.NET 4 Security Trusted Assemblies not given unrestricted permissions.

  • Question

  • I am running into some issues with the .NET 4 Security Model around trusted assemblies not being given unrestricted permissions in a sandboxed app domain. Based on my understanding (which could be wrong), homogeneous app domains have two sets of permissions: the specified set, and an unrestricted set for trusted assemblies (GACed, or those listed with trusted strong names at app domain creation). Untrusted code should be able to call SecuritySafeCritical trusted code in order to perform otherwise restricted operations. I am, however, not seeing this behavior; my trusted assemblies are still subject to the partially trusted app domain's permission set. Below is an example that should work based on my understanding but throws an exception. Is there any way to allow trusted assemblies to execute unrestricted using the .NET 4 security model?

    Assembly A - Trusted host interface

    using System;
    using System.IO;
    using System.Security;
    
    [assembly: AllowPartiallyTrustedCallers]
    namespace Trusted
    {
        [SecuritySafeCritical]
        public class HostInterface : MarshalByRefObject
        {
            public string RequiresFsPermission()
            {
                return Directory.GetDirectories(@"C:\").Length.ToString();
            }
        }
    }
    
    Assembly B - Host which loads assembly A as trusted

    using System;
    using System.IO;
    using System.Security;
    using System.Security.Policy;
    using Trusted;
    
    namespace PartialTrustTest
    {
        class Program
        {
            static void Main()
            {
                var thisAsm = typeof(Program).Assembly;
                var ev = new Evidence();
                ev.AddHostEvidence(new Zone(SecurityZone.Internet));
                var permSet = SecurityManager.GetStandardSandbox(ev);
    
                // Assembly A must be strong-named for this to return a StrongName;
                // otherwise sn is null and nothing is added to the full-trust list.
                var sn = typeof(HostInterface).Assembly.Evidence.GetHostEvidence<StrongName>();
    
                var sandboxInfo = new AppDomainSetup
                {
                    ApplicationBase = Path.GetDirectoryName(thisAsm.Location)
                };
    
                // Homogeneous sandbox: permSet applies to everything except the
                // assemblies named in the full-trust list (sn).
                var sandboxDomain = AppDomain.CreateDomain("Sandbox", null, sandboxInfo, permSet, sn);
                Console.WriteLine(sandboxDomain.IsFullyTrusted);
                var host = (HostInterface)sandboxDomain.CreateInstanceAndUnwrap(typeof(HostInterface).Assembly.FullName,
                    typeof(HostInterface).FullName);
    
                //throws System.Security.SecurityException: 'Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.'
                Console.WriteLine(host.RequiresFsPermission());
    
                Console.ReadKey();
            }
        }
    }
    

    Saturday, May 13, 2017 1:04 AM

Answers

  • IIRC, when a piece of code demands a security right, it looks up the stack* to ensure that the callers all have the required rights. This is so that an un-trusted piece of code can't use your method to bypass security. If you want to take on the responsibility for ensuring that the specified access is safe and doesn't leak any 'sensitive' information, then your method can assert the required permissions.

    (*) I believe it actually looks up the compressed stack which gets copied around with the execution context.

    • Marked as answer by Greg Horvath Saturday, May 13, 2017 2:45 AM
    Saturday, May 13, 2017 2:29 AM
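One way to apply the answer above in the poster's Assembly A, as an added example that is not part of the original thread: a hardened HostInterface that asserts only the FileIOPermission the enumeration needs, pins the path to a host-chosen constant so the sandboxed caller cannot steer the assert, and reverts the assert afterwards. The Root constant and the method layout are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

[assembly: AllowPartiallyTrustedCallers]
namespace Trusted
{
    // Hypothetical hardened version of the poster's HostInterface.
    [SecuritySafeCritical]
    public class HostInterface : MarshalByRefObject
    {
        // Fixed, host-chosen path: a partially trusted caller cannot pass
        // its own path, so the assert below only ever covers this directory.
        private const string Root = @"C:\";

        public string RequiresFsPermission()
        {
            // Assert just what Directory.GetDirectories demands (PathDiscovery
            // under Root), not Unrestricted. The stack walk stops at this frame
            // instead of reaching the Internet-zone caller frames.
            var perm = new FileIOPermission(FileIOPermissionAccess.PathDiscovery, Root);
            perm.Assert();
            try
            {
                return Directory.GetDirectories(Root).Length.ToString();
            }
            finally
            {
                // Keep the elevated window as short as possible.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Asserting requires the assembly itself to hold the permission (and SecurityPermissionFlag.Assertion), which it does only when it is in the sandbox's full-trust list; the assert is what removes the caller frames from the demand, not the full-trust grant on its own.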

All replies

  • That's what I was missing. That means I would have to go through every class/method and add the proper asserts for each method. Thanks for the quick reply.
    Saturday, May 13, 2017 2:45 AM