Securing a .NET app

Nak

Hi there,

I have just decided to attempt to secure my .NET app as much as
possible. The main reason I want to do this is because I have implemented a
plug-in engine, I thought that it would be quite easy for someone to make a
rogue plug-in that deleted files, or did other malicious tasks.

Anyway, the plugins that I have implemented so far are passed either 1
filename, or an array of filenames. Ideally I want the plugin to be able to
*read* ONLY the files that it has been passed, that means no access on *any*
other files or write access to the file.

I thought that this could be done quite simply by using the
FileIOPermission class. And yes it was, I implemented a quick deny and
revert deny before and after the plugin is called and it prevents the plugin
from writing to the file. But I could not work out how to set ALL
permissions, i.e. I want to set only read access for the files that it is
being passed and nothing else, how would I go about doing this?

Is there a way that you can deny permissions to everything and then
grant permissions to 1 thing? It would be nice to prevent the plug-ins from
doing *anything* malicious. Thank you very much for your help in advance,
and I look forward to advice on this one, a vice like grip shalt protect my
app's plugins from doing anything dubious!

Nick.

P.S.

Just a thought, is the best way to make an app 100% secure by denying all
permissions outright and having to grant permissions every time a task is
performed that would need permissions? i.e.

1. When the app loads, deny all permissions
2. The app wants to change a system setting
3. The permissions are granted (or requested?)
4. The setting is changed

Just an idea, I'm probably miles off the mark!

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
 
Peter Huang

Hi Nick,

At a quick view, I think you may try to pass the FileStream reference to
the plugin.

// Host application (ConsoleApplication32)
using System;
using System.Security;
using System.Collections;
using System.Security.Policy;
using System.Security.Permissions;
using System.IO;
namespace ConsoleApplication32
{
    class Class1
    {
        [STAThread]
        static void Main(string[] args)
        {
            // Open the file first, while the host still has its permissions.
            FileStream f = new FileStream(@"C:\test.txt", FileMode.Open);
            // Deny every permission to code called from this frame onward.
            PermissionSet ps = new PermissionSet(PermissionState.Unrestricted);
            ps.Deny();
            ClassLibrary9.Class1 cls = new ClassLibrary9.Class1();
            // The plugin only gets the stream that was already opened.
            byte[] rt = cls.hello(f);
            f.Close();
        }
    }
}

// Plugin library (ClassLibrary9, a separate assembly)
using System;
using System.IO;
namespace ClassLibrary9
{
    public class Class1
    {
        public Class1()
        {
        }
        public byte[] hello(FileStream f)
        {
            byte[] a = new byte[255];
            // Reading from the stream passed in by the host works.
            f.Read(a, 0, 255);
            // This line will fail because of a security exception:
            //f = new FileStream(@"C:\1.txt",FileMode.Open);
            //f.Read(a,0,255);
            return a;
        }
    }
}

You may have a try to see if this works for you.
If I have any new information, I will update with you.
If you have any question on this problem please post here.

Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Nak

Hi Peter,

You have completely misunderstood what I was asking unfortunately. I
have a plugin engine that other people can make plugins for, anyone can make
one which is a good point *and* a down point.

Now I could quite easily make a rogue plugin that when called deletes
system files and changes systems settings. I want to prevent this from
happening by only giving the plugin the permissions that I desire, which
would be 1 thing

* Read access to 1 or many files

No more, and no less. I want to achieve this by using CAS (Code Access
Security). Which technically should enable me to set permissions before the
plugin is called, call the plugin and then revert the permissions once
complete. This will prevent the plugin from doing *anything* nasty and
untoward.

I just haven't seen any examples of denying all permissions to the
system other than read access to 1 or many files as yet. As an example of
what I am doing so far,

~~

Dim pIOPPermit As New FileIOPermission(FileIOPermissionAccess.Write, iFile.FullName)
Call pIOPPermit.Deny()

'CALL PLUGIN WITH iFILE

Call pIOPPermit.RevertDeny()

~~

This prevents the file from being written to full stop, what I want is
*only* to specify read access permission and deny every other security
permission possible! Have you any ideas or seen any examples around at all?
I have read the docs but they are very descriptive without showing any code
examples, thanks for your help :)

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
 
Nak

I forgot to comment,
FileStream f = new FileStream(@"C:\test.txt",FileMode.Open);
PermissionSet ps= new PermissionSet(PermissionState.Unrestricted);
ps.Deny();
ClassLibrary9.Class1 cls = new ClassLibrary9.Class1();
byte[] rt=cls.hello(f);
f.Close();

Unfortunately this would require that I change the interface of my plugins
quite dramatically. The wonder of them is that they are passed simply
FileInfo objects or FileInfo collections. One plugin I have I cannot even
see the code that opens the file as it wraps a 3rd party DLL that performs
all of the necessary tasks.

I have been looking at the PermissionSet class also and the AddPermission
method, is it possible to use this to deny all permissions except for read
access to 1 file?

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
 
Nak

I *think* I may have found what I am after

Dim pPStPermit As New PermissionSet(PermissionState.None)
' Permit only read access to the file that is passed to the plugin
Dim pIOPPermit As New FileIOPermission(FileIOPermissionAccess.Read, iFile.FullName)
pPStPermit.AddPermission(pIOPPermit)
Call pPStPermit.PermitOnly()

'CALL PLUGIN WITH iFile

'Revert permissions

Now the only problem is that the PermissionSet object doesn't contain
revert! :-(

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
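
Added example, not code from the thread: one way to express "read access to the passed files and nothing else" with .NET Framework CAS, using PermissionSet.PermitOnly() and undoing it with the static CodeAccessPermission.RevertPermitOnly(). IFilePlugin, PluginHost, BuildReadOnlySet and RunRestricted are hypothetical names; the plugin contract is an assumption based on the description of plugins receiving FileInfo objects.

```vbnet
Imports System
Imports System.IO
Imports System.Security
Imports System.Security.Permissions

' Hypothetical plugin contract (assumption): plugins are handed FileInfo objects.
Public Interface IFilePlugin
    Sub Process(ByVal files As FileInfo())
End Interface

Public Module PluginHost

    ' Builds a permission set that holds nothing except read access
    ' (plus path discovery) for exactly the files being handed over.
    Public Function BuildReadOnlySet(ByVal files As FileInfo()) As PermissionSet
        If files Is Nothing OrElse files.Length = 0 Then
            Throw New ArgumentException("At least one file is required.", "files")
        End If

        Dim paths(files.Length - 1) As String
        For i As Integer = 0 To files.Length - 1
            paths(i) = files(i).FullName
        Next

        ' PathDiscovery is included because FileInfo.FullName demands it;
        ' drop it if plugins never need to see the full path.
        Dim access As FileIOPermissionAccess = _
            FileIOPermissionAccess.Read Or FileIOPermissionAccess.PathDiscovery

        Dim permitted As New PermissionSet(PermissionState.None)
        permitted.AddPermission(New FileIOPermission(access, paths))
        Return permitted
    End Function

    ' Calls the plugin with every other permission demand failing.
    Public Sub RunRestricted(ByVal plugin As IFilePlugin, ByVal files As FileInfo())
        Dim permitted As PermissionSet = BuildReadOnlySet(files)
        ' Until the revert, any demand outside the set (writes, other files,
        ' registry, unmanaged code, ...) raises a SecurityException.
        permitted.PermitOnly()
        Try
            plugin.Process(files)
        Finally
            ' The revert is a static method on CodeAccessPermission,
            ' not a member of PermissionSet; it applies to this stack frame.
            CodeAccessPermission.RevertPermitOnly()
        End Try
    End Sub

End Module
```

PermitOnly only changes the stack walk for this call, so a plugin assembly that is itself fully trusted can Assert permissions and get past it; the restriction holds only when the plugin is also loaded with a restricted grant set. A plugin that wraps a native DLL will fail under this set, because calling unmanaged code demands a permission the set does not contain.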
 
Nak

Hi Peter,

It's quite typical that I choose most things that haven't been covered
too well, I'm not meaning to be awkward by asking so many questions, I'm
just keen to learn so that I can get my program on sale and the like. Tis
the only way that I am ever going to get commercial experience in .NET at
this rate, oh well, maybe I should let the plugins do whatever they want,
but saying that, would simply doing

~~

PermissionSet ps= new PermissionSet(PermissionState.Unrestricted);
ps.Deny();

~~

This would put the plugin in a restricted state for its lifetime, as
per your first example. I shall have to try it out, I've been giving the
old PC a rest the past couple of days, thanks for your help Peter.

Nick.

--
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
"No matter. Whatever the outcome, you are changed."

Fergus - September 5th 2003
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
 
