Securing Silverlight
Presentation Transcript

  1. Securing Silverlight: Knowing the Enemy

  2. Silverlight Security Vectors
  • Users/Hackers (Reflector, Silverlight Spy, Debuggers, Memory Profilers)
  • Eavesdroppers (Packet Sniffers, etc.)
  • Hackers/Personnel (Intrusion and Physical Security)

  3. Securing the Client

  4. Securing the Client (2)
  • Client Security Considerations
    • Code
    • XAML
    • Assets
    • Secrets
    • Isolated Storage
    • Data

  5. Securing the Client (3)
  • Code
    • Limited Protection
    • Even with Obfuscation
  • XAML
    • Almost No Protection
    • Stored as Text
  • Assets
    • Almost No Protection

  6. Securing the Client (4)
  • Secrets
    • Obfuscation Helps
    • Not Complete – Must Be Loaded Into Memory
  • Isolated Storage
    • No Protection
    • Accessible to Users – Keep Your Secrets Out of Here
  • Data
    • Limit Surface Area
    • Send Summary Data
    • Data Services’ Projections Are Helpful

  7. Protecting Your Intellectual Property
  • Silverlight does not protect your Algorithms
  • Unlike .NET:
    • Obfuscation only protects against decompilation
    • Code runs in the client
    • Client must be able to download assemblies

  8. Protecting Your Intellectual Property (2)
  • What is worth protecting?
    • Labor? No…
    • Unique implementations? Yes…
    • Sensitive data? Yes…

  9. Protecting Your Intellectual Property (3)
  • Hide it on the Server
  • Generate the XAML on the Server
  • Send only summary data to the client

  10. Protecting Your XAP
  • Silverlight Apps Are Just Files
  • Protect like any other web file
    • Forms Authentication
    • Windows Authentication
    • Etc.

  11. Protecting Your XAP (2)
  • For Apps with Login
    • XAP needs to be anonymously accessible
    • Compose at Runtime
    • Bootstrapper App or Composition (Prism, MEF, etc.)
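An added web.config fragment (not from the deck) showing the split the two XAP slides describe: the site denies anonymous users, the small bootstrapper XAP is the one exception, and the XAP carrying the real application stays behind Forms authentication until the bootstrapper has logged the user in. The paths, the login page and the timeout are assumptions.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Assumed login page; the short timeout limits how long a stolen ticket is useful -->
      <forms loginUrl="~/Login.aspx" timeout="20" requireSSL="true" />
    </authentication>
    <!-- Default for the whole site: anonymous users ("?") get nothing -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The bootstrapper XAP must be downloadable before login, so open only that file -->
  <location path="ClientBin/Bootstrapper.xap">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The application XAP(s) the bootstrapper composes at runtime stay protected -->
  <location path="ClientBin/Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

One check worth making: the .xap is a static file, so under IIS 7 the managed Forms authentication and URL authorization modules only see it when the application pool runs in integrated mode with runAllManagedModulesForAllRequests="true" (or the modules are registered without the managedHandler precondition); otherwise the protected XAP is served without any check.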

  12. Securing Services
  • Only Secure Methods in Silverlight
    • Token Based
    • Cookie Based
    • NTLM Based

  13. Securing Services (2)
  [Diagram: the Silverlight App’s Network Call passes through the Browser, which attaches its Browser State (cookies, Session ID, NTLM) before the Network Call leaves for the server]

  14. Securing Services (3)
  • Why Not Basic Auth?
    • Insecure across the wire (though could secure with SSL)
    • Uses Headers
      • Specifically forbidden by the HTTP Stacks

  15. Securing Services (4)
  • Integrated Windows Authentication
    • Just Works
    • Assumes NTLM on the Platform
    • OSX is Problematic

  16. Securing Services (5)
  • Cookie Based Auth
    • ASP.NET’s Forms Based Auth
    • Custom Encrypted Cookies
      • Never decrypt on client
      • Expire Cookies Frequently

  17. Securing Services (6)
  • Token-based Security
    • Can use expiring tokens
    • Pass them in on web services
    • Not foolproof or ‘secure’
    • Must also expire
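An added server-side example (not from the deck) of what the custom cookie on the previous slide and the expiring token on this one both need: the ticket is signed with a key only the server holds, so the Silverlight client can carry it in a cookie or pass it as a web-service parameter but can neither read nor alter it, and it expires on its own. The class name, key and 15-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Server-side issuer/validator for opaque, expiring, HMAC-signed tickets that
// ride in a custom cookie or as a token parameter; the client never holds the key.
public static class ExpiringTicket
{
    // Hypothetical key: in a real deployment load it from protected server
    // configuration; it must never be embedded in the XAP.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("replace-with-a-random-256-bit-key");
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15);

    // Ticket layout: userName|expiryUtcTicks|base64(HMAC-SHA256 of the rest)
    public static string Issue(string userName)
    {
        if (userName.Contains("|")) throw new ArgumentException("invalid user name");
        string payload = userName + "|" + DateTime.UtcNow.Add(Lifetime).Ticks;
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }
    // Returns the user name for an authentic, unexpired ticket, else null;
    // every secured service method calls this before doing any work.
    public static string Validate(string ticket)
    {
        if (string.IsNullOrEmpty(ticket)) return null;
        string[] parts = ticket.Split('|');
        if (parts.Length != 3) return null;
        // Recompute the MAC and compare in constant time so timing leaks nothing
        string expectedMac = Convert.ToBase64String(Sign(parts[0] + "|" + parts[1]));
        if (!FixedTimeEquals(expectedMac, parts[2])) return null;
        long expiryTicks;
        if (!long.TryParse(parts[1], out expiryTicks)) return null;
        if (DateTime.UtcNow.Ticks > expiryTicks) return null; // expired: re-authenticate
        return parts[0];
    }
    private static byte[] Sign(string data)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

ASP.NET’s Forms authentication ticket already gives you a signed, encrypted, expiring cookie; the example shows the minimum a hand-rolled cookie or token must do, including rejecting a tampered or stale ticket on every call rather than trusting the client to stop sending it.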

  18. Securing Services (7)
  • Add Service Reference Problem
    • Doesn’t play well with security
    • Must disable security when adding/refreshing
    • Trouble for building references at build-time

  19. Securing Services (8)
  • ClientCredentials

      // Generated WCF proxy; the credentials travel with each call the proxy makes
      MyServiceClient client = new MyServiceClient();
      // Demo values: anything literal in the XAP is readable (see slide 6), so
      // collect these from the user at runtime rather than compiling them in
      client.ClientCredentials.UserName.UserName = "Frank";
      client.ClientCredentials.UserName.Password = "P2ssw0rd";
      client.GetNameCompleted += (s, args) => { theText.Text = args.Result; };
      client.GetNameAsync();

  20. Securing Services (9)
  • Using Forms Authentication Service
  • AuthenticationService (pre-built WCF)
  • Simple SOAP call to authenticate

      AuthenticationService.svc (hosts the built-in ASP.NET service):
      <%@ ServiceHost Language="C#" Service="System.Web.ApplicationServices.AuthenticationService" %>

      Silverlight client (proxy generated from the service reference):
      var proxy = new AuthenticationServiceClient();
      proxy.LoginCompleted += (s, args) =>
      {
          if (args.Result)
          {
              // Succeeded: the forms auth cookie is now held by the browser
          }
      };
      // Login(userName, password, customCredential, isPersistent)
      proxy.LoginAsync("Frank", "P2ssw0rd", null, false);

  21. Client HTTP Stack
  • Standard network stack goes through Browser
  • Good:
    • Uses cookies and NTLM
    • Looks and feels like the browser
  • Bad:
    • Only GET/POST are supported
    • Typically limited to two outbound requests

  22. Client HTTP Stack (2)
  • Alternative: Client HTTP Stack
  • For specific scenarios:
    • Need PUT/DELETE
    • Need Custom Cookies
    • Need more control (status codes, bodies and headers)

  23. Client HTTP Stack (3)
  • Create New Request
  • Use WebRequestCreator’s ClientHttp property:
  • Non-event-based, APM style

      WebRequest req = WebRequestCreator.ClientHttp.Create(
          new Uri("http://api.search.live.net/qson.aspx?query=Silverlight", UriKind.Absolute));
      req.BeginGetResponse(new AsyncCallback(r =>
      {
          // Runs on a background thread: marshal to the UI thread before touching controls
          var res = req.EndGetResponse(r);
          var strm = res.GetResponseStream();
      }), null);

  24. Client HTTP Stack (4)
  • Specify Client HTTP Stack for all requests
  • Call WebRequest’s RegisterPrefix to specify:
  • Then all calls become client, even WebClient:

      // Route every http:// request through the client stack
      // (returns false if that prefix was already registered)
      bool httpResult = WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
      WebClient client = new WebClient();
      client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(OnDlComplete);
      client.DownloadStringAsync(new Uri("/template.xaml", UriKind.Relative));

  25. Client HTTP Stack (5)
  • WebRequest Credentials Supported
  • For ClientHttp stack only, adds Authentication header

      // Per request: the client stack builds the HTTP Authorization header from these credentials
      var request = WebRequestCreator.ClientHttp.Create(
          new Uri("http://wildermuth.com", UriKind.Absolute));
      request.Credentials = new NetworkCredential("shawn", "p@ssw0rd");
      request.UseDefaultCredentials = false;

      // Or for WebClient, once http:// is routed through the client stack
      WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
      var client = new WebClient();
      client.Credentials = new NetworkCredential("shawn", "p@ssw0rd");
      client.UseDefaultCredentials = false;
      // Handler as on the slide (discards the body); a real app uses a.Result
      client.DownloadStringCompleted += (s, a) => a.Result.ToArray();
      client.DownloadStringAsync(
          new Uri("http://wildermuth.com", UriKind.Absolute));

  26. Questions?

  27. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.