Assert and RevertAssert

Previous page
Table of content
Next page

You can call the CodeAccessPermission.Assert method to prevent a demand propagating beyond the current stack frame. By using Assert , you vouch for the trustworthiness of your code's callers . Because of the potential for luring attacks, Assert needs to be used with caution.

Asserts are most often used to sandbox privileged code. If you develop code that calls Assert , you need to ensure that there are alternate security measures in place to authorize the calling code. The following recommendations help you to minimize the risks.

  • Use the demand / assert pattern

  • Reduce the Assert duration

Use the Demand / Assert Pattern

Demanding a specific permission before calling Assert is an effective way to authorize upstream code. Sometimes you might be able to demand a built-in permission type to authorize calling code.

Often, if your assembly is exposing functionality that is not provided by the .NET Framework class library, such as calling the Data Protection API (DPAPI), you need to develop a custom permission and demand the custom permission to authorize callers. For example, you might develop a custom Encryption permission to authorize callers to a managed DPAPI wrapper assembly. Demanding this permission and then asserting the unmanaged code permission is an effective way to authorize calling code.

For more information about this approach and about developing custom permissions, see "How To: Create a Custom Encryption Permission" in the "How To" section of this guide.

Reduce the Assert Duration

If you only need to call Assert to satisfy the demands of a single downstream method that your code calls, then place the Assert immediately prior to the downstream method call. Then immediately call RevertAssert to keep the assertion window as small as possible, and to ensure that any subsequent code your method calls does not inadvertently succeed because the Assert is still in effect.

A common practice is to place the call to RevertAssert in a finally block to ensure that it always gets called even in the event of an exception.



Previous page
Table of content
Next page
Improving Web Application Security. Threats and Countermeasures
Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
Authors: Microsoft Corporation
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
High-Speed Signal Propagation[c] Advanced Black Magic
Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More
Twisted Network Programming Essentials
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
Microsoft Visual Basic .NET Programmers Cookbook (Pro-Developer)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy