BIG trouble with SecurityCritical!!!

  • Question

  • .NET 4.0

    In documentation: "Transparent code cannot use reflection to access security-critical members, even if the code is fully trusted. A MethodAccessException, FieldAccessException, or TypeAccessException is thrown."

    I have:

    library Host.dll

    class VeryDangerousClass {
        [SecurityCritical] private static readonly int __very_big_secret = 134;
        public static int ItIsOpen { get { return __very_big_secret; } }
    }


    I have 2 plug-ins, and Host checks for [assembly:SecurityTransparent] while loading plug-ins


    library WhitePlugin.dll

    [assembly:SecurityTransparent]

    void pluginWork() {
        Console.WriteLine(VeryDangerousClass.ItIsOpen);
    }


    IT WILL CAUSE Exception "WOW U TRY REACH __very_big_secret  from TRANSPARENT CODE, IT'S CRIME"

    And second plug-in:

    library HackerPlugin.dll

    [assembly:SecurityTransparent]

    void pluginWork() {
        var fld = typeof(VeryDangerousClass).GetField("__very_big_secret",
            BindingFlags.NonPublic | BindingFlags.GetField | BindingFlags.Static);
        fld.SetValue(null, 1321321321);
        Console.WriteLine(typeof(VeryDangerousClass)
            .GetProperty("ItIsOpen", BindingFlags.Public | BindingFlags.GetProperty | BindingFlags.Static)
            .GetValue(null, null));
    }


    Oh... it's very nice for the CLR, all works well. It's legal code and legal usage of SecurityCritical code in .NET, WHAT'S THE @$#%#@

    I never even thought that a DOCUMENTED and EXTREMELY IMPORTANT THING, especially after CAS became obsolete, is NOT WORKING!!!!

    I cannot use a SandBox because the application centralizes all processes and provides core services for all other classes and plug-ins; it's hard to do that with SubDomains


    • Edited by fagim Wednesday, October 10, 2012 7:51 PM
    Wednesday, October 10, 2012 7:49 PM

All replies

  • Hi Fagim,

    Welcome to the MSDN Forum

    I am trying to involve someone else in this thread; please wait patiently.

    Thank you for your understanding and support.

    Best regards,


    Mike Feng
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, October 11, 2012 10:54 AM
    Moderator
  • OK, Mike,

    But as you see, it's a very significant issue for me, because we have found ourselves insecure on a released solution full of users and functionality. The core feature of our project since 2006 was the ability to incorporate client-coded extensions into a common platform without risks for core functionality. Now we see that the project is discredited. Now we have stopped adding new extensions and are quickly checking existing code for the permissions it uses. So I hope the answer will come quickly.

    Best Regards

    Thursday, October 11, 2012 11:15 AM
  • Hi Fagim,

    If so, I suggest you try phone support; note that contacting phone support will be a charged call.

    To obtain the phone numbers for a specific technology request, please take a look at the web site listed below.

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS  

    If you are outside the US, please see http://support.microsoft.com for regional support phone numbers.

    Best regards,


    Mike Feng


    Friday, October 12, 2012 4:04 AM
    Moderator
  • Bad suggestion, Mike...

    Phone support in Moscow redirected me to technet.microsoft.com, but they are not specialized in developers' questions and redirected me to MSDN again.

    Now I suggest you ^) contact the .NET guys through internal communication channels and inform them about this issue; I'm not an official partner to do so.

    It's a serious lack. I will check it in MONO and inform you additionally about the result (I think it will be next week), but MONO is not my main target platform, so even if they are good, I need a fix in .NET

    Friday, October 12, 2012 4:58 AM
  • The usual way to submit a bug report is to raise an issue at Microsoft Connect. There, select "Submit bug". This way you can be sure the problem is taken care of.
    Sunday, October 14, 2012 2:41 PM
  • Thx, I have submitted the info there.
    Sunday, October 14, 2012 6:05 PM
  • Hello Fagim,

    Would you mind posting the link here?

    Best regards,


    Mike Feng

    Monday, October 15, 2012 5:39 AM
    Moderator
  • https://connect.microsoft.com/VisualStudio/feedback/details/767152/big-problem-with-securitycriticalattribute-its-simply-can-be-avoided-with-reflection

    Sample VS solution attached.

    P.S.

    In MONO it's even worse - no support for these attributes at all; it ignores them.

    Monday, October 15, 2012 5:46 AM