Search Results

Search found 4156 results on 167 pages for 'assembly emit'.

Page 24/167 | < Previous Page | 20 21 22 23 24 25 26 27 28 29 30 31  | Next Page >

  • .NET Security Part 4

    - by Simon Cooper
    Finally, in this series, I am going to cover some of the security issues that can trip you up when using sandboxed appdomains. DISCLAIMER: I am not a security expert, and this is by no means an exhaustive list. If you actually are writing security-critical code, then get a proper security audit of your code by a professional. The examples below are just illustrations of the sort of things that can go wrong. 1. AppDomainSetup.ApplicationBase The most obvious one is the issue covered in the MSDN documentation on creating a sandbox, in step 3 – the sandboxed appdomain has the same ApplicationBase as the controlling appdomain. So let’s explore what happens when they are the same, and an exception is thrown. In the sandboxed assembly, Sandboxed.dll (IPlugin is an interface in a partially-trusted assembly, with a single MethodToDoThings on it): public class UntrustedPlugin : MarshalByRefObject, IPlugin { // implements IPlugin.MethodToDoThings() public void MethodToDoThings() { throw new EvilException(); } } [Serializable] internal class EvilException : Exception { public override string ToString() { // show we have read access to C:\Windows // read the first 5 directories Console.WriteLine("Pwned! Mwuahahah!"); foreach (var d in Directory.EnumerateDirectories(@"C:\Windows").Take(5)) { Console.WriteLine(d.FullName); } return base.ToString(); } } And in the controlling assembly: // what can possibly go wrong? AppDomainSetup appDomainSetup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase } // only grant permissions to execute // and to read the application base, nothing else PermissionSet restrictedPerms = new PermissionSet(PermissionState.None); restrictedPerms.AddPermission( new SecurityPermission(SecurityPermissionFlag.Execution)); restrictedPerms.AddPermission( new FileIOPermission(FileIOPermissionAccess.Read, appDomainSetup.ApplicationBase); restrictedPerms.AddPermission( new FileIOPermission(FileIOPermissionAccess.pathDiscovery, appDomainSetup.ApplicationBase); // create the sandbox AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, appDomainSetup, restrictedPerms); // execute UntrustedPlugin in the sandbox // don't crash the application if the sandbox throws an exception IPlugin o = (IPlugin)sandbox.CreateInstanceFromAndUnwrap("Sandboxed.dll", "UntrustedPlugin"); try { o.MethodToDoThings() } catch (Exception e) { Console.WriteLine(e.ToString()); } And the result? Oops. We’ve allowed a class that should be sandboxed to execute code with fully-trusted permissions! How did this happen? Well, the key is the exact meaning of the ApplicationBase property: The application base directory is where the assembly manager begins probing for assemblies. When EvilException is thrown, it propagates from the sandboxed appdomain into the controlling assembly’s appdomain (as it’s marked as Serializable). When the exception is deserialized, the CLR finds and loads the sandboxed dll into the fully-trusted appdomain. Since the controlling appdomain’s ApplicationBase directory contains the sandboxed assembly, the CLR finds and loads the assembly into a full-trust appdomain, and the evil code is executed. So the problem isn’t exactly that the sandboxed appdomain’s ApplicationBase is the same as the controlling appdomain’s, it’s that the sandboxed dll was in such a place that the controlling appdomain could find it as part of the standard assembly resolution mechanism. The sandbox then forced the assembly to load in the controlling appdomain by throwing a serializable exception that propagated outside the sandbox. The easiest fix for this is to keep the sandbox ApplicationBase well away from the ApplicationBase of the controlling appdomain, and don’t allow the sandbox permissions to access the controlling appdomain’s ApplicationBase directory. If you do this, then the sandboxed assembly can’t be accidentally loaded into the fully-trusted appdomain, and the code can’t be executed. If the plugin does try to induce the controlling appdomain to load an assembly it shouldn’t, a SerializationException will be thrown when it tries to load the assembly to deserialize the exception, and no damage will be done. 2. Loading the sandboxed dll into the application appdomain As an extension of the previous point, you shouldn’t directly reference types or methods in the sandboxed dll from your application code. That loads the assembly into the fully-trusted appdomain, and from there code in the assembly could be executed. Instead, pull out methods you want the sandboxed dll to have into an interface or class in a partially-trusted assembly you control, and execute methods via that instead (similar to the example above with the IPlugin interface). If you need to have a look at the assembly before executing it in the sandbox, either examine the assembly using reflection from within the sandbox, or load the assembly into the Reflection-only context in the application’s appdomain. The code in assemblies in the reflection-only context can’t be executed, it can only be reflected upon, thus protecting your appdomain from malicious code. 3. Incorrectly asserting permissions You should only assert permissions when you are absolutely sure they’re safe. For example, this method allows a caller read-access to any file they call this method with, including your documents, any network shares, the C:\Windows directory, etc: [SecuritySafeCritical] public static string GetFileText(string filePath) { new FileIOPermission(FileIOPermissionAccess.Read, filePath).Assert(); return File.ReadAllText(filePath); } Be careful when asserting permissions, and ensure you’re not providing a loophole sandboxed dlls can use to gain access to things they shouldn’t be able to. Conclusion Hopefully, that’s given you an idea of some of the ways it’s possible to get past the .NET security system. As I said before, this post is not exhaustive, and you certainly shouldn’t base any security-critical applications on the contents of this blog post. What this series should help with is understanding the possibilities of the security system, and what all the security attributes and classes mean and what they are used for, if you were to use the security system in the future.

