Geek Answers Handbook

Implement IPermission to protect user access to code

I'm currently trying to create a secure code access solution for our project.

Therefore, I created the CustomPermissionAttribute attribute, which should be used as shown:

[CustomPermissionAttribute(SecurityAction.Demand, Permission="PermMethodABC")] public void MethodABC() { }

The CreatePermission() method of the Attribute creates and returns a new instance of CustomPermission.

The Demand method of the CustomPermission class should check the protection against my custom IPrincipial implementation in Thread.Current.CurrentPrincipial:

 public sealed class CustomPermission : IPermission { private string _RequiredPermission; ... public void Demand() { ICustomPrincipial _pr = Thread.Current.CurrentPrincipial as ICustomPrincipial; if (_pr == null) throw... if (!_pr.HasPermission(_RequiredPermission)) throw... } } public interface ICustomPrincipial : IPrincipial { bool HasPermission(string RequiredPermission); }

All of the above is in signed assembly A. "

Unsigned assembly B contains the following CustomPrincipial implementation, which implements ICustomPrincipial assembly A:

 public sealed class CustomPrincipial : ICustomPrincipial { User _User; ... public bool HasPermission(string RequiredPermission) { if (_User has permission defined with "PermMethodABC") ... return true/false; } ... }

(Now Assembly A should know something about the user type. If I placed the CustomPrincipial class in Assembly A, then all assemblies with custom material should also be signed ... otherwise I cannot compile assembly A)

When the application starts, a new instance of CustomPrincipial is assigned to Thread.Current.CurrentPrincipial.

Two questions:

  • Can problems caused by the ICustomPermission public interface in Assembly A be safe?

  • Is it absolutely necessary to fully implement all members of IPermission? Especially in ToXML and FromXML methods ... The CreatePermission () method still runs every time I run MethodABC () at runtime.

EDIT: ad 1: I think of the following situation: "Assembly C" contains MethodXY, which is protected by the CustomPermissionAttribute attribute. To gain access to this protected method, an attacker could create a new application, links to Assembly A and Assembly C, and could make his own implementation of the public interface ICustomPrincipial Assembly A (-> HasPermission (), which returns true all the time). He could assign an instance of his implementation to his own Thread.Current.CurrentPrincipial. If the Assembly A Demand () method checks Thread.Current.CurrentPrincipial, an attacker could gain access to MethodXY. This may be a possible situation ..!?

+4
source share
1 answer

Can problems caused by the ICustomPermission public interface in Assembly A be safe?

Assuming you are careful about your permissions, Thread.Current.CurrentPrincipal should be read-only for most other programs, making it impossible to bypass. (At least a quick glance at the MSDN page)

However, as with any security issue, it is best to check yourself. Try writing code that works in your environment and implements your own way to bypass CurrentPrincipal .

Is it necessary to fully implement all members of IPermission? Especially in ToXML and FromXML methods ... The CreatePermission () method still runs every time I access MethodABC () at runtime.

There is an example on the msdn page of the full implementation, it doesnโ€™t look too nasty, and it would guarantee that you no longer have problems due to NotImplementedException .

However, I have not experimented enough with IPermission to find out which methods are called during normal operations.

EDIT: This is more of a comment, but a bit long.

One of the important things to keep in mind is that if part of the code has permissions to change the principal, you cannot do this to stop it from bypassing any of your permissions. SecurityPermissionFlag.ControlPrincipal is a permission that sets the requirements of CurrentPrincipal . I believe that if you do not use a tool such as Caspol.exe, any executable by default will work under full trust.

To summarize, by default, the .NET platform assumes that user code is fully trusted until it is said otherwise. If you invoke code that you donโ€™t trust, there are mechanisms to ensure that the code works with lower security credentials, or if you have an executable file that you donโ€™t trust, you can lower its security credentials. However, any computer administrator has more than enough power to circumvent any secure code protection that you implement (as you commented out with an IPrincipal override).

If this does not explain well enough, let me know and I can add more details.

+1
source

More articles:


All Articles