Learn how to protect Silverlight apps & services from hacking with best practices for code, XAML, assets, and data security. Explore client protection, intellectual property safeguards, and service encryption methods.
Securing Microsoft Silverlight
Shawn Wildermuth, Microsoft Corporation
Silverlight Security Vectors
• Users/Hackers (Reflector, Silverlight Spy, Debuggers, Memory Profilers)
• Eavesdroppers (Packet Sniffers, etc.)
• Hackers/Personnel (Intrusion and Physical Security)
Securing the Client (2)
• Client Security Considerations
  • Code
  • XAML
  • Assets
  • Secrets
  • Isolated Storage
  • Data

Securing the Client (3)
• Code
  • Limited Protection
  • Even with Obfuscation
• XAML
  • Almost No Protection
  • Stored as Text
• Assets
  • Almost No Protection

Securing the Client (4)
• Secrets
  • Obfuscation Helps
  • Not Complete – Must Be Loaded Into Memory
• Isolated Storage
  • No Protection
  • Accessible to Users – Keep Your Secrets Out of Here
• Data
  • Limit Surface Area
  • Send Summary Data
  • Data Services’ Projections Are Helpful
Protecting Your Intellectual Property
• Silverlight does not protect your algorithms
• Unlike .NET:
  • Obfuscation only protects against decompilation
  • Code runs in the client
  • Client must be able to download assemblies

Protecting Your Intellectual Property (2)
• What is worth protecting?
  • Labor? No…
  • Unique implementations? Yes…
  • Sensitive data? Yes…

Protecting Your Intellectual Property (3)
• Hide it on the Server
  • Generate the XAML on the Server
  • Send only summary data to the client
Protecting Your XAP
• Silverlight Apps Are Just Files
  • Protect like any other web file
  • Forms Authentication
  • Windows Authentication
  • Etc.

Protecting Your XAP (2)
• For Apps with Login
  • XAP needs to be anonymously accessible
  • Compose at Runtime
  • Bootstrapper App or Composition (Prism, MEF, etc.)
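The two XAP slides above describe the pattern: the login bootstrapper XAP stays anonymous, the real application is served like any protected web file and composed at runtime. This added example (not code from the deck) shows a bootstrapper that, after Forms Authentication has succeeded, downloads the protected XAP through the browser stack (so the auth cookie rides along) and loads its assemblies with AssemblyPart; the path /ClientBin/Secure.xap and the class name are assumptions.

```csharp
using System;
using System.Net;
using System.Windows;
using System.Windows.Resources;
using System.Xml;

// Added example, not from the deck. /ClientBin/Secure.xap is a hypothetical path assumed
// to be denied to anonymous users in web.config, so only an authenticated browser session
// can fetch it; the anonymous bootstrapper calls LoadAfterLogin once login has succeeded.
public static class SecureXapLoader
{
    public static void LoadAfterLogin(Action<bool> done)
    {
        var client = new WebClient();   // browser stack: the Forms Authentication cookie is sent automatically
        client.OpenReadCompleted += (s, e) =>
        {
            if (e.Error != null || e.Cancelled) { done(false); return; }
            try
            {
                var xap = new StreamResourceInfo(e.Result, null);
                // AppManifest.xaml inside the XAP lists every assembly as <AssemblyPart Source="..."/>
                var manifest = Application.GetResourceStream(xap, new Uri("AppManifest.xaml", UriKind.Relative));
                if (manifest == null) { done(false); return; }   // not a XAP (e.g. login-page HTML after a redirect)
                using (var reader = XmlReader.Create(manifest.Stream))
                {
                    while (reader.Read())
                    {
                        if (reader.NodeType != XmlNodeType.Element || reader.LocalName != "AssemblyPart") continue;
                        string source = reader.GetAttribute("Source");
                        var dll = Application.GetResourceStream(xap, new Uri(source, UriKind.Relative));
                        new AssemblyPart().Load(dll.Stream);   // assembly is now loaded into the current AppDomain
                    }
                }
                done(true);
            }
            catch (Exception) { done(false); }   // unreadable package: treat as not authenticated
        };
        client.OpenReadAsync(new Uri("/ClientBin/Secure.xap", UriKind.Relative));
    }
}
```

Once `done(true)` fires, the bootstrapper can instantiate the protected application's types (for example via MEF or Prism composition) because their assemblies are resident in the AppDomain.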
Securing Services
• Only Secure Methods in Silverlight
  • Token Based
  • Cookie Based
  • NTLM Based

Securing Services (2)
• Diagram: the Silverlight app makes its network call through the browser, so the call carries the browser's state (cookies, Session ID, NTLM)

Securing Services (3)
• Why Not Basic Auth?
  • Insecure across the wire
  • (though could secure with SSL)
  • Uses Headers
  • Specifically forbidden using the HTTP Stacks

Securing Services (4)
• Integrated Windows Authentication
  • Just Works
  • Assumes NTLM on the Platform
  • OSX is Problematic

Securing Services (5)
• Cookie Based Auth
  • ASP.NET’s Forms Based Auth
  • Custom Encrypted Cookies
  • Never decrypt on client
  • Expire Cookies Frequently
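The cookie slide above asks for encrypted cookies that expire frequently and are never decrypted on the client. As an added example (not code from the deck), these server-side helpers issue and validate an ASP.NET Forms Authentication ticket with a short lifetime; the class and method names are assumptions, the APIs are the standard System.Web.Security ones.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not from the deck. The ticket is encrypted and MAC'd with the server's
// machineKey, so the Silverlight client only ever carries an opaque cookie and all
// decryption happens here on the server.
public static class AuthCookie
{
    // Issue a short-lived, non-persistent (session) cookie after the user has been verified.
    public static HttpCookie Issue(string userName, TimeSpan lifetime)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(lifetime), false, string.Empty);
        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from script or from the plug-in
            Secure = true      // only sent over HTTPS, so it cannot be sniffed on the wire
        };
    }

    // Validate on every service call; returns the user name, or null when the call must be refused.
    public static string Validate(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered, or issued under a different machineKey
        if (ticket == null || ticket.Expired) return null;   // expired: the client must log in again
        return ticket.Name;
    }
}
```

Because the ticket lifetime is checked on the server, shortening `lifetime` is what makes the cookie "expire frequently"; the browser's own cookie expiry is not relied on.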
Securing Services (6)
• Token-based Security
  • Can use expiring tokens
  • Pass them in on web services
  • Not foolproof or ‘secure’
  • Must also expire
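The token slide above stresses that tokens passed to web services must expire and are not secure by themselves. This added example (not from the deck) shows a server-issued token that is both expiring and HMAC-signed, so a client cannot forge one or extend its own lifetime; the class name and the "TokenKey" appSetting (a base64 32-byte secret kept only on the server) are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the deck. The signing key never leaves the server; the client
// just passes the opaque token as a parameter on each service call and re-authenticates
// when validation fails.
public static class ExpiringToken
{
    static readonly byte[] Key = Convert.FromBase64String(ConfigurationManager.AppSettings["TokenKey"]);

    // token = base64(user|expiresUtcTicks) + "." + base64(HMAC-SHA256 over that payload)
    public static string Issue(string user, TimeSpan lifetime)
    {
        if (user.Contains("|")) throw new ArgumentException("user may not contain '|'");
        string payload = user + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Convert.ToBase64String(Sign(payload));
    }

    // Call first in every protected operation; on false, fault the call instead of serving data.
    public static bool TryValidate(string token, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');   // base64 never contains '.', so this split is unambiguous
        if (parts.Length != 2) return false;
        string payload; byte[] mac;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(Sign(payload), mac)) return false;   // forged or tampered
        string[] fields = payload.Split('|');
        long expires;
        if (fields.Length != 2 || !long.TryParse(fields[1], out expires)) return false;
        if (DateTime.UtcNow.Ticks >= expires) return false;        // expired: client must re-authenticate
        user = fields[0];
        return true;
    }

    static byte[] Sign(string p) { using (var h = new HMACSHA256(Key)) return h.ComputeHash(Encoding.UTF8.GetBytes(p)); }

    // Constant-time comparison so a forger learns nothing from response timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```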
Securing Services (7)
• Add Service Reference Problem
  • Doesn’t play well with security
  • Must disable security when adding/refreshing
  • Trouble for building references at build-time
Securing Services (8)
• ClientCredentials

```csharp
// Proxy generated by Add Service Reference; the credentials travel with the service call
MyServiceClient client = new MyServiceClient();
client.ClientCredentials.UserName.UserName = "Frank";
client.ClientCredentials.UserName.Password = "P2ssw0rd";
client.GetNameCompleted += (s, args) => { theText.Text = args.Result; };
client.GetNameAsync();
```
Securing Services (9)
• Using Forms Authentication Service
  • AuthenticationService (pre-built WCF)
  • Simple SOAP call to authenticate

The .svc file that hosts the built-in service:

```
<%@ ServiceHost Language="C#" Service="System.Web.ApplicationServices.AuthenticationService" %>
```

The Silverlight client:

```csharp
var proxy = new AuthenticationServiceClient();
proxy.LoginCompleted += (s, args) =>
{
    if (args.Result)
    {
        // Succeeded: the Forms Authentication cookie is now held by the browser
    }
};
// (userName, password, customCredential, isPersistent)
proxy.LoginAsync("Frank", "P2ssw0rd", null, false);
```
Client HTTP Stack
• Standard network stack goes through Browser
• Good:
  • Uses cookies and NTLM
  • Looks and feels like the browser
• Bad:
  • Only GET/POST are supported
  • Typically limited to two outbound requests

Client HTTP Stack (2)
• Alternative: Client HTTP Stack
• For specific scenarios:
  • Need PUT/DELETE
  • Need Custom Cookies
  • Need more control
  • status codes, bodies and headers
Client HTTP Stack (3)
• Create New Request
  • Use WebRequestCreator’s ClientHttp property:
  • Non-event-based, APM style

```csharp
WebRequest req = WebRequestCreator.ClientHttp.Create(
    new Uri("http://api.search.live.net/qson.aspx?query=Silverlight", UriKind.Absolute));
req.BeginGetResponse(new AsyncCallback(r =>
{
    // Callback runs on a background thread, not the UI thread
    var res = req.EndGetResponse(r);
    var strm = res.GetResponseStream();
}), null);
```
Client HTTP Stack (4)
• Specify all Client HTTP Stack
  • Call WebRequest’s RegisterPrefix to specify:
  • Then all calls become client, even WebClient:

```csharp
// Every http:// request from now on uses the client stack instead of the browser's
bool httpResult = WebRequest.RegisterPrefix("http://", WebRequestCreator.ClientHttp);
WebClient client = new WebClient();
client.DownloadStringCompleted += new DownloadStringCompletedEventHandler(OnDlComplete);
client.DownloadStringAsync(new Uri("/template.xaml", UriKind.Relative));
```
Client HTTP Stack (5)
• WebRequests Credentials Supported
  • For ClientHttp stack only, adds Authentication header

```csharp
// Absolute URIs must be created with UriKind.Absolute
var request = WebRequestCreator.ClientHttp.Create(
    new Uri("http://wildermuth.com", UriKind.Absolute));
request.Credentials = new NetworkCredential("shawn", "p@ssw0rd");
request.UseDefaultCredentials = false;

// Same thing through WebClient once the client stack is registered for the prefix
WebRequest.RegisterPrefix("http", WebRequestCreator.ClientHttp);
var client = new WebClient();
client.Credentials = new NetworkCredential("shawn", "p@ssw0rd");
client.UseDefaultCredentials = false;
client.DownloadStringCompleted += (s, a) => a.Result.ToArray();
client.DownloadStringAsync(
    new Uri("http://wildermuth.com", UriKind.Absolute));
```
© 2010 Microsoft Corporation. All rights reserved.