Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / New Users / January 2006

Tip: Looking for answers? Try searching our database.

Securly hosting addins and/or sandboxing

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Peter Ritchie - 19 Jan 2006 19:29 GMT
I've been researching how to securely host addins in a .NET 1.1 environment
(AKA sandboxing).  I've found various references on the separate AppDomain
method which (if I'm following correctly) essentially loads an assembly and a
type from that assembly within a different AppDomain and marshals the object
to another AppDomain via use of the following functions:
AppDomain.CreateDomain
AppDomain.CreateInstanceAndUnwrap or .CreateInstancFromAndUnwrap
Assembly.Load

...where CreateInstance[From]AndUnwrap would create an internal utility type
(deriving from MarshalByRefObject) that calls Assembly.Load and/or
CreateInstance[From]AndUnwrap for the addin and its type.  This also requires
the addin type (and aggregate types) to be Serializable.

This provides a certain physical separation of the addin type from the rest
of the application.  Security can be added with AppDomain.SetAppDomainPolicy
before loading the addins assembly and loading the requisite type to apply
the principle of least privilege and to prevent luring attacks.

I've found the bare minimum permissions to be Execution and FileIOPermission
= Unrestricted.  Although, I'm leery an addin truely requires this level of
FileIOPermission.

I've only found theoretic discussions on the use of these functions and have
not found a complete concrete example.  e.g. is simply calling these
functions provide the best security for an application running addins?  Could
someone point me to a good example of this type of sandboxing.  Also, I would
be interested in unit tests that show the various types of attacks and how
they are thwarted by this sandboxing technique.

Signature

http://www.peterRitchie.com/

Reply to this Message
"Peter Huang" [MSFT] - 20 Jan 2006 03:30 GMT
Hi,

Based on my research, I did not find a mature Unit test code to simulate
the attack.
Here is link about create Sandboxing application for your reference.
The Simple Sandboxing API
http://blogs.msdn.com/shawnfa/archive/2005/08/08/449050.aspx

Also based on my knowledge, there is no such definite permission setting
for a Sandboxing Application. Less permission will make the Sandboxing
application more secure.  But less permission will restrict the Sandbox
application's function. So how to set the permission depends on what you
Sandboxing application want to do. The principle is as less as possible
based on the functions you want to implement in your Sandboxing application.

Best regards,

Peter Huang
Microsoft Online Partner Support

Signature

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Reply to this Message
Peter Ritchie - 20 Jan 2006 18:40 GMT
Hi Peter.  Thanks for your response.  Your reference to the blog on the
Simple Sandboxing API was interesting; but, I'm dealing with .NET 1.1--the
Simple Sandboxing API is .NET 2.0.

That blog's reference to "Creating an AppDomain with limited permissions"
(http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx) is one of the
references I've been using; but, as with all of the other references, it does
not provide any example of how to properly use the "restricted domain",
especially with external assemblies (e.g. "addins").

For example, I was under the impression that creating a new AppDomain and
attempting to load an assembly with that object doesn't properly load that
assembly within the restricted domain.  I've found other references on doing
that; but, there are no examples on how to use types loaded from that
assembly in the correct domain.  Does all access to anything in that domain
have to be marshaled?

For example, some of Shawn Farkas' examples mandate that in order to truly
load the assembly in another domain CreateInstanceAndUnwrap needs to be
called on an internal class and have a method of that class load the
assembly.  This seems to work fine; the assembly is loaded within the correct
AppDomain and execution of a method of a type loaded from that assembly is
executed within the correct domain.  But, if that type is returned back from
the assembly loader class we're back into the original domain and any calls
into that assembly loaded into a restricted domain are not restricted.

I'm assuming this is because the type has been marshaled back into the
calling domain; which really defeats the purpose of an assembly loader class.

Through trial and error I've found that the permissions required to even
load a type from an assembly are as follows:
FileIOPermission(FileIOPermissionAccess.Read |
FileIOPermissionAccess.PathDiscovery, assemblyDirectory)
FileIOPermission(FileIOPermissionAccess.Read,
System.Runtime.InteropServices.RuntimeEnvironment.SystemConfigurationFile)

For that assembly to do anything else may (probably) requires more
permissions--which are wholly undocumented.  For example, given the above
permissions a call to System.Diagnostics.Debug.WriteLine() causes a security
exception; but Diagnostics, Debug, and WriteLine (in 1.1) make no mention of
permission requirements.

Signature

http://www.peterRitchie.com/

> Hi,
>
[quoted text clipped - 18 lines]
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.
Reply to this Message
"Peter Huang" [MSFT] - 23 Jan 2006 08:25 GMT
Hi

Based on my research, it seems that there are no such a complete sandboxing
example to fully address your concern.
Although the blog is discussing the .NET 2.0, the principle is of the same.

Also commonly we did not want the the sandboxing environment to interact
with other assembly.
e.g. Assembly load in AppDomain A, our application loaded in domain B.
If we allow certian method in AppDomain A to call the method in AppDomain
B. Because B have more rights than A, there will be security vulnerable.

The communication between appdomains is using Remoting which is a mechanism
introduced by .NET.
Here is a sampe for your reference.
Plug-in Manager
https://secure.codeproject.com/csharp/DynamicPluginManager.asp

For the detailed information about .NET Security, please post in the .NET
security group.
microsoft.public.dotnet.security

Best regards,

Peter Huang
Microsoft Online Partner Support

Signature

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.