
Permission set inversion: running a .NET 4.0 application with 'full trust - (minus) write access'

I have a WCF service to communicate with a Mathematica Kernel to evaluate arbitrary expressions and get results. (My sole intention is to utilize Mathematica as a sophisticated graph layout engine for static graphs using SVG and XAML, but my math kernel host has a decidedly simple interface that can evaluate arbitrary Mathematica expressions, which, in the event of a security breach, could lead to arbitrary code injection.)

  • Is there any way to run an application in a sandbox with a 'full trust permission set - (minus) file io write access'?

Using

    var e = new Evidence();
    e.AddHostEvidence(new Zone(SecurityZone.Trusted));
    var pset = SecurityManager.GetDefaultSandbox(e);

leads to a situation where my app crashes due to a later security exception, so I want to make sure I just remove a single permission type. I do not get enough detail about the type of security exception and what caused it; my program is linked against a commercial library with no debug symbols.

  • How can I debug the execution inside the commercial library? Could reflector or a similar tool help me out?

  • How can I get a better stack trace about a security exception? (Full source of the current sandboxing application is below)

or

    var pset = new PermissionSet(PermissionState.Unrestricted); // set is empty o_O!
    pset.RemovePermission(typeof(FileIOPermission)); // io permission still active

...

does not help.

Full context:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.IO;
    using System.Security;
    using System.Security.Policy;
    using System.Security.Permissions;
    using System.Reflection;
    using System.Runtime.Remoting;

    class Sandboxer : MarshalByRefObject
    {
        const string uPath = @"..\..\..\KernelHost\bin\Debug";
        static string aPath = Path.GetFullPath(uPath);
        const string uAssembly = "KernelHost";

        static void Main(string[] args)
        {
            var e = new Evidence();
            e.AddHostEvidence(new Zone(SecurityZone.Trusted));

            // Start from Unrestricted and try to take single permissions away
            var pset = new PermissionSet(PermissionState.Unrestricted);
            //pset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
            //pset.AddPermission(new UIPermission(UIPermissionWindow.AllWindows, UIPermissionClipboard.AllClipboard));
            //pset.AddPermission(new FileIOPermission(FileIOPermissionAccess.AllAccess, aPath));
            //pset.SetPermission(new UIPermission(PermissionState.None));
            pset.RemovePermission(typeof(UIPermission));
            //pset.SetPermission(new FileIOPermission(PermissionState.None));

            // Strong name of this host assembly, passed as a fully trusted assembly of the sandbox
            var ass = typeof(Sandboxer).Assembly.Evidence.GetHostEvidence<StrongName>();

            var ads = new AppDomainSetup();
            ads.ApplicationBase = aPath;

            var sandbox = AppDomain.CreateDomain(
                "Sandbox",
                e,
                ads,
                pset,
                ass);

            // Dump the granted set: for an Unrestricted set this prints 0 and no permissions
            Console.WriteLine(pset.Count);
            foreach (IPermission p in pset)
            {
                Console.WriteLine(p.ToXml());
            }

            sandbox.ExecuteAssemblyByName(uAssembly);
        }
    }

  • Is there an available open-source/commercial sandboxing solution for .NET 4.0 or maybe at a higher level for Windows Server 2008 R2 (also for native apps) that could help me out?


Full trust is more than "everything"; it is "disable checks" - so no, you can't have "full trust except {foo}", because there would still be nothing checked. You will have to have an inclusive, albeit large, set. And I'm sure there are some pretty nasty things I can do that aren't writing files...

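The inclusive approach the answer describes, as an added example that is not part of the original question or answer: the grant set is built up from PermissionState.None, a write demand is checked against it before the domain is even created, and the SecurityException is caught in the fully trusted host domain where its details are readable. Only the KernelHost path and assembly name come from the question; the class and method names are assumed, and the code targets .NET Framework 4, where CAS sandboxing still exists.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class InclusiveSandbox
{
    // Assumed location of the KernelHost build output (same layout as in the question).
    const string RelativeAppBase = @"..\..\..\KernelHost\bin\Debug";

    // Build the grant set additively from nothing; Write/Append are never granted.
    public static PermissionSet BuildGrantSet(string appBase)
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, appBase));
        return grant;
    }

    // True if a demand for 'access' on 'path' would succeed against the grant set.
    public static bool FileAccessAllowed(PermissionSet grant, FileIOPermissionAccess access, string path)
    {
        IPermission granted = grant.GetPermission(typeof(FileIOPermission));
        return new FileIOPermission(access, path).IsSubsetOf(granted);
    }

    static void Main()
    {
        // The answer's point: an Unrestricted set has no members, so RemovePermission is a no-op.
        var full = new PermissionSet(PermissionState.Unrestricted);
        full.RemovePermission(typeof(FileIOPermission));
        Console.WriteLine("Unrestricted: Count={0} IsUnrestricted={1}", full.Count, full.IsUnrestricted());
        string appBase = Path.GetFullPath(RelativeAppBase);
        PermissionSet grant = BuildGrantSet(appBase);
        Console.WriteLine("Read allowed:  {0}", FileAccessAllowed(grant, FileIOPermissionAccess.Read, appBase));
        Console.WriteLine("Write allowed: {0}", FileAccessAllowed(grant, FileIOPermissionAccess.Write, appBase));
        var setup = new AppDomainSetup { ApplicationBase = appBase };
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant);
        try
        {
            sandbox.ExecuteAssemblyByName("KernelHost");
        }
        catch (SecurityException ex)
        {
            // In the fully trusted host domain these members identify the failing demand.
            Console.WriteLine("Denied: {0} in {1}", ex.FirstPermissionThatFailed, ex.Method);
        }
    }
}
```

Any permission the KernelHost assembly legitimately needs (UI, reflection, networking for the WCF endpoint) has to be added to BuildGrantSet explicitly; the first SecurityException printed by the catch block tells you which one is missing.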
