MSDN Magazine - August 2008 - (Page 18)

you keep one GC from suspending the other GC’s ize, or put into a standard format, the inputs and thread? Additionally, there is a problem with footsanitize the outputs of the Critical code to protect print: when you load multiple CLRs into a process the security of the system (see Figure 1). they each have to load code that may be common, The case for canonicalizing inputs to Critical code and they each have their own space for static variis a bit more self-evident than the case for sanitizing ables and managed heaps. outputs. For example, if my Web application wants There are some key scenarios that require the abilto write to a file on the local disk, it can do so usity to host CoreCLR side-by-side with the desktop ing Isolated Storage. However, you don’t want my runtime. If CoreCLR and the desktop CLR couldn’t application asking to write to a file named “..\..\..\..\ run next to each other, it would be impossible to write bootmgr,” so it’s important to make sure the input is a desktop Windows Forms or WPF app that hosts in a regular, canonical format. It’s a little more una Web Browser Control, which could navigate to a usual to think that the outputs of the Critical code Web page that uses Silverlight. To get around this are a security risk. The key security concept is that potential problem, we could have just had Silverlight controlling disclosure of information is of great importance in reducing the overall surface area depend on the CLR installed on your Windows mafor an attacker. Say I try to access some bit of user chine: every install of Windows XP SP2 and Wininformation on your system and get the response dows Vista® has a reasonably recent CLR installed with the OS. But having all Silverlight code run on Figure 1 Security Enforce- “permission denied.” When I repeat the same access CoreCLR guarantees absolute compatibility no mat- ment in the CoreCLR operation, but for a different user, I get the response ter which CLR you have installed on your machine “user Bob does not exist.” If I know that I get both (or in the case of Mac OS X, even if you don’t have any CLR on your responses I can repeatedly attempt invalid accesses to garner a list machine!) So we did the work to make CoreCLR run side-by-side of user names on the system. in process with the desktop CLR, and we think that users’ SilverA simplified security policy is a clear win for developers worklight experience will be much better for our efforts. ing in .NET code, but it also helps developers working on .NET code. We’ve tried to mark as little code Critical and SafeCritical The CoreCLR Security Model as necessary. Having most of our code be Transparent helps us to Another big change in the core engine has to do with the new decrease the amount of code that needs in-depth security reviews. security model. Note that .NET developers have traditionally used We still have to review our Transparent code for correctness and Code Access Security (CAS) to prevent untrusted code from per- security, but at least we know it can’t perform any privileged opforming privileged operations. CAS is very capable, but rather erations. Large pieces of Silverlight, including the Dynamic Lancomplicated. It allows the user or administrator to define various guage Runtime (DLR), are written entirely in Transparent code. sandboxes for code using permission sets and then map individual Limiting the privileged parts of Silverlight allows us to ship a more assemblies to those sandboxes. For Silverlight applications, we just secure product by focusing our attention on the areas that really need one sandbox that’s equivalent to the sandbox that Internet need careful review. Explorer® uses for running script in a Web page. This simplified scenario allowed us to remove all of the CAS policy. The Base Class Library The .NET Framework has evolved on the desktop to address both We also simplified the model of security enforcement. The new model is based on security transparency, a concept introduced in user and server scenarios. Therefore, there’s a lot of functionality the version 2.0 of the CLR. At the core of the transparency model in the Base Class Library (BCL) that doesn’t make sense in Web is a categorization of your code into one of three buckets: Trans- client scenarios. For example, because Silverlight doesn’t support parent, SafeCritical, or Critical code. Transparent, the lowest trust CAS, much of System.Security is not necessary. Many other classlevel for code, cannot elevate privilege or access sensitive resourc- es, like System.Console, don’t make sense on the Web. (Why, then, es or information on the computer. In Silverlight 2, all application do we include a stripped-down System.Console class? It helps us code is Transparent. Critical code, the most trusted level of code, test the product.) can interact with the system through P/Invokes or even contain We had the same goal with the libraries that we had with the unverifiable code. For Silverlight 2, all Critical code must be part of core engine: to pare down to the smallest set of functionality that the Silverlight platform. SafeCritical code, then, acts as the bridge would enable .NET developers to be successful without having to that allows Transparent code to access system resources by calling learn an entirely new technology. We garnered some inspiration Critical code. Think of Critical code as the kernel APIs of Windows, and guidance from the .NET Compact Framework, which had Transparent code as user-application code, and SafeCritical code dealt with the same problem applied to a different scenario. While as the API between user code and kernel code. trimming the BCL for Silverlight we also maintained compatibility Transparent code can only call other Transparent or SafeCritical between the .NET Compact Framework and Silverlight. Sharing a code. SafeCritical code can then call Critical code on behalf of the single library between all the platforms in this way maximizes the user code. It’s the responsibility of SafeCritical code to canonical- reusability of .NET skills. 18 msdn magazine CLR Inside out

Table of Contents Feed for the Digital Edition of MSDN Magazine - August 2008

MSDN Magazine - August 2008 Toolbox CLR Inside Out Basic Instincts Cutting Edge Patterns in Practice Data 2.0 - Expose And Consume Data In A Web Services World Biztalk EDI - Build A Robust EDI Solution With BizTalk Server Silverlight - Create Animations With XAML And Expression Blend Write On! - Create Web Apps You Can Draw On With Silverlight 2 Wicked Code - Craft Custom Controls For Silverlight 2 Team System Foundations Windows With C++ Concurrent Affairs Going Places { End Bracket }

MSDN Magazine - August 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.