RE: Security issues with Asp.Net in Shared Hosting Environments

["Dinis Cruz" <dinis () ddplus net>]

Hello Mark

Thanks for you comments, please see my replies bellow:

> I have read several of your articles, e-mails, and usenet posts and 
> while the facts are correct, I'm not really clear what you expect to 
> happen.
>
> > From what I understand, you want:
>
> - Full trust features made available to web site operators in 
> a shared 
> hosting environment who are not fully trusted.

Yes, namely ODBC, OleDB, FSO and ability to securely call specific COM
objects
 
> - Little or no extra effort on the developer's part to make it run in 
> a partial trust environment.

Yes. Note that in a shared hosting scenario (for example: ISPs) the
developers would have no say in how the server is configured and managed
> - The developers shouldn't have to operate their own server 
> to be able 
> to run trusted code.

Yes, at the moment the only secure option to run a website that need
FullTrust is to run that website in a dedicated server with no other
hosted websites. Even this option is not good because it would then be
that developer's responsibility to securely configure and maintain the
server.

> You state that the .NET framework does not allow the creation of 
> secure hosting environments unless one is prepared to develop 
> partially trusted web applications. This is true and precisely the 
> reason Microsoft created the concept of partial trust. Of course you 
> can't do everything with partial trust because the hosting company 
> doesn't fully trust you. 

My problem is the fact that currently it is almost impossible to write a
'real life' web application in 'Partially Trusted' environments. The
gulf between FullTrust and the most permissive and unsecured 'Partially
Trust' environment, is so big that FullTrust is the only option. 

For example, although there are some cases where Win32 API calls are
required, most websites need access to COM objects (either their own or
the FSO, ODBC or OleDB). In the current situation it is not possible to
create a 'Trust' environment where it is possible to access the FSO and
ODBC COM objects but any direct call to a win32 function (i.e. unmanaged
call) would be disabled. 

I know that ODBC calls can also be dangerous but that at least would
reduce the 'attack perimeter' 

> If a hosting company is willing to grant 
> everyone full trust, that is their own security problem and certainly 
> not a flaw of ASP.NET. 

As I just pointed out, the problem is that today, the ISPs have no
alternative but to run their client's websites with FullTrust. So even
if they don't want (i.e. are not willing to grant everybody FullTrust),
they can't. 

The industry standard is to run code in FullTrust. Since this is an
unknown issue in the industry (i.e. almost nobody is aware of it,
specially the clients), if an ISPs configures their client's websites to
run in 'Partially Trusted' environments, that ISPs would lose those
clients (because their 'secure servers' would break the client's web
applications)

That (the impossibility to run 'Partially trusted' web applications in
shared hosting environments) is in my view, a Asp.Net flaw.

> It would be absurd if a hosting 
> company running 
> classic ASP allowed all customers to install their own COM 
> objects and 
> ISAPI applications. 

But that is what those companies are doing today when they allow the
execution of Asp.Net code with FullTrust!  

It is actually a good analogy: "Running Asp.Net web applications with
FullTrust is the same thing as allowing the installation of COM objects
on the server"

> Further, many of the things you talk about can be restricted in other 
> ways. When I run your ANSA application against any of my 
> servers using 
> my standard build procedure, ALL of the tests fail, not just because 
> of my ASP.NET configuration, but because I take the proper steps in 
> securing the file system, the registry, WSH, FSO WMI, etc. 

That is interesting, even the unmanaged calls? 

Did ANSA run in FullTrust?

> You really can't expect a hosting company to fully trust you. 

I know, so don't you agree that the only solution is to limit what a
malicious user can do?

> The real 
> issue here is a balance of security vs. features and is one that 
> exists for all platforms.

Agree, but if the option is to either have a 'insecure' system connected
to the internet, and an 'secure' system NOT connected to the internet,
which one will you use to send an email? what we need is a 'as secure as
it can be' system connected to the internet. 

> The other issues are knowing how to 
> properly 
> secure a server and properly write code that will run on a secure 
> server.

Agree, but at the moment the ISPs don't have a solution for building a
secure Asp.Net servers which provide the minimum services (i.e.
functionality) required by their clients, and are at the same time,
'secure' (I think that we can agree that a server providing shared
hosting services with all websites running in 'FullTrust' cannot be
considered 'secure')

> You have made several points in your articles, but it seems like you 
> are shifting the burden of this onto Microsoft. But its not 
> clear what 
> you are asking them to do. What do you see as the solution to all 
> this? Are you saying they have the wrong security/features balance?

