Subverting WCF Security [starting points]

Marc Schönefeld

University of Bamberg

The speaker

  • Marc Schönefeld, Diplom-Wirtschaftsinformatiker

    • For Science: External doctoral student @ Lehrstuhl für praktische Informatik at University of Bamberg, Bavaria, Germany


    • For Living: Security Management for large financial group in Germany

WCF is part of .NET 3.0

  • .NET 3.0 is

    • the former WinFX (Windows Framework Extension)

    • According to Microsoft arithmetic, it is .NET 2.0 plus

      • WPF (Presentation) aka Avalon

      • WCF (Communication) aka Indigo

      • WWF (Workflow)

    • available for Windows XP SP2, Windows Server 2003 and Windows Vista

WCF as part of .NET 3.0

.NET 3.0 is not a new .NET

  • .NET 3.0 is just a set of additional assemblies on top of .NET 2.0

WCF unifies Communication handling

  • Communication

    • WCF supports various existing communications and hosting runtime models

      • ASP.NET

      • COM+

      • WSE

      • .NET Remoting

      • Pipes and Queues


  • allows publishing .NET classes as services

  • allows importing services into .NET classes

  • includes interoperability code to handle service protocols, type conversion and value marshaling.

  • Allows developers to easily connect their applications to web services.


  • supports non-functional requirements (reliable calls, asynchronicity, transactionality, security)

  • comes with predefined adapters

  • can be extended with custom handlers for non-standard scenarios.

  • classes reside mostly in the System.ServiceModel namespace

  • is physically located in the System.ServiceModel.dll assembly.

WCF terms

  • SOA (service-oriented architecture) helps the infrastructure host local or remote services that clients can use.

  • Clients do not need to know the language, platform or version of the service.

  • Services provide functionality; a service can be newly written code or a decorated COM+ service

  • Clients use functionality provided by services; a client can be an ASP.NET page or a Windows Form

  • Proxies decouple Services from Clients.

WCF supports local scenarios

WCF supports remote scenarios

WCF authentication and authorization

  • Authentication determines the identity of the service caller:

    • Noauth: Anonymous access is allowed

    • Windows: Kerberos for a Windows domain or NTLM for a workgroup (this is the default)

    • UID+PWD: Checks credentials against Windows accounts or database entries

    • X509 cert: In a PKI environment the client authenticates with a known certificate

    • Secure Token: Supports a federated trust environment (WS-Trust)

    • Custom authentication: Roll your own authentication; in most cases not a good idea

  • WCF Authorization determines permissions of service caller by using

    • Windows Groups

    • ASP.NET provider (such as a database)

Transports: Securing the wire

  • The goal is to maintain integrity and privacy of the message while in transit. Staged options available:

  • Transport Security

    • uses secure transport layer over TCP, HTTP, IPC, MSMQ

  • Message Security

    • encrypts the message

  • Mixed Transport and Message

    • transport security secures privacy and integrity, message security secures client credentials; close to overkill

  • Both

    • First the message content is secured by message security mechanisms; additionally, a secure transport is used. Almost always overkill









WCF separates Where, What and How

  • Address (Where)

  • Binding (How)

  • Contract (What)






Service Endpoints

  • Clients and Servers use Service Endpoints for WCF communication

    • Client communicates to 1-n server endpoints

    • Client may open an endpoint for duplex message exchange (DualHttpBinding)

  • Service Endpoints specify

    • Endpoint address: Where is the service

    • Binding: How to attach to the service

    • Contract: What is exchanged between client and server

    • Behavior: Extension of binding behavior







Endpoint address (WHERE)

  • The physical address of the endpoint (like a URI)

  • Headers (optional), needed when multiple servers share a URI

  • Identity information

Binding settings (HOW)

  • Name and namespace identify a service

  • Binding elements adjust communication details (reliability, SOAP message security, TCP layer protection)

  • Many presets




Diagram labels: Binding Elements, Binding Element

WCF Contracts (WHAT)


  • Name and namespace again identify a service

  • Operation descriptions determine the type (send/forget, request/reply)

  • Duplex operations talk back to the client



Diagram labels: Operation Description Set, Operation Description, Message Description Set, Message Description, Contract Behavior Set, Contract Behavior

A Service description is the server config

Service Description

  • A service is typed and has several behavior settings

  • It can be reached on multiple endpoints (one on plain TCP, another one over HTTP, …)


Diagram labels: Service Behavior Set, Service Behavior, Set of Service Endpoints, Service Endpoints, Endpoint address



A Channel description is the client config

Channel Description

  • A channel is used by the client and has several behavior settings

  • It has one endpoint (one on plain TCP, another one over HTTP, …)

Diagram labels: Channel Behavior Set, Channel Behavior, Service Endpoints, Endpoint address



WCF runtime environment concepts

  • Messages

    • Represented as a SOAP infoset, the message is the core part of information in WCF

    • its serialization format can be XML text, binary (for WCF2WCF) or a customizable format (JSON, XML-RPC)

  • Channels

    • The path along which a message is sent from endpoint to endpoint; channels are layered

    • A transport channel defines the medium used to send the physical data (UDP, MQ, Pipe, TCP)

    • A protocol channel defines how to manipulate the data (like the SOAP protocol)

    • A security channel defines how to protect the message

WCF startup procedure

  • The server initializes a ServiceHost object and opens the endpoints (XML config or hardcoded)

  • The client initializes a ChannelFactory object (also in config or in code)

Intranet bindings

  • BasicHttpBinding

    • For ASMX-based Web services and clients and other services that conform to the WS-I Basic Profile 1.1

    • Security is turned off by default

    • Text encoding, UTF-8

  • NetTcpBinding

    • For secure cross-machine communication

    • transport security

    • binary message encoding

Intranet bindings

  • NetPeerTcpBinding

    • Peer-2-Peer communication over TCP

    • Input, Output and Duplex channels

    • Transport security by default

  • NetNamedPipe

    • for on-machine communication

    • Transport security on by default

    • Pipe name is the Base64-encoded service name

Internet bindings

  • WSHttpBinding

    • http binding for Web services features

    • message security

    • transactions, reliable messaging, and WS-Addressing secure and reliable binding

  • WSFederationHttp

    • Like WSHttpBinding but with SSO capabilities

    • Ideal choice for secure tokens (

Internet bindings

  • WSDualHttpBinding

    • Usable for service contracts in duplex mode allowing both services and clients to send and receive messages

    • supports only SOAP security and requires reliable messaging

  • NetMsmqBinding

    • support for transport on top of Microsoft Message Queuing (MSMQ)

    • For designing loosely coupled applications, failure isolation, load leveling and disconnected operations

    • In early versions there were DoS problems with messages larger than 64K

Threat modeling: Integrity WCF & OWASP

A1 Unvalidated Parameters

A2 Broken Access Control

A3 Broken Account and Session Management

A4 Cross-Site Scripting (XSS) Flaws

A5 Buffer Overflows

A6 Command Injection Flaws

A7 Error Handling Problems

A8 Insecure Use of Cryptography

A9 Remote Administration Flaws

A10 Server Misconfiguration


  • A1: Unvalidated parameters:

    • There is no protection against unvalidated parameters; there is no tainting model in .NET 3.0

  • A4: XSS:

    • Therefore no protection against XSS

  • A5: Buffer overflows

    • COM+ legacy code (in C/C++) can be overflowed, even though it is connected via WCF

  • A6: Command injection:

    • Depends on how the application handles and propagates the data flow of untrusted values into SQL parameters

  • A10: Server Misconfiguration

    • Hard-coded configurations in applications may lead to flaws; deployment personnel may be confused by the many options to choose from (where to set the cipher suite?)
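
An added example (not from the original slides or from Microsoft): a small Python audit of a WCF `<system.serviceModel>` configuration that resolves each endpoint's effective security mode from the binding defaults listed on the binding slides, to catch the A10 misconfigurations. The sample config and its service, contract and binding configuration names are constructed; it assumes an endpoint without `bindingConfiguration` gets the binding's default.

```python
import xml.etree.ElementTree as ET

# Default security mode per binding, as listed on the binding slides above.
DEFAULT_MODE = {
    "basicHttpBinding": "None",  # "Security is turned off by default"
    "netTcpBinding": "Transport",
    "netPeerTcpBinding": "Transport",
    "netNamedPipeBinding": "Transport",
    "wsHttpBinding": "Message",
    "wsDualHttpBinding": "Message",
}

# Constructed sample: service, contract and binding configuration names are made up.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <services><service name="Demo.QuoteService">
    <endpoint address="http://localhost:8000/quote" binding="basicHttpBinding"
              contract="Demo.IQuote"/>
    <endpoint address="net.tcp://localhost:8001/quote" binding="netTcpBinding"
              bindingConfiguration="fastTcp" contract="Demo.IQuote"/>
    <endpoint address="http://localhost:8002/quote" binding="wsHttpBinding"
              contract="Demo.IQuote"/>
  </service></services>
  <bindings><netTcpBinding>
    <binding name="fastTcp"><security mode="None"/></binding>
  </netTcpBinding></bindings>
</system.serviceModel></configuration>"""

def effective_mode(model, binding, config_name):
    """Security mode an endpoint ends up with: explicit setting or binding default."""
    if config_name:
        for b in model.findall("bindings/%s/binding" % binding):
            sec = b.find("security")
            if b.get("name") == config_name and sec is not None and sec.get("mode"):
                return sec.get("mode")
    return DEFAULT_MODE.get(binding, "unknown")

def audit(config_xml):
    """Return (address, binding, mode, finding) for every service endpoint."""
    model = ET.fromstring(config_xml).find("system.serviceModel")
    rows = []
    for ep in model.findall("services/service/endpoint"):
        binding = ep.get("binding")
        mode = effective_mode(model, binding, ep.get("bindingConfiguration"))
        finding = {"None": "UNPROTECTED", "unknown": "REVIEW"}.get(mode, "ok")
        rows.append((ep.get("address"), binding, mode, finding))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print("%-32s %-17s %-9s %s" % row)
```

The first endpoint is flagged because it relies on the BasicHttpBinding default, the second because a named binding configuration switched transport security off; bindings not covered by the slides are reported for manual review.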

Threat modeling: WCF & COM+

  • WCF allows integrating COM+ components with the ComSvcConfig tool

  • Two hosting modes available for COM+

    • COM+ default: The Component runs within DLLHOST

    • Web based: The component runs within IIS, activation with request

  • Beware that you don’t resurrect some old vulnerable components

  • Before deploying, check the component!

Threat modeling: Confidentiality

  • In a threat model for communication we have

    • Alice wants to communicate with Bob,

    • Mallory wants to interfere

  • WCF protects us very well against wiretapping

    • Mallory sitting on the transport wire

  • WCF does not protect against interference

    • Mallory sitting between Alice and her endpoint or Bob and his endpoint (like a patched CLR, application)

  • WCF does not protect against stolen credentials

    • Once Mallory has stolen/leaked the key and code from Alice she has full access

Threat modeling: Code security

  • WCF protects us against type confusion

    • by the use of strong contracts

    • Big advantage over Java serialisation

  • .NET protects against integer overflows

    • In contrast to Java, it raises an alarm when the sign flips

  • XML parser seems to be quite stable

    • Against large message attacks

    • Against several XML anomaly attacks

Secure coding in WCF

  • Static code checking helps to find problem areas in own and third party code

  • Not all code is immediately accessible

    • Third-party libraries may be encrypted or otherwise protected, so often a free tool from Salamander helps to get the code out


  • No source code is no problem: the MSIL binary has it all!

    • Despite a lot of false positives, static MSIL checkers may help

    • FxCop is a good starting point, is free at

    • Comes with a set of predefined security rules!

Secure coding in WCF

  • Some relevant FxCop secure coding guidelines, which are helpful when coding with WCF

    • Review imperative security

    • Review sql queries for security vulnerabilities

    • Pointers should not be visible

    • Do not indirectly expose methods with link demands

    • Do not declare read only mutable reference types

    • Aptca methods should only call aptca methods

    • Aptca types should only extend aptca base types

  • Code your own rules and alter existing ones:



The wishlist

  • Better performance

    • WCF over XML is slow

    • WCF over XML + security is d**n slow (even on a 3 GHz machine)

    • Remember: Availability is a security aspect!

  • Phoning-home issues

    • WCF wants to validate certificates and sends an HTTP request to Microsoft

  • Better usage of the SecureString implementation

    • Credentials are stored insecurely in normal strings

    • It would be helpful to instruct .NET to store data directly in SecureString fields after reception from a service

  • No patterns available, Developers are left alone

    • with finding the relevant mix of options

    • With adjusting protection level and performance


  • WCF delivers a new baseline security model.

  • Various deployment and configuration features allow subverting the default security model

  • Ease of legacy (COM+) integration allows vulnerable code to be called in the backend

  • Secure coding is still a must, despite a secure transport framework



Domo arigato

marc.schoenefeld ät gmx dot org.ilasm
