Plug-ins and security?

[Jesper]

Im creating a host application (a game) which allows for users to supply a
custom computer AI. This will be in the form of a plugin assembly which
supports a specified interface. So the host will call interface functions in
the plugins like PerformMove(GameState gs). The host application is a
trusted application that runs on a server, and users upload plugins to this
server, but I can't trust the plugins.

PlugIn:
- Must adhere to a specific public interface.
- Is allowed to create and maintain private state information, to be used
between calls.
- Is not allowed access to I/O, Networks, Other processes, etc.
- Will recieve some objects by reference form the host, but has only read
capabilities on these objects. If this is not possible, it will recieve
objects by value only.

Host:
- Can kill any plugin process/thread that takes too long time.
- Can kill any plugin process/thread that takes too much memory (or maybe
limit the allowed memory size at creation of the plugin process?)
- In order to allow the host enough control over the plugin to be able to
kill it, I expect to have to run the plugin functions in a different thread
or process.

I'm pretty new to security, so how would you set up these plugins,
securitywise?

 

[Joshua Flanagan]

The Code Access Security model of the .NET Framework allows you to do
this pretty easily. You will want to create a separate AppDomain to
load your plugin assemblies. You can specify limited permissions for
all code executing in the AppDomain. You then communicate with your
plugin code using .NET Remoting.

See the documentation for AppDomain.SetAppDomainPolicy for a hint on how
to get started:

http://msdn.microsoft.com/library/d...stemappdomainclasssetappdomainpolicytopic.asp

Joshua Flanagan
http://flimflan.com/blog

 

[Jesper]

Thanks. At first glance, it seems like just what I am looking for.