BIG trouble with SecurityCritical!!! (EN)

  • Question

  • .NET 4.0

    In documentation: "Transparent code cannot use reflection to access security-critical members, even if the code is fully trusted. A MethodAccessException, FieldAccessException, or TypeAccessException is thrown."

    I have:

    library Host.dll

    // using System.Security;
    public class VeryDangerousClass {
        [SecurityCritical] private static readonly int __very_big_secret = 134;

        public static int ItIsOpen { get { return __very_big_secret; } }
    }

    I have 2 plug-ins, and Host checks for [assembly:SecurityTransparent] while loading plug-ins.


    library WhitePlugin.dll

    [assembly: SecurityTransparent]

    void pluginWork() {
        Console.WriteLine(VeryDangerousClass.ItIsOpen);
    }

    IT WILL CAUSE Exception "WOW U TRY REACH __very_big_secret  from TRANSPARENT CODE, IT'S CRIME"

    And second plug-in:

    library HackerPlugin.dll

    [assembly: SecurityTransparent]

    void pluginWork() {
        // Overwrite the private static field through reflection.
        var fld = typeof(VeryDangerousClass).GetField("__very_big_secret",
            BindingFlags.NonPublic | BindingFlags.GetField | BindingFlags.Static);
        fld.SetValue(null, 1321321321);

        // Read the value back through the public property, also via reflection.
        Console.WriteLine(typeof(VeryDangerousClass)
            .GetProperty("ItIsOpen", BindingFlags.Public | BindingFlags.GetProperty | BindingFlags.Static)
            .GetValue(null, null));
    }

    Oh... it's very nice for the CLR, all works well. It's legal code and legal usage of SecurityCritical code in .NET, WHAT'S THE @$#%#@

    I did not even think that a DOCUMENTED and EXTREMELY IMPORTANT THING, especially after CAS became obsolete, is NOT WORKING!!!!

    I cannot use SandBox because the application centralizes all processes and provides core services for all other classes and plugins; it's hard to do that with SubDomains.

    Friday, October 12, 2012 4:18 AM

All replies

  • Hello, 

    Can you please elaborate more on this and on what you are trying to accomplish?


    Regards, Ravikumar P

    Friday, October 12, 2012 4:23 AM
  • Yes.

    We provide the core engine for a DB-oriented information system which works with confidential information at the client side.

    For UI we use a mixed Web application with MVC/self handler factory and native aspx.

    Clients have requirements to have a secure, but simply expandable framework.

    The main solution to accomplish this was an add-in design, where the core dynamically loads add-in classes with a custom IOC container (Windsor-like).

    By policy ADDINS have access to a common set of core application services and do not have direct permissions to FileSystem, SQL and Reflection, of course.

    ADDINS were loaded into the main domain without subdomains because of the high level of intercommunication and aggregation at runtime.

    To secure this scenario before .NET 4.0 we used CAS with a very strict policy - only our strong-named core dll gains full trust - everything else in the web application is restricted.

    All worked fine.

    After .NET 4.0 was released we waited for the 1st SP and started migration.

    CAS became obsolete and in the new version we have ported to the "SecurityCritical" attributes family. So we have closed our internal services with SecurityCritical, exposed our public ADDIN API with SecuritySafeAttribute and set a requirement for the IOC container that it must check the assemblies it is loading for SecurityTransparentAttribute. All works well (at first look).

    We were sure that it's secure because:

    1. All tries to call the secure API from non-trusted assemblies in our USUAL TESTS fail.

    2. In documentation http://msdn.microsoft.com/en-us/library/stfy7tfc(v=vs.100).aspx we SEE THAT REFLECTION IS DEFENDED BY THESE ATTRIBUTES

    A week ago we wrote an exploit to demonstrate to the client that even if some hackers could write an add-in with rich reflection and low-level code, it cannot get more permissions than other add-ins.

    But when we started our exploit it executed freely and got control over the system. It was a shock. SecurityCritical defends from NORMAL CODE, but REFLECTION simply avoids IT!!!!

    You can reproduce it simply:

    Write an assembly with SecurityCritical stuff

    Write an assembly marked as [SecurityTransparent]

    Write two classes in the second:

    1. Will try to access critical code by usual calls

    2. Will try to access critical code with reflection and fully qualified binding info.

    You will see that only the first scenario will be protected; the second scenario allows control even over readonly private fields in private classes marked as SecurityCritical.

    IT IS VERY BAD.

    So, CAS is obsolete and soon will not be supported, the code is migrated, but even an ASPX page with small changes, or any add-in from a 3rd party, can exploit this and gain control over the system.

    Tried to find a solution in MSDN and other resources. No normal answers.

    I know that I can use SandBox, but it's a good scenario only if we have very autonomous add-ins, but in our case we have an AGGREGATION design, where add-ins are included in data and execution flow as main parts, so migration to SandBoxes is hard and we will lose performance and resource economy on launching many appdomains.

    And why must we do so while SecurityCritical is a documented and recommended feature for this scenario?

    We need a quick fix for it, but I cannot even register an ISSUE in the MS .NET team tracker because MS do their work in closed mode and I'm not an official partner.

    Friday, October 12, 2012 4:49 AM
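
Added example, not part of the thread or of the poster's code: the sandbox option the post above mentions, as a partial-trust AppDomain whose grant set contains only Execution, so the CLR denies the plug-in ReflectionPermission regardless of how its assembly is annotated. `Sandboxer`, `RunPlugin`, `pluginDir` and a public plug-in type exposing a public `pluginWork()` method are assumptions.

```csharp
// Added example (not from the thread). Assumed names: Sandboxer, RunPlugin,
// pluginDir, and a public plug-in type with a public pluginWork() method.
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public class Sandboxer : MarshalByRefObject
{
    // Runs in the host: builds the partial-trust domain and calls into it.
    public static string RunPlugin(string pluginDir, string assemblyName, string typeName)
    {
        // The whole grant set: permission to execute, nothing else.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        var setup = new AppDomainSetup { ApplicationBase = Path.GetFullPath(pluginDir) };
        // Only the strong-named host assembly is fully trusted inside the sandbox.
        StrongName host = typeof(Sandboxer).Assembly.Evidence.GetHostEvidence<StrongName>();
        if (host == null)
            throw new InvalidOperationException("Host assembly must be strong-named.");
        AppDomain sandbox = AppDomain.CreateDomain("PluginSandbox", null, setup, grant, host);
        try
        {
            var proxy = (Sandboxer)Activator.CreateInstanceFrom(
                sandbox,
                typeof(Sandboxer).Assembly.ManifestModule.FullyQualifiedName,
                typeof(Sandboxer).FullName).Unwrap();
            return proxy.Execute(assemblyName, typeName);
        }
        finally { AppDomain.Unload(sandbox); }
    }

    // Runs inside the sandbox; the plug-in's frames carry only the grant set above.
    public string Execute(string assemblyName, string typeName)
    {
        Type type = Assembly.Load(assemblyName).GetType(typeName, true);
        try
        {
            type.GetMethod("pluginWork").Invoke(Activator.CreateInstance(type), null);
            return "completed";
        }
        catch (TargetInvocationException ex)
        {
            // Return only the type name; the exception object may not cross domains cleanly.
            return "denied: " + ex.InnerException.GetType().Name;
        }
    }
}
```

Host assemblies that the sandboxed plug-in calls must be marked `[assembly: AllowPartiallyTrustedCallers]` (or be transparent), otherwise partial-trust code cannot call them at all.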
  • Hi,

    This is a Windows Server General forum. And your query is related to coding/development I believe. Unfortunately, coding/development folks do not hang on in this forum. And I am not really sure in which category your question fits in. Hence, I am moving this thread to "Where is the Forum For...?" forum and over there other moderators might redirect you to an appropriate forum where you can post your questions

    Please refer following for posting details in Windows Server General forum.

    Purpose of this Forum (Server General) *** Please Read Before Posting ***

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/9ce53966-49bb-48fe-b195-2652ad8d09d9

    Thanks


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Friday, October 12, 2012 5:29 AM
    OK, but I was here because MSDN sent me to the Call-Center and the CC sent me to technet.

    You sent me to MSDN.

    OK. Will wait for an answer from them. Wish it will be resolved.


    Friday, October 12, 2012 6:08 AM
  • What language? What technologies?

    Thanks!


    Ed Price (a.k.a User Ed), SQL Server Customer Program Manager (Blog, Twitter, Wiki)

    Friday, October 12, 2012 6:26 PM
  • Okay. You need to ask this in one of these forums:

    http://social.msdn.microsoft.com/Forums/en-US/category/netdevelopment

    You asked in the Windows Server forum, where they tell you about how to use Windows Server. That's why it got moved.

    Thanks!


    Ed Price (a.k.a User Ed), SQL Server Customer Program Manager (Blog, Twitter, Wiki)


    Friday, October 12, 2012 6:28 PM