Hello everyone,

I am using VSTS 2008 + .Net 2.0 + C#, and I am running Code Analysis after build. I got the following confusing security warning. Here are the warning and the related code. Any ideas what is wrong? If there is a security warning, how do I fix it?

                // Launch IE on default.html through the shell (UseShellExecute defaults to true in .Net 2.0).
                System.Diagnostics.Process myProcess = new System.Diagnostics.Process();
                myProcess.StartInfo.FileName = "IExplore.exe";
                myProcess.StartInfo.Arguments = @"default.html";
                // "runas" asks the shell to start the process elevated (UAC prompt on Vista and later).
                myProcess.StartInfo.Verb = "runas";
                // Process.Start carries a LinkDemand for FullTrust; CA2122 fires because
                // TestHtml() re-exposes it without demanding the same permission itself.
                myProcess.Start();


warning : CA2122 : Microsoft.Security : 'TestHtml()' calls into 'Process.Start()' which has a LinkDemand. By making this call, 'Process.Start()' is indirectly exposed to user code. Review the following call stack that might expose a way to circumvent security protection:
+4  A: 

Your method calls Foo, which calls into Process.Start, which is protected by a link demand for Full Trust. To avoid the problem that FxCop is warning you about, you should add a link demand or full demand for the same permissions to your method.

You can fix it by adding to your method

// Declarative link demand on your method: the immediate caller's assembly must be granted FullTrust.
[PermissionSetAttribute(SecurityAction.LinkDemand, Name="FullTrust")]

See http://msdn.microsoft.com/en-us/library/970x52db.aspx

blowdart
Thanks, but your code has a build error: Error 1 The name 'True' does not exist in the current context. Any ideas? I am using .Net 2.0; does .Net 2.0 not support it?
George2
Hi blowdart, I have some new ideas and I think it is not a security hole. Suppose method Foo calls TestHtml and TestHtml calls Process.Start. Even if TestHtml is not enabled with LinkDemand, since Process.Start is enabled with LinkDemand, it will always check the permission of TestHtml (TestHtml is the immediate caller). So even if Foo does not have enough permission, the call from TestHtml to Process.Start will fail. So, I think there are no security issues. Any comments?
George2
@George, just guessing now, but it would be better to check the security requirements as early as possible, if TestHtml would change any application state before failing.
Simon Svensson
Thanks Simon, I agree with you from a best-practice point of view. But I want to make sure my understanding of the LinkDemand theory is correct; could you confirm my understanding is correct? Here is my understanding -- "Suppose method Foo calls TestHtml and TestHtml calls Process.Start. Even if TestHtml is not enabled with LinkDemand, since Process.Start is enabled with LinkDemand, it will always check the permission of TestHtml (TestHtml is the immediate caller). So even if Foo does not have enough permission, the call from TestHtml to Process.Start will fail."
George2
Oops, indeed it was wrong, try that :) There are security issues if your assembly allows calls from untrusted/partial trust callees. If your assembly runs in full trust, for example the GAC, but does not check its callers, then the call in Process.Start will pass because it's only checking the immediate caller. Better to be safe than sorry.
blowdart
Sorry blowdart, in your sample, if an un-trusted caller calls into TestHtml, and the security token on the thread is un-trusted (does not have enough permission to call Process.Start), then in the code of method TestHtml where I call Process.Start, Process.Start will check the privilege of the immediate caller TestHtml; since TestHtml has an un-trusted security token, the call will fail. What is wrong in my understanding?
George2
My understanding is that a security token or permission is associated with the thread level, not the assembly level. So I am confused about your sample of using the GAC, because in that case the thread security token is not trusted (the thread was initialized from an un-trusted party), so the call into Process.Start will never pass. I'd appreciate it if you could let me know where I am wrong. :-)
George2
Yes, you're confused. CAS Permissions are on threads, but on the call stack. Identity permissions are on the thread. It is your code that has CAS permissions, not a particular user.
blowdart
Thanks blowdart, is it a typo -- "CAS Permissions are on threads", which should be "CAS Permissions are NOT on threads"
George2
Oops, yes it is, that should be NOT.
blowdart
Thanks blowdart! You are a guru of this topic! I want to confirm with you that LinkDemand and Demand are part of the CAS security framework, and that .Net has two security frameworks -- identity based and CAS based. For CAS based, we have assembly-level permissions, and for identity based, we have thread-level permissions?
George2
Ah kind of. CAS is .NET only and is for software. Identity is both .NET and then the underlying OS.
blowdart
Thanks blowdart, so you mean my understanding of CAS security and identity security is correct apart from what you mentioned? :-)
George2
Another confusion is that I did not find in MSDN what the value "FullTrust" means for the Name property of SecurityPermission. Any comments?
George2
It is a permission set used by CAS. Basically it means the program can do anything. There are other permission sets with lower privileges.
blowdart
1. Why do I not have a property called Name? I still have a compile error, but when removing Name it compiles fine. Here is a screen snapshot, any ideas what is wrong? http://i31.tinypic.com/2lncmsw.jpg
2. Is my understanding of CAS security and identity security correct apart from what you mentioned (CAS is .Net specific, identity is OS built-in)?
George2
Agh, doh, it's not a security demand. Fixed again!
blowdart
Thanks blowdart, I did some more study and I want to let you review whether my understanding is correct -- LinkDemand and Demand belong to the CAS security framework, which is specific to .Net, and .Net has another security framework, which inherits OS functionality -- identity based, which stores an identity token in each thread. For CAS based, we have assembly-level permissions, and for identity based, we have thread-level permissions? Is that a correct understanding?
George2
Well, CAS can also be applied to individual classes, or even methods, but the evidence CAS evaluates is based on the assembly (and its location - where on the hard drive, whether it's coming from a network, its strong-name signing key and so on). You've made me think about completely rewriting my CAS chapter for my book now :)
blowdart
Thanks blowdart, in the past 2 days I did a lot of self-study about CAS permissions. One more question, about the Unrestricted property; I have posted it here: http://stackoverflow.com/questions/1160146/securityattribute-unrestricted-issue Any ideas?
George2
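The following is an added example, written for this page and not code from the question or from blowdart's answer. It puts the method CA2122 complains about next to the two fixes the answer describes (a repeated link demand and a full demand). It assumes a console project compiled against .NET Framework 2.0 to 3.5 (the CAS model FxCop's CA2122 reasons about; the .NET 4 security model changed these rules) and run from a local directory, so the assembly itself is fully trusted; the names HtmlLauncher, TestHtmlUnchecked, TestHtml and TestHtmlStrict are mine.

```csharp
// Added example, not from the original question or answer.
// Target: .NET Framework 2.0-3.5 (CAS enforced), compile with csc and run locally.
using System;
using System.Diagnostics;
using System.Security.Permissions;

public static class HtmlLauncher
{
    // BEFORE (the shape CA2122 flags when this is public). Process.Start is
    // marked [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")].
    // A link demand is checked once, at JIT time, against the grant set of the
    // *immediate* caller, i.e. this assembly, not against whoever called us.
    // If this assembly is fully trusted (local disk, GAC), a partially trusted
    // caller of this method gets an elevated IExplore.exe started on its
    // behalf without its own grant set ever being consulted.
    private static void TestHtmlUnchecked(string page)
    {
        Process myProcess = new Process();
        myProcess.StartInfo.FileName = "IExplore.exe";
        myProcess.StartInfo.Arguments = page;
        myProcess.StartInfo.Verb = "runas";   // request elevation via ShellExecute
        myProcess.Start();
    }

    // FIX A: repeat the same link demand on the public wrapper. Any partially
    // trusted method that calls TestHtml now fails to JIT-compile, so the
    // check moves one hop closer to the untrusted code. Cheap (no stack walk),
    // but still only one hop: another fully trusted wrapper around TestHtml
    // would earn the same CA2122 warning there.
    [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
    public static void TestHtml(string page)
    {
        TestHtmlUnchecked(page);
    }

    // FIX B: a full Demand. Evaluated at run time by walking the whole call
    // stack, so every caller up to the thread start must hold FullTrust, not
    // just the immediate one. Stronger than FIX A, at the cost of a stack
    // walk per call; CA2122 accepts either.
    [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
    public static void TestHtmlStrict(string page)
    {
        TestHtmlUnchecked(page);
    }

    public static void Main(string[] args)
    {
        // Run from a local directory this assembly is fully trusted, so both
        // checked variants succeed here; the difference only shows once a
        // partial-trust caller (for example code in a sandboxed AppDomain)
        // enters the call chain.
        string page = args.Length > 0 ? args[0] : "default.html";
        TestHtml(page);
    }
}
```

Keeping the unchecked method private matters as much as the attribute: the warning is about an externally visible method re-exposing a link-demanded call, so the privileged step should not be reachable except through a method that demands the same permission.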
+1  A: 

More information about security warnings and CA2122 - Do not indirectly expose methods with link demands

Kb
Thanks Kb, the documents you recommended are very helpful. I want to confirm whether my understanding is correct. I think the root cause is that Process.Start needs a link demand (a permission check on the immediate caller), but the method TestHtml I implemented does not check the permission of its immediate caller, so there is a security hole in that the immediate caller of TestHtml may not have enough permission. Is that a correct understanding?
George2
@George2: As I understand it, you are correct. Process.Start has declared a security check. The caller must declare the same security check or make sure that security will not be violated (and then ignore the check).
Kb
Thanks Kb, I have some new ideas and I think it is not a security hole. Suppose method Foo calls TestHtml and TestHtml calls Process.Start. Even if TestHtml is not enabled with LinkDemand, since Process.Start is enabled with LinkDemand, it will always check the permission of TestHtml (TestHtml is the immediate caller). So even if Foo does not have enough permission, the call from TestHtml to Process.Start will fail. So, I think there are no security issues. Any comments?
George2
@George2: Link Demand does not walk the stack, so I think LinkDemand is check only to the immediate caller. http://msdn.microsoft.com/en-us/library/60zfc754.aspx : "The only demands that do not result in a stack walk are link demands, which check only the immediate caller. "
Kb
Thanks Kb, so it means Process.Start will check the permission of the immediate caller TestHtml, so even if TestHtml does not check the security permission of the caller of TestHtml, I think it does not matter, since the call into Process.Start will fail in the end. Why must I add a LinkDemand check to method TestHtml?
George2
@George2: There is a good example in this link: http://msdn.microsoft.com/en-us/library/hzsc022c.aspx read the second paragraph. This check is between assemblies.
Kb
Thanks Kb, my confusion is, is LinkDemand checked against the assembly level, not the thread level? My confusion is that I think the privilege token is associated with the thread, not with the assembly. If an un-trusted caller calls into TestHtml, and the security token on the thread is un-trusted (does not have enough permission to call Process.Start), then in the code of method TestHtml where I call Process.Start, Process.Start will check the privilege of the immediate caller TestHtml; since TestHtml has an un-trusted security token, the call will fail. What is wrong in my understanding? Any comments?
George2
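An added example, written for this page and not posted by anyone in the thread, to make the "no stack walk" point from the MSDN quote Kb cites observable: the same restriction on the calling thread's stack stops a Demand but not a LinkDemand, because a link demand looks only at the immediate caller's assembly grant set, not at what is on the thread. It assumes .NET Framework 2.0 to 3.5, compiled as a console program and run from a local directory so the assembly is fully trusted; the class, method and delegate names (DemandKinds, WithDemand, WithLinkDemand, Probe, Run) are mine.

```csharp
// Added example, not from the original thread. .NET Framework 2.0-3.5 CAS.
using System;
using System.Security;
using System.Security.Permissions;

public static class DemandKinds
{
    // Full demand: when the method is entered, the runtime walks every frame
    // on the stack and checks each frame's assembly grant set plus any stack
    // modifiers (PermitOnly, Deny) that frame installed.
    [FileIOPermission(SecurityAction.Demand, Unrestricted = true)]
    public static string WithDemand()
    {
        return "demand passed";
    }

    // Link demand: checked once, when the caller is JIT-compiled (or when a
    // delegate to this method is created), against the immediate caller's
    // assembly grant set only. No stack walk, so stack modifiers on the
    // thread have no effect on it. A failure surfaces as a SecurityException
    // in the *caller's* caller, not at the call site itself.
    [FileIOPermission(SecurityAction.LinkDemand, Unrestricted = true)]
    public static string WithLinkDemand()
    {
        return "link demand passed";
    }

    private delegate string Probe();

    // Invoke a probe and report the outcome instead of letting it propagate.
    private static string Run(Probe probe)
    {
        try
        {
            return probe();
        }
        catch (SecurityException)
        {
            return "SecurityException";
        }
    }

    public static void Main()
    {
        // Restrict this frame to "execution only". Any stack walk that passes
        // through Main from here on must be satisfied by this reduced set.
        PermissionSet execOnly = new PermissionSet(PermissionState.None);
        execOnly.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        execOnly.PermitOnly();

        // The delegate creation below is where the link demand is evaluated:
        // this assembly is fully trusted, so it passes regardless of PermitOnly.
        string linkResult = Run(new Probe(WithLinkDemand));
        // The full demand walks the stack, reaches Main's PermitOnly frame,
        // finds no FileIOPermission there and throws.
        string demandResult = Run(new Probe(WithDemand));

        // Drop the restriction before touching the console.
        CodeAccessPermission.RevertPermitOnly();

        Console.WriteLine("LinkDemand under PermitOnly: " + linkResult);   // link demand passed
        Console.WriteLine("Demand under PermitOnly:     " + demandResult); // SecurityException
    }
}
```

The PermitOnly stands in for a thread whose stack contains a less trusted frame. The Demand respects it because it walks the stack; the LinkDemand ignores it because it never looks past the immediate caller's assembly, which is exactly why a fully trusted TestHtml that does not repeat the demand lets a less trusted caller reach Process.Start.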