SlideShare a Scribd company logo

Know Your Security Model

Download as PPTX, PDF
Mikhail Shcherbakov, profile picture
Mikhail Shcherbakov

This document discusses .NET Framework 4 security architecture, including application domains, code verification processes, code access security (CAS), role-based security concepts like authentication and authorization, and cryptography. It also covers security transparency attributes, demonstrates a MS13-015 vulnerability exploit, and provides contact information for the author.

Technology
1 of 13
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
Know Your Security Model Mikhail Shcherbakov 9-я конфСрСнция .NET Ρ€Π°Π·Ρ€Π°Π±ΠΎΡ‚Ρ‡ΠΈΠΊΠΎΠ² 12 октября 2014 dotnetconf.ru
2 About me β€’ Senior software developer at Positive Technologies β€’ Working on Application Inspector - source code analyzer β€’ Previous team lead at Acronis and Luxoft
3 Terms C# 5.0 Language Specification Common Language Infrastructure (CLI) Standard ECMA-335
4 .NET Framework 4 Security Architecture β€’ Application Domains β€’ The verification process β€’ Code Access Security (CAS) o Policy o Permissions o Enforcement β€’ Role-based security o Authentication o Authorization o Principal and Identity β€’ Cryptography
5 .NET Framework 4 Security Architecture β€’ Application Domains β€’ The verification process β€’ Code Access Security (CAS) o Policy o Permissions o Enforcement β€’ Role-based security o Authentication o Authorization o Principal and Identity β€’ Cryptography
6 Knowledge in Practice β€’ CAS is the base of security β€’ Development of extensible and security- sensitive applications β€’ Troubleshooting and knowledge about the internals o ASP.NET / IIS o Silverlight o SQL CLR o XBAP o ClickOnce o Sharepoint
7 Application Domains β€’ Fully Trusted and Partially Trusted β€’ Heterogeneous and Homogeneous β€’ Sandboxing by AppDomain
8 Type Safety β€’ C# compilation β€’ Just-in-time (JIT) compilation β€’ Native Image Generator (Ngen.exe) β€’ PEVerify tool
9 Code Access Security β€’ Policy (deprecated in .NET Framework 4) β€’ Permissions β€’ Enforcement o Fully Trusted assemblies in Partially Trusted AppDomain o Security Transparency Code o Assert permissions o SecurityPermission o RegistryPermission o ReflectionPermission o SocketPermission o FileIOPermission o WebPermission
10 Level 2 Security Transparency Critical Full Trust code that can do anything Safe Critical Full Trust code Provides access to Critical code Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert
11 Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent οƒΌ   SecuritySafeCritical  οƒΌ οƒΌ SecurityCritical οƒΌ οƒΌ οƒΌ AllowPartiallyTrustedCallers οƒΌ   SecAnnotate.exe - .NET Security Annotator Tool
12 Demo MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277) Exploited by Trusted Chain attack
13 Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske

More Related Content

PPTX
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
Β 
PDF
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
Β 
PDF
Securing Docker Containers
Black Duck by Synopsys
Β 
PDF
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Ruby Meditation
Β 
PDF
OPNFV Security Panel
OPNFV
Β 
PPTX
Finding The Weak Link in Windows Binaries
Ollie Whitehouse
Β 
PDF
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
PROIDEA
Β 
PDF
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Black Duck by Synopsys
Β 
Aleksei Dremin - Application Security Pipeline - phdays9
Alexey Dremin
Β 
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
Β 
Securing Docker Containers
Black Duck by Synopsys
Β 
Security Scanning Overview - Tetiana Chupryna (RUS) | Ruby Meditation 26
Ruby Meditation
Β 
OPNFV Security Panel
OPNFV
Β 
Finding The Weak Link in Windows Binaries
Ollie Whitehouse
Β 
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,...
PROIDEA
Β 
Making Enterprise-Ready Plugins - Kaj Kandler JUC West 2015
Black Duck by Synopsys
Β 

What's hot (20)

