Windows 8 Security for Developers

Dominick Baier

February 26, 2013

Transcript

  1. Windows 8 Security (for Developers)
     Dominick Baier
     http://leastprivilege.com
     @leastprivilege
     think mobile!
  2. Dominick Baier
     • Solution architect and security consultant at thinktecture
     • Focus on
       – security in distributed applications
       – identity management
       – Windows/.NET security
       – cloud computing
     • Microsoft MVP for Developer Security
     • dominick.baier@thinktecture.com
  3. Agenda
     • Overview
     • Windows 8 Logon Process & Account Types
     • App Packages & App Execution Environment
     • Security scenarios for Windows Store Apps
  4. Overview
     • Many, many security features in Windows
       – SIDs, ACLs, Logon Sessions, Groups, Privileges
       – Firewall, DEP, ASLR…
     • Significant ones from the "Vista Timeframe"
       – UAC, UIPI, Integrity Levels
     • …and new ones
       – Secure Boot, Anti-Virus Integration
       – BitLocker, SmartScreen
  5. Windows 8 Account Types
     • Local Windows Account
     • Domain Account
     • Microsoft Account
  6. Windows.System.UserProfile

         if (UserInformation.NameAccessAllowed)
         {
             DisplayName.Text += await UserInformation.GetDisplayNameAsync();
             FirstName.Text += await UserInformation.GetFirstNameAsync();
             LastName.Text += await UserInformation.GetLastNameAsync();

             // needs enterprise authentication capability
             DomainName.Text += await UserInformation.GetDomainNameAsync();
             PrincipalName.Text += await UserInformation.GetPrincipalNameAsync();
         }

  7. Profile: Local Account
  8. Profile: Microsoft Account
  9. Using a Microsoft Account enables synchronization of Windows settings and roaming data
  10. Who Am I?
  11. Microsoft to Windows Account Mapping
      Microsoft Account: dbaier@leastprivilege.com (Dominick Baier)
      Windows Account: machine\dominick
      Passwords are synced!
  12.
  13. Profile: Domain Account
  14. Connect Domain Account to Microsoft Account
  15. Starting up…
      [Diagram labels: Login, Winlogon, LSA, Explorer, cmd.exe, notepad, devenv.exe (processes marked FT), Microsoft Account]
      Full Token
        - All groups/privileges
        - High integrity
      Filtered Token
        - Safe groups/privileges
        - Medium integrity
      MS Account Token
        - Access to Microsoft Online Services
  16. Security Features for Store Apps
      • Capabilities
        – Apps declare them
        – The Store verifies them
        – Users need to review them
        – Operating system needs to enforce them
      • Isolation between Apps
        – Memory, disk, network
      • Signature verification
  17. Capabilities
      • General Capabilities
        – Music Library
        – Pictures Library
        – Videos Library
        – Removable Storage
        – Microphone
        – Webcam
        – Location
        – Proximity
        – Internet Client
        – Internet Client & Server
        – Private Networks (Client & Server)
      • "Business" Capabilities
        – Enterprise Authentication
        – Shared User Certificates
        – Documents Library
  18. From Visual Studio to the Store
  19. Deployment Package
      • Based on Open Package Convention (OPC)
      • Package Identity:
        1. Name
        2. Publisher
        3. Version
        4. Processor Architecture
        5. (Resource ID)
      [Diagram: .appx package containing Files / Assets, AppXManifest.xml, BlockMap, Signature, Zip Central Directory]
      http://msdn.microsoft.com/en-us/library/windows/apps/hh464929.aspx
  20. App Activation
      [Diagram labels: Explorer (FT); DCOM Launcher (SYSTEM); Runtime Broker (FT); WwaHost.exe (dropbox.appx); AppId; create; use]
      WwaHost.exe token: User's filtered token
        + App SID
        + Capabilities
      Low Integrity
  21. Process-Isolation
      OS: User data, Devices, Communication, Handlers, Tiles, Cryptography, …
      App Container 1
        - Local context
        - Web context
        - AppData: Local, Temp, Roaming
        - Capabilities
      App Container 2
        - Local context
        - Web context
        - AppData: Local, Temp, Roaming
        - Capabilities
  22. WinRT Security APIs
      Windows.Security.Credentials
        - Credential UIs
        - Credential storage & roaming
      Windows.Security.Authentication
        - Microsoft Account + Services
        - Other web services
      Windows.Security.Cryptography
        - Hashing, encryption algorithms
        - Data protection
      Windows.System.UserProfile
        - User information
      [Diagram labels: Communication, Transport Protection, Windows Authentication, Runtime Broker, Kernel]
  23. Cryptography
      • Useful "helper" class: CryptographicBuffer
        – random numbers
        – string <> binary <> hex conversion
        – base64 conversion
      • Hashing: MD5, SHA1-512
      • Keyed Hashing: HMAC_MD5, HMAC_SHA1-512
      • Encryption: AES, RSA (DES & 3DES)
      • Key Derivation: PBKDF2, SP800
      • Signatures: RSA, DSA, Elliptic Curves
  24. Example: Encryption

          private string Encrypt(string content, IBuffer key, IBuffer iv)
          {
              // AES in CBC mode with PKCS#7 padding
              var algorithm = SymmetricKeyAlgorithmProvider.OpenAlgorithm("AES_CBC_PKCS7");

              var encrypted = CryptographicEngine.Encrypt(
                  algorithm.CreateSymmetricKey(key),
                  CryptographicBuffer.ConvertStringToBinary(
                      content,
                      BinaryStringEncoding.Utf8),
                  iv);

              // return the ciphertext as a base64 string
              return CryptographicBuffer.EncodeToBase64String(encrypted);
          }

  25. Data Protection API
      • Allows easy protection of data
        – encryption
        – integrity protection
        – key management
      • Protected data scoped to
        – local user/machine
        – domain user/group
        – web login
  26. Example: DPAPI

          public async Task<string> ProtectAsync(string data)
          {
              // "LOCAL=user" scopes the protected data to the current local user
              var provider = new DataProtectionProvider("LOCAL=user");
              var dataBuffer = CryptographicBuffer.ConvertStringToBinary(
                  data, BinaryStringEncoding.Utf8);
              var protectedBuffer = await provider.ProtectAsync(dataBuffer);

              return CryptographicBuffer.EncodeToBase64String(protectedBuffer);
          }

  27. Dealing with Credentials
      • Ask the user for credentials
        – new standard dialogs
      • Store credentials
        – "secure"
        – roaming
  28. Example: Credential Picker & Vault

          // options: a CredentialPickerOptions instance configured by the caller
          var result = await CredentialPicker.PickAsync(options);

          // only persist the credential if the user ticked the save option
          if (result.CredentialSaveOption == CredentialSaveOption.Selected)
          {
              var credential = new PasswordCredential(
                  "MyBackEnd",
                  result.CredentialUserName,
                  result.CredentialPassword);

              var vault = new PasswordVault();
              vault.Add(credential);
          }

  29. Authentication & Communication
      • Ultimately Apps talk to backend Services
        – WCF, Web API, (Web Sockets, Push Notifications)
      • Various authentication methods supported
        – username / password
        – Windows authentication
        – Certificates / SmartCards
        – Microsoft Account
        – "Web Accounts"
  30. Example: Use Microsoft Account to talk to Microsoft Services
      [Diagram: steps 1–2]
  31. Example: Use Microsoft Account to talk to your own Backend
      [Diagram: steps 1–4]
  32. Example: Web Authentication Broker
      [Diagram labels: Windows Store App, Web Authentication Broker, Token Service, Service]
      1. Request token
      2. Store token
      3. Use token
  33. Summary
      • Existing Windows security features combined to create new execution environment & sandbox
        – capabilities
        – isolation
      • WinRT re-builds security APIs from the ground
        – cryptography & data protection
        – credential handling & roaming
        – authentication
  34. Demos
      • Windows Tokens, SIDs, Integrity Levels
      • FileAccess
      • Crypto
      • DPAPI
      • Dealing with Passwords
        – (Credential Picker, PasswordVault)
      • Windows Authentication
      • OnlineId / Live SDK
      • WebAuthBroker
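
The three-step flow on slide 32 (request token, store token, use token), as an added C# example that is not from the original deck. It assumes an OAuth2 implicit-grant token service; the endpoint URLs, the client id `myapp`, the vault resource name and the `TokenClient` class are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;

public static class TokenClient
{
    // Hypothetical endpoints; replace with your own token service and backend.
    const string AuthorizeEndpoint = "https://tokenservice.example/authorize";
    const string ServiceEndpoint = "https://service.example/api/data";
    const string VaultResource = "MyBackEnd-token";

    public static async Task<string> CallServiceAsync()
    {
        // 1. Request token: the broker hosts the token service's login page outside the app.
        var callback = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
        var state = CryptographicBuffer.EncodeToHexString(CryptographicBuffer.GenerateRandom(16));
        var request = new Uri(AuthorizeEndpoint +
            "?response_type=token&client_id=myapp" +
            "&redirect_uri=" + Uri.EscapeDataString(callback.AbsoluteUri) +
            "&state=" + state);
        var result = await WebAuthenticationBroker.AuthenticateAsync(
            WebAuthenticationOptions.None, request, callback);
        if (result.ResponseStatus != WebAuthenticationStatus.Success)
            throw new InvalidOperationException("Sign-in failed: " + result.ResponseStatus);

        // Parse the fragment (#access_token=...&state=...) of the returned callback URI.
        var values = new Uri(result.ResponseData).Fragment.TrimStart('#')
            .Split('&').Select(p => p.Split(new[] { '=' }, 2)).Where(p => p.Length == 2)
            .ToDictionary(p => p[0], p => Uri.UnescapeDataString(p[1]));
        // Reject responses that do not echo our random state value or carry no token.
        if (!values.ContainsKey("state") || values["state"] != state ||
            !values.ContainsKey("access_token"))
            throw new InvalidOperationException("Unexpected response from token service.");

        // 2. Store token: keep it in the PasswordVault, not in app settings or files.
        new PasswordVault().Add(
            new PasswordCredential(VaultResource, "token", values["access_token"]));

        // 3. Use token: send it to the backend as a bearer token over HTTPS.
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", values["access_token"]);
            return await client.GetStringAsync(ServiceEndpoint);
        }
    }
}
```

The token service must register the app's callback URI (the `ms-app://` value returned by `GetCurrentApplicationCallbackUri`) as an allowed redirect target for this to complete.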