Re: Code Access Security Enforcement anamoly - - Thx in advance.

From: Shawn Farkas [MS] (shawnfa@online.microsoft.com)
Date: 02/18/03 

From: "Shawn Farkas [MS]" <shawnfa@online.microsoft.com>
Date: Tue, 18 Feb 2003 13:17:00 -0800

Krishna,

    Let me see if I understand your situation correctly. You want no trust
granted to any assembly that is not signed by your certificate. This should
be an enterprise-wide policy. However, you have some ASP.Net apps on a
server that cannot run with this policy.
    In this situation, I would recommend either allowing your server
machines to fully trust assemblies on their local hard drive, and make sure
the server is locked down against unauthorized writing of data to the local
drive. If this is unsuitable for you, then adding the APTCA bit to your
assemblies would be a reasonable next move. This would allow untrusted
callers to enter your signed assemblies, so you would have to audit your
code to make sure they aren't tricked into doing anything that they
shouldn't (through use of Asserts), but in general since the security system
walks the entire call stack when a permission is demanded, this should not
leave you very vulnerable. I would avoid your option #2, about trusting the
ASP.Net temporary assembly location, since this will change with each
version of .Net, and you will have to redo your security policies. Option
#3, trusting the website will also not work, since from the perspective of
the ASP.Net application, the assembly is not coming from the website, it is
coming from the local machine.

-Shawn 

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias, this alias is for newsgroup
purposes only.
"Krishna Moturi" <moturi@hotmail.com> wrote in message
news:uuX4gDu1CHA.2188@TK2MSFTNGP10...
> Hi Shawn,
>
> My thoughts on this.
>
> If we look at the documentation and security changes since v1.0 of .NET,
the
> only solutions that is recommended so far are:
>
> 1) Use 'AllowPartiallyTrustedCaller' attribute at assembly level to trust
> partially trusted callers...runtime will skip 'LinkeDemand-FullTrust'
call.
>     Scenarios where u're in control of end-to-end application chain
> (asp.net->.Net componensts->db) and u expect everything to be fully
trusted
> as they're all  signed with u'r SPC,..whic is a security compromise
> 2) Use 'ApplicationDirectory' membership condition to make all dynamically
> generated aspx assemblies (they are at
> C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files) so
that
> aspnet_wp.exe who is above that folder could trust those
assemblies...agian
> this also would be a security compromise.
> 3) Use site membership condition (ex; http://www.acme.com as fully
trusted)
> so that any assemblies under that website would be considered as fully
> trusted.
>
> Ideally , framework should provide some faciltiy where in runtime even
signs
> those dynamically compiled aspx pages..that would be the true security
> facility..not working workarounds and not solving the root cause and
> providing a way for malignant code to use that 'partiallytrustedcallers'
> compromise.
>
> We should be committed to making this .NET based computing environment the
> most trusted and secured computing environment ever put into work, if
that's
> what the place where we could ask our customers to trust our services.
>
> Thanks
> Krishna
>
>
> "Krishna Moturi" <moturi@hotmail.com> wrote in message
> news:#tCyvdt1CHA.1752@TK2MSFTNGP10...
> > Hi Shawn,
> >
> > Thanks for swift response.
> >
> > What would be the best-practices approach to tackle this most commonly
> > anticipated situation for any enterprise ?
> >
> > Do we have any guidance from MSFT dictating any authoritative policy ?
> >
> > we would really appreciate your response to this as we're totally
> > sincere/serious in providing 'total secure computing envionment' promise
> to
> > our customers on .NET platform.
> >
> > Thanks
> >
> >
> >
> > "Shawn Farkas [MS]" <shawnfa@online.microsoft.com> wrote in message
> > news:OZXziqs1CHA.2576@TK2MSFTNGP11.phx.gbl...
> > > Hi Krishna,
> > >
> > >     You are probably running into a situation with dynamic
compilation.
> > > ASP.Net will dynamically compile its web pages into an assembly.  This
> > > assembly will not be signed by your certificate, and as such will not
> have
> > > execution permissions.
> > >
> > > -Shawn
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > > Please do not send email directly to this alias, this alias is for
> > newsgroup
> > > purposes only.
> > >
> > >
> > > "Krishna Moturi" <moturi@hotmail.com> wrote in message
> > > news:e29Sk4r1CHA.1616@TK2MSFTNGP11.phx.gbl...
> > > > Hi,
> > > >
> > > > We have role-based security, strong naming and
> publisher-signature(SPC)
> > in
> > > > place for our 75k c# codebase (23 assemblies).
> > > > We are trying to enforce CAS so that only our SPC trusted assemblies
> > could
> > > > be granted 'FullTrust' permisson set.
> > > >
> > > > 1) we changed 'Machine' level security policy so that
> 'My_Computer_Zone'
> > > no
> > > > longer would be carrying 'FullTrust' permission set.
> > > >     ( we don't want any malignant code installed to have fullTrust
> > > > permission set.).
> > > > 2) We created a new child code group and granted 'FullTrust' to our
> > > > certificate signed assemblies with appropriate code membership
> > condition.
> > > >
> > > > Our custom windows services with all 23 assemblies are working
> > fine...but
> > > > ASP.NET process no longer works.. (every aspx page just hit deadlock
> > > timeout
> > > > threshold)..........
> > > > we are looking for guidance on this enforcement policy.
> > > >
> > > >
> > > > Thanks in advance
> > > > Krishna
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Locking down CAS policy
    ... I can't find references to these in the default policy. ... the server that the app runs from, it wouldn't be limited by the CAS policy ... you shouldn't mock with the existing code groups - they grant the ... I've used the Evaluate Assembly utility to check the assemblies in ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Locking down CAS policy
    ... CAS policy has 3 levels - you are right that My_Computer in machine policy grants full trust - but there is another policy level called the appdomain level that is applied programmatically. ... You application doesn't even have enough permissions to read files (including assemblies) outside of the application directory ... put on the server that the app runs from, ... you shouldn't mock with the existing code groups - they grant the ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: no touch deployment SecurityException
    ... You can't get permissions that you aren't granted by local security policy, ... but other assemblies on the stack or the AppDomain ... >> policy to grant this permission. ...
    (microsoft.public.dotnet.security)
  • Re: Code Access Security Enforcement anamoly - - Thx in advance.
    ... If we look at the documentation and security changes since v1.0 of .NET, ... so that any assemblies under that website would be considered as fully ... > Hi Shawn, ... >> You are probably running into a situation with dynamic compilation. ...
    (microsoft.public.dotnet.security)
  • Re: Am I the only one with doubts about .NET for commercial apps?
    ... > So far, I have found only these two weaknesses, but these are BIG ... harder to do in unmanaged code, no licensing restrictions you add there are ... sense of security by making it clearer how easy it is to do. ... You can make reusing your assemblies a bit harder by using identity demands, ...
    (microsoft.public.dotnet.general)