MBR, AppDomain and cross-domain security

  • Question

  • Hi!

    My scenario consists of three steps:

    1. Default application domain creates a new sandbox domain with a restricted set of granted permissions;
    2. Default application domain loads necessary assemblies into the sandbox;
    3. Default application domain creates a new instance of a MarshalByRef-derived class that provides a small API to work with files. This instance is saved into the sandbox with the SetData method. So, this instance is accessible from the sandbox by remoting reference.
    4. Code located in the sandbox uses the remoting reference (obtained with GetData) to invoke some methods.

    and I got a strange problem with security:

    Code in the sandboxed domain has no security permissions for file access. But invocation of the MBR-derived class transfers from partially-trusted code to fully-trusted code in the default domain across remoting boundaries. In this case, the instance of the MBR-derived class should have the same granted set as the default domain, but it does not. In short, my question is "Why does CAS inherit security context across remoting boundaries?".

    Thanks a lot!


    It is easier to split an atom than a prejudice
    Tuesday, March 22, 2011 3:39 AM

Answers

All replies

  • Hi Roman,


    Thank you for your question, we're doing research on this case, it might take some time before we get back to you.


    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, March 23, 2011 9:58 AM
  • After two days and nights of research I found the solution.

    This is a complex error therefore there is no way to write a small portion of code that demonstrates security problems. But I'll try:

    using System;
    using System.IO;
    using System.Security;
    using System.Security.Permissions;

    interface IRemoteObj
    {
        void SomeMethod();
    }

    sealed class RemoteObj : MarshalByRefObject, IRemoteObj
    {
        public void SomeMethod()
        {
            File.Create("sample.txt").Dispose(); //Exception here
        }
    }

    static class Program
    {
        // Runs inside the sandbox domain and calls the object through its remoting reference.
        static void CallMethodAcrossDomains()
        {
            var obj = (IRemoteObj)AppDomain.CurrentDomain.GetData("REM_OBJ");
            obj.SomeMethod();
        }

        static void Main(string[] args)
        {
            // Grant set of the sandbox: execution and reflection only, no file access.
            var permset = new PermissionSet(PermissionState.None);
            permset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
            permset.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));
            var newdom = AppDomain.CreateDomain("SANDBOX", null, AppDomain.CurrentDomain.SetupInformation, permset);
            // The object is created in the default domain and handed to the sandbox.
            newdom.SetData("REM_OBJ", new RemoteObj());
            newdom.DoCallBack(CallMethodAcrossDomains);
        }
    }


    CAS generates the following exception:

    Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

    But this is not right, because the code is located in a fully-trusted app domain.

    Fortunately, the solution is very simple: I just need to elevate CAS through an assertion in the SomeMethod implementation. There are two ways to do this: imperative and declarative (preferable for me).

    [PermissionSet(SecurityAction.Assert, Unrestricted = true)]
    public void SomeMethod()
    {
        File.Create("sample.txt").Dispose();
    }
    

    And I discovered a small bug (in my opinion) associated with the SecurityCriticalAttribute attribute. According to the MSDN documentation, security transparent code cannot call security-critical code. But if I decorate SomeMethod with SecurityCriticalAttribute then CAS ignores this fact and doesn't throw an exception. This is very strange, because I don't understand the context in which SomeMethod is executed: fully-trusted or partially-trusted.

    P.S.: Mono doesn't have this security issue.

    Thursday, March 24, 2011 7:44 AM
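
The imperative form of the assertion mentioned in the reply above, narrowed to one directory instead of an unrestricted permission set. This is an added example, not code from the thread; the class SandboxFileApi, the method CreateFile and the rootDirectory parameter are hypothetical names, and the object is assumed to be created by the fully-trusted default domain.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical file API handed to the sandbox; its methods execute in the
// fully-trusted default domain, with the sandbox still on the call stack.
public sealed class SandboxFileApi : MarshalByRefObject
{
    private readonly string root;

    // Called by the host before any sandbox frame is on the stack, so the
    // PathDiscovery demand made by Path.GetFullPath succeeds here.
    public SandboxFileApi(string rootDirectory)
    {
        root = Path.GetFullPath(rootDirectory);
    }

    public void CreateFile(string fileName)
    {
        // The caller is partially trusted: accept a bare file name only,
        // never a path, so the assertion below cannot be steered outside root.
        if (string.IsNullOrEmpty(fileName)
            || fileName == "." || fileName == ".."
            || Path.GetFileName(fileName) != fileName)
        {
            throw new ArgumentException("File name only, no directory parts.", "fileName");
        }
        string target = Path.Combine(root, fileName);

        // Assert file access for this one directory. Demands for any other
        // permission, or for paths outside root, still reach the sandbox
        // grant set and fail there.
        new FileIOPermission(FileIOPermissionAccess.AllAccess, root).Assert();
        try
        {
            File.Create(target).Dispose();
        }
        finally
        {
            // Drop the assertion as soon as the file operation is done.
            CodeAccessPermission.RevertAssert();
        }
    }
}
```
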
  • You may submit this issue to the Microsoft Connect feedback portal http://connect.microsoft.com. Microsoft engineers will evaluate it seriously, thanks.
    Eric Yang [MSFT]

    • Marked as answer by eryang Tuesday, April 19, 2011 2:10 AM
    Saturday, March 26, 2011 8:17 AM