Understanding Reflection and Security

Suppose you downloaded some code from the Internet. If any of that code could poke around on your system, load any assembly, and perform any operation, then .NET would be problematic indeed. However, instead of opening security holes, Microsoft has advertised that security risks have been diminished by the security model introduced in .NET.

Chapter 18 goes into security at length, so I will refer you to that chapter for the complete picture. In general, code must be granted ReflectionPermission to obtain information about nonpublic members . Without ReflectionPermission code can obtain information about public types and members; enumerate types, modules, and assemblies; and invoke public members.

You might be concerned about code downloaded from the Internet performing some malicious activity, which might include accessing the file system or emitting code and modifying your .NET applications. The default security policy does not extend Reflection, environment, registry, DNS, or socket permissions to Internet code, and it has only limited permissions ”like read-only access for file IO, printing, security, and Web permissions.

If security is an immediate risk to your project, read Chapter 5 on attributes and then skip ahead to Chapter 18. (You can also explore the help documentation links like ms-help://MS.VSCC/MS.MSDNVS/cpguide/html/cpconadministeringsecuritypolicy.htm in Visual Studio .NET.)