Re: Tightening the default CAS policy



I guess it could be worse. They could fulltrust applications to bypass ACLs
and allow malware to modify Program Files, and change administrator-defined
group policy settings, etc...
What's that? File and Registry Virtualization.
Doh! What a stupid idea.
Only affects the current user, you say?
Doh! What a stupid idea.

- Kurt

"Dinis Cruz" wrote:

Kurt, I am also totally with you and have been saying (for more than two
years now) that Full Trust is a very bad idea, and that we need to move
into a development environment where it makes business sense to develop
partially trusted applications.

The main problem is that nobody (apart from the odd ones like us) seems
to take this problem seriously. The clients don't ask for it, the
developers don't want to spend the extra development cost to do it, and
Microsoft doesn't want to admit the problem:

The first thing that I ask Microsoft to do is to say very clearly that:

"Full Trust applications are insecure and potentially very dangerous for
the users running them (or for co-hosted websites), so we now need (as
an industry) to make the effort to develop, deploy and maintain
applications that can be executed in secure partially trusted
environments".

But so far Microsoft (and I have met and emailed with several key
players in there) still refuses to deal with this issue and prefers to
put its head in the sand and ignore it.

I have to say that I was really disappointed when 2.0 was released
without a major push for partially trusted development. For example, I
was hoping that it would be possible to run by default .Net applications
executed from your local computer in a secure partially trusted
environment. But that didn't happen, and I have to say that apart from
a couple more articles (and good blogs) there isn't much difference
between 1.1 and 2.0 (yeah, there are things like transparency and other
bits in there too :).

So, until you see guys from Microsoft in discussions like these, nothing
will begin to change.

But hey, keep making noise, I know that one day (eventually) we will get
there.

Dinis Cruz
Owasp .Net Project
www.owasp.net





Kurt wrote:
One thing I noticed in the first release of .NET is that programs stored on My
Computer were granted fulltrust regardless of their location, effectively equivalent
to an unmanaged application. My thought is that assemblies in temp
directories, My Documents, etc., can in general be assumed to have come from
some external location and should not initially have fulltrust without the
user having explicitly granted it by installing the application and/or
modifying the security policy. Saving an assembly to the local disk should
not in itself be sufficient, IMHO, to increase an assembly's trust permission.

For example, say the user is requested by an internet site to download an
application that, unknown to the user, scans all of their files for personal
information and transmits it to some internet site. The internet site knows
that the application will not have permissions to run in the internet zone, so
they package it and instruct the user to save as (despite the warnings presented, if
the user can do it he most likely will) and run it from their computer (where it
will have fulltrust). Once saved to the user's computer it effectively has
the same permissions as any other unmanaged application, thus nullifying CAS.
At present the advantages of a tighter security policy have somewhat limited
reach, because the internet site could have requested the user download an
unmanaged application, but a managed application is in general much easier to
develop. However, my hope is that in the near future we will have the ability
to restrict execution of unapproved unmanaged applications. For example, the
administrator approves only unmanaged applications located in the Program Files
and Windows folders and the local network share; if we then repeat the above
scenario with a managed and an unmanaged application, the unmanaged
application would not be able to run but the managed application would have
full trust, and this would be a serious loophole. Of course the CAS policy
can be changed to have similar restrictions, which is exactly what I'm
proposing.

My suggestion is that the default security policy should grant full
trust only to assemblies located in the Program Files and Windows\... folders
(systemX or whatever is needed, but not windows\temp); all other locations
should default to Internet Zone permissions rather than FullTrust. I would
much rather have the permissions of an assembly reduced when the user copies
an assembly from a network share, for example, than increased when downloaded
from the internet.

Thanks,
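Kurt's proposal above, written out as the caspol.exe commands that would apply it to the machine-level policy of a .NET Framework 1.1/2.0 runtime. This is an added example, not code from the thread or from Microsoft. It assumes Windows is installed on C:, that caspol.exe (from %windir%\Microsoft.NET\Framework\<version>) is on the PATH, and the shipped machine-policy labels (1 = All_Code, 1.1 = My_Computer_Zone); the assembly paths passed to -resolveperm are placeholders.

```powershell
# Added example (not code from the thread): apply Kurt's proposed default with caspol.exe.
# Assumptions: .NET Framework 2.0 caspol.exe on PATH, machine-level policy, Windows on C:,
# run from an elevated prompt. -m = machine level, -q = no confirmation prompt.
$ProgramFilesUrl = "file://C:/Program Files/*"
$WindowsUrl      = "file://C:/Windows/*"
$WindowsTempUrl  = "file://C:/Windows/Temp/*"

# 1. Demote the My_Computer_Zone code group (label 1.1) from FullTrust to the
#    Internet permission set. Its shipped child groups (Microsoft_Strong_Name,
#    ECMA_Strong_Name) still grant FullTrust to framework assemblies, so the
#    runtime itself keeps working.
caspol -m -q -cg 1.1 Internet

# 2. Re-grant FullTrust only to code whose URL is under Program Files or Windows.
#    Code-group grants are unioned, so an assembly anywhere else on the local disk
#    (My Documents, %TEMP%, Downloads) now resolves to Internet permissions only.
caspol -m -q -ag 1.1 -url $ProgramFilesUrl FullTrust -n "ProgramFiles_FullTrust"
caspol -m -q -ag 1.1 -url $WindowsUrl      FullTrust -n "Windows_FullTrust"

# 3. Kurt's exception: Windows\Temp must not inherit the Windows grant.
#    An exclusive child group makes its own permission set the only one this
#    level grants to matching code, overriding the parent's FullTrust.
caspol -m -q -ag "Windows_FullTrust" -url $WindowsTempUrl Internet -n "WindowsTemp_Internet" -exclusive on

# 4. Review the resulting code-group tree.
caspol -m -lg

# 5. Check the effective grant for an assembly before relying on the policy.
#    The same binary saved under the user's profile should resolve to the
#    Internet permission set, not FullTrust. (Paths are placeholders.)
caspol -rsp "C:\Program Files\ExampleApp\ExampleApp.exe"
caspol -rsp "$env:USERPROFILE\My Documents\ExampleApp.exe"

# To undo: restore the shipped machine policy.
# caspol -m -reset
```

The change is per-machine and persists until `caspol -m -reset`; user-level policy can only further reduce a grant, never raise it, so the demotion holds for every account. Because CAS policy is disabled by default from .NET Framework 4 onward, this only governs the 1.x through 3.5 runtimes the thread is discussing.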


