
Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

The MSDN Magazine site just put up my article, Do You Trust It? Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0, as a preview of their November security issue. In the article I cover various techniques for safely hosting add-ins which may or may not be trusted, starting from the basic Assembly.Load technique and moving on to sandboxing, transparency, and AppDomainManagers. I'd say it's worth a read, but then I might be a little biased as well :-)

This issue also features an article by Mike Downen covering the various enhancements to CLR security in v2.0.

November 2005 MSDN Cover

Published Monday, September 26, 2005 8:38 AM by shawnfa

Comments

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Tuesday, October 04, 2005 7:01 PM by Eric Marthinsen
Shawn-

Great article. Do you have a complete set of sample code?

Regards-
Eric

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Thursday, October 13, 2005 6:17 PM by Eric Marthinsen
Hello-

Do you have a complete sample solution that describes your techniques? It would be great to see how everything fits together.

Regards-
Eric

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Friday, November 04, 2005 7:48 PM by shawnfa
Releasing a sample here is a great idea -- I'll look into doing that.

Glad you liked the article!

-Shawn

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Wednesday, February 15, 2006 5:20 PM by Alex
Shawn,
Great article. Thank you.
One thing keeps bothering me. Where would you define IAddIn interface in the case of separating addins by subdirectories? The assembly where interface is defined has to be present in each add-in directory, right?
So, as Eric noticed it would be nice to have a sample code.

Thanks,
Alex

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Wednesday, February 22, 2006 12:28 PM by shawnfa
A simple sample is definitely a todo item :-)

In the subdirectory case, you might want to consider putting IAddIn in the GAC.

-Shawn

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Wednesday, April 26, 2006 2:17 PM by Yishai
I am trying to convert a 1.1 sandboxing application to use the techniques in this article for 2.0.  The existing application uses AppDomain.ExecuteAssembly to call the client code in the sandbox AppDomain, but this doesn't seem to work with the 2.0 simple sandboxing API.  I get a security exception for the demand of a FileIOPermission to read the file containing the client assembly.  I tried giving MyComputer zone in the top-of-stack evidence parameter to CreateDomain, while the grant set corresponds to the Internet zone, but that didn't help.  (The code that calls ExecuteAssembly has full trust.)  It seems like the 2.0 Framework is changing the grant set in the new AppDomain before loading the client assembly.  Does this mean I can't use ExecuteAssembly to load client code in a sandbox?

Thanks,
Yishai

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Thursday, April 27, 2006 2:51 PM by shawnfa
Funny you should mention it, this is the next topic on my todo list on the whiteboard. I'll probably do a full write up on Monday, but basically you should make sure the AppBase of the domain points to the location of the EXE you're trying to run and use ExecuteAssemblyByName instead of ExecuteAssembly.

-Shawn

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Sunday, April 30, 2006 7:56 AM by Yishai
Thanks a lot, great tip.  It now works, except that I had to add an unrestricted UIPermission to the grant set.  This is not a problem for this particular application, but could be for others.  Is there a way around this?

-- Yishai

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Monday, May 01, 2006 12:20 PM by shawnfa
Hi Yishai,

Console applications require unrestricted UI permission in v2.0 of the CLR (http://blogs.msdn.com/shawnfa/archive/2005/06/06/425804.aspx).  I'd bet that this is the problem you're running into.

-Shawn
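The three points raised in this thread (a shared IAddIn contract assembly that every per-add-in subdirectory can resolve, setting the sandbox AppBase to the add-in's directory and running the EXE with ExecuteAssemblyByName rather than ExecuteAssembly, and the unrestricted UIPermission that v2.0 console applications demand) fit together in one host. The following is an added example written for this page, not sample code from the article or from Shawn; the IAddIn interface, the directory layout and the method names are assumptions. It targets the .NET Framework 2.0 simple sandboxing API, where SecurityManager.ResolvePolicy resolves the Internet zone's grant set (later framework versions replace that call with SecurityManager.GetStandardSandbox).

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical contract assembly. It must be resolvable from inside every sandbox
// domain, whose AppBase is the add-in's own directory, so it cannot live only next
// to the host EXE: install it into the GAC (as suggested in the thread) or copy it
// into each add-in directory.
public interface IAddIn
{
    string Run(string input);
}

public static class SandboxHost
{
    // Creates an AppDomain whose grant set is the Internet zone's permission set and
    // whose AppBase is the add-in directory, so assemblies there resolve by name.
    public static AppDomain CreateSandbox(string addInDirectory, bool needsConsole)
    {
        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = Path.GetFullPath(addInDirectory);

        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(SecurityZone.Internet));
        // .NET 2.0: ask security policy what Internet-zone code is granted.
        PermissionSet grantSet = SecurityManager.ResolvePolicy(evidence);

        if (needsConsole)
        {
            // v2.0 console applications demand unrestricted UIPermission at startup,
            // so a console add-in cannot start without it. This widens the sandbox;
            // grant it only to add-ins that really are console EXEs.
            grantSet.AddPermission(new UIPermission(PermissionState.Unrestricted));
        }

        // Fourth argument is the sandbox grant set; no full-trust assemblies are listed.
        return AppDomain.CreateDomain("AddInSandbox", evidence, setup, grantSet);
    }

    // Runs an untrusted console EXE inside a sandbox. The assembly is located by
    // name relative to the AppBase: ExecuteAssembly(path) would demand a
    // FileIOPermission for the path, which the Internet-zone grant set lacks.
    public static int RunAddInExe(string exePath)
    {
        exePath = Path.GetFullPath(exePath);
        AppDomain sandbox = CreateSandbox(Path.GetDirectoryName(exePath), true);
        try
        {
            // Reading the manifest happens here in the full-trust host domain.
            AssemblyName name = AssemblyName.GetAssemblyName(exePath);
            return sandbox.ExecuteAssemblyByName(name.FullName);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }

    // Loads an IAddIn implementation from its own subdirectory and calls it through
    // a cross-domain proxy. The add-in type must derive from MarshalByRefObject so
    // that the host only ever holds a proxy and the untrusted code stays in the sandbox.
    public static string RunAddInObject(string addInDirectory, string assemblyName,
                                        string typeName, string input)
    {
        AppDomain sandbox = CreateSandbox(addInDirectory, false);
        try
        {
            IAddIn addIn = (IAddIn)sandbox.CreateInstanceAndUnwrap(assemblyName, typeName);
            return addIn.Run(input);
        }
        catch (SecurityException e)
        {
            // The add-in attempted something outside its grant set; report, do not widen.
            return "add-in denied: " + e.Message;
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Usage follows the per-add-in layout the thread discusses: RunAddInObject(@"AddIns\Alpha", "Alpha", "Alpha.MainAddIn", "hello") loads Alpha.dll from its own subdirectory, while RunAddInExe(@"AddIns\Beta\Beta.exe") runs a console add-in with the extra UIPermission. Each add-in gets its own domain, so unloading it discards everything it loaded.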

# re: Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

Thursday, January 04, 2007 8:55 AM by leng

In the MSDN article you mention to use a separate AppDomain (c.q. application base), either one for all add-ins or one per add-in. Is there an upper limit for the number of AppDomains that can be created per process and/or system? How many AppDomains are typically running on a system?
