Bugs and Books and News
By Don Kiely
Two items recently crossed my desk that have me thinking about security and Web applications in different ways. One is a tool, the other is a book. In addition, there is some interesting news to report regarding Windows Vista. Finally, I'll be on the road next week talking to some INETA user groups about security.
Eradicating Least Privilege Bugs
If you've been reading asp.netNOW for a while, you may remember that I'm a strong proponent of least privilege development. This means two things:
- you run without admin privileges on your development machine, and
- you write applications that don't require users to be admins on their machine
Many of the current software vulnerabilities and attacks ultimately exploit applications running with excessive permissions. For example, if I run Outlook as a mere member of the Users group rather than Administrators, e-mail malware can't write to protected registry and file locations. A Web application running with medium trust is protected against many kinds of attacks that depend on administrative rights on the server. And so on.
Microsoft Consulting Services' Aaron Margosis has long been the voice of sanity when it comes to least privilege issues. His blog is a great read about these issues. He recently released a pre-release version of a new tool, LUA Buglight. LUA usually means Limited User Account, and the tool is all about ferreting out bugs in your code that use the registry, file system, and other resources that require admin privileges. The tool is just for analyzing desktop applications, so here I'm departing from ASP.NET for a moment (don't worry; I'll make the connection in a moment). The tool is a great way to understand what is happening in code that might cause a mere user problems so that you can eradicate the problems before shipping. Aaron has done some very clever work so that Buglight has both normal user tokens and a special user-as-admin token. For monitored API calls in the code, Buglight first tries the call with the normal user token. If it fails, it tries it with the token that has admin privileges. If the code responds differently, it's a potential LUA bug and it's logged for later analysis.
Playing with LUA Buglight over the last month or so has made me think again about ASP.NET applications that run with less than full trust. A fully trusted Web application is pure evil, a sitting duck waiting for an attack. The problem is that no matter how bulletproof you make the app, no matter how thoroughly you test and scan it with security analysis tools, an attacker has time on his or her side to probe and find weaknesses, maybe coming up with an attack that no one has thought of yet. So when the attacker finds that chink in the armor, a full trust Web app immediately crumples and offers the attacker the golden keys to the city. Evil, evil, evil.
If you're running full trust Web applications, please rethink security. I know that full trust is the default for ASP.NET applications, but that doesn't mean you have to accept the default and build an insecure Web site. If you want to read up on non-full trust ASP.NET apps, see my previous columns, all from 2004:
MVP Hacks and Tips
I'm always a bit intrigued by books that collect development superstars and let them run wild with content. The latest one to come to my attention is ASP.NET 2.0 MVP Hacks and Tips. They apparently herded seven ASP.NET MVPs into a tiny room and kept them there until they came up with the very best hacks and tips. It's not the most cohesive book, but it isn't meant to be. There is a lot packed into its relatively slim 370 pages, with some things kind of ho-hum, but also a lot of head-whacking tips. As in, why didn't I think of that?!?
The security chapter isn't nearly as long as it could be, but it has some good information about SQL injection, canonicalization attacks, the new file upload control, and validating strong passwords in the login control. One gem in the chapter is the tip about using an IN expression in a SQL statement to overcome the inability to use a parameter in the expression. (Using a parameterized query is one way to protect against SQL injection.) Basically, you convert values to a table, which can be used in IN. Another good security tip is about using dynamic impersonation rather than the impersonate attribute of the <identity> element in web.config to narrow the scope of the impersonation. In this case, dynamic means doing it in code, wrapping the code that needs to execute with the user's credentials. The one quibble I have is that the author doesn't warn of the dangers of using exceptions in this scenario. The code only handles one specific type of exception, UnauthorizedAccessException, but if the code throws any other kind of exception, it can give an attacker a window during which the code is executing with user privileges. The dynamic impersonation technique is valid; you just have to be careful with exceptions.
The rest of the book is packed with great stuff. Definitely worth a read! But don't bother with it unless you're fairly proficient with ASP.NET 2.0; it isn't a beginner's book.
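One way to close the exception window described above, shown as an added example that is not code from the book or from this column. It assumes a .NET Framework ASP.NET application using Windows authentication; the class and method names (ImpersonatedFileReader, ReadAsCaller) are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Hypothetical helper: the names here are illustrative, not from the book.
public static class ImpersonatedFileReader
{
    // Reads a file as the authenticated Windows caller, then reverts to the
    // worker-process identity no matter how the read ends.
    public static string ReadAsCaller(HttpContext context, string path)
    {
        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            throw new InvalidOperationException("Windows authentication is required.");
        }

        try
        {
            WindowsImpersonationContext impersonation = caller.Impersonate();
            try
            {
                // Only this statement runs with the caller's token.
                return File.ReadAllText(path);
            }
            finally
            {
                // Runs for every exception type, not only
                // UnauthorizedAccessException, so the thread never leaves
                // this method still impersonating the caller.
                impersonation.Undo();
            }
        }
        catch
        {
            // Catching and rethrowing at this level forces the inner finally
            // to run before any exception filter further up the call stack
            // gets a chance to execute under the impersonated identity.
            throw;
        }
    }
}
```

Callers can still catch UnauthorizedAccessException to show an access-denied message; by the time their handler runs, the impersonation has already been undone.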
ASP.NET 2.0 MVP Hacks and Tips
By All Stars David Yack, Joe Mayo, Scott Hanselman, Fredrik Normén, Dan Wahlin, J. Ambrose Little, and Jonathan Goodyear
Windows Vista News
Did you catch the recent news about Visual Studio, SQL Server, and Windows Vista? Microsoft will only support the latest versions of those products on Vista, Visual Studio 2005 and SQL Server 2005, largely because of security concerns. Below are references to the news and details. Guess I won't be moving to Vista anytime soon, since I support apps written in Visual Studio 2003 and SQL Server 2000. The .NET apps will run on Vista; I just can't develop them on Vista or run the database there.
Kind of a pity, though, since Vista will be so much more secure than other Windows versions.
Next week I'll be visiting three INETA user groups to talk about security. At the Inland Empire .NET User's Group in southern California and Little Rock .NET User Group in Arkansas I'll be talking about SQL Server 2005 security from a developer's perspective. At the Dallas .NET Users Group in Texas I'll be talking about least privilege development and showing off LUA Buglight. In Dallas, Ron Jacobs from Microsoft's Patterns & Practices Group also will be speaking during an extended meeting. If you're in the area, come join us!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.