The topic here is security through partial trust. Don asked if anyone had done a partial trust application; one hand was raised... it was not mine. I do agree that this is overlooked by most devs because there are not a lot of people doing it out there and not a lot of blogging about this topic.
Don has a sample application set up where you can enter a file name and it will open it and output it to the screen. Windows allows us to access any file that the application identity has access to (in this case the ASP.NET process identity). Don showed us the app opening his boot.ini file (H4XZ0R!). He also showed us a sample where a web page accessed the web server's file system to list and even download any file on the server.
How would you stop people from uploading a site that accesses other folders? Open up the machine-level web.config (machine.config in .NET 1.x) and change the default trust level. An application's own web.config can override this setting, so you also need to lock it: put the trust element inside a location element with allowOverride="false" and application web.configs can no longer raise the level. Each trust level registered in the securityPolicy section maps to its own policy config file (web_mediumtrust.config, web_lowtrust.config and so on) that spells out exactly which permissions that level grants. The goal is to have applications run at the Medium trust level.
-An unrestricted FileIOPermission grants full rights to every file on the machine (still subject to the NTFS ACLs of the process identity; CAS never grants more than the OS does). A restricted FileIOPermission can allow specific kinds of access (Read, Write, Append, PathDiscovery) to specific files or directories.
-To change your trust level simply add <trust level="Medium" /> to the system.web section of your config file. Once this was done our file reading example blew up with a SecurityException, because Medium trust only grants FileIOPermission within the application's own directory.
Security policy is customizable in two ways: a custom trust level, or sandboxing the risky code. A custom trust level is created by writing a custom policy config file (he copied the Medium trust config file as a good baseline). We then changed the FileIOPermission entry to allow read access to the "c:\windows\system32" directory that we were accessing earlier. From the machine-level web.config we register that policy file under a new trust level name and then select it, like so:
<securityPolicy>
    <trustLevel name="CustomTrust" policyFile="web_customtrust.config" />
</securityPolicy>
<trust level="CustomTrust" originUrl="" />
Now that we have done that we can read files in that directory. But if we try to open ../../boot.ini we get a SecurityException: FileIOPermission resolves the path to its full canonical form before checking it, so the traversal lands outside the directory the permission was granted for.
An interesting point was that an OleDbConnection requires permission to call unmanaged code, which is quite dangerous. The UnmanagedCode permission is all or nothing: there is no way to set up a restricted form of it. For this we use the second option, sandboxing the code. We created our own permission set that allows OleDbPermission plus SecurityPermission with the UnmanagedCode flag. We then created a code group in the policy file called AccessDBSet with a membership condition of a strong name (sorry, I know this is a little hard to follow without seeing the presentation, but I have been thinking of doing a series/talk on code access security so maybe that will help). We then sign our data access assembly with that strong name, which makes it a member of the code group we defined in the config file. We also add [assembly: AllowPartiallyTrustedCallers] to the data layer assembly (careful, as this will allow any partially trusted app to call it).
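The two policy changes described above (the custom trust level with extra file access, and the strong-named sandbox code group for the data layer) as one pair of config fragments. This is an added example, not the presenter's files: the assembly name "DataLayer", the public key blob placeholder, and the choice to grant read access to C:\Windows\System32 (which only reproduces the demo; a real site should never be granted that) are assumptions. Both files are assumed to sit in the .NET 2.0 CONFIG directory, and web_customtrust.config is assumed to be a copy of web_mediumtrust.config, so only the parts that differ from the Medium file are shown.

```xml
<!-- 1. Machine-level web.config: pin every site to CustomTrust and lock the
     setting so an application's own web.config cannot raise the level back up. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="CustomTrust" originUrl="" />
    </system.web>
  </location>
  <system.web>
    <securityPolicy>
      <trustLevel name="Full"        policyFile="internal" />
      <trustLevel name="Medium"      policyFile="web_mediumtrust.config" />
      <!-- path is relative to the CONFIG directory holding this web.config -->
      <trustLevel name="CustomTrust" policyFile="web_customtrust.config" />
    </securityPolicy>
  </system.web>
</configuration>

<!-- 2. web_customtrust.config: copy of web_mediumtrust.config; only the edited
     parts are shown, everything else stays exactly as in the Medium file. -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <!-- Short names used below must be declared here (add these only if
                 the copied file does not already declare them). -->
            <SecurityClass Name="OleDbPermission"
              Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="StrongNameMembershipCondition"
              Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <!-- Custom trust level: Medium's $AppDir$ access plus read-only access
                   to the demo directory. A Read grant on a directory covers everything
                   beneath it, so keep such grants as narrow as the application allows. -->
              <IPermission class="FileIOPermission" version="1"
                Read="$AppDir$;C:\Windows\System32"
                Write="$AppDir$"
                Append="$AppDir$"
                PathDiscovery="$AppDir$;C:\Windows\System32" />
              <!-- ...remaining Medium-trust IPermission entries unchanged... -->
            </PermissionSet>
            <!-- Sandbox set for the data layer only. UnmanagedCode is all or nothing;
                 Assertion is what lets the assembly Assert these and stop the stack walk. -->
            <PermissionSet class="NamedPermissionSet" version="1" Name="AccessDBSet">
              <IPermission class="OleDbPermission" version="1" Unrestricted="true" />
              <IPermission class="SecurityPermission" version="1"
                Flags="Assertion, Execution, UnmanagedCode" />
            </PermissionSet>
          </NamedPermissionSets>
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1" />
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" />
              <!-- Nested under the $AppDirUrl$ group on purpose: the root is FirstMatch,
                   so a sibling group would never be reached for code in the app's bin
                   folder. A UnionCodeGroup unions its children, giving the signed
                   assembly ASP.Net + AccessDBSet and every other assembly just ASP.Net. -->
              <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="AccessDBSet">
                <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                  Name="DataLayer"
                  PublicKeyBlob="0024000004800000PLACEHOLDER_PUBLIC_KEY_BLOB" />
              </CodeGroup>
            </CodeGroup>
            <!-- ...remaining Medium-trust code groups ($CodeGen$, MyComputer zone, ...) unchanged... -->
          </CodeGroup>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

The PublicKeyBlob is the full public key of the signing key, not the 8-byte public key token; get it with sn -Tp on the signed assembly and paste the blob in. Because the match is on the public key rather than a file path, an attacker who can upload an assembly into bin still only gets the ASP.Net set unless they also hold the private key.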
-Don mentioned that anything installed in the GAC gets full trust, which is a surprising fact I did not know.
Now normally when code demands OleDbPermission, the runtime walks the call stack and checks that every caller, all the way up, holds that permission; under Medium trust the page calling our data layer does not, so the demand fails. What the following code does is explicitly state that callers above this frame should not be checked: Assert stops the stack walk here. It only works if the asserting assembly itself holds the permission being asserted plus the Assertion flag of SecurityPermission, which is exactly what our code group grants.
using System.Data.OleDb;
using System.Security;
using System.Security.Permissions;

OleDbPermission perm = new OleDbPermission(PermissionState.Unrestricted);
perm.Assert();   // stop the stack walk at this frame for OleDbPermission demands
// ...code here
CodeAccessPermission.RevertAssert();   // static; undoes the Assert for this frame
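The snippet above asserts only OleDbPermission. The data-layer assembly described above needs to assert both permissions in its sandbox set, OleDbPermission and UnmanagedCode, and needs to undo the assert on every exit path. The following class does that; it is an added example, not the presenter's code. It assumes the assembly is strong-name signed and matched by the strong-name code group from the talk, and the connection string, the Orders table and the column names are hypothetical. If OleDb really does demand full trust, as the note further down says, the code group has to grant the data layer the FullTrust set instead of the smaller one; the Assert pattern is unchanged.

```csharp
// Sandboxed data-access assembly (added example, not the presenter's code).
// Assumed, not from the talk: this assembly is strong-name signed and its
// code group grants OleDbPermission plus SecurityPermission with the
// UnmanagedCode and Assertion flags. Connection string, table and columns
// are hypothetical.
using System;
using System.Data;
using System.Data.OleDb;
using System.Security;
using System.Security.Permissions;

// Without this a Medium-trust page cannot call into a strong-named assembly at all.
// With it, ANY partially trusted caller can, so keep the public surface narrow:
// no method accepts raw SQL, only typed values that are bound as parameters.
[assembly: AllowPartiallyTrustedCallers]

namespace DataLayer
{
    public sealed class OrdersRepository
    {
        private readonly string connectionString;

        public OrdersRepository(string connectionString)
        {
            if (connectionString == null)
            {
                throw new ArgumentNullException("connectionString");
            }
            this.connectionString = connectionString;
        }

        public DataTable GetOrdersForCustomer(int customerId)
        {
            // Assert both permissions in one set so the stack walk stops at this
            // frame for OleDb and unmanaged-code demands alike; the Medium-trust
            // page above us holds neither. Assert itself succeeds only because
            // this assembly's code group grants these permissions plus Assertion.
            PermissionSet sandbox = new PermissionSet(PermissionState.None);
            sandbox.AddPermission(new OleDbPermission(PermissionState.Unrestricted));
            sandbox.AddPermission(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
            sandbox.Assert();
            try
            {
                using (OleDbConnection connection = new OleDbConnection(connectionString))
                using (OleDbCommand command = connection.CreateCommand())
                {
                    // Parameterised query: the asserted permissions must never be
                    // reachable through caller-controlled SQL text.
                    command.CommandText =
                        "SELECT OrderId, OrderDate FROM Orders WHERE CustomerId = ?";
                    command.Parameters.Add("CustomerId", OleDbType.Integer).Value = customerId;
                    connection.Open();

                    DataTable orders = new DataTable("Orders");
                    using (OleDbDataReader reader = command.ExecuteReader())
                    {
                        orders.Load(reader);
                    }
                    return orders;
                }
            }
            finally
            {
                // Undo the Assert on every exit path, including exceptions,
                // so it cannot outlive this method.
                PermissionSet.RevertAssert();
            }
        }
    }
}
```

The important design point is that the Assert is as close to the privileged call as possible and wrapped around nothing else: everything that handles caller input (the customerId parameter binding) is plain code, and the only thing the asserted permissions reach is the OleDb call itself.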
-Oh, a new fact: OleDb actually requires full trust (it's in small print on MSDN somewhere), but the sandboxing technique still applies.
Overall a really good talk. I found it hard to follow as we were jumping through a lot of config files, but I found some really good info in it.
Don asked a few questions and gave away some swag. I missed two of them but here are the rest:
What is the greatest vuln on the network? The user.
What is the best protection against code injection? Best answer: not accepting user input.
In XP what is the best way to protect the user? Not running as admin. W00t, I won!