The Simple Sandboxing API

A Closer Look at the Simple Sandboxed AppDomain

.Net Security Blog — Tue, 09 Aug 2005 22:02:30 GMT

Yesterday we took a look at Whidbey's new Simple Sandboxing API.&nbsp; At first glance this API does...

re: The Simple Sandboxing API

mihailik — Wed, 10 Aug 2005 10:35:55 GMT

Hmm, it seems this API introduces huge secuirty flaw.

Every assembly loaded in such AppDomain will have at least 'grantSet' permissions. They have no option to restrict execution of some code group.

Right scenario to use this API is keeping 'grantSet' restrictive. But dumb developer can do it wrong. It is possible malicious code come into and get many privileges in this AppDomain.

re: The Simple Sandboxing API

shawnfa — Wed, 10 Aug 2005 20:29:16 GMT

This API makes it easier for an application to sandbox code. Previously, the app developer had to deal with setting up an entire policy tree, which is much more difficult to get correct. This way, he just says what he wants the sandboxed code to get.

A developer misusing the API is not a security hole.

-Shawn

re: The Simple Sandboxing API

Keith Brown — Sat, 20 Aug 2005 20:42:15 GMT

This is great, Shawn. As for mihailik's concern, I assume the creator's assembly must either be fully trusted or have something like ControlPolicy+ControlEvidence, pretty much the equivalent of full trust anyway?

re: The Simple Sandboxing API

shawnfa — Tue, 23 Aug 2005 00:11:17 GMT

Absolutely -- to call this API you need to have ControlAppDomain.

-Shawn

Securing AppDomain Data

.Net Security Blog — Tue, 23 Aug 2005 00:49:46 GMT

While we're on the topic of AppDomains ...
One feature of AppDomains that many people don't know about...

What's New in Security for v2.0

.Net Security Blog — Wed, 24 Aug 2005 17:46:48 GMT

There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.&nbsp; However,...

What's New in Security for v2.0

.Net Security Blog — Thu, 01 Sep 2005 00:08:38 GMT

There's a ton of new and enhanced security features coming with the v2.0 release of the CLR.&nbsp; However,...

re: The Simple Sandboxing API

Michael — Wed, 07 Jun 2006 14:06:00 GMT

An assembly will be fully trusted if it meets one of two conditions, if neither of these conditions are met it receives grantSet:

- The assembly is in the GAC
- It is strongly named and its strong name should match one of the names passed in through the fullTrustAssemblies parameter.

Arrrgghh...
Is there any way to disable that "The Assembly is in the GAC" ? I'm looking for a way to sandbox a third party assembly which installs in the GAC by default, is there a (simple) way to do this ?

re: The Simple Sandboxing API

shawnfa — Wed, 07 Jun 2006 18:24:46 GMT

Hi Michael,

There is no way to sandbox a GACed assembly. When an administrator installs an assembly into the GAC they are effectively making a decision to include that assembly as part of the platform that all code on the machine can build upon. Because of that, the CLR will always treat everything from the GAC as FullTrust (and in fact give it other special treatment, like not verifying its strong name every time its loaded).

Since any code, even code running from an untrusted web site, can access everything in the GAC, having something that needs to be sandboxed living in the GAC doesn't make much sense ... your host is not going to be around to sandbox it in all cases, so it's inherently unsafe to have it in the GAC if you don't trust it.

-Shawn