects. If a request is not authenticated, the HTTP client is redirected to the logon form, where the user can supply trusted credentials. Forms authentication is sometimes used for personalization, that is, tailoring site content to a known user. In some such cases the concern is not really authentication, and the user's personalization data can simply be retrieved for that user.

The goal of authorization is to determine whether the identity making a request has been granted access to the requested resource. Two kinds of authorization service are provided: file authorization and URL authorization. File authorization uses the identity of the requesting user and the access control list of the requested file to decide whether access is allowed. URL authorization is a logical mapping between the URI namespace and particular users or roles.

Isolated storage

The .NET Framework provides a special facility, isolated storage, for storing data even when ordinary file access is not allowed; for example, when a managed control downloaded from the Internet runs with limited permissions that do not include reading and writing files.

Isolated storage is a set of new types and methods in the .NET Framework that support local storage. In essence, each assembly has access to its own partitioned, isolated storage area on disk. That area gives no access to other data, and it is accessible only to the assembly that created it.

Applications may also use isolated storage to keep activity logs, settings files, or state saved to disk for later use. Because the location of isolated storage is predetermined, it offers a convenient way to name a storage area without having to work out a file path.

Code obtained from the local enterprise LAN is subject to similar but looser restrictions than Internet code, and can use a larger isolated-storage quota. Finally, code from the Restricted Sites zone (untrusted sites) gets no access to isolated storage at all.
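A settings file kept in isolated storage, as an added example (not code from the original post). GetUserStoreForAssembly demands IsolatedStorageFilePermission rather than FileIOPermission, which is why this works for code that is not allowed to touch ordinary paths. The file name and the settings stored are hypothetical.

```csharp
// Added example, not code from the original post. Saves and reloads a small
// settings file through isolated storage on .NET Framework. File name and
// settings are hypothetical.
using System;
using System.IO;
using System.IO.IsolatedStorage;

static class IsoSettings
{
    const string FileName = "settings.txt";

    public static void Save(string key, string value)
    {
        // Scope: this user AND this assembly. Another assembly, even one from
        // the same site, gets a different partition and cannot read this file.
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        using (IsolatedStorageFileStream stream =
                   new IsolatedStorageFileStream(FileName, FileMode.Append, FileAccess.Write, store))
        using (StreamWriter writer = new StreamWriter(stream))
        {
            writer.WriteLine(key + "=" + value);
        }
    }

    public static string Load(string key)
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
        {
            if (store.GetFileNames(FileName).Length == 0)
                return null;                              // nothing saved yet
            using (IsolatedStorageFileStream stream =
                       new IsolatedStorageFileStream(FileName, FileMode.Open, FileAccess.Read, store))
            using (StreamReader reader = new StreamReader(stream))
            {
                string line, found = null;
                while ((line = reader.ReadLine()) != null)
                {
                    int eq = line.IndexOf('=');
                    if (eq > 0 && line.Substring(0, eq) == key)
                        found = line.Substring(eq + 1);   // last write wins
                }
                return found;
            }
        }
    }

    public static void Clear()
    {
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForAssembly())
            foreach (string name in store.GetFileNames("*"))
                store.DeleteFile(name);
    }
}

static class Program
{
    static void Main()
    {
        IsoSettings.Clear();
        IsoSettings.Save("theme", "dark");
        IsoSettings.Save("theme", "light");
        Console.WriteLine("theme = " + IsoSettings.Load("theme"));
        Console.WriteLine("font  = " + (IsoSettings.Load("font") ?? "(not set)"));
    }
}
```

Nothing in the code names a directory: the store's location on disk is decided by the runtime from the user and assembly identity, which is the "predetermined location" the text refers to. Note that isolated storage isolates by identity, not by encryption; the files are readable by the logged-on user outside the runtime, so it is a place for preferences and state, not for secrets.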

Cryptography

The .NET Framework provides a set of cryptographic objects that support encryption, digital signatures, hashing, and random number generation, implemented with well-known algorithms: RSA, DSA, Rijndael/AES, Triple DES, DES, and RC2, plus the MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hash algorithms. (DES, RC2, MD5, and SHA-1 are included for compatibility with existing systems; new designs should prefer AES and the SHA-2 family.) The XML digital signature specification being developed by the IETF and the W3C is also supported. The .NET Framework uses these cryptographic objects for its own internal services, and they are available as managed code to developers who need cryptographic support.
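Combining three of the objects listed above (AES, HMAC-SHA256, and the cryptographic random number generator) into authenticated encryption, as an added example that is not code from the original post. It encrypts with AES-CBC and then authenticates IV and ciphertext with HMAC-SHA256 (encrypt-then-MAC), so a tampered message is rejected before any decryption is attempted. The sample plaintext is constructed for the demonstration; it runs on .NET Framework 3.5 or later.

```csharp
// Added example, not code from the original post. Authenticated encryption
// from the Framework's Aes, HMACSHA256 and RNGCryptoServiceProvider objects.
// Message layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32),
// with the tag computed over IV || ciphertext (encrypt-then-MAC).
using System;
using System.Security.Cryptography;
using System.Text;

static class SealedBox
{
    const int IvLen = 16, TagLen = 32;

    public static byte[] RandomBytes(int count)
    {
        byte[] buf = new byte[count];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            rng.GetBytes(buf);                 // cryptographic RNG, not System.Random
        return buf;
    }

    public static byte[] Seal(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                  // fresh random IV per message
            byte[] iv = aes.IV;
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] box = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(iv, 0, box, 0, IvLen);
            Buffer.BlockCopy(ct, 0, box, IvLen, ct.Length);
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(box, 0, IvLen + ct.Length);
                Buffer.BlockCopy(tag, 0, box, IvLen + ct.Length, TagLen);
            }
            return box;
        }
    }

    public static byte[] Open(byte[] encKey, byte[] macKey, byte[] box)
    {
        if (box.Length < IvLen + 16 + TagLen)
            throw new CryptographicException("message too short");
        int bodyLen = box.Length - TagLen;

        // Verify the tag before touching the ciphertext, comparing in constant
        // time so a forger learns nothing from how long rejection takes.
        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(box, 0, bodyLen);
        int diff = 0;
        for (int i = 0; i < TagLen; i++)
            diff |= expected[i] ^ box[bodyLen + i];
        if (diff != 0)
            throw new CryptographicException("authentication failed");

        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(box, 0, iv, 0, IvLen);
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(box, IvLen, bodyLen - IvLen);
        }
    }
}

static class Program
{
    static void Main()
    {
        byte[] encKey = SealedBox.RandomBytes(32);   // separate keys for AES-256 and HMAC
        byte[] macKey = SealedBox.RandomBytes(32);
        byte[] box = SealedBox.Seal(encKey, macKey, Encoding.UTF8.GetBytes("wire transfer 1000")); // constructed input
        Console.WriteLine(Encoding.UTF8.GetString(SealedBox.Open(encKey, macKey, box)));

        box[20] ^= 0x01;   // flip one ciphertext bit: Open must reject, not decrypt garbage
        try { SealedBox.Open(encKey, macKey, box); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The MAC check comes first and is independent of padding, which is what prevents padding-oracle attacks against the CBC layer; the same structure would let you swap Rijndael/AES for Triple DES (with an 8-byte IV) if a legacy peer required it.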

How is security specified?

To modify an assembly's runtime behavior, programmers can use declarative security or imperative security, as their needs dictate.

Declarative security

Declarative security lets programmers specify an assembly's security requirements directly in the assembly's metadata. Permission requests and all other forms of declarative security are specified in code as .NET attributes. Classes, properties, and methods can be annotated to refine permissions. For example, declarative security can be used to check, before a method is called, that the caller carries a known publisher signature or a specific strong name.

Because declarative attributes are part of the assembly's metadata, the assembly's security requirements are easy to discover. Tools can scan an assembly to find out which methods require certain permissions and which methods assert permissions.

When both the requested action and the permission are known at compile time, declarative checks are the better choice. For example, if a method always checks for write access to the same fixed path, the permission check benefits from being declarative. On the other hand, if the location being accessed changes from call to call, imperative security may be the better solution.

Imperative security

Imperative security is implemented directly in code. The programmer takes security actions programmatically, and permission is granted or refused according to the security state of the stack. For example, when a method requests access to a specific file, the request fails if the caller (or any of the caller's callers) has not been granted the necessary permission. Because imperative security is implemented programmatically, it can satisfy dynamic requirements. If access to a particular file is needed, but which file depends on other information, imperative security is the right choice.
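The two styles side by side, as an added example (not code from the original post): the same file-append protection expressed once as an attribute for a path fixed at compile time, and once in code for a path that arrives at run time. Both forms start the same stack walk when the method is entered. The paths are hypothetical.

```csharp
// Added example, not code from the original post. Declarative versus imperative
// demands for file access on .NET Framework; paths are hypothetical.
using System;
using System.IO;
using System.Security.Permissions;

static class AuditLog
{
    public const string FixedLog = @"C:\Temp\Example\audit.log";

    // Declarative: the path is a compile-time constant, so the demand lives in
    // metadata and a scanning tool (or a reviewer) can see it without running
    // anything. The runtime performs the stack walk before the body executes.
    [FileIOPermission(SecurityAction.Demand, Append = FixedLog)]
    public static void AppendFixed(string line)
    {
        File.AppendAllText(FixedLog, line + Environment.NewLine);
    }

    // Imperative: the directory is only known at run time, so the permission
    // object is built and demanded in code, for exactly the path being used.
    public static void AppendTo(string directory, string line)
    {
        string path = Path.Combine(directory, "audit.log");
        new FileIOPermission(FileIOPermissionAccess.Append, path).Demand();
        File.AppendAllText(path, line + Environment.NewLine);
    }
}

static class Program
{
    static void Main()
    {
        Directory.CreateDirectory(Path.GetDirectoryName(AuditLog.FixedLog));
        AuditLog.AppendFixed("startup");
        AuditLog.AppendTo(Path.GetTempPath(), "startup");
        Console.WriteLine("both appends succeeded under full trust");
    }
}
```

File.AppendAllText would demand Append access on its own, so in both methods the explicit demand is redundant as a guard; its value is that the requirement becomes visible (in metadata for the declarative form, at the top of the method for the imperative one) and fails before any I/O begins rather than part-way through.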
