Katholieke Universiteit Leuven
.NET Curriculum Workshop
Teaching Software Security: Case Studies on the .NET Framework
Frank Piessens and Wouter Joosen
([email protected]@cs.kuleuven.ac.be)
Who am I?
• Professor at the Department of Computer Science, KULeuven, Belgium
• Member of the DistriNet research group on distributed systems and computer networks
• Research focus:
– Software security: secure programming languages, security in component models and frameworks, security engineering
Why am I here?
• Our university has a “security-intensive” computer science curriculum
• The “secure software” course was an early adopter of .NET technologies in a university course
• Report on our experiences integrating .NET into that course
Outline of the presentation
• Introduction
• Overview of the secure software course
• Case studies and projects on .NET
• Zooming in on some project assignments
• Conclusion
Introduction
• Software is more and more Internet accessible
=> importance of software security increases
• Developing secure software is a complex matter
– Complex technologies
– Binding security technologies to an application is hard
– Implementation vulnerabilities
– Hard to test security
– …
• Hence, it is important to integrate courses on secure software development in computer science curricula
Introduction
• At the K.U.Leuven, we started developing such a course 5 years ago
– It is being taught for the 5th time to an average of some 100 students per year
– Fragments of the course have been presented
• At industry conferences
• At academic conferences
– Teaching materials for the course are available on the web (see URL at the end of the presentation)
Outline of the presentation
• Introduction
• Overview of the secure software course
• Case studies and projects on .NET
• Zooming in on some project assignments
• Conclusion
Overview of the course
• Part I: Introduction
• Part II: Security Technologies
– Security technology = reusable algorithm / model / service that realizes a security objective
• Part III: Building Secure Applications
– Secure application: application that enforces correct rules of usage
• By correct and appropriate use of security technologies
• By ensuring high quality of implementation
• Part IV: Conclusion
Overview of the course
• Part I: Introduction
– General security concepts: threat, vulnerability, countermeasure, risk, …
– Security for an administrator versus security for a developer
– Case study: perform a threat and vulnerability analysis on a simplified e-mail system
Overview of the course
• Part II: Software Security Technologies
– Cryptographic primitives
– Cryptographic Service Provider based libraries
– Cryptographic protocols
– Software interfaces to protocols
– Access control models
– Access control in operating systems and application servers
– Untrusted code security
Overview of the course
• Part III: Secure Software Applications
– Threat analysis
– Secure design principles
– Integrating security technologies in applications
– Implementation vulnerabilities
– Enriching a software engineering process for security
• Part IV: Conclusion
– Case study revisited
– Current challenges
Overview of the course
• What is available online?
– The course is given at our university as a 20h course with 30h time for exercises/projects
• Slides are available for most of the lectures
• Lecture notes are available for approximately half of the lectures
• A web site with related links for all covered material
• Project assignments (not solutions)
Outline of the presentation
• Introduction
• Overview of the secure software course
• Case studies and projects on .NET
• Zooming in on some project assignments
• Conclusion
Case studies and projects on .NET
• The course is a conceptual course, but illustrates concepts with their implementation in real-life systems
• The .NET Framework is used to illustrate the implementation of most of the security technologies in Part II of the course
– The cryptographic libraries in .NET are discussed as an example implementation of a CSP based crypto library
– Code Access Security is discussed as an example implementation of untrusted code sandboxing
– .NET declarative role based access control is discussed as an example implementation of application level access control
Case studies and projects on .NET
• The .NET material is relatively new
– Before: Java and Windows 2000
– Does the .NET case add value with respect to the Java case?
• Two examples:
– Comparison of crypto libraries in Java and .NET
– Comparison of sandboxing in Java and .NET
Crypto libraries
• All modern cryptographic libraries are structured around the concept of Cryptographic Service Providers (CSP)
(Figure: layered architecture of a cryptographic framework. Applications App1, App2, App3, … call the framework through its API; providers CSP1, CSP2, CSP3, … plug in beneath the framework through its SPI.)
Crypto libraries
• Java and .NET implement decoupling differently
– Java: decoupling based on the bridge design pattern
• API objects encapsulate an SPI object that does the real work
– .NET: decoupling based on inheritance
• SPI classes inherit from API classes
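The two decoupling styles side by side, as an added C# example that is not part of the slides. The .NET half uses the real System.Security.Cryptography.HashAlgorithm base class: the provider subclasses the API class and fills in the SPI-like hooks (Initialize, HashCore, HashFinal). The Java half is a model of the bridge pattern written here in C# so that both sides use one language; DigestApi, IDigestSpi and ToyChecksumSpi are constructed for this example and are not the Java Cryptography Architecture. The checksum itself is a toy used only to make the wiring visible and has no cryptographic strength.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// --- .NET style: the provider (SPI) class inherits from the API class ---------------
// Applications program against HashAlgorithm; a provider plugs in by subclassing it.
public sealed class ToyChecksum : HashAlgorithm
{
    private uint _a, _b;                     // running Fletcher-style sums (toy only)

    public ToyChecksum()
    {
        HashSizeValue = 32;                  // output size in bits, exposed as HashSize
        Initialize();
    }

    public override void Initialize() { _a = 0; _b = 0; }

    // SPI hook: absorb a chunk of input (called for every buffer fed to the API).
    protected override void HashCore(byte[] array, int ibStart, int cbSize)
    {
        for (int i = ibStart; i < ibStart + cbSize; i++)
        {
            _a = (_a + array[i]) % 65535;
            _b = (_b + _a) % 65535;
        }
    }

    // SPI hook: produce the final value; the base class then re-initialises.
    protected override byte[] HashFinal() => BitConverter.GetBytes((_b << 16) | _a);
}

// --- Java style (modelled here): bridge pattern ----------------------------------------
// The provider implements only the SPI interface; it never sees the API class.
public interface IDigestSpi
{
    void EngineUpdate(byte[] data);
    byte[] EngineDigest();
}

public sealed class ToyChecksumSpi : IDigestSpi
{
    private uint _a, _b;                     // same toy arithmetic, independent state
    public void EngineUpdate(byte[] data)
    {
        foreach (byte x in data) { _a = (_a + x) % 65535; _b = (_b + _a) % 65535; }
    }
    public byte[] EngineDigest()
    {
        byte[] r = BitConverter.GetBytes((_b << 16) | _a);
        _a = 0; _b = 0;
        return r;
    }
}

// The API object encapsulates an SPI object and forwards to it (the "bridge").
public sealed class DigestApi
{
    private static readonly Dictionary<string, Func<IDigestSpi>> Providers =
        new Dictionary<string, Func<IDigestSpi>>(StringComparer.OrdinalIgnoreCase);
    private readonly IDigestSpi _spi;
    private DigestApi(IDigestSpi spi) { _spi = spi; }

    // Providers register an SPI factory under an algorithm name.
    public static void RegisterProvider(string algorithm, Func<IDigestSpi> factory) =>
        Providers[algorithm] = factory;

    // Applications look an API object up by name (like MessageDigest.getInstance).
    public static DigestApi GetInstance(string algorithm) =>
        Providers.TryGetValue(algorithm, out var factory)
            ? new DigestApi(factory())
            : throw new ArgumentException("no provider registered for " + algorithm);

    public void Update(byte[] data) => _spi.EngineUpdate(data);
    public byte[] Digest() => _spi.EngineDigest();
}

public static class CspDemo
{
    public static void Main()
    {
        byte[] input = Encoding.ASCII.GetBytes("abcde");   // constructed sample input

        // .NET style: the application holds only a HashAlgorithm reference.
        using HashAlgorithm h = new ToyChecksum();
        byte[] viaInheritance = h.ComputeHash(input);

        // Java style: the application holds only a DigestApi reference.
        DigestApi.RegisterProvider("ToyChecksum", () => new ToyChecksumSpi());
        DigestApi d = DigestApi.GetInstance("ToyChecksum");
        d.Update(input);
        byte[] viaBridge = d.Digest();

        // Both paths reach the same provider logic through different decoupling seams.
        Console.WriteLine(BitConverter.ToString(viaInheritance));
        Console.WriteLine(BitConverter.ToString(viaBridge));
    }
}
```

In the inheritance style the provider must be a subclass, so the API class decides which members are overridable and can run its own logic around them (ComputeHash drives HashCore and HashFinal). In the bridge style the API object and the provider object are separate, so a provider can be swapped behind a live API reference and the SPI contract can evolve independently of the API class.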
Sandboxing in Java and .NET
• Both Java and .NET implement stack inspection based configurable sandboxing
• But again, both implementations differ significantly
– Integration of user based access control is different
– Granularity of permissions and stack walk modifiers is different
– Extensibility is different
– …
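What a stack walk with modifiers actually does, as an added C# model that is not part of the slides. Frame, Modifier and StackInspection.Demand are constructed for this example; they model the idea of stack inspection and are not the .NET Code Access Security API (which .NET Core no longer provides). The permission and assembly names in the demo are made up.

```csharp
using System;
using System.Collections.Generic;

public enum Modifier { None, Assert, Deny }

// One activation record: which assembly's code is running, the permissions that
// assembly was granted when it was loaded, and an optional stack-walk modifier.
public sealed class Frame
{
    public string Assembly = "";
    public HashSet<string> Granted = new HashSet<string>();
    public Modifier Modifier = Modifier.None;
    public string ModifiedPermission = "";   // permission the Assert/Deny refers to
}

public static class StackInspection
{
    // Demand walks from the demanding frame (end of the list) towards the first caller.
    // Every frame must hold the permission; a Deny on the way refuses it; an Assert by
    // a frame that itself holds the permission vouches for its callers and ends the walk.
    public static bool Demand(IReadOnlyList<Frame> stack, string permission, out string reason)
    {
        for (int i = stack.Count - 1; i >= 0; i--)
        {
            Frame f = stack[i];
            if (!f.Granted.Contains(permission))
            {
                reason = $"denied: {f.Assembly} was never granted {permission}";
                return false;
            }
            bool applies = f.ModifiedPermission == permission;
            if (applies && f.Modifier == Modifier.Deny)
            {
                reason = $"denied: {f.Assembly} placed a Deny for {permission}";
                return false;
            }
            if (applies && f.Modifier == Modifier.Assert)
            {
                reason = $"granted: {f.Assembly} asserted {permission}; callers below it are not inspected";
                return true;
            }
        }
        reason = "granted: every frame on the stack holds the permission";
        return true;
    }
}

public static class StackWalkDemo
{
    private const string FileIO = "FileIOPermission(read)";

    private static string Check(List<Frame> stack, string permission)
    {
        StackInspection.Demand(stack, permission, out string reason);
        return reason;
    }

    public static void Main()
    {
        var host = new Frame { Assembly = "Host.exe",
            Granted = new HashSet<string> { FileIO, "UIPermission" } };
        var plugin = new Frame { Assembly = "UntrustedPlugin.dll",   // sandboxed: no FileIO
            Granted = new HashSet<string> { "UIPermission" } };
        var library = new Frame { Assembly = "TrustedLogger.dll",
            Granted = new HashSet<string> { FileIO } };

        // Host -> plugin -> library; the library demands FileIO before touching a file.
        var stack = new List<Frame> { host, plugin, library };
        Console.WriteLine(Check(stack, FileIO));   // denied: the sandboxed plugin is on the stack

        // The library asserts FileIO: it takes responsibility for the operation, so the
        // walk stops at its frame and the untrusted plugin frame is never inspected.
        // This is exactly why Assert must be used sparingly and only around code that
        // validates what it does on the caller's behalf.
        library.Modifier = Modifier.Assert; library.ModifiedPermission = FileIO;
        Console.WriteLine(Check(stack, FileIO));   // granted via the Assert

        // A Deny narrows a fully trusted chain: host denies FileIO for everything it calls.
        var cautiousHost = new Frame { Assembly = "Host.exe",
            Granted = new HashSet<string> { FileIO }, Modifier = Modifier.Deny, ModifiedPermission = FileIO };
        var plainLibrary = new Frame { Assembly = "TrustedLogger.dll",
            Granted = new HashSet<string> { FileIO } };
        Console.WriteLine(Check(new List<Frame> { cautiousHost, plainLibrary }, FileIO)); // denied by the Deny
    }
}
```

The model shows the two properties the slide's comparison hinges on: the granularity of what a permission names decides how coarse the Granted sets are, and the modifiers decide where the walk stops, which is where the trust boundary between sandboxed and trusted code is actually drawn.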
Projects and exercises on .NET
• Students can do projects and exercises on the .NET framework or the SSCLI (Rotor)
• We distinguish three “levels”:
– Simple exercises: a few hours of work
– Implementation projects: 20 – 40 hours of teamwork
– Advanced projects: several hundred hours of work, typically in the context of a master thesis
• Some of them closely linked to our research
• E.g. context bound objects for application level access control
Outline of the presentation
• Introduction
• Overview of the secure software course
• Case studies and projects on .NET
• Zooming in on some project assignments
• Conclusion
Example implementation project: pluggable authentication
• Problem statement: In the .NET framework, authentication can be done:
– By relying on Windows authentication
– By custom developed authentication code
Both approaches have their disadvantages.
Example implementation project: pluggable authentication
• Assignment:
Design an authentication framework for .NET. The framework should offer a simple, uniform authentication API to applications. Implementations of authentication mechanisms should be easy to plug into the framework. The selection of which authentication mechanisms to use should be set by a configuration file. Authentication should be well integrated with role based authorization.
Example implementation project: pluggable authentication
• Discussion: The project introduces students to many aspects of .NET security:
– Use of the crypto APIs
– User based access control
– Building a secure assembly
• An example solution (PAM.NET) that runs on Rotor and the CLR was developed by Bert Lagaisse.
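A minimal shape for the assignment above, as an added C# example that is neither PAM.NET nor code from the slides. IAuthenticator, PasswordAuthenticator, AuthenticationService and the in-memory stand-in for the configuration file are constructed here; GenericIdentity, GenericPrincipal, Thread.CurrentPrincipal and IPrincipal.IsInRole are real .NET types, which is how the framework hands its result to .NET's role based authorization. It uses Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes, so it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Threading;

// Uniform API offered to applications: every mechanism yields a principal, or null on failure.
public interface IAuthenticator
{
    string Name { get; }
    IPrincipal? Authenticate(IDictionary<string, string> credentials);
}

// One pluggable mechanism: salted PBKDF2 password verification against a constructed
// in-memory user table (a real plug-in would consult a user store).
public sealed class PasswordAuthenticator : IAuthenticator
{
    private const int Iterations = 100_000;
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash, string[] Roles)> _users = new();

    public string Name => "password";

    public void AddUser(string user, string password, params string[] roles)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);   // per-user random salt
        _users[user] = (salt, Derive(password, salt), roles);
    }

    public IPrincipal? Authenticate(IDictionary<string, string> credentials)
    {
        if (!credentials.TryGetValue("user", out var user) ||
            !credentials.TryGetValue("password", out var password) ||
            !_users.TryGetValue(user, out var record))
            return null;
        byte[] candidate = Derive(password, record.Salt);
        // Fixed-time comparison so a wrong password does not leak through timing.
        if (!CryptographicOperations.FixedTimeEquals(candidate, record.Hash))
            return null;
        // The identity records which mechanism authenticated the user; roles feed IsInRole.
        return new GenericPrincipal(new GenericIdentity(user, Name), record.Roles);
    }

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
}

// The framework: mechanisms are registered by name and the one to use comes from
// configuration, so application code never references a concrete mechanism.
public sealed class AuthenticationService
{
    private static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), Array.Empty<string>());
    private readonly Dictionary<string, IAuthenticator> _plugins = new();
    private readonly string _configured;

    public AuthenticationService(IDictionary<string, string> config) =>
        _configured = config["authentication.mechanism"];

    public void Register(IAuthenticator authenticator) => _plugins[authenticator.Name] = authenticator;

    // Authenticates and installs the principal on the current thread, where
    // IPrincipal.IsInRole and .NET's declarative role checks will find it.
    public bool Login(IDictionary<string, string> credentials)
    {
        Thread.CurrentPrincipal = Anonymous;   // a failed attempt must not keep an old identity
        if (!_plugins.TryGetValue(_configured, out var auth))
            throw new InvalidOperationException($"configured mechanism '{_configured}' is not registered");
        IPrincipal? principal = auth.Authenticate(credentials);
        if (principal == null) return false;
        Thread.CurrentPrincipal = principal;
        return true;
    }
}

public static class AuthDemo
{
    public static void Main()
    {
        // Stand-in for the configuration file the assignment asks for (constructed).
        var config = new Dictionary<string, string> { ["authentication.mechanism"] = "password" };
        var passwords = new PasswordAuthenticator();
        passwords.AddUser("alice", "correct horse battery staple", "admin", "user");

        var service = new AuthenticationService(config);
        service.Register(passwords);

        bool ok = service.Login(new Dictionary<string, string>
            { ["user"] = "alice", ["password"] = "correct horse battery staple" });
        Console.WriteLine($"login: {ok}, admin: {Thread.CurrentPrincipal?.IsInRole("admin")}");

        bool bad = service.Login(new Dictionary<string, string>
            { ["user"] = "alice", ["password"] = "wrong" });
        Console.WriteLine($"wrong password: {bad}, admin: {Thread.CurrentPrincipal?.IsInRole("admin")}");
    }
}
```

Adding a second mechanism means implementing IAuthenticator and changing the configuration value; the application's Login call and its role checks stay the same, which is the uniform-API and configuration-driven selection the assignment asks for. Resetting the thread principal before every attempt is the detail most easily forgotten when students build this.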
Example advanced project: typing information as evidence
• Problem statement:
– Type systems increase security in a number of ways.
– Supporting a new type system in a programming language or in MSIL is a substantial effort.
– Can the Code Access Security system be used to check security-related type information?
Example advanced project: typing information as evidence
• Assignment:
Pick a security relevant type system (e.g. types for safe concurrency), and design a new kind of evidence that captures the type information in that system. Design typing rules for IL, and implement a verifier. Integrate the verifier with the Code Access Security system.
Example advanced project: typing information as evidence
• Discussion: Students gain deep knowledge about:
– IL and IL typing
– The Code Access Security system
• A simplified version of the assignment was implemented by a master thesis student.
Some other projects
• Implementing a Cryptographic Service Provider
– Last year, two students integrated the Belgian EID in the .NET Crypto Libraries
• Reusing Code Access Security checks for role based access control
• Design and implement a SOAP firewall
• Design and implementation of applications that use the security APIs intensively
– Secured chat application
– Simple encrypting file system
– Runtime extensible applications
– …
Outline of the presentation
• Introduction
• Overview of the secure software course
• Case studies and projects on .NET
• Zooming in on some project assignments
• Conclusion
Conclusion
• Importance of software security is high and growing
• Inclusion of dedicated courses in curricula is desirable
• Our software security course is still in evolution but is slowly stabilizing as a:
– Conceptual course
– With illustrations of the concepts on the two application development platforms of the future (Java and .NET), as well as on operating systems/middleware/databases
• Course materials are available (in draft form) at:
http://securitytf.cs.kuleuven.ac.be/teaching/