PPTX
Static Files in the Modern Web Age
Alec Gleason
Β 
PDF
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
mfrancis
Β 
PPTX
Defensive programming
Mark Reynolds
Β 
ODP
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Bijay Senihang
Β 
PDF
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
Β 
PPTX
[OWASP Poland Day] Saving private token
OWASP
Β 
PPTX
Hp fortify source code analyzer(sca)
Nagaraju Repala
Β 
PDF
Securing Serverless - By Breaking In
Guy Podjarny
Β 
PDF
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
Β 
PDF
[OWASP Poland Day] OWASP for testing mobile applications
OWASP
Β 
PDF
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Davide Cioccia
Β 
PDF
Luncheon 2015-01-15 - Managing Security Requirements in Software Projects by ...
North Texas Chapter of the ISSA
Β 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
Β 
PDF
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
Β 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
Β 
PPTX
DevSecCon Boston2018 - advanced mobile security automation with bdd
Davide Cioccia
Β 
PPTX
Best practice recommendations for utilizing open source software (from a lega...
Rogue Wave Software
Β 
PDF
Secure JAX-RS
Rudy De Busscher
Β 
PPTX
Standards and methodology for application security assessment
Mykhailo Antonishyn
Β 
PPTX
[Wroclaw #2] iOS Security - 101
OWASP
Β 
Static Files in the Modern Web Age
Alec Gleason
Β 
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
mfrancis
Β 
Defensive programming
Mark Reynolds
Β 
Dos and Don'ts of Android Application Security (Security Professional Perspec...
Bijay Senihang
Β 
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
Β 
[OWASP Poland Day] Saving private token
OWASP
Β 
Hp fortify source code analyzer(sca)
Nagaraju Repala
Β 
Securing Serverless - By Breaking In
Guy Podjarny
Β 
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
Β 
[OWASP Poland Day] OWASP for testing mobile applications
OWASP
Β 
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Davide Cioccia
Β 
Luncheon 2015-01-15 - Managing Security Requirements in Software Projects by ...
North Texas Chapter of the ISSA
Β 
Secure Coding 101 - OWASP University of Ottawa Workshop
Paul Ionescu
Β 
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
Β 
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
Β 
DevSecCon Boston2018 - advanced mobile security automation with bdd
Davide Cioccia
Β 
Best practice recommendations for utilizing open source software (from a lega...
Rogue Wave Software
Β 
Secure JAX-RS
Rudy De Busscher
Β 
Standards and methodology for application security assessment
Mykhailo Antonishyn
Β 
[Wroclaw #2] iOS Security - 101
OWASP
Β 
Ad

Viewers also liked (8)

PPTX
The bell la padula model
Shaishav Dahal
Β 
PDF
Inversion of Control Π² .NET
DotNetConf
Β 
PDF
ΠžΡΠΎΠ±Π΅Π½Π½ΠΎΡΡ‚ΠΈ ΠΏΠ΅Ρ€Π΅Π΄Π°Ρ‡ΠΈ ΠΈ ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ Π²ΠΈΠ΄Π΅ΠΎ Π΄Π°Π½Π½Ρ‹Ρ…. ΠŸΡ€ΠΈΠΏΡ€Π°Π²Π° ΠΈΠ· ΠΊΠΎΠ΄Π΅ΠΊΠΎΠ² ΠΈΠ»ΠΈ с Ρ‡Π΅ΠΌ ...
DotNetConf
Β 
PDF
Π’Π²Π΅Π΄Π΅Π½ΠΈΠ΅ Π² Ρ€Π΅Π°ΠΊΡ‚ΠΈΠ²Π½Ρ‹ΠΉ .NET
DotNetConf
Β 
PPTX
ΠΎΡ‚ Π°Π²Π³ΠΈΠ΅Π²Ρ‹Ρ… конюшСн ΠΊ Π·Π²Π΅Π·Π΄Π°ΠΌ
Lev Goncharov
Β 
PPTX
Π’Π½ΡƒΡ‚Ρ€Π΅Π½Π½Π΅Π΅ устройство GC
tym32167
Β 
PPTX
МашинноС ΠΎΠ±ΡƒΡ‡Π΅Π½ΠΈΠ΅ Π½Π° ΠΏΠ»Π°Ρ‚Ρ„ΠΎΡ€ΠΌΠ΅ .NET
DotNetConf
Β 
PDF
Customer satisfaction для программистов
Alexander Byndyu
Β 
The bell la padula model
Shaishav Dahal
Β 
Inversion of Control Π² .NET
DotNetConf
Β 
ΠžΡΠΎΠ±Π΅Π½Π½ΠΎΡΡ‚ΠΈ ΠΏΠ΅Ρ€Π΅Π΄Π°Ρ‡ΠΈ ΠΈ ΠΎΠ±Ρ€Π°Π±ΠΎΡ‚ΠΊΠΈ Π²ΠΈΠ΄Π΅ΠΎ Π΄Π°Π½Π½Ρ‹Ρ…. ΠŸΡ€ΠΈΠΏΡ€Π°Π²Π° ΠΈΠ· ΠΊΠΎΠ΄Π΅ΠΊΠΎΠ² ΠΈΠ»ΠΈ с Ρ‡Π΅ΠΌ ...
DotNetConf
Β 
Π’Π²Π΅Π΄Π΅Π½ΠΈΠ΅ Π² Ρ€Π΅Π°ΠΊΡ‚ΠΈΠ²Π½Ρ‹ΠΉ .NET
DotNetConf
Β 
ΠΎΡ‚ Π°Π²Π³ΠΈΠ΅Π²Ρ‹Ρ… конюшСн ΠΊ Π·Π²Π΅Π·Π΄Π°ΠΌ
Lev Goncharov
Β 
Π’Π½ΡƒΡ‚Ρ€Π΅Π½Π½Π΅Π΅ устройство GC
tym32167
Β 
МашинноС ΠΎΠ±ΡƒΡ‡Π΅Π½ΠΈΠ΅ Π½Π° ΠΏΠ»Π°Ρ‚Ρ„ΠΎΡ€ΠΌΠ΅ .NET
DotNetConf
Β 
Customer satisfaction для программистов
Alexander Byndyu
Β 
Ad