Yes I am, I think that at the moment, Microsoft is still more focused on
developing applications or development tools that have as many features
as possible, instead of being focused in developing secure products and
secure development environments.

This article explains this in length: "Microsoft must deliver 'secure
environments' not tools to write 'secure code'" -
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852 (That
is my solution for this problem)

This lack of focus, can be clearly seen in the latest PR buzz
surrounding the next version of the .Net framework (2.0). I have read
quite a bit of documentation about this new version and 99% of it is
about the new features and rapid development tools. The mentions of
security in .Net 2.0 are general and none address the issues that I am
talking about. Although I have heard some unofficial rumors that the
next version (to be release in Q4 2004) will have a more 'feature rich'
'Partially Trusted' environment.

As a final point I would like to say that my comments are based on my
experience of managing and developing web applications and, on my work
with ISPs in building secure Asp.Net' and ASP servers.

Please do correct me if you think that what I am saying is not accurate,
or I got some details wrong.

Best regards

Dinis Cruz
.Net Security Consultant
DDPlus (www.ddplus.net)


> Mark Burnett
>
>
>
>
>
> On Thu, 30 Oct 2003 23:17:29 -0000, Dinis Cruz wrote:
> > Hello
> >
> >
> > Over the last couple of months I have posted several items in the 
> > official Asp.Net website (www.asp.net) related to the security 
> > problems that occur when Asp.Net is used in shared hosting 
> > environments (such as ISPs, Asp.Net developers and companies that 
> > manage/host several websites in their servers).
> >
> > The objective of this email is to consolidate all this 
> information in 
> > one single point:
> >
> > 1) for us, it all started with our "Security guide for ISPs 
> providing 
> > Windows-based Shared Hosting Services"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=249624)
> >
> >
> > 2) then we created and released an Open Source web 
> application to test 
> > the security configuration of servers hosting Asp.Net websites
> > - the Asp.Net Security Analyser (ANSA) - which is published in 
> > GotDotNet
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=360023)
> >
> > 3) Following the release of this tool, we started a public 
> discussion 
> > on what we considered to be serious problems that needed to be 
> > addressed: a) "Asp.Net.Vulnerability: Full Trust (current security 
> > problems and possible solutions)"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368663)
> > b) "Asp.Net.Vulnerability: Win32 API calls (potential security 
> > problems)"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=368686)
> > c) "Asp.Net.Vulnerability: Asp.Net buffer overflows (potential 
> > security problems)"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=369016)
> >
> >
> > 4) When (as a reply to one of the "Asp.Net vulnerabilities" 
> posts) we 
> > where advised to talk first to Microsoft before publishing this 
> > information publicly, we decided to write the story (so far) of our 
> > email exchange with several Microsoft employees and 
> Microsoft Security 
> > Response Center: "When will Microsoft take Asp.Net Security 
> seriously? 
> > "
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=370723)
> >
> > 5) Meanwhile we where continuing to work on a solution for 
> the 'Full 
> > Trust' problem and posted:
> >
> > a) some ideas on how to tackle the problem: "Idea to solve 
> the current 
> > shared hosting 'Full trust' issue."
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=371761)
> >
> >
> > b) a 'proof of concept' example on one of the proposed 
> solutions: "FSO 
> > in 'Medium trust' environments"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380247)
> >
> >
> > 6) Finally we wrote two articles (soon to be published) 
> that explain 
> > these problems with more detail, and say what we think Microsoft 
> > should be doing to solve this problems and make Asp.Net a secure 
> > platform for the development of secure web applications
> >
> > a) "Microsoft must deliver 'secure environments' not tools to write 
> > 'secure code' - draft article"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379852)
> >
> >
> > b) "'An 'Asp.Net' accident waiting to happen" - draft article"
> > (http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=379837)
> >
> > Our next steps will be the release of a new version of ANSA and 
> > continue working on the proposed solution for the 'Full 
> Trust' problem 
> > (when we have more solid data we will release a white paper called 
> > "living in a Asp.Net 'Partially Trusted' world'" which will provide 
> > more details about how this can be successfully achieved with the 
> > requirements of today's Asp.Net developers).
> >
> > Best regards
> >
> >
> > Dinis Cruz
> > .NET Security Consultant
> > DDPlus (www.ddplus.net)
> >
> >
> > Note: We also posted a query for 'real life' examples of web 
> > applications developed and deployed in 'Partially Trust' 
> Environments 
> > ("examples of 'Medium' or 'high' trust Asp.Net applications" -
> > http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=380468),
> > but haven't received any feedback. If you know of examples we would
> > be very appreciated if you give provide us (and the Asp.Net
> > community) feedback and 'real life' knowledge.