Guest
I've been researching how to securely host addins in a .NET 1.1 environment
(AKA sandboxing). I've found various references on the separate AppDomain
method which (if I'm following correctly) essentially loads an assembly and a
type from that assembly within a different AppDomain and marshals the object
to another AppDomain via use of the following functions:
AppDomain.CreateDomain
AppDomain.CreateInstanceAndUnwrap or .CreateInstanceFromAndUnwrap
Assembly.Load
...where CreateInstance[From]AndUnwrap would create an internal utility type
(deriving from MarshalByRefObject) that calls Assembly.Load and/or
CreateInstance[From]AndUnwrap for the addin and its type. This also requires
the addin type (and aggregate types) to be Serializable.
This provides a certain physical separation of the addin type from the rest
of the application. Security can be added with AppDomain.SetAppDomainPolicy
before loading the addin's assembly and loading the requisite type to apply
the principle of least privilege and to prevent luring attacks.
I've found the bare minimum permissions to be Execution and FileIOPermission
= Unrestricted. Although, I'm leery an addin truly requires this level of
FileIOPermission.
I've only found theoretical discussions on the use of these functions and have
not found a complete concrete example. E.g. does simply calling these
functions provide the best security for an application running addins? Could
someone point me to a good example of this type of sandboxing? Also, I would
be interested in unit tests that show the various types of attacks and how
they are thwarted by this sandboxing technique.
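A concrete skeleton of the arrangement described above, added here as an illustration and not code from the original post: the host creates the AppDomain, applies a least-privilege policy with SetAppDomainPolicy before anything is loaded into it, and reaches the addin only through a MarshalByRefObject loader. IAddin, AddinLoader, Sandbox and the addin assembly name are assumed; the grant is Execution plus read-only FileIOPermission on the addin directory rather than Unrestricted, and an addin that attempts anything outside that grant (writing a file, opening a socket) surfaces as a SecurityException in the host.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
// Contract shared by host and addin (assumed; in an assembly both reference).
public interface IAddin { string Run(string input); }
// Runs inside the child domain; only this proxy crosses the boundary, so the
// addin type itself does not need to be Serializable.
public class AddinLoader : MarshalByRefObject
{
    public string Invoke(string assemblyPath, string typeName, string input)
    {
        Assembly asm = Assembly.LoadFrom(assemblyPath);
        IAddin addin = (IAddin)Activator.CreateInstance(asm.GetType(typeName, true));
        return addin.Run(input);
    }
}
public class Sandbox
{
    // Grant only Execution plus read access to the addin directory, the minimum
    // needed to load and run it, instead of FileIOPermission = Unrestricted.
    static PolicyLevel LeastPrivilegePolicy(string addinDir)
    {
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, addinDir));
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        level.RootCodeGroup = new UnionCodeGroup(
            new AllMembershipCondition(), new PolicyStatement(grant));
        return level;
    }
    public static string RunAddin(string addinDir, string dll, string typeName, string input)
    {
        AppDomain domain = AppDomain.CreateDomain("AddinSandbox");
        // Policy must be set before any assembly (other than mscorlib) loads into the domain.
        domain.SetAppDomainPolicy(LeastPrivilegePolicy(addinDir));
        try
        {
            AddinLoader loader = (AddinLoader)domain.CreateInstanceAndUnwrap(
                typeof(AddinLoader).Assembly.FullName, typeof(AddinLoader).FullName);
            return loader.Invoke(Path.Combine(addinDir, dll), typeName, input);
        }
        catch (SecurityException ex) { return "addin blocked: " + ex.Message; }
        finally { AppDomain.Unload(domain); }
    }
}
```

Because the AppDomain policy level is intersected with the machine and user levels, host code loaded into the child domain is restricted to the same grant, so the loader should do nothing beyond loading and invoking the addin.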