WPF Security Strategy - Security Engineering

Trustworthy Computing is a Microsoft initiative for ensuring the production of secure code. A key element of the Trustworthy Computing initiative is the Microsoft Security Development Lifecycle (SDL). The SDL is an engineering practice that is used in conjunction with standard engineering processes to facilitate the delivery of secure code. The SDL consists of ten phases that combine best practices with formalization, measurability, and additional structure, including:

  • Security design analysis

  • Tool-based quality checks

  • Penetration testing

  • Final security review

  • Post release product security management

WPF Specifics

The WPF engineering team both applies and extends the SDL; the combined practice includes the following key aspects:

Threat Modeling

Source Analysis and Editing Tools

Testing Techniques

Critical Code Management

Threat Modeling

Threat modeling is a core component of the SDL, and is used to profile a system to determine potential security vulnerabilities. Once the vulnerabilities are identified, threat modeling also ensures that appropriate mitigations are in place.

At a high level, threat modeling involves the following key steps, illustrated here with a grocery store as the system being modeled:

  1. Identifying Assets. A grocery store's assets might include employees, a safe, cash registers, and inventory.

  2. Enumerating Entry Points. A grocery store's entry points might include the front and back doors, windows, the loading dock, and air conditioning units.

  3. Investigating Attacks against Assets using Entry Points. One possible attack could target a grocery store's safe asset through the air conditioning entry point; the air conditioning unit could be unscrewed to allow the safe to be pulled up through it and out of the store.

Threat modeling is applied throughout WPF and includes the following:

  • How the XAML parser reads files, maps markup to the corresponding object model classes, and instantiates the resulting object tree.

  • How a window handle (hWnd) is created, sends messages, and is used for rendering the contents of a window.

  • How data binding obtains resources and interacts with the system.

These threat models are important for identifying security design requirements and threat mitigations during the development process.

Source Analysis and Editing Tools

In addition to the manual security code review elements of the SDL, the WPF team uses several tools for source analysis and associated edits to decrease security vulnerabilities. A wide range of source tools are used, and include the following:

  • FxCop: Finds common security issues in managed code, ranging from inheritance rules to the use of code access security to how to interoperate securely with unmanaged code. See FxCop.

  • PREfix/PREfast: Finds security vulnerabilities and common security issues in unmanaged code, such as buffer overruns, format string problems, and missing error checking.

  • Banned APIs: Searches source code to identify accidental use of functions that are known to cause security problems, such as strcpy. Once identified, these functions are replaced with more secure alternatives.
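
The source search described in the banned-API bullet can be scripted. The scanner below is an added example, not a Microsoft tool: its banned list is an illustrative subset modeled on the SDL banned.h header (the `_s` names are the CRT secure replacements), it blanks out comments and string literals before matching so that a mention of strcpy in a comment or a printf format string is not reported, and the C source it scans is constructed input.

```python
import re
from typing import List, NamedTuple

# Illustrative subset of a banned-API list (assumption: modeled on the SDL's
# banned.h); each entry maps a risky CRT function to its bounded replacement.
BANNED = {
    "strcpy": "strcpy_s",
    "strcat": "strcat_s",
    "sprintf": "sprintf_s",
    "strncpy": "strncpy_s",
    "gets": "gets_s",
}

# A banned identifier used as a call: word boundary, the name, optional
# whitespace, then "(".  "strcpy_s(" and "my_strcpy(" therefore do not match.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


class Finding(NamedTuple):
    line: int
    function: str
    replacement: str
    text: str


def _strip_comments(src: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so line numbers hold.
    (Simplification: a // inside a string literal would also be treated as a comment.)"""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def _strip_strings(line: str) -> str:
    """Replace string literals with "" so text inside them is not seen as a call."""
    return re.sub(r'"(?:\\.|[^"\\\n])*"', '""', line)


def scan(src: str) -> List[Finding]:
    """Return every banned-function call in C source, in order of appearance."""
    findings = []
    original = src.splitlines()
    for lineno, line in enumerate(_strip_comments(src).splitlines(), 1):
        for m in _CALL.finditer(_strip_strings(line)):
            fn = m.group(1)
            findings.append(Finding(lineno, fn, BANNED[fn], original[lineno - 1].strip()))
    return findings


# Constructed C input exercising the cases a plain text search gets wrong.
SAMPLE_SOURCE = r"""#include <string.h>
#include <stdio.h>
/* copies user input; strcpy(dst, src) here is only a comment */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);               /* banned: no bound on name */
    strcpy_s(buf, sizeof buf, name); /* secure replacement, not flagged */
    printf("strcpy(%s)\n", buf);     /* inside a string literal, not a call */
    my_strcpy(buf, name);            /* different identifier */
    sprintf(buf, "hello %s", name);  // banned: unbounded formatting
}"""


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.function}() -> use {f.replacement}: {f.text}")
```

Run against the constructed sample it reports only line 6 (strcpy) and line 10 (sprintf); the comment, the string literal, the `strcpy_s` call and the `my_strcpy` identifier are left alone.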

Testing Techniques

WPF uses a variety of security testing techniques that include:

  • Whitebox testing: Testers read the source code and then build exploit tests against it.

  • Blackbox testing: Testers try to find security exploits by examining the API and features, and then attempt to attack the product.

  • Regressing security issues from other products: Where relevant, security issues in related products are tested. For example, appropriate variants of approximately sixty security issues for Internet Explorer have been identified and tried for their applicability to WPF.

  • Tool-based penetration testing through file fuzzing: File fuzzing exercises a file reader's input range with a variety of malformed and unexpected inputs. One example in WPF where this technique is used is to check for failures in image decoding code.
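
File fuzzing of a reader, as an added example that is not WPF's own test harness: a constructed toy image format, a naive decoder that trusts the header, a hardened decoder that validates every field, and a mutation fuzzer that feeds both seed-derived inputs and treats any exception other than the decoder's own DecodeError as a bug worth a repro. The format, both decoders and the seed file are constructed for illustration; the toy format is not a real image format.

```python
import random
import struct
from typing import Callable, Dict, List


class DecodeError(Exception):
    """The decoder's own, expected way of rejecting malformed input."""


# Constructed toy format: b"TIMG", width (u16 BE), height (u16 BE), then
# width*height bytes of 8-bit gray.
MAGIC = b"TIMG"
HEADER = struct.Struct(">4sHH")
MAX_DIM = 4096  # the hardened decoder refuses anything larger


def decode_naive(data: bytes) -> List[List[int]]:
    """Trusts the header: a short file or inflated dimensions surface as a raw
    struct.error or IndexError instead of a controlled rejection."""
    magic, w, h = HEADER.unpack(data[:8])
    if magic != MAGIC:
        raise DecodeError("bad magic")
    return [[data[8 + y * w + x] for x in range(w)] for y in range(h)]


def decode_hardened(data: bytes) -> List[List[int]]:
    """Validates length, magic, dimensions and payload size before indexing."""
    if len(data) < HEADER.size:
        raise DecodeError("truncated header")
    magic, w, h = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise DecodeError("bad magic")
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM):
        raise DecodeError(f"bad dimensions {w}x{h}")
    if len(data) - HEADER.size < w * h:
        raise DecodeError("truncated pixel data")
    body = data[HEADER.size:]
    return [list(body[y * w:(y + 1) * w]) for y in range(h)]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: a bit flip, a truncation, or a
    boundary value written over two adjacent bytes."""
    data = bytearray(seed)
    op = rng.choice(("flip", "truncate", "boundary"))
    if op == "flip":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "truncate":
        del data[rng.randrange(len(data)):]
    else:
        i = rng.randrange(len(data) - 1)
        data[i:i + 2] = rng.choice((b"\x00\x00", b"\x7f\xff", b"\x80\x00", b"\xff\xff"))
    return bytes(data)


def fuzz(decoder: Callable[[bytes], object], seed: bytes,
         iterations: int = 1000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Run mutated inputs through the decoder and keep the first input for each
    exception type that is not the decoder's own DecodeError."""
    rng = random.Random(rng_seed)  # fixed seed: every run is reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            decoder(sample)
        except DecodeError:
            continue  # clean rejection is the expected outcome
        except Exception as exc:  # anything else is a decoder bug
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


SEED_IMAGE = HEADER.pack(MAGIC, 3, 4) + bytes(range(12))  # valid 3x4 seed file


if __name__ == "__main__":
    for name, dec in (("naive", decode_naive), ("hardened", decode_hardened)):
        found = fuzz(dec, SEED_IMAGE)
        print(f"{name}: {len(found)} unexpected exception type(s): {sorted(found)}")
        for exc_name, repro in found.items():
            print(f"  {exc_name}: {repro.hex()}")
```

The naive decoder yields IndexError (and struct.error) repros within the first few hundred iterations; the hardened one yields none, because every malformed input is turned into a DecodeError before any pixel byte is touched.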

Critical Code Management

For XAML browser applications (XBAPs), WPF builds a security sandbox by using .NET Framework support for marking and tracking security-critical code that elevates privileges (see Security-Critical Methodology in WPF Security Strategy - Platform Security). Given the high security quality requirements on security-critical code, such code receives an additional level of source management control and security audit. Approximately 5% to 10% of WPF consists of security-critical code, which is reviewed by a dedicated reviewing team. Source code and the check-in process are managed by tracking the security-critical code and mapping each critical entity (that is, a method containing critical code) to its sign-off state. The sign-off state includes the names of one or more reviewers. Each daily build of WPF compares the critical code to that in previous builds to check for unapproved changes. If an engineer modifies critical code without approval from the reviewing team, it is identified and fixed immediately. This process enables the application and maintenance of an especially high level of scrutiny over WPF sandbox code.
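
The sign-off bookkeeping described above, as an added example that is not taken from WPF's build system: each critical entity maps to a content digest of the body that was reviewed plus the reviewers who signed it off, and a build's critical methods are compared against that manifest so that any digest mismatch, or a new critical method with no sign-off, fails the check. The entity names and C#-like method bodies are hypothetical, and whitespace is normalized before hashing so that reformatting alone is not flagged as a change.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SignOff:
    """Approval record for one critical entity: the digest of the body the
    reviewing team saw, and who signed it off."""
    digest: str
    reviewers: tuple


def digest(body: str) -> str:
    """Whitespace-normalized SHA-256 of a method body."""
    return hashlib.sha256(" ".join(body.split()).encode("utf-8")).hexdigest()


def sign_off(manifest: Dict[str, SignOff], name: str, body: str, reviewers: List[str]) -> None:
    """Record the reviewing team's approval of the current body of `name`."""
    if not reviewers:
        raise ValueError("a sign-off needs at least one reviewer")
    manifest[name] = SignOff(digest(body), tuple(reviewers))


def audit(manifest: Dict[str, SignOff], build: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a build's critical entities (name -> body) with the manifest."""
    report: Dict[str, List[str]] = {"approved": [], "unapproved_change": [], "unsigned_new": [], "removed": []}
    for name, body in sorted(build.items()):
        if name not in manifest:
            report["unsigned_new"].append(name)        # critical code nobody signed off
        elif digest(body) != manifest[name].digest:
            report["unapproved_change"].append(name)   # body differs from what was reviewed
        else:
            report["approved"].append(name)
    report["removed"] = sorted(set(manifest) - set(build))
    return report


def build_passes(report: Dict[str, List[str]]) -> bool:
    """The daily build fails on any unapproved or unsigned critical code."""
    return not (report["unapproved_change"] or report["unsigned_new"])


# Constructed data: hypothetical critical entities with C#-like bodies.
PREVIOUS_BUILD = {
    "PresentationCore!HwndSource.CreateWindow":
        "[SecurityCritical] IntPtr CreateWindow() { return NativeMethods.CreateWindowEx(_params); }",
    "PresentationFramework!XamlReader.Load":
        "[SecurityCritical] object Load(Stream s) { new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert(); return Parse(s); }",
    "PresentationCore!BitmapDecoder.Create":
        "[SecurityCritical] BitmapDecoder Create(Stream s) { return Native.Decode(s); }",
}
APPROVED: Dict[str, SignOff] = {}
for _name, _body in PREVIOUS_BUILD.items():
    sign_off(APPROVED, _name, _body, ["reviewer-a", "reviewer-b"])

CURRENT_BUILD = dict(PREVIOUS_BUILD)
# Reformatted only: still matches its sign-off.
CURRENT_BUILD["PresentationCore!BitmapDecoder.Create"] = (
    "[SecurityCritical]\nBitmapDecoder Create(Stream s)\n{\n    return Native.Decode(s);\n}")
# Behaviour changed (broader assert) without going back to the reviewing team.
CURRENT_BUILD["PresentationFramework!XamlReader.Load"] = (
    "[SecurityCritical] object Load(Stream s) { new SecurityPermission(PermissionState.Unrestricted).Assert(); return Parse(s); }")
# New critical method with no sign-off at all.
CURRENT_BUILD["PresentationCore!HwndSource.PostMessage"] = (
    "[SecurityCritical] void PostMessage(int msg) { NativeMethods.PostMessage(_hwnd, msg); }")
# Critical method deleted since the last build.
del CURRENT_BUILD["PresentationCore!HwndSource.CreateWindow"]


if __name__ == "__main__":
    result = audit(APPROVED, CURRENT_BUILD)
    for category, names in result.items():
        print(f"{category}: {names}")
    print("build passes:", build_passes(result))
```

On the constructed data the report lists BitmapDecoder.Create as approved, XamlReader.Load as an unapproved change, HwndSource.PostMessage as unsigned new code and HwndSource.CreateWindow as removed, so the build fails; once the reviewing team signs off the two offending bodies, the same build passes.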

See Also

Concepts

Security (WPF)

WPF Partial Trust Security

WPF Security Strategy - Platform Security

Other Resources

Trustworthy Computing

Application Threat Modeling

Security Guidelines: .NET Framework 2.0