WebApp Sec mailing list archives
RE: Security issues with Asp.Net in Shared Hosting Environments
From: "Dinis Cruz" <dinis () ddplus net>
Date: Mon, 3 Nov 2003 14:47:46 -0000
Hello Mark

Thanks for your comments, please see my replies below:

I have read several of your articles, e-mails, and usenet posts and while the facts are correct, I'm not really clear what you expect to happen. From what I understand, you want:
- Full trust features made available to web site operators in a shared hosting environment who are not fully trusted.
Yes, namely ODBC, OleDB, FSO and ability to securely call specific COM objects
- Little or no extra effort on the developer's part to make it run in a partial trust environment.
Yes. Note that in a shared hosting scenario (for example: ISPs) the developers would have no say in how the server is configured and managed.
- The developers shouldn't have to operate their own server to be able to run trusted code.
Yes, at the moment the only secure option to run a website that needs FullTrust is to run that website in a dedicated server with no other hosted websites. Even this option is not good because it would then be that developer's responsibility to securely configure and maintain the server.
You state that the .NET framework does not allow the creation of secure hosting environments unless one is prepared to develop partially trusted web applications. This is true and precisely the reason Microsoft created the concept of partial trust. Of course you can't do everything with partial trust because the hosting company doesn't fully trust you.
My problem is the fact that currently it is almost impossible to write a 'real life' web application in 'Partially Trusted' environments. The gulf between FullTrust and the most permissive and unsecured 'Partially Trusted' environment is so big that FullTrust is the only option. For example, although there are some cases where Win32 API calls are required, most websites need access to COM objects (either their own or the FSO, ODBC or OleDB). In the current situation it is not possible to create a 'Trust' environment where it is possible to access the FSO and ODBC COM objects but any direct call to a Win32 function (i.e. unmanaged call) would be disabled. I know that ODBC calls can also be dangerous but that at least would reduce the 'attack perimeter'.
If a hosting company is willing to grant everyone full trust, that is their own security problem and certainly not a flaw of ASP.NET.
As I just pointed out, the problem is that today, the ISPs have no alternative but to run their clients' websites with FullTrust. So even if they don't want (i.e. are not willing to grant everybody FullTrust), they can't. The industry standard is to run code in FullTrust. Since this is an unknown issue in the industry (i.e. almost nobody is aware of it, especially the clients), if an ISP configures their clients' websites to run in 'Partially Trusted' environments, that ISP would lose those clients (because their 'secure servers' would break the clients' web applications).

That (the impossibility to run 'Partially Trusted' web applications in shared hosting environments) is, in my view, an Asp.Net flaw.
It would be absurd if a hosting company running classic ASP allowed all customers to install their own COM objects and ISAPI applications.
But that is what those companies are doing today when they allow the execution of Asp.Net code with FullTrust! It is actually a good analogy: "Running Asp.Net web applications with FullTrust is the same thing as allowing the installation of COM objects on the server"
Further, many of the things you talk about can be restricted in other ways. When I run your ANSA application against any of my servers using my standard build procedure, ALL of the tests fail, not just because of my ASP.NET configuration, but because I take the proper steps in securing the file system, the registry, WSH, FSO, WMI, etc.
That is interesting, even the unmanaged calls? Did ANSA run in FullTrust?
You really can't expect a hosting company to fully trust you.
I know, so don't you agree that the only solution is to limit what a malicious user can do?
The real issue here is a balance of security vs. features and is one that exists for all platforms.
Agree, but if the option is to either have an 'insecure' system connected to the internet, and a 'secure' system NOT connected to the internet, which one will you use to send an email? What we need is an 'as secure as it can be' system connected to the internet.
The other issues are knowing how to properly secure a server and properly write code that will run on a secure server.
Agree, but at the moment the ISPs don't have a solution for building secure Asp.Net servers which provide the minimum services (i.e. functionality) required by their clients, and are at the same time 'secure' (I think that we can agree that a server providing shared hosting services with all websites running in 'FullTrust' cannot be considered 'secure').
You have made several points in your articles, but it seems like you are shifting the burden of this onto Microsoft. But it's not clear what you are asking them to do. What do you see as the solution to all this? Are you saying they have the wrong security/features balance?
Yes I am, I think that at the moment, Microsoft is still more focused on developing applications or development tools that have as many features as possible, instead of being focused on developing secure products and secure development environments. This article explains this at length: "Microsoft must deliver 'secure environments' not tools to write 'secure code'" - http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852 (That is my solution for this problem)

