WCF Named Pipe Security and Multiple User Sessions?

Problem :

I have set up a WPF application that is single instance using a Mutex; this allows the application to run within each user account if you are using user switching. The application sets up a WCF named pipe so that I can communicate with the single instance from another process (i.e. when the second process runs, before it terminates due to the Mutex).

I would like to know if anything should be done (best practices) to secure the named pipe?

Also, I would like to know whether the named pipe messages would reach all running processes within the system or only those within the current user session. If the named pipe is system-wide, what would be the best implementation to restrict the communication to the current user's session?

Solution :

Named pipes in WCF are not accessible from the network and no encryption is required to secure them. However, WCF services are not secure against the attack mentioned by romkyns.

I suggest you read these posts about the security problems involved:

Exploring the WCF Named Pipe Binding – Part 1

Exploring the WCF Named Pipe Binding – Part 2

Exploring the WCF Named Pipe Binding – Part 3

Exploring the WCF Named Pipe Binding – Part 4

In short, WCF allows ANY process to masquerade as the service and:

  1. Either simulate the service OR
  2. Eavesdrop on and tamper with data, assuming that the rogue process itself connects to the service. However, if the service uses access security to check the identity of the calling user, this may not be possible.

Named pipes imply that the communication is point-to-point on the same machine. I believe that it is secured by default, but since communication is never leaving the machine, even on the same network, that security isn’t the biggest thing to worry about – at least in regards to the communication between a named pipe component and its consumer.

Check out “Programming WCF Services 2nd Edition” by Juval Lowy. Chapter 10 is all about component security. On page 514, he writes “there is no sense in using Message security over IPC, since with IPC there is always exactly one hop from the client to the service.” The chart on that page shows that Transport security is turned on by default for named pipes.

This paper on named pipe security discusses the topic in a lot of detail.

In short, if you’re not careful you could allow a malicious program running with standard user permission to exploit a pipe to elevate itself to the same privilege level as the named pipe server.

I’m afraid I don’t know whether the WCF implementation is secure against this type of attack by default.
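The caller-identity check mentioned above ("if the service uses access security to check the identity of the calling user"), sketched as an added example that is not part of the original posts: a self-hosted named pipe endpoint that only accepts callers running under the same Windows account as the host. The contract `ISingleInstance`, the service class, the `ExampleApp` address and the per-session naming scheme are hypothetical; the check authenticates callers to the service and does not by itself stop another process from posing as the service to clients.

```csharp
using System;
using System.Diagnostics;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface ISingleInstance                  // hypothetical contract
{
    [OperationContract]
    void Activate(string[] args);
}

public class SingleInstanceService : ISingleInstance
{
    public void Activate(string[] args) { Console.WriteLine("Activated: " + string.Join(" ", args)); }
}

// Rejects every caller whose account SID differs from the SID of the account running the host.
public class SameUserAuthorizationManager : ServiceAuthorizationManager
{
    private readonly SecurityIdentifier hostUser = WindowsIdentity.GetCurrent().User;

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null) return false;
        return hostUser.Equals(ctx.WindowsIdentity.User) && base.CheckAccessCore(operationContext);
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security gives the service a Windows identity for the caller.
        var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        // Assumed naming scheme: one address per logon session, so instances started
        // under fast user switching do not collide on the same endpoint address.
        int session = Process.GetCurrentProcess().SessionId;
        var address = new Uri("net.pipe://localhost/ExampleApp/session-" + session);

        using (var host = new ServiceHost(typeof(SingleInstanceService)))
        {
            host.AddServiceEndpoint(typeof(ISingleInstance), binding, address);
            host.Authorization.ServiceAuthorizationManager = new SameUserAuthorizationManager();
            host.Open();
            Console.WriteLine("Listening on " + address);
            Console.ReadLine();                   // keep the host alive until Enter is pressed
        }
    }
}
```

The check is keyed on the account SID rather than the session ID, so a second session of the same user would also be accepted.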
