I have setup a WPF application that is single instance using a Mutex, this allows for the application to run within each user account if you are using user switching. The application sets up a WCF named pipe so that I can communicate to the single instance from another process (i.e. when the second process runs before it terminates due to the Mutex).
我已经使用Mutex设置了一个单实例的WPF应用程序,如果您使用用户切换,这允许应用程序在每个用户帐户中运行。应用程序设置一个名为WCF的管道,以便我可以从另一个进程与单个实例进行通信(即第二个进程在由于Mutex而终止之前运行)。
I would like to know if anything should be done (best practices) to secure the named pipe?
我想知道是否应该采取任何措施(最佳实践)来保护命名管道?
Also I would like to know if the named pipe messages would reach all running processes within the system or only within current user session. If the named pipe is sent system wide then what would be the best implmentation to restrict the communication to the current users session?
此外,我想知道命名管道消息是否会到达系统内的所有正在运行的进程,或者仅在当前用户会话中。如果命名管道是系统范围发送的,那么限制通信到当前用户会话的最佳方法是什么?
3 个解决方案
#1
7
Named pipes in WCF are not accessible from the network and no encryption is required to secure them. However, WCF services are not secure against the attack mentioned by romkyns.
无法从网络访问WCF中的命名管道,并且不需要加密来保护它们。但是,WCF服务并不能抵御romkyns提到的攻击。
I suggest you read this posts:
我建议你阅读这篇文章:
Exploring the WCF Named Pipe Binding - Part 1
探索WCF命名管道绑定 - 第1部分
Exploring the WCF Named Pipe Binding - Part 2
探索WCF命名管道绑定 - 第2部分
Exploring the WCF Named Pipe Binding - Part 3
探索WCF命名管道绑定 - 第3部分
Exploring the WCF Named Pipe Binding - Part 4
探索WCF命名管道绑定 - 第4部分
about the security problems involved.
关于所涉及的安全问题。
In short WCF allows ANY process to masquerade itself as the service and:
简而言之,WCF允许任何进程将自己伪装成服务并且:
- Either simulate the service OR
- 要么模拟服务OR
- Eavesdrop and tamper data assuming that the rogue process itself connect to the service. However, if the service uses access security to check the identity of the calling user this may not be possible.
- 假设流氓进程本身连接到服务,窃听和篡改数据。但是,如果服务使用访问安全性来检查主叫用户的身份,则可能无法实现。
#2
2
Named pipes imply that the communication is point-to-point on the same machine. I believe that it is secured by default, but since communication is never leaving the machine, even on the same network, that security isn't the biggest thing to worry about - at least in regards to the communication between a named pipe component and its consumer.
命名管道意味着通信在同一台机器上是点对点的。我相信它默认是安全的,但由于通信永远不会离开机器,即使在同一网络上,安全性也不是最令人担心的问题 - 至少在命名管道组件与其之间的通信方面消费者。
Check out "Programming WCF Services 2nd Edition" by Juval Lowy. Chapter 10 is all about component security. On page 514, he writes "there is no sense in using Message security over IPC, since with IPC there is always exactly one hop from the client to the service. The chart on that page shows that Transport security is turned on by default for named pipes.
查看Juval Lowy撰写的“编程WCF服务第2版”。第10章是关于组件安全性的。在第514页,他写道“在IPC上使用Message安全没有任何意义,因为使用IPC时,从客户端到服务的传输总是只有一跳。该页面上的图表显示默认情况下启用传输安全性管道。
#3
1
This paper on named pipe security discusses the topic in a lot of detail.
这篇关于命名管道安全的论文详细讨论了这个主题。
In short, if you're not careful you could allow a malicious program running with standard user permission to exploit a pipe to elevate itself to the same privilege level as the named pipe server.
简而言之,如果您不小心,您可以允许以标准用户权限运行的恶意程序利用管道将自身提升到与命名管道服务器相同的权限级别。
I'm afraid I don't know whether the WCF implementation is secure against this type of attack by default.
我担心默认情况下我不知道WCF实现是否可以抵御此类攻击。
#1
7
Named pipes in WCF are not accessible from the network and no encryption is required to secure them. However, WCF services are not secure against the attack mentioned by romkyns.
无法从网络访问WCF中的命名管道,并且不需要加密来保护它们。但是,WCF服务并不能抵御romkyns提到的攻击。
I suggest you read this posts:
我建议你阅读这篇文章:
Exploring the WCF Named Pipe Binding - Part 1
探索WCF命名管道绑定 - 第1部分
Exploring the WCF Named Pipe Binding - Part 2
探索WCF命名管道绑定 - 第2部分
Exploring the WCF Named Pipe Binding - Part 3
探索WCF命名管道绑定 - 第3部分
Exploring the WCF Named Pipe Binding - Part 4
探索WCF命名管道绑定 - 第4部分
about the security problems involved.
关于所涉及的安全问题。
In short WCF allows ANY process to masquerade itself as the service and:
简而言之,WCF允许任何进程将自己伪装成服务并且:
- Either simulate the service OR
- 要么模拟服务OR
- Eavesdrop and tamper data assuming that the rogue process itself connect to the service. However, if the service uses access security to check the identity of the calling user this may not be possible.
- 假设流氓进程本身连接到服务,窃听和篡改数据。但是,如果服务使用访问安全性来检查主叫用户的身份,则可能无法实现。
#2
2
Named pipes imply that the communication is point-to-point on the same machine. I believe that it is secured by default, but since communication is never leaving the machine, even on the same network, that security isn't the biggest thing to worry about - at least in regards to the communication between a named pipe component and its consumer.
命名管道意味着通信在同一台机器上是点对点的。我相信它默认是安全的,但由于通信永远不会离开机器,即使在同一网络上,安全性也不是最令人担心的问题 - 至少在命名管道组件与其之间的通信方面消费者。
Check out "Programming WCF Services 2nd Edition" by Juval Lowy. Chapter 10 is all about component security. On page 514, he writes "there is no sense in using Message security over IPC, since with IPC there is always exactly one hop from the client to the service. The chart on that page shows that Transport security is turned on by default for named pipes.
查看Juval Lowy撰写的“编程WCF服务第2版”。第10章是关于组件安全性的。在第514页,他写道“在IPC上使用Message安全没有任何意义,因为使用IPC时,从客户端到服务的传输总是只有一跳。该页面上的图表显示默认情况下启用传输安全性管道。
#3
1
This paper on named pipe security discusses the topic in a lot of detail.
这篇关于命名管道安全的论文详细讨论了这个主题。
In short, if you're not careful you could allow a malicious program running with standard user permission to exploit a pipe to elevate itself to the same privilege level as the named pipe server.
简而言之,如果您不小心,您可以允许以标准用户权限运行的恶意程序利用管道将自身提升到与命名管道服务器相同的权限级别。
I'm afraid I don't know whether the WCF implementation is secure against this type of attack by default.
我担心默认情况下我不知道WCF实现是否可以抵御此类攻击。