Re: Stack walk
From: Michel Gallant (MVP) (neutron_at_istar.ca)
Date: Thu, 29 May 2003 15:11:21 -0400
Yes, Assert is *extremely* dangerous, and any developer who uses it
should, in the words of Keith Brown in "Security in .NET: Enforce Code Access Rights...":
"get a jury of your peers to review any use of the feature."
It might look like your Assert can not leverage your code for mal-use, but
it is often tricky seeing what COULD happen.
See also the good advice in Michael Howard's "Writing Secure Code 2nd Edn.":
Ch. 18, p. 545 "Overzealous Use of Assert".
"Shawn Farkas [MS]" <email@example.com> wrote in message
> Hi Doman,
> 1) You are correct ... without a stack walk, then any code that, for
> instance, wanted to read a file could, since the System.IO classes wouldn't
> know the trust level of their callers. (This assumes the NTFS permissions
> are set such that the code had permissions to read the file.)
> 2) Assert is extremely dangerous. It is useful to get at a privileged
> operation that you need to perform your work, and you know that your code
> can never be tricked into calling the privileged code by a malicious
> assembly. For instance, if you write a graphing control, and you write out
> the color of the graph to draw to a text file, you might assert
> FileIOPermission to read that text file, so that you can get at your data.
> If you were positive that there was no way for anyone using your control to
> trick you into reading another file and somehow accessing this data, then
> this would be a good use of Assert. When you use Assert, it is generally a
> good idea to do a RevertAssert as soon as you don't need to disable the
> checking for the permissions you Asserted.
> "Doman Maciejko" <firstname.lastname@example.org> wrote in message
> >I have two questions.
> > The level of trust to a unique assembly is defined in the permission set.
> > The permission set is therefore of high importance. The system then uses the
> > permission set when the stack walk matches the level of trust of a certain
> > caller to the protected operation which is called.
> > Now I wonder. Could you say that the stack walk is crucial, without the
> > stack walk no security actions could be applied?
> > The stack walk can be turned off (assert). Could you say that you to some
> > extent become insecure and should be extra careful?
> > /Doman
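The graphing-control scenario Shawn describes, as an added C# example that is not part of this thread and not code from any of the posters. It targets the .NET Framework Code Access Security model the thread is about (CAS is not enforced on .NET Core / .NET 5+, where these calls are effectively no-ops or throw). The class and member names, the settings file name and its key=value format are all assumptions made for illustration. It shows the safe pattern (assert read access to one fixed path the caller cannot influence, then RevertAssert in a finally block) next to the dangerous pattern (asserting on a caller-supplied path, which lets a partially trusted caller read any file the control's assembly can read).

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical graphing control (all names are assumptions). The assembly
// must itself hold FileIOPermission for the path plus
// SecurityPermissionFlag.Assertion, otherwise Assert() throws.
public sealed class GraphControl
{
    // Fixed, non-attacker-controlled location: the only file we ever assert for.
    private static readonly string SettingsPath =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "graphcolors.txt");

    // SAFE: the caller picks a colour *name*, never a file name. The key is
    // validated, and the Assert covers exactly one absolute path.
    public string GetGraphColor(string colorKey)
    {
        if (string.IsNullOrEmpty(colorKey) ||
            colorKey.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            throw new ArgumentException("invalid colour key", "colorKey");
        }

        var perm = new FileIOPermission(FileIOPermissionAccess.Read, SettingsPath);
        perm.Assert(); // stack walk for FileIOPermission(Read, SettingsPath) stops here
        try
        {
            // File.ReadAllLines demands FileIOPermission for SettingsPath; the demand
            // is satisfied by our Assert without inspecting less-trusted callers.
            foreach (string line in File.ReadAllLines(SettingsPath))
            {
                string[] parts = line.Split('=');
                if (parts.Length == 2 &&
                    parts[0].Trim().Equals(colorKey, StringComparison.OrdinalIgnoreCase))
                {
                    return parts[1].Trim();
                }
            }
            return "Black"; // assumed default colour
        }
        finally
        {
            // Re-enable the stack walk as soon as the privileged work is done,
            // even if ReadAllLines threw.
            CodeAccessPermission.RevertAssert();
        }
    }

    // DANGEROUS: the path comes from the caller, so a malicious partially
    // trusted assembly can pass e.g. "C:\\secrets.txt" and have this fully
    // trusted frame vouch for the read. Shown only as the anti-pattern.
    public string[] ReadAnyFileViaAssert(string callerSuppliedPath)
    {
        var perm = new FileIOPermission(FileIOPermissionAccess.Read, callerSuppliedPath);
        perm.Assert();
        try
        {
            return File.ReadAllLines(callerSuppliedPath);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }

    public static void Main()
    {
        // Constructed sample settings file so the example runs stand-alone.
        File.WriteAllLines(SettingsPath, new[] { "Background=White", "Line=Blue" });

        var control = new GraphControl();
        Console.WriteLine(control.GetGraphColor("Line"));       // Blue
        Console.WriteLine(control.GetGraphColor("Missing"));    // Black
        try
        {
            control.GetGraphColor("..\\..\\other.txt");         // rejected before any Assert
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The point of the try/finally is that the window in which the walk is disabled is bounded and cannot be left open by an exception; the point of the fixed path is that nothing a caller controls reaches the Assert. A simple review check for any Assert is to trace every value that feeds the asserted permission and the privileged call back to its source and confirm none of it originates from a less-trusted caller.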