This lack of focus can be clearly seen in the latest PR buzz surrounding the next version of the .Net framework (2.0). I have read quite a bit of documentation about this new version and 99% of it is about the new features and rapid development tools. The mentions of security in .Net 2.0 are general and none address the issues that I am talking about. Although I have heard some unofficial rumors that the next version (to be released in Q4 2004) will have a more 'feature rich' 'Partially Trusted' environment.

As a final point I would like to say that my comments are based on my experience of managing and developing web applications and on my work with ISPs in building secure Asp.Net and ASP servers. Please do correct me if you think that what I am saying is not accurate, or I got some details wrong.

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)
Mark Burnett

On Thu, 30 Oct 2003 23:17:29 -0000, Dinis Cruz wrote:

Hello

Over the last couple of months I have posted several items in the official Asp.Net website (www.asp.net) related to the security problems that occur when Asp.Net is used in shared hosting environments (such as ISPs, Asp.Net developers and companies that manage/host several websites in their servers).

The objective of this email is to consolidate all this information in one single point:

1) for us, it all started with our "Security guide for ISPs providing Windows-based Shared Hosting Services" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)

2) then we created and released an Open Source web application to test the security configuration of servers hosting Asp.Net websites - the Asp.Net Security Analyser (ANSA) - which is published in GotDotNet (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)

3) Following the release of this tool, we started a public discussion on what we considered to be serious problems that needed to be addressed:

a) "Asp.Net.Vulnerability: Full Trust (current security problems and possible solutions)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)

b) "Asp.Net.Vulnerability: Win32 API calls (potential security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)

c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential security problems)" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)

4) When (as a reply to one of the "Asp.Net vulnerabilities" posts) we were advised to talk first to Microsoft before publishing this information publicly, we decided to write the story (so far) of our email exchange with several Microsoft employees and Microsoft Security Response Center: "When will Microsoft take Asp.Net Security seriously?" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)

5) Meanwhile we were continuing to work on a solution for the 'Full Trust' problem and posted:

a) some ideas on how to tackle the problem: "Idea to solve the current shared hosting 'Full trust' issue." (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)

b) a 'proof of concept' example on one of the proposed solutions: "FSO in 'Medium trust' environments" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)

6) Finally we wrote two articles (soon to be published) that explain these problems with more detail, and say what we think Microsoft should be doing to solve these problems and make Asp.Net a secure platform for the development of secure web applications

a) "Microsoft must deliver 'secure environments' not tools to write 'secure code' - draft article" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)

b) "An 'Asp.Net' accident waiting to happen - draft article" (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)

Our next steps will be the release of a new version of ANSA and continue working on the proposed solution for the 'FullTrust' problem (when we have more solid data we will release a white paper called "living in a Asp.Net 'Partially Trusted' world" which will provide more details about how this can be successfully achieved with the requirements of today's Asp.Net developers).

Best regards

Dinis Cruz
.NET Security Consultant
DDPlus (www.ddplus.net)

Note: We also posted a query for 'real life' examples of web applications developed and deployed in 'Partially Trusted' environments ("examples of 'Medium' or 'high' trust Asp.Net applications" - http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468), but haven't received any feedback. If you know of examples we would be very appreciative if you provide us (and the Asp.Net community) feedback and 'real life' knowledge.