tags:

views:

60

answers:

1
+3  Q: 

Limiting what a .net plugin can access

I have a web application that can load plugins through reflection. It currently uses Assembly.LoadFrom() and Activator.CreateInstance() to get this done. Right now plugins are loaded into the same AppDomain and have access to anything in my app and anything my app could access.

What I'm looking for is a way to limit what classes and methods the plugin can access for security purposes. I want to have all of my classes and methods throw an exception when called unless they are whitelisted. I'd be whitelisting basically all the functions in an API class and a few data transfer objects.

I also don't want the plugin to be able to access the filesystem or the database on it's own. I think I can do that with trust levels in a separate AppDomain though.

Does anyone out there have any good ideas or resources? Is this something that could be done with Code Access Security or the new Security-Transparent Code features in .net 4?

+2  A: 

Using a separate AppDomain is the right approach if you want to apply general access restrictions. As for restricting access to your app-specific logic, just don't give out instances of your 'app internal' service objects to the plugin objects. Also, any reference type objects that are not MarshalByRef won't cross the AppDomain boundaries, so these objects are safe from access, even if there are exposed methods that would try to return them.

Dan Bryant  2010-04-14 23:56:55
This sounds promising, however what is stopping the plugin from calling into static methods or creating new instances of objects? I'm a little concerned the plugin might be able to get at information that it shouldn't see like connection strings.
David Hogue  2010-04-15 00:23:58
It's non-trivial to create a design that allows secure integration of extensions. You can't prevent instantiation of objects or access to static members, but you do have full control over access to any actual instances in your original AppDomain. The plugin will only get instances you explicitly Marshal. The key is that a plugin instantiating your classes should not allow your application state to be mutated, since none of them can ever get a reference to your real application state. Other indirect side effects (like file system or OS access) are controlled via AppDomain security settings.
Dan Bryant  2010-04-15 00:33:42

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?