Loads of times we come across third-party components (free or paid subscription), use them, and deploy them at the client's site (all right, I know you would test it, but what if...). Then a spammer or hacker identifies a vulnerability in the third-party component and starts an attack. Now the client is at your throat, since, as the client understands it, it is your application that let the hacker in and not the third party.
To overcome this risk, Microsoft provides AppDomain in .NET (read the SDK for more info). Here, I'll show you how you can run a third-party component with limited privileges. Before that, you need to understand the classes mentioned below.
I won't explain all the classes, constructors or enums, since loads of documents are already available, but explanations will be given wherever required.
System.Security.Policy.Evidence: Evidence is the information that the runtime gathers to identify the code group that an assembly belongs to. Please refer to the constructor of the Evidence class. More can be found at http://msdn2.microsoft.com/en-us/library/system.security.policy.evidence.aspx
AppDomainSetup: Used to provide configuration information to an AppDomain.
System.Security.SecurityZone: Defines the zone in which the assembly will run. Below are the zones and their explanations:
Internet: runs with minimal rights
Intranet: runs under the local intranet security zone
MyComputer: maximum privileges in this zone
NoZone: you know it
Trusted: assembly is from a trusted zone
Untrusted: assembly is from an untrusted zone, meaning location/site
I guess that's enough blah blah, let's get coding.
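using System;
using System.Security;
using System.Security.Policy;

// The statements below go inside Main().
// Configure the new domain to resolve assemblies from the current directory.
AppDomainSetup setup = new AppDomainSetup();
setup.ApplicationBase = "file://" + Environment.CurrentDirectory;
// Zone evidence places the new domain in the Internet zone (minimal rights).
object[] evidence = { new Zone(SecurityZone.Internet) };
Evidence evidence1 = new Evidence(evidence, null);
AppDomain domain = AppDomain.CreateDomain("Test Domain", evidence1, setup);
// LocalAccess must derive from MarshalByRefObject so that ReadFile()
// executes inside the new domain and not in the caller's domain.
ClassLibrary1.LocalAccess la = (ClassLibrary1.LocalAccess)
    domain.CreateInstanceAndUnwrap(typeof(ClassLibrary1.LocalAccess).Assembly.FullName,
        typeof(ClassLibrary1.LocalAccess).FullName);
Console.Write(la.ReadFile());
// Print both domain IDs to show that two separate AppDomains exist.
Console.WriteLine(domain.Id.ToString());
Console.WriteLine(AppDomain.CurrentDomain.Id.ToString());
Console.ReadLine();
ClassLibrary1.LocalAccess is a class that just reads some information from a file located on the C: drive.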
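The same idea with the grant set passed explicitly, as an added example that is not code from the original post: it assumes .NET Framework 4 or later, where CAS policy is disabled by default, and derives the permission set from the Internet zone evidence before handing it to AppDomain.CreateDomain. The LocalAccess class here is a hypothetical stand-in for the third-party component, and the file path is constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Policy;

// Hypothetical stand-in for the third-party class. Deriving from
// MarshalByRefObject gives the caller a proxy, so ReadFile runs in the sandbox.
public class LocalAccess : MarshalByRefObject
{
    public string ReadFile(string path)
    {
        return File.ReadAllText(path);   // demands FileIOPermission
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample file that the sandboxed code will try to read.
        string path = Path.Combine(Path.GetTempPath(), "sandbox-demo.txt");
        File.WriteAllText(path, "secret");

        // Zone evidence -> the standard grant set for that zone.
        Evidence evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
        PermissionSet grant = SecurityManager.GetStandardSandbox(evidence);

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // No assemblies are listed as fully trusted inside the sandbox.
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant);
        try
        {
            LocalAccess la = (LocalAccess)sandbox.CreateInstanceAndUnwrap(
                typeof(LocalAccess).Assembly.FullName, typeof(LocalAccess).FullName);
            Console.WriteLine(la.ReadFile(path));
        }
        catch (SecurityException ex)
        {
            // Expected: the Internet grant set has no FileIOPermission for this path.
            Console.WriteLine("Blocked by sandbox: " + ex.Message);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

The SecurityException is raised inside the sandbox domain and marshaled back to the caller, so the host can log the denied access and continue.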