Review Assemblies That Allow Partial Trust

I well remember the day the decision was made to add the AllowPartiallyTrustedCallersAttribute attribute to .NET. The rationale made perfect sense: most attacks will come from the Internet, where code is partially trusted, that is, allowed to perform some tasks and not others. For example, your company might enforce a security policy that allows code originating from the Internet to open a socket connection back to the source server but does not allow it to print documents or to read and write files. So, the decision was made to not allow partially trusted code to access certain assemblies that ship with the CLR and .NET Framework, and by default that restriction also covers all code produced by third parties, including you. This reduces the attack surface of the environment enormously. I remember the day well because this new attribute prevents code from accidentally becoming callable by potentially hostile Internet-based code: opting in is a conscious decision made by the developer.

If you develop code that can be called by partially trusted code and you have performed appropriate code reviews and security testing, use the AllowPartiallyTrustedCallersAttribute assembly-level custom attribute to allow invocation from partially trusted code:

using System.Security;
[assembly: AllowPartiallyTrustedCallers]
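As an added example (not code from the book), here is what "taking the necessary precautions" looks like inside an assembly that opts in with the attribute, written for the .NET Framework 1.x/2.x code access security model this chapter describes (CAS policy is deprecated from .NET Framework 4 onward and absent from .NET Core). The assembly, type and member names are hypothetical. The first method shows the pattern to avoid: it asserts file permission on a caller-supplied path, which would let a partially trusted caller borrow the assembly's own trust to write anywhere. The second method writes only to a path the assembly chooses and demands the exact permission from every caller on the stack, so a caller that lacks it fails with a SecurityException before any file is touched.

```csharp
// AuditLog.cs, compiled into the strong-named assembly SafeLogger.dll (hypothetical name).
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Opt in to partially trusted callers only after the code review described in the text.
[assembly: AllowPartiallyTrustedCallers]

namespace SafeLogger
{
    public static class AuditLog
    {
        // Directory chosen by this assembly, never by the caller.
        private static readonly string LogDir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            "SafeLogger");

        // WEAK: asserting away the stack walk on a caller-controlled path turns this
        // APTCA assembly into a confused deputy. Kept here only to show the anti-pattern.
        public static void UnsafeAppend(string callerChosenPath, string message)
        {
            new FileIOPermission(FileIOPermissionAccess.Append, callerChosenPath).Assert();
            try
            {
                File.AppendAllText(callerChosenPath, message + Environment.NewLine);
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
        }

        // HARDENED: fixed destination plus an explicit Demand. Partially trusted callers
        // without append rights to LogDir get a SecurityException at the Demand.
        public static void Append(string message)
        {
            if (message == null) throw new ArgumentNullException("message");
            string path = Path.Combine(LogDir, "audit.log");

            new FileIOPermission(FileIOPermissionAccess.Append, path).Demand();

            Directory.CreateDirectory(LogDir);
            using (StreamWriter w = File.AppendText(path))
            {
                // Strip line breaks so a caller cannot forge extra log records.
                string oneLine = message.Replace("\r", " ").Replace("\n", " ");
                w.WriteLine("{0:o} {1}", DateTime.UtcNow, oneLine);
            }
        }
    }
}
```

The Demand is the important line: it makes the runtime walk the whole call stack, so the trust of the APTCA assembly itself is never substituted for the trust of the code that called it. Any public member that hands out objects from a non-APTCA assembly, or that asserts permissions over caller-supplied input, needs the same scrutiny before the attribute is applied.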

Assemblies that allow partially trusted callers should never expose objects from assemblies that do not allow partially trusted callers.

IMPORTANT
Be aware that assemblies that are not strong-named can always be called from partially trusted code.

Finally, if your code is not fully trusted, it might not be able to use code that requires fully trusted callers, such as strong-named assemblies that lack AllowPartiallyTrustedCallersAttribute.

You should also be aware of the following scenario, in which an assembly chooses to refuse permissions:

  • Strong-named assembly A does not have AllowPartiallyTrustedCallersAttribute.

  • Strong-named assembly B uses a permission request to refuse permissions, which means it is now partially trusted, because it does not have full trust.

  • Assembly B can no longer call code in Assembly A, because A does not support partially trusted callers.
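The three-step scenario above, as an added example that is not from the book, again for the .NET Framework 1.x/2.x CAS model. The assembly names CoreOps and Client are hypothetical. Assembly A is strong-named and has no AllowPartiallyTrustedCallersAttribute, so the runtime places an implicit link demand for FullTrust on its public members. Assembly B refuses a single permission it never needs; because it no longer holds the full permission set, it is partially trusted and the link demand fails. The call into A is placed in its own method because the link demand is checked when that method is JIT-compiled, which is why the try/catch must sit one frame up in Main.

```csharp
// ---- File 1: Registry.cs, compiled to the strong-named CoreOps.dll (assembly A) ----
// Deliberately no [assembly: AllowPartiallyTrustedCallers] here.
namespace CoreOps
{
    public static class Registry
    {
        public static string ReadSetting(string name)
        {
            // Constructed stand-in for privileged work.
            return "value-of-" + name;
        }
    }
}

// ---- File 2: Program.cs, compiled to the strong-named Client.exe (assembly B) ----
// Client.exe references CoreOps.dll.
using System;
using System.Security;
using System.Security.Permissions;

// Refusing any permission means B no longer has FullTrust, so B is partially trusted.
[assembly: SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode = true)]

namespace Client
{
    static class Program
    {
        // The implicit LinkDemand for FullTrust on CoreOps.Registry is evaluated when this
        // method is JIT-compiled, i.e. on the first call from Main, not inside its body.
        static string CallIntoA()
        {
            return CoreOps.Registry.ReadSetting("timeout");
        }

        static void Main()
        {
            try
            {
                Console.WriteLine(CallIntoA());
            }
            catch (SecurityException e)
            {
                // Expected outcome in this configuration.
                Console.WriteLine("Call into CoreOps refused: " + e.Message);
            }
        }
    }
}
```

The two ways out are the ones the text implies: either A is reviewed and opts in with AllowPartiallyTrustedCallersAttribute, or B stops refusing permissions so that it keeps full trust. Dropping the strong name from A would also remove the link demand, but it gives up the identity guarantee of the strong name along with it.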

IMPORTANT
The AllowPartiallyTrustedCallersAttribute attribute should be applied only after the developer has carefully reviewed the code, ascertained the security implications, and taken the necessary precautions to defend from attack.



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
