13.1 Allow Partially Trusted Code to Use Your Strong-Named Assembly


Problem

You need to write a shared assembly that is accessible to partially trusted code. (By default, the runtime does not allow partially trusted code to access the types and members contained in a strong-named assembly.)

Solution

Apply the assembly-level attribute System.Security.AllowPartiallyTrustedCallersAttribute to your shared assembly.

Discussion

To minimize the security risks posed by malicious code, the runtime doesn't allow assemblies granted only partial trust to access strong-named assemblies. This restriction dramatically reduces the opportunity for malicious code to attack your system, but the reasoning behind such a heavy-handed approach requires some explanation.

As a rule, strong-named assemblies are installed in the global assembly cache (GAC) and contain important functionality that is shared between multiple applications. This is particularly true of the assemblies that constitute the .NET Framework class library. Other strong-named assemblies from well-known and widely distributed products will also be in the GAC and accessible to managed applications. The high chance that certain assemblies will be present in the GAC, their easy accessibility, and their importance to many different applications make strong-named assemblies the most likely target for any type of subversive activity by malicious managed code.

Generally, the code most likely to be malicious is that which is loaded from remote locations, such as the Internet, over which you have little or no control. Under the default security policy, all code run from the local machine has full trust, whereas code loaded from remote locations has only partial trust. Stopping partially trusted code from accessing strong-named assemblies means that partially trusted code has no opportunity to use the features of the assembly for malicious purposes and can't probe and explore the assembly to find exploitable holes. Of course, this theory hinges on the assumption that you correctly administer your security policy. If you simply assign all code full trust, not only will any assembly be able to access your strong-named assembly, the code will also be able to access all of the functionality of the .NET Framework. This would be a security disaster!

Note  

If you design, implement, and test your shared assembly correctly, using code access security to restrict access to important members, there is no need to impose a blanket restriction to stop partially trusted code from using your assembly. However, for an assembly of any significance, it's impossible to prove there are no security holes that malicious code can exploit. Therefore, you should carefully consider the need to allow partially trusted code to access your strong-named assembly before applying AllowPartiallyTrustedCallersAttribute.

The runtime stops partially trusted code from accessing strong-named assemblies by placing an implicit LinkDemand for the FullTrust permission set on every public and protected member of every publicly accessible type defined in the assembly. This means that only assemblies granted the permissions equivalent to the FullTrust permission set are able to access the types and members from the strong-named assembly. Applying AllowPartiallyTrustedCallersAttribute to your strong-named assembly signals the runtime not to enforce the LinkDemand on the contained types and members.

Note  

The runtime is responsible for enforcing the implicit LinkDemand security actions required to protect strong-named assemblies; the C# compiler doesn't generate declarative LinkDemand statements at compile time.

The following code fragment shows the application of the attribute AllowPartiallyTrustedCallersAttribute. Notice that you must prefix the attribute with assembly: to signal to the compiler that the target of the attribute is the assembly (such an attribute is also called a global attribute). In addition, there is no need to include the Attribute part of the attribute name, although you can if you want to. Because you target the assembly, the attribute must be positioned after any top-level using statements, but before any namespace or type declarations.

 using System.Security;

 // Global (assembly-level) attribute: placed after the using directives
 // and before any namespace or type declarations.
 [assembly:AllowPartiallyTrustedCallers]

 public class AllowPartiallyTrustedCallersExample {
 }

Tip  

It's common practice to contain all global attributes in a file separate from the rest of your application code. Microsoft Visual Studio .NET uses this approach, creating a file named AssemblyInfo.cs to contain all global attributes.

If, after applying AllowPartiallyTrustedCallersAttribute to your assembly, you want to stop partially trusted code from calling only specific members, you should implement a LinkDemand for the FullTrust permission set on those members, as shown in the following code fragment:

 // Re-imposes the FullTrust requirement on this one member only;
 // the rest of the assembly remains callable by partially trusted code.
 [System.Security.Permissions.PermissionSetAttribute
     (System.Security.Permissions.SecurityAction.LinkDemand,
     Name="FullTrust")]
 public void SomeMethod() {
 }
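The two fragments above combined into one complete picture, as an added example that is not code from the book: a strong-named library that opts in to partially trusted callers but re-restricts a single member, and a partially trusted caller that handles the resulting SecurityException. The library is assumed to be compiled with a key file as its own assembly, and the type and method names are invented for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// --- Library (compiled as its own strong-named assembly) ---
// Global attribute: after the using directives, before any namespace or type.
[assembly: AllowPartiallyTrustedCallers]

namespace SharedLibrary
{
    public class SensitiveOperations
    {
        // Reachable from partially trusted code because of the assembly-level attribute.
        public static string Describe()
        {
            return "Read-only information that is safe to expose";
        }

        // Re-imposes the FullTrust requirement on just this member. A LinkDemand is
        // checked against the immediate caller when that caller is JIT-compiled.
        [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
        public static void WriteToPath(string path, string text)
        {
            File.WriteAllText(path, text);
        }
    }
}

// --- Caller (a separate, partially trusted assembly) ---
namespace ClientApp
{
    public class Client
    {
        // The LinkDemand fails while this method is being JIT-compiled, not when the
        // call executes, so a try/catch inside this same method would never see it.
        private static void CallRestricted()
        {
            SharedLibrary.SensitiveOperations.WriteToPath(@"C:\temp\out.txt", "data");
        }

        // Wrapping the call in a separate method lets the caller observe the failure.
        public static bool TryCallRestricted()
        {
            try { CallRestricted(); return true; }
            catch (SecurityException ex)
            {
                Console.WriteLine("Link demand failed: " + ex.Message);
                return false;
            }
        }
    }
}
```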



C# Programmer's Cookbook
ISBN: 735619301
Year: 2006
Pages: 266