Similar to Know Your Security Model (20)

PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
Β 
PPTX
Sandboxing in .NET CLR
Mikhail Shcherbakov
Β 
PPTX
Started In Security Now I'm Here
Christopher Grayson
Β 
PDF
Proactive Security AppSec Case Study
Andy Hoernecke
Β 
PDF
ShiftGearsWithInformationSecurity.pdf
Steven Carlson
Β 
PPTX
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
Β 
PPSX
Meetup code security
UttamParmar7
Β 
PDF
Attacking and Defending Mobile Applications
Jerod Brennen
Β 
PPTX
Integrating security into the application development process
Jerod Brennen
Β 
PDF
AppSec in an Agile World
David Lindner
Β 
PPTX
Application security meetup k8_s security with zero trust_29072021
lior mazor
Β 
PPTX
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
Β 
PPTX
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Emerasoft, solutions to collaborate
Β 
PDF
Cncf checkov and bridgecrew
LibbySchulze
Β 
PPTX
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
Β 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
Β 
PDF
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Mansi Kandari
Β 
PDF
Advanced-Penetration-Testing_course_content
priyanshamadhwal2
Β 
PDF
Nicolas destor pres_f5agility2018
Nicolas Destor
Β 
PPTX
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
Β 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
Β 
Sandboxing in .NET CLR
Mikhail Shcherbakov
Β 
Started In Security Now I'm Here
Christopher Grayson
Β 
Proactive Security AppSec Case Study
Andy Hoernecke
Β 
ShiftGearsWithInformationSecurity.pdf
Steven Carlson
Β 
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
Β 
Meetup code security
UttamParmar7
Β 
Attacking and Defending Mobile Applications
Jerod Brennen
Β 
Integrating security into the application development process
Jerod Brennen
Β 
AppSec in an Agile World
David Lindner
Β 
Application security meetup k8_s security with zero trust_29072021
lior mazor
Β 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
Β 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Emerasoft, solutions to collaborate
Β 
Cncf checkov and bridgecrew
LibbySchulze
Β 
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
Β 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
Β 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Mansi Kandari
Β 
Advanced-Penetration-Testing_course_content
priyanshamadhwal2
Β 
Nicolas destor pres_f5agility2018
Nicolas Destor
Β 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
SecuRing
Β 

More from Mikhail Shcherbakov (20)

PPTX
Delegates and events in C#
Mikhail Shcherbakov
Β 
PPTX
Mythbusters - Web Application Security
Mikhail Shcherbakov
Β 
PPTX
ΠœΠΈΡ…Π°ΠΈΠ» Π©Π΅Ρ€Π±Π°ΠΊΠΎΠ² "WinDbg сотоварищи"
Mikhail Shcherbakov
Β 
PPTX
Apache Ignite.NET Π² дСйствии
Mikhail Shcherbakov
Β 
PPTX
АрхитСктура Apache Ignite .NET
Mikhail Shcherbakov
Β 
PPTX
Знакомство с In-Memory Data Grid
Mikhail Shcherbakov
Β 
PDF
сцСнарии использования статичСского Π°Π½Π°Π»ΠΈΠ·Π°Ρ‚ΠΎΡ€Π°
Mikhail Shcherbakov
Β 
PPTX
WCF. Π›Π΅Π³ΠΊΠΎ ΠΈΠ»ΠΈ ΠΏΡ€ΠΎΠ±Π»Π΅ΠΌΠ½ΠΎ
Mikhail Shcherbakov
Β 
PDF
Поиск ошибок Π² ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠ°Ρ… Π½Π° языкС C#
Mikhail Shcherbakov
Β 
PPTX
Когда Π² C# Π½Π΅ Ρ…Π²Π°Ρ‚Π°Π΅Ρ‚ C++ . Π§Π°ΡΡ‚ΡŒ 3.
Mikhail Shcherbakov
Β 
PDF
Project Rider
Mikhail Shcherbakov
Β 
PPTX
WinDbg Π² Ρ€ΡƒΠΊΠ°Ρ… .NET Ρ€Π°Π·Ρ€Π°Π±ΠΎΡ‚Ρ‡ΠΈΠΊΠ°
Mikhail Shcherbakov
Β 
PPTX
Structured logging
Mikhail Shcherbakov
Β 
PPTX
RESTful API: Best practices, versioning, design documentation
Mikhail Shcherbakov
Β 
PPTX
ΠŸΡ€ΠΎΡΡ‚ΠΎΠΉ ΠΈ кросс-ΠΏΠ»Π°Ρ‚Ρ„ΠΎΡ€ΠΌΠ΅Π½Π½Ρ‹ΠΉ WEB-сСрвСр Π½Π° .NET
Mikhail Shcherbakov
Β 
PPTX
ИспользованиС Visual Studio Tools for Apache Cordova Π² Ρ€Π΅Π°Π»ΡŒΠ½Ρ‹Ρ… ΠΏΡ€ΠΎΠ΅ΠΊΡ‚Π°Ρ…
Mikhail Shcherbakov
Β 
PPTX
Когда Π² C# Π½Π΅ Ρ…Π²Π°Ρ‚Π°Π΅Ρ‚ C++ . Π§Π°ΡΡ‚ΡŒ 2.
Mikhail Shcherbakov
Β 
PDF
РаспространённыС ошибки ΠΎΡ†Π΅Π½ΠΊΠΈ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ .NET-ΠΏΡ€ΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΉ
Mikhail Shcherbakov
Β 
PPTX
Когда Π² C# Π½Π΅ Ρ…Π²Π°Ρ‚Π°Π΅Ρ‚ C++
Mikhail Shcherbakov
Β 
PDF
Как это Ρ€Π°Π±ΠΎΡ‚Π°Π΅Ρ‚: DLR
Mikhail Shcherbakov
Β 
Delegates and events in C#
Mikhail Shcherbakov
Β 
Mythbusters - Web Application Security
Mikhail Shcherbakov
Β 
ΠœΠΈΡ…Π°ΠΈΠ» Π©Π΅Ρ€Π±Π°ΠΊΠΎΠ² "WinDbg сотоварищи"
Mikhail Shcherbakov
Β 
Apache Ignite.NET Π² дСйствии
Mikhail Shcherbakov
Β 
АрхитСктура Apache Ignite .NET
Mikhail Shcherbakov
Β 
Знакомство с In-Memory Data Grid
Mikhail Shcherbakov
Β 
сцСнарии использования статичСского Π°Π½Π°Π»ΠΈΠ·Π°Ρ‚ΠΎΡ€Π°
Mikhail Shcherbakov
Β 
WCF. Π›Π΅Π³ΠΊΠΎ ΠΈΠ»ΠΈ ΠΏΡ€ΠΎΠ±Π»Π΅ΠΌΠ½ΠΎ
Mikhail Shcherbakov
Β 
Поиск ошибок Π² ΠΏΡ€ΠΎΠ³Ρ€Π°ΠΌΠΌΠ°Ρ… Π½Π° языкС C#
Mikhail Shcherbakov
Β 
Когда Π² C# Π½Π΅ Ρ…Π²Π°Ρ‚Π°Π΅Ρ‚ C++ . Π§Π°ΡΡ‚ΡŒ 3.
Mikhail Shcherbakov
Β 
Project Rider
Mikhail Shcherbakov
Β 
WinDbg Π² Ρ€ΡƒΠΊΠ°Ρ… .NET Ρ€Π°Π·Ρ€Π°Π±ΠΎΡ‚Ρ‡ΠΈΠΊΠ°
Mikhail Shcherbakov
Β 
Structured logging
Mikhail Shcherbakov
Β 
RESTful API: Best practices, versioning, design documentation
Mikhail Shcherbakov
Β 
ΠŸΡ€ΠΎΡΡ‚ΠΎΠΉ ΠΈ кросс-ΠΏΠ»Π°Ρ‚Ρ„ΠΎΡ€ΠΌΠ΅Π½Π½Ρ‹ΠΉ WEB-сСрвСр Π½Π° .NET
Mikhail Shcherbakov
Β 
ИспользованиС Visual Studio Tools for Apache Cordova Π² Ρ€Π΅Π°Π»ΡŒΠ½Ρ‹Ρ… ΠΏΡ€ΠΎΠ΅ΠΊΡ‚Π°Ρ…
Mikhail Shcherbakov
Β 
Когда Π² C# Π½Π΅ Ρ…Π²Π°Ρ‚Π°Π΅Ρ‚ C++ . Π§Π°ΡΡ‚ΡŒ 2.
Mikhail Shcherbakov
Β 
РаспространённыС ошибки ΠΎΡ†Π΅Π½ΠΊΠΈ ΠΏΡ€ΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡ‚Π΅Π»ΡŒΠ½ΠΎΡΡ‚ΠΈ .NET-ΠΏΡ€ΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΉ
Mikhail Shcherbakov
Β 
Когда Π² C# Π½Π΅ Ρ…Π²Π°Ρ‚Π°Π΅Ρ‚ C++
Mikhail Shcherbakov
Β 
Как это Ρ€Π°Π±ΠΎΡ‚Π°Π΅Ρ‚: DLR
Mikhail Shcherbakov
Β 

