CLR assembly: is it possible to detect "unsafe" compile-time flag?

  • Question

  • Hello,

    I'm developing a security checking mechanism for a plugin-based system.

    I already check for P/Invoke usage and third-party assembly referencing/loading, using a CLR parser to look up assembly headers and metadata.

    Is there some flag or a way to detect if the "unsafe" flag was used during compilation, or if a method uses the unsafe keyword?

    At least .NET Reflector does not show the unsafe keyword in its disassembly (I did not check the actual IL code generated), so I suppose it may only be a flag or some distinguishable sign in the metadata.

    Anybody tried that?


    Thanks.

    Tuesday, May 11, 2010 11:37 PM

Answers

  • When the /unsafe switch is used, the C# compiler emits a SecurityPermission attribute for SkipVerification on the assembly:

    [assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification=true)]

    You might need to be concerned with modified assemblies where the attacker has intentionally removed this attribute even though unverifiable code is present. (IIRC, if you are running at full trust, the verification step is omitted regardless of this attribute.)

    > I'm developing a security checking mechanism for a plugin-based system.

    If you haven't already, you might want to look into the AppDomain sandboxing capabilities. It sounds like you are trying to roll a lot of your own logic for this, duplicating what Microsoft did with both the IL verifier and CAS. Doing this on your own undoubtedly has a lot of security pitfalls!

    http://msdn.microsoft.com/en-us/library/bb763046.aspx


    Tuesday, May 11, 2010 11:50 PM
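The answer above names two things a checker can look at: the declarative `SecurityPermission(SkipVerification=true)` request that csc emits for `/unsafe`, and the unverifiable code itself, which stays in the assembly even if someone strips the attribute. The scanner below is an added example written for this page, not code from the thread or from Microsoft; it assumes the `System.Reflection.Metadata` package (built into .NET Core / .NET 5+, available on NuGet for .NET Framework) and takes the assembly path on the command line. One detail worth knowing: the attribute lands in the `DeclSecurity` metadata table, not in `CustomAttribute`, so `Assembly.GetCustomAttributes()` will never return it; the raw metadata reader is the right tool. As a second, attribute-independent sign it reports every method whose signature or locals contain a pointer or function-pointer type (this covers `fixed` and pointer parameters, but not an `unsafe` block that only uses `stackalloc` or `sizeof`; the IL verifier remains the authoritative check).

```csharp
// Added example (not from the thread): read-only scanner for the two signs of /unsafe.
// Assumes System.Reflection.Metadata; usage: UnsafeScan <path-to-assembly.dll>
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

public sealed class UnsafeReport
{
    public bool RequestsSkipVerification;                     // emitted by csc for /unsafe
    public List<string> PointerMethods = new List<string>();  // pointer types in sig/locals
    public bool LooksUnsafe => RequestsSkipVerification || PointerMethods.Count > 0;
}

public static class UnsafeAssemblyScanner
{
    public static UnsafeReport Scan(string path)
    {
        var report = new UnsafeReport();
        using var stream = File.OpenRead(path);
        using var pe = new PEReader(stream);
        MetadataReader md = pe.GetMetadataReader();
        object ctx = null;   // no generic context needed for a "contains pointer" probe

        // 1. DeclSecurity rows whose parent is the assembly itself.
        foreach (var h in md.DeclarativeSecurityAttributes)
        {
            var ds = md.GetDeclarativeSecurityAttribute(h);
            if (ds.Parent.Kind == HandleKind.AssemblyDefinition &&
                RequestsSkipVerification(md.GetBlobReader(ds.PermissionSet)))
                report.RequestsSkipVerification = true;
        }

        // 2. Pointer types anywhere in a method's signature or local variable table.
        var probe = new PointerProbe();
        foreach (var mh in md.MethodDefinitions)
        {
            var method = md.GetMethodDefinition(mh);
            MethodSignature<bool> sig = method.DecodeSignature(probe, ctx);
            bool seen = sig.ReturnType;
            foreach (bool p in sig.ParameterTypes) seen |= p;
            if (method.RelativeVirtualAddress != 0)               // abstract/extern have no body
            {
                var body = pe.GetMethodBody(method.RelativeVirtualAddress);
                if (!body.LocalSignature.IsNil)
                    foreach (bool l in md.GetStandaloneSignature(body.LocalSignature)
                                         .DecodeLocalSignature(probe, ctx)) seen |= l;
            }
            if (!seen) continue;
            var type = md.GetTypeDefinition(method.GetDeclaringType());
            report.PointerMethods.Add(
                $"{md.GetString(type.Namespace)}.{md.GetString(type.Name)}::{md.GetString(method.Name)}");
        }
        return report;
    }

    // Binary permission-set blob (ECMA-335 II.22.11): '.', count, then per permission:
    // SerString type name, compressed arg-blob size, compressed named-arg count, named args.
    static bool RequestsSkipVerification(BlobReader blob)
    {
        if (blob.Length == 0 || blob.ReadByte() != (byte)'.') return false;   // old XML form starts with '<'
        int permissions = blob.ReadCompressedInteger();
        for (int i = 0; i < permissions; i++)
        {
            string typeName = blob.ReadSerializedString() ?? "";
            int size = blob.ReadCompressedInteger();
            int next = blob.Offset + size;                        // lets us skip args we do not decode
            if (typeName.StartsWith("System.Security.Permissions.SecurityPermissionAttribute", StringComparison.Ordinal))
            {
                int args = blob.ReadCompressedInteger();
                for (int a = 0; a < args; a++)
                {
                    blob.ReadByte();                              // 0x53 FIELD or 0x54 PROPERTY
                    if (blob.ReadByte() != 0x02) break;           // only ELEMENT_TYPE_BOOLEAN decoded
                    string name = blob.ReadSerializedString();
                    bool value = blob.ReadBoolean();
                    if (name == "SkipVerification" && value) return true;
                }
            }
            blob.Offset = next;
        }
        return false;
    }

    // Maps every type in a signature to one bool: "this type contains a pointer".
    sealed class PointerProbe : ISignatureTypeProvider<bool, object>
    {
        public bool GetPointerType(bool elem) => true;
        public bool GetFunctionPointerType(MethodSignature<bool> sig) => true;   // C# 9 delegate*
        public bool GetPrimitiveType(PrimitiveTypeCode code) => false;
        public bool GetTypeFromDefinition(MetadataReader r, TypeDefinitionHandle h, byte k) => false;
        public bool GetTypeFromReference(MetadataReader r, TypeReferenceHandle h, byte k) => false;
        public bool GetTypeFromSpecification(MetadataReader r, object c, TypeSpecificationHandle h, byte k)
            => r.GetTypeSpecification(h).DecodeSignature(this, c);
        public bool GetSZArrayType(bool elem) => elem;
        public bool GetArrayType(bool elem, ArrayShape shape) => elem;
        public bool GetByReferenceType(bool elem) => elem;
        public bool GetPinnedType(bool elem) => elem;                // 'fixed' locals are pinned pointers
        public bool GetModifiedType(bool mod, bool unmodified, bool req) => unmodified;
        public bool GetGenericInstantiation(bool g, ImmutableArray<bool> args) => g || args.Contains(true);
        public bool GetGenericMethodParameter(object c, int index) => false;
        public bool GetGenericTypeParameter(object c, int index) => false;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var r = UnsafeAssemblyScanner.Scan(args[0]);
        Console.WriteLine($"SkipVerification requested: {r.RequestsSkipVerification}");
        foreach (var m in r.PointerMethods) Console.WriteLine($"pointer use: {m}");
        Console.WriteLine(r.LooksUnsafe ? "verdict: unsafe code present" : "verdict: no unsafe signs found");
    }
}
```

Treat the two signals differently in a policy: a stripped attribute with pointer methods still present is exactly the tampering case the answer warns about, while a `SkipVerification` request with no pointer use is most likely an honest `/unsafe` build. Neither replaces running PEVerify (or ILVerify on newer .NET) over untrusted plugins.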

All replies

  • BinaryCoder: Thanks.

    Sandboxing will not work for me, as I am making a solution which needs to work on the Compact Framework as well.

    It'll probably be sufficient for me to look up assembly attributes. I have a requirement for all assemblies to be signed with known keys; on the Full Framework I also force signature verification on assembly load, so altering is not possible.

    Wednesday, May 12, 2010 2:03 PM