    Read the article

  • "Unverifiable code failed policy check" for a closed source assembly

    - by Jason
    I'm attempting to dynamically load some (purchased) assemblies from resource streams in a C# program during an MSI installation routine, but I'm getting "Unverifiable code failed policy check". I read some tips online about compiling the embedded assembly with /clr:safe, but I don't have that option. Is there a way to work around this policy check? Thanks.

    Read the article

  • nservicebus compiler error "reference required to assembly nServicebus" in vb.net programs

    - by mgcain
    I downloaded the nServicebus binaries as of May 17th and have two different vb.net projects (one in .net 3.5, the other in .net 4.0) that both have the error "Reference to Assembly nServicebus, Version 2.0.0.1145, culture=neutral, PublicKeyToken=9fc386479f8a226c containing the type NServicebus.IStartable. Add one to your project. I have in the references already nServicebus.dll, nservicebus.Core.dll, and log4net.dll

    Read the article

  • Could not load Assembly 'Microsoft.Office.Server.Search'

    - by Hitesh Wadekar
    Hi I have got following error: "Could not load file or assembly 'Microsoft.Office.Server.Search, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' or one of its dependencies. An attempt was made to load a program with an incorrect format." Does anybody know solution for this? or Does anybody gonn through this error? Any input greatly appretiated?

    Read the article

  • Embed pdb into assembly

    - by Konstantin
    Hi! I want my application to be distributable as a single .exe file but I want to be able to get nice error reports with source code line numbers (the application simply sends email with exception.ToString() and some additional information when unhandled exception occurs). Is there any way to embed .pdb into assembly?

    Read the article

  • Ndepend CQL to query types out of assembly wildcard

    - by icelava
    In order to determine what low-level framework types a web application is directly using, one has to define each and every assembly involved. SELECT TYPES FROM ASSEMBLIES "Company.System.Framework", "Company.System.Framework.ReferenceLookup", "Company.System.Framework.Web", "Company.System.Framework.Security", "Company.System.Framework.Logging", "Company.System.Framework.DMS" WHERE IsDirectlyUsedBy "WebAssembly" I cannot find any syntax to wildcard the list of assemblies. Is there no way to shortcut this? We have a lot of framework level assemblies. i.e. Company.System.Framework.*

    Read the article

  • Use the same log4net assembly in .NET and Mono

    - by vtortola
    Hi, I've downloaded log4net, but I've realised that there are different assemblies for .NET and Mono. Is possible to use the same assembly for .NET and Mono? I wouldn't like to have to recompile the application or change the file manually, is there a way to add one or add the two and put a condition somewhere? Cheers.

