Subverting WCF Security [starting points]: Marc Schönefeld
University of Bamberg
The speaker: Marc Schönefeld, Diplom-Wirtschaftsinformatiker
For Science: External doctoral student @ Lehrstuhl für praktische Informatik at University of Bamberg, Bavaria, Germany
Thesis project: REFACTORING OF SECURITY ANTIPATTERNS IN DISTRIBUTED JAVA COMPONENTS
For Living: Security Management for large financial group in Germany
WCF is part of .NET 3.0: .NET 3.0 is the former WinFX (Windows Framework Extension)
According to Microsoft arithmetic, it is .NET 2.0 plus
WPF (Presentation) aka Avalon
WCF (Communication) aka Indigo
WWF (Workflow)
available for Windows XP SP2, Windows Server 2003 and Windows Vista
WCF as part of .NET 3.0: [diagram slide]
.NET 3.0 is not a new .NET: .NET 3.0 is just a set of additional assemblies on top of .NET 2.0
WCF unifies communication handling: [diagram slide]
WCF supports various existing communication and hosting runtime models
ASP.NET
COM+
WSE
NET-Remoting
Pipes and Queues
WCF … allows publishing .NET classes as services
importing services into .NET classes
includes interoperability code to handle service protocols, type conversion and value marshaling
allows developers to easily connect their applications to web services
WCF … supports non-functional requirements (reliable calls, asynchrony, transactionality, security)
comes with predefined adapters
can be extended with custom handlers for non-standard scenarios.
classes reside mostly in the System.ServiceModel namespace
is physically located in the System.ServiceModel.dll assembly.
WCF terms: SOA (service-oriented architectures) helps the infrastructure host local or remote services that can be used by clients.
Clients do not need to know the language, platform or version of the service.
Services provide functionality; can be newly written code or a decorated COM+ service
Clients use functionality provided by services; can be an ASP.NET page or a Windows Form
Proxies decouple services from clients.
WCF supports local scenarios: [diagram slide]
WCF supports remote scenarios: [diagram slide]
WCF authentication and authorization: Authentication is about determining the identity of the service caller:
No auth: anonymous access is allowed
Windows: Kerberos for a Windows domain or NTLM for a workgroup (this is the default)
UID+PWD: checks credentials against Windows accounts or database entries
X509 cert: in a PKI environment the client authenticates with a known certificate
Secure token: supports a federated trust environment (WS-Trust)
Custom authentication: roll your own authentication, in most cases not a good idea
WCF authorization determines the permissions of the service caller by using
Windows groups
ASP.NET providers (such as a database)
Transports: Securing the wire: The goal is to maintain integrity and privacy of the message while in transit. Staged options available:
Transport security
uses a secure transport layer over TCP, HTTP, IPC, MSMQ
Message security
encrypts the message
Mixed transport and message
transport security secures privacy and integrity, message security secures client credentials; near to overkill
Both
first the message content is secured by message security mechanisms, additionally a secure transport is used; almost always overkill
WCF separates Where, What and How: [diagram slide: Client, Server, endpoints A B C]
Service endpoints: Clients and servers use service endpoints for WCF communication
Client communicates with 1-n server endpoints
Client may open an endpoint for duplex message exchange (WSDualHttpBinding)
Service endpoints specify
Endpoint address: where is the service
Binding: how to attach to the service
Contract: what is exchanged between client and server
Behavior: extension of binding behavior
Endpoint address (WHERE): the physical address of the endpoint (like a URI)
Headers (optional), needed when multiple servers share a URI
Identity information
Binding settings (HOW): Name and namespace identify a service
Binding elements adjust communication details (reliability, SOAP message security, TCP layer protection)
Many presets [diagram: Binding (Name, Namespace) with its set of Binding Elements]
WCF contracts (WHAT): Name and namespace again identify a service
Operation descriptions determine the type (send/forget, request/reply)
Duplex operations talk back to the client
[diagram: Contract (Name, Namespace); Operation Description Set of Operation Descriptions, each with a Message Description Set of Message Descriptions; Contract Behavior Set of Contract Behaviors]
A service description is the server config: A service is typed and has several behavior settings
It can be reached on multiple endpoints (one on plain TCP, another one over HTTP, …)
[diagram: Service Description (ServiceType); set of Service Endpoints, each with Endpoint address, Binding, Contract; Service Behavior Set of Service Behaviors]
A channel description is the client config: A channel is used by the client and has several behavior settings
It has one endpoint (on plain TCP, over HTTP, …)
[diagram: Channel Description; one Service Endpoint with Endpoint address, Binding, Contract; Channel Behavior Set of Channel Behaviors]
WCF runtime environment concepts: Messages
Represented as a SOAP infoset, the message is the core unit of information in WCF
its serialization format can be XML text, binary (for WCF-to-WCF) or a customizable format (JSON, XML-RPC)
Channels
Path to send a message from endpoint to endpoint; channels are layered
A transport channel defines the medium used to send the physical data (UDP, MQ, Pipe, TCP)
A protocol channel defines how to manipulate the data (like the SOAP protocol)
A security channel defines how to protect the message
WCF startup procedure: The server initializes a ServiceHost object and opens the endpoints (XML config or hardcoded)
The client initializes a ChannelFactory object (also in config or in code)
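The following C# program is an added example, not code from the slides: it puts the three endpoint parts (WHERE = address, HOW = binding, WHAT = contract) next to the startup procedure just described, with a ServiceHost on the server side and a ChannelFactory on the client side in one process. The IGreeter contract, the Greeter class, the localhost URL and the Bindings helper are made up for this example; self-hosting an HTTP URL on Windows needs an http.sys URL ACL (netsh http add urlacl) or an elevated process.

```csharp
// Added example (not from the slides). IGreeter, Greeter, the localhost URL and the
// Bindings helper are assumptions made for this example.
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// WHAT: the contract. ProtectionLevel asks the binding to sign and encrypt every
// message of this contract; a binding that cannot provide that fails at Open().
[ServiceContract(Namespace = "urn:example:greeter",
                 ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IGreeter
{
    [OperationContract]
    string Greet(string name);
}

public class Greeter : IGreeter
{
    public string Greet(string name)
    {
        // The caller's identity comes from the binding's authentication,
        // never from the caller's own input.
        string caller = ServiceSecurityContext.Current == null
            ? "anonymous"
            : ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "Hello " + name + " (authenticated as " + caller + ")";
    }
}

public static class Bindings
{
    // HOW, intranet default: BasicHttpBinding ships with Security.Mode == None,
    // so it cannot satisfy the EncryptAndSign contract above.
    public static Binding Insecure() { return new BasicHttpBinding(); }

    // HOW, message security: the SOAP body is signed and encrypted, the client
    // authenticates with Windows (Kerberos in a domain, NTLM in a workgroup).
    public static Binding MessageSecured()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    // HOW, transport security: protection is done by the TCP channel instead.
    public static Binding TransportSecured()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        return b;
    }
}

class Program
{
    static void Main()
    {
        // WHERE
        var address = new Uri("http://localhost:8000/greeter");

        // Server side: ServiceHost with the endpoint added in code rather than XML config.
        using (var host = new ServiceHost(typeof(Greeter)))
        {
            host.AddServiceEndpoint(typeof(IGreeter), Bindings.MessageSecured(), address);
            host.Open();

            // Client side: ChannelFactory built from the same address, binding and contract.
            var factory = new ChannelFactory<IGreeter>(Bindings.MessageSecured(),
                                                       new EndpointAddress(address));
            IGreeter proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Greet("Alice"));
            ((IClientChannel)proxy).Close();
            factory.Close();
            host.Close();
        }
    }
}
```

Swapping Bindings.MessageSecured() for Bindings.Insecure() on the server makes host.Open() throw, because the contract's ProtectionLevel cannot be met by a binding with security turned off; declaring the required protection on the contract is one way to catch the "security is off by default" case of BasicHttpBinding at startup instead of on the wire.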
Intranet bindings: BasicHttpBinding
For ASMX-based web services and clients and other services that conform to the WS-I Basic Profile 1.1
Security is turned off by default
Text encoding, UTF-8
NetTcpBinding
For secure cross-machine communication
transport security
binary message encoding
Intranet bindings: NetPeerTcpBinding
Peer-to-peer communication over TCP
Input, output and duplex channels
Transport security by default
NetNamedPipeBinding
for on-machine communication
Transport security on by default
Pipe name is the Base64-encoded service name
Internet bindings: WSHttpBinding
HTTP binding for web services features
message security
transactions, reliable messaging, and WS-Addressing; secure and reliable binding
WSFederationHttpBinding
Like WSHttpBinding but with SSO capabilities
Ideal choice for secure tokens (http://weblogs.asp.net/cibrax/archive/2006/03/14/440222.aspx)
Internet bindings: WSDualHttpBinding
Usable for service contracts in duplex mode, allowing both services and clients to send and receive messages
supports only SOAP security and requires reliable messaging
NetMsmqBinding
support for transport on top of Microsoft Message Queuing (MSMQ)
For designing loosely coupled applications, failure isolation, load leveling and disconnected operations
In early versions there were DoS problems with messages larger than 64K
Threat modeling: Integrity, WCF & OWASP: A1 Unvalidated Parameters
A2 Broken Access Control
A3 Broken Account and Session Management
A4 Cross-Site Scripting (XSS) Flaws
A5 Buffer Overflows
A6 Command Injection Flaws
A7 Error Handling Problems
A8 Insecure Use of Cryptography
A9 Remote Administration Flaws
A10 Server Misconfiguration
WCF & OWASP: A1: Unvalidated parameters:
There is no protection against unvalidated parameters; there is no tainting model in .NET 3.0
A4: XSS:
Therefore no support against XSS
A5: Buffer overflows:
COM+ legacy code (in C/C++) can be overflowed, although connected via WCF
A6: Command injection:
Depends on how the application handles and propagates the data flow of untrusted values into SQL parameters
A10: Server misconfiguration:
Hard-coded configurations in applications may lead to flaws; deployment personnel may be confused by the many options to choose from (where to set the cipher suite?)
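Because .NET 3.0 has no tainting model, parameter validation has to be written explicitly. The following C# code is an added example, not from the slides: it uses WCF's IParameterInspector extension point to reject oversized or out-of-alphabet string parameters before any operation body runs, so validation is enforced centrally instead of per method. The IOrders contract, the Orders class, the [ValidateInputs] attribute and its length/pattern limits are made up for this example.

```csharp
// Added example (not from the slides). IOrders, Orders, ValidateInputsAttribute and
// the chosen limits are assumptions made for this example.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text.RegularExpressions;

// Runs on the dispatch side before every call of the operation it is attached to.
public class StringInputInspector : IParameterInspector
{
    private readonly int maxLength;
    private readonly Regex allowed;

    public StringInputInspector(int maxLength, string allowedPattern)
    {
        this.maxLength = maxLength;
        this.allowed = new Regex(allowedPattern);
    }

    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int i = 0; i < inputs.Length; i++)
        {
            string s = inputs[i] as string;
            if (s == null) continue; // only string parameters are checked here
            if (s.Length > maxLength || !allowed.IsMatch(s))
            {
                // Throwing here rejects the call with a SOAP fault; the operation
                // body never sees the unvalidated value.
                throw new FaultException("Parameter " + i + " of " + operationName
                                         + " rejected by input validation");
            }
        }
        return null; // no correlation state needed
    }

    public void AfterCall(string operationName, object[] outputs,
                          object returnValue, object correlationState) { }
}

// Attribute + IOperationBehavior: wires the inspector into the dispatch runtime
// of every operation it decorates.
[AttributeUsage(AttributeTargets.Method)]
public class ValidateInputsAttribute : Attribute, IOperationBehavior
{
    private int maxLength = 64;
    // Whitelist of accepted characters; a blacklist of SQL/HTML characters is not used.
    private string allowedPattern = @"^[A-Za-z0-9 _\-]*$";

    public int MaxLength { get { return maxLength; } set { maxLength = value; } }
    public string AllowedPattern { get { return allowedPattern; } set { allowedPattern = value; } }

    public void ApplyDispatchBehavior(OperationDescription op, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new StringInputInspector(maxLength, allowedPattern));
    }

    public void AddBindingParameters(OperationDescription op, BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription op, ClientOperation client) { }
    public void Validate(OperationDescription op) { }
}

[ServiceContract]
public interface IOrders
{
    [OperationContract]
    [ValidateInputs(MaxLength = 32, AllowedPattern = @"^[A-Z0-9\-]+$")]
    string LookupOrder(string orderId);
}

public class Orders : IOrders
{
    public string LookupOrder(string orderId)
    {
        // orderId has already passed the inspector. Any database access here still
        // uses parameterised queries: the inspector is a second line of defence
        // for the A6 case, not a replacement for it.
        return "order " + orderId;
    }
}
```

The inspector covers the A1 and, indirectly, the A6 and A4 rows above: the same whitelist that keeps SQL metacharacters out of a parameter also keeps script markup out of whatever the service echoes back to a web client.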
Threat modeling: WCF & COM+: WCF allows integrating COM+ with the ComSvcConfig tool
Two hosting modes available for COM+
COM+ default: the component runs within DLLHOST
Web based: the component runs within IIS, activation with request
Beware that you don't resurrect some old vulnerable components
Before deploying, check the component!
Threat modeling: Confidentiality: In a threat modeling setup about communication we have
Alice wants to communicate with Bob,
Mallory wants to interfere
WCF protects us very well against wiretapping
Mallory sitting on the transport wire
WCF does not protect against interference
Mallory sitting between Alice and her endpoint or Bob and his endpoint (like a patched CLR or application)
WCF does not protect against stolen credentials
Once Mallory has stolen/leaked the key and code from Alice she has full access
Threat modeling: Code security: WCF protects us against type confusion
by the use of strong contracts
Big advantage over Java serialization
.NET protects against integer overflows
In contrast to Java it alarms on the flipping sign
XML parser seems to be quite stable
Against large message attacks
Against several XML anomaly attacks
Secure coding in WCF: Static code checking helps to find problem areas in own and third-party code
Not all code is immediately accessible
Third-party libraries may be encrypted or otherwise protected, so often a free tool from Salamander helps to get the code out
http://www.remotesoft.com/deprotector/
No source code is no problem: the MSIL binary has it all!
Despite a lot of false positives, static MSIL checkers may help
FxCop is a good starting point, is free at http://www.gotdotnet.com/Team/FxCop
Comes with a set of predefined security rules!
Secure coding in WCF: Some relevant FxCop secure coding guidelines, which are helpful when coding with WCF
Review imperative security
Review SQL queries for security vulnerabilities
Pointers should not be visible
Do not indirectly expose methods with link demands
Do not declare read-only mutable reference types
APTCA methods should only call APTCA methods
APTCA types should only extend APTCA base types
Code your own rules and alter existing ones:
http://weblogs.asp.net/pglavich/archive/2005/07/19/419869.aspx
http://www.futureware.biz/blog/index.php?title=writing_your_own_fxcop_rules_library
The wishlist: Better performance
WCF over XML is slow
WCF over XML + security is d**n slow (even on a 3 GHz machine)
Remember: availability is a security aspect!
Home-phoning issues
WCF wants to validate certificates and sends an HTTP request to Microsoft
Better usage of the SecureString implementation
Credentials are stored insecurely in normal strings
It would be helpful to advise .NET to store data directly in SecureString fields after reception from a service
No patterns available; developers are left alone
with finding the relevant mix of options
with adjusting protection level and performance
Summary: WCF delivers a new baseline security model.
Various deployment and configuration features allow subverting the default security model
Ease of legacy (COM+) integration allows vulnerable code to be called in the backend
Secure coding is still a must, despite a secure transport framework
Q&A:
Thank you very much (どうもありがとう / Domo arigato)
marc.schoenefeld ät gmx dot org