tags:

views:

207

answers:

3
+2  Q: 

Thread security in sandboxed AppDomain

I have application domain to host untrusted code/assembly. I solved all problems with security with security attributes and it works well. The untrusted code runs on dedicated thread. CLR is 2.0. This is what I have AppDomainShell AppDomainSeed, Shell is running in main domain, seed is trusted proxy/helper in untrusted domain.

I'm interested to restrict creating new threads and changing priority. At the moment my untrusted assembly could set ThreadPriority.Highest or kill operating system by creating 10k threads. There is SecurityPermissionFlag.ControlThread but that prevents just from advanced operations like Abort().

I was looking at Thread class implementation and there is no declarative security on C# API of it for those simple operations, rest of the implementation is native.

I guess I could use some Win32 functions to ban that on OS level. But how operating system recognizes the thread/code/assembly which is not trusted? SetThreadPrincipal() ?

Is there any API of CLR which could be abused ? I prefer solution without need for installation and portable to Mono, :-/ hmmm.

Any other ideas welcome. Thanks!

A: 

Threads run within a single process, and you should be safe as your untrusted code can't change the priority of the process. (See MSDN here for details.)

I'm not sure that even creating 10k threads within a process would necessarily kill Windows - at least, not any version of Windows above Windows NT. Your process would almost certainly stop running, however, so you might want to consider two processes and use a mechanism such as remoting or WCF to communciate between them.

Jeremy McGee  2009-12-31 20:58:35
Unfortunately I need fast calls into other (Java) part of the application running in same process. So another process and any slow message interface is not solution.
Pavel Savara  2009-12-31 21:15:31
Then I think you need to say more about what it is you're trying to achieve and why you assume a malicious assembly might stop it.
Jeremy McGee  2009-12-31 21:28:35
Jeremy I gave more context above. Boosted thread priority is strong competitive advantage for robot.
Pavel Savara  2010-01-02 17:57:46
A: 

Maybe HostProtectionAttribute is the right thing for limiting thread manipulation by untrusted code?

Pent Ploompuu  2010-01-04 13:55:31
Documentation says that the host protection is not tested if you don't run native host. I think it's rather attribute for static analysis tool, not the runtime. Maybe I understood incorrectly...
Pavel Savara  2010-01-04 19:21:20
If you host the runtime yourself then it acts like a LinkDemand.
Pent Ploompuu  2010-01-04 23:04:32
I'm looking at it now. Found this:http://blogs.msdn.com/shawnfa/archive/2005/10/12/480186.aspxhttp://blogs.msdn.com/shawnfa/archive/2005/10/13/480210.aspxNow I wonder how to achieve that from inside running CLR.http://msdn.microsoft.com/en-us/library/zaf1h1h5%28VS.80%29.aspx
Pavel Savara  2010-01-05 21:36:30
It was interesting, but not possible. CLR till v4 can't be twice in same process. I tried code below, but there is restriction in CLR hosting code. It could be verified in Rotor sources.I wrapped several COM interfaces from mscoree.hCLRRuntimeHostClass host = new CLRRuntimeHostClass();ICLRControl icc;host.GetCLRControl(out icc);// this throws COM exception invalid operation,// if CLR is already startedicc.GetCLRManager(ref IID_ICLRHostProtectionManager, out hpmp);
Pavel Savara  2010-01-05 23:20:56
Anyway, this is not guaranteed security. Search for "(HPA)" in this article: http://blogs.msdn.com/cbrumme/archive/2004/02/21/77595.aspx
Pavel Savara  2010-01-05 23:29:12
A: 

I consider another solution. Static analysis of CIL of untrusted assembly. I could search thru all methods, properties, constructors. Recognize references to types. If I found reference to Thread type, I throw security exception and unload assembly.

I quite like work of Jb Evain. He created Mono Cecil, but that's quite heavyweight. He also drafted CIL reader, just with .NET reflection.

I created Linq over reflection using CIL Reader. Usage look like this.


var myAssembly = typeof (Program).Assembly;
foreach (Type usedType in myAssembly.GetUsedTypes())
{
    if (typeof (Thread).IsAssignableFrom(usedType) ||
        typeof (ThreadPool).IsAssignableFrom(usedType) ||
        typeof (ThreadPriority).IsAssignableFrom(usedType)
        )
    {
        throw new SecurityException("Thread usage is banned here!");
    }
}
Pavel Savara  2010-01-10 00:35:44

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?