Geek Answers Handbook

Is there a way to block the C # plugin from accessing the main C # application in the program?

I have a program and a simple plugin architecture, where plugins implement a common interface, and the main program loads all plugins that implement this interface. This is the most common plugin user architecture I have found so far, so what I use.

I do not use Microsoft MEF, and I have reasons not to. I will leave it with this.

The problem is that when plugins are loaded, no matter how blind they are, they belong to the main program, and it forms / classes / etc. he can still access System.Windows.Forms.Application and therefore can access my application and its currently running forms / methods / controls, etc.

I do not want it. Is there a way to restrict plugin access to the main application?

EDIT: additional information about the plugin

We (my boss and I) are currently discussing what plugins need to do. All of them, obviously, should add functionality, but we initially decided to give each plugin access to the currently running form so that it could add controls and events directly to the form. This was based on the assumption that only we developers will write them.

Now we are considering the possibility of third-party plug-ins, and, obviously, the initial design has the same security as the "Do not enter" sign on an open door without anyone.

Or the Take One sign hanging on a bowl of individual skittles on Halloween.

+6
c # plugins restriction
source share
4 answers

One way to do this is to place your plugins in your own AppDomains. You can configure these AppDomains for limited security so that they cannot access resources in the main AppDomain. This complicates a lot, but will give you the sandbox you need.

An additional benefit that you get from hosting AppDomain is that you can upload and download these domains if you want to update plugins, and you can also protect your main AppDomain from crashes in your child domains.

Update

After watching the update. the capabilities of your plugin, AppDomains will not help if your plugin should have direct access to user interface elements, for example. access to the form to add controls. You cannot directly access the form across the AppDomain border or create controls in one AppDomain and then transfer them to another.

You can still consider placing plugins in another AppDomain, but you need to think about some kind of proxy mechanism so that actions, such as adding a control to the form, can be performed on behalf of the plugin, and not allow access to the form plugin directly. For example, you can pass a form builder object that had methods like AddButton . Then, the proxy server could perform these actions on behalf of the plugin in the main domain. This way you can provide a limited API for the plugin with the required events.

This approach is by no means trivial, but once you have mastered the basics, it is not too difficult.

Update 2

Things have moved since adding your own plugins using AppDomins that day. Support is currently supported in the .Net framework with 3.5 for plugins:

MAF - Managed by Addin Framework / System.Addin

It supports AppDomain isolation modes for plugins and has downloader plugins, etc. No need to download by yourself.

+4
source share

If you can run your plugins in your own AppDomains , this will certainly increase the level of isolation. It can also hurt to communicate with them, though. Without knowing more about what plugins should do, it's hard to see if this is appropriate.

+4
source share

So, to confirm your main problem:

... and therefore can access my application and its currently running forms / methods / controls, etc.

Before embarking on the complex and complex means of loading, isolating, and limiting these extensions, you should know a few things about Windows and the CLR. First, any in-box program can use multiple Windows APIs to enter code into your process. Once the code is loaded into your process, either by you or by the operating system, accessing the CLR runtime and loading assemblies and / or running code in an existing AppDomain is quite simple.

Knowing this, you must weigh and balance the efforts that you choose to limit the "expansion". If I build something like this, I will worry more about other things besides the malicious extension code that controls the state of my application. For example, these are things you can consider:

  • Downloading extensions approved by your user allows them to control what is allowed and allow them to cancel the extension later if necessary. Take a look at Office or VStudio as an example.
  • Ensure that these approved extensions are not fixed using the code signing requirement (strong names or code signing certificates).
  • Consider disabling the extension option for remote launch if it proves to be malicious.
  • Prove the well-appointed API so that developers can easily implement the desired behavior. If itโ€™s easy for them to use their interfaces to accomplish their task, they donโ€™t need to โ€œhackโ€.

Other than that, you really can't do much. As I said, anyone can attack your application even with the help of the aforementioned guards. Your main task is not to surprise your users. Thus, prudent care about what code your application runs in is recommended, but what these extensions do when your users give them access is not really something you can take full control of.

This does not mean that isolation of AppDomain will not give you value, it may be; however, IMHO, providing sufficient security without restricting their ability to function, will be difficult.

UPDATE

... but if you download a plugin in AppDomain that is configured with limited permissions, how can it use this vector?

Right, as I said in my final statements, you can restrict their access to unmanaged code inside the AppDomain. It also limits their ability to develop usable Windows. I expect most WinForms applications to use at least one PInvoke call or unmanaged COM control. This restriction may be acceptable, I really canโ€™t say without additional information about what functionality they are trying to provide.

All that I tried to say is that by installing and approving the extension, your users take responsibility for allowing this extension. What the extension is and how malicious it may be, is not your responsibility, assuming, of course, that you downloaded the correct code. That's why I recommend focusing your energy on running approved code, rather than worrying about what this code can do when it is in your process.

+1
source share

The best way to handle this is to open the plugin's documented API. If your plugins work with full trust, then even if you run the plugin in your own AppDomain, it can inject back into the application - then all that is needed is to make the wrapper available, and all the plugins return to the same state. started with. If your API allows plugins to provide the necessary functions in a simple, consistent and documented manner, then what plugin developers will use.

The following are the external user interfaces for WPF, Windows Forms, and Classic Spy ++ (all with source code).

0
source share

More articles:


All Articles