    Read the article

  • Using [assembly: System.Runtime.CompilerServices.InternalsVisibleTo("System.Windows")] To expose Int

    - by Anthony
    Ok so I had a qustion awhile back regarding Silverlight 4 Data Binding with anonymous types, one of the answers was to use [assembly: System.Runtime.CompilerServices.InternalsVisibleTo("System.Windows")] in your AssemblyInfo.cs file. I tried this and it works! I know I'm making all my internal properties classes and methods visible to the System.Windows Assembley. But what kind of risk is this with the following in mind: The product is a hosted silverlight based web application, so it wont be distributed. Thanks in advance

    Read the article

  • Error: Cannot find .net assembly during FxCop analysis

    - by Draco
    I'm running FxCop from MSBuild and during the analysis it throws an error stating that it could not find the System.XML assembly and that I need to specify the location using the /directory parameter, which I then did but it didn't work. Any idea what I should do? I am running it on projects built on .Net 4.0

    Read the article

  • missing a using directive or an assembly reference

    - by cire1507
    I'm in the process of writing a small asp.net mvc application that is using the northwind.mdf. When building the solution I get this error: Error 1 The type or namespace name 'Order' could not be found (are you missing a using directive or an assembly reference?) Order is a table in the northwind database. any help is most appreciated.

    Read the article

  • assembly is not loading in setup Project.

    - by Pankaj Mishra
    I have window service an i want to install this in into my local system. But when I am trying to make setup file that time i have added Project output and it adds two dll file automatically. and error comes when i build that project setup. i Google lot of time and try lot of ideas then i got problem that Assembly is not loading. how can i resolve that problem. Please help me for this.

    Read the article

  • Maven assembly plugin and adding system dependencies to the classpath

    - by NG
    Hi, I have some dependencies which I am providing myself. The jars are in the resources directory. In my pom they are scoped as system and I include the path to them. However, when I jar things up using the assembly plugin and use <addClasspath>true</addClasspath> It doesn't add the path of the system jars. How can I get them to be included automatically? Thanks

    Read the article

  • How to safely store encryption key in a .NET assembly

    - by Alex
    In order to prevent somebody from grabbing my data easily, I cache data from my service as encrypted files (copy protection, basically). However, in order to do this, I must store the encryption key within the .NET assembly so it is able to encrypt and decrypt these files. Being aware of tools like Red Gate's .NET Reflector which can pull my key right out, I get a feeling that this is not a very safe way of doing it... are there any best practices to doing this?

    Read the article

  • add assembly reference dialog

    - by codymanix
    Is there a way to use visual studio's "add assembly reference dialog" (or something similar) in my own application? I need it for dynamic code generation and compilation. This is not simply an OpenFileDialog, since it additionally looks into the GAC and so on, so it will be very complicated to do it on my own, I think. If this is not possible, how can I get a list of all assemblies from the GAC?

    Read the article

  • Issues loading IronRuby.Rack assembly

    - by Johnsonch
    I'm trying to get IronRuby on Rails running with iis7 server 2k8 and can only get as far as it cannot load the assembly 'IronRuby.Rack' (Screen Shot: http://grab.by/3VZm) has anyone gotten this working? Any tips you can give me? Thanks, -CJ

    Read the article

  • Validate Strong Name of Running Assembly

    - by Kyle Rozendo
    Is it possible for one to check the strong name of a .NET application that is already currently running separately from your own running applications process? EDIT: For clarification, a solution that does not require a hard coded path to the executing assembly would be the most ideal solution. EDIT #2: Is there any way to do this without using reflection?

    Read the article

< Previous Page | 20 21 22 23 24 25 26 27 28 29 30 31  | Next Page >