Recently uploaded (20)

PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
Β 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
Β 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
Β 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
Β 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
Β 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
Β 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
Β 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
Β 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
Β 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
Β 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
Β 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
Β 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
Β 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
Β 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
Β 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
Β 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
Β 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
Β 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
Β 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
Β 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
Β 
Hybrid model detection and classification of lung cancer
IAESIJAI
Β 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
Β 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
Β 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
Β 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
Β 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
Β 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
Β 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
Β 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
Β 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
Β 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
Β 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
Β 
Getting Started with Data Integration: FME Form 101
Safe Software
Β 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
Β 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
Β 
Web App vs Mobile App What Should You Build First.pdf
KodekX
Β 
Chapter 5: Probability Theory and Statistics
RandyFin
Β 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
Β 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
Β 

Know Your Security Model

  • 1. Know Your Security Model Mikhail Shcherbakov 9-я конфСрСнция .NET Ρ€Π°Π·Ρ€Π°Π±ΠΎΡ‚Ρ‡ΠΈΠΊΠΎΠ² 12 октября 2014 dotnetconf.ru
  • 2. 2 About me β€’ Senior software developer at Positive Technologies β€’ Working on Application Inspector - source code analyzer β€’ Previous team lead at Acronis and Luxoft
  • 3. 3 Terms C# 5.0 Language Specification Common Language Infrastructure (CLI) Standard ECMA-335
  • 4. 4 .NET Framework 4 Security Architecture β€’ Application Domains β€’ The verification process β€’ Code Access Security (CAS) o Policy o Permissions o Enforcement β€’ Role-based security o Authentication o Authorization o Principal and Identity β€’ Cryptography
  • 5. 5 .NET Framework 4 Security Architecture β€’ Application Domains β€’ The verification process β€’ Code Access Security (CAS) o Policy o Permissions o Enforcement β€’ Role-based security o Authentication o Authorization o Principal and Identity β€’ Cryptography
  • 6. 6 Knowledge in Practice β€’ CAS is the base of security β€’ Development of extensible and security- sensitive applications β€’ Troubleshooting and knowledge about the internals o ASP.NET / IIS o Silverlight o SQL CLR o XBAP o ClickOnce o Sharepoint
  • 7. 7 Application Domains β€’ Fully Trusted and Partially Trusted β€’ Heterogeneous and Homogeneous β€’ Sandboxing by AppDomain
  • 8. 8 Type Safety β€’ C# compilation β€’ Just-in-time (JIT) compilation β€’ Native Image Generator (Ngen.exe) β€’ PEVerify tool
  • 9. 9 Code Access Security β€’ Policy (deprecated in .NET Framework 4) β€’ Permissions β€’ Enforcement o Fully Trusted assemblies in Partially Trusted AppDomain o Security Transparency Code o Assert permissions o SecurityPermission o RegistryPermission o ReflectionPermission o SocketPermission o FileIOPermission o WebPermission
  • 10. 10 Level 2 Security Transparency Critical Full Trust code that can do anything Safe Critical Full Trust code Provides access to Critical code Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert
  • 11. 11 Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent οƒΌ   SecuritySafeCritical  οƒΌ οƒΌ SecurityCritical οƒΌ οƒΌ οƒΌ AllowPartiallyTrustedCallers οƒΌ   SecAnnotate.exe - .NET Security Annotator Tool
  • 12. 12 Demo MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277) Exploited by Trusted Chain attack
  • 13. 13 Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske