MSDN Magazine - October 2008 - (Page 17)

Andrew dAI CLR InsIde Out Security In Silverlight 2 In the August 2008 MSDN Magazine CLR Inside Out column, Andrew Pardoe gave a brief description of the CoreCLR security model. He described why we chose not to use code access security (CAS) policy in Silverlight and the difference between Transparent, SafeCritical, and Critical code. In this installment I’ll go into more detail about how the Transparency model was born, how it works in Silverlight, and what you can expect to see from it in the future. Permissions and Sandboxing Untrusted Code Before I dive into the Transparency model, it helps to have some background on CLR security within the full Microsoft .NET Framework. The CLR provides mechanisms for determining what abilities or rights, represented by permissions, code has based on evidence from the code—the location from which the code is running, the signature of the code if one exists, and so forth. This ensures that code coming from an untrusted location, such as the Internet, doesn’t have the same privileges as code coming from a trusted location, such as the local machine’s Program Files folder. The CLR runs each managed application in its own application domain. The preferred mechanism to run code safely from untrusted locations is to run it in a sandboxed application domain. The code running in these domains is restricted to the rights of the sandbox—an environment with limited permissions appropriate for partially trusted code. In general, sandboxed application domains separate code into two groups—full trust and partial trust. I’ll go into more detail as to the purpose of these two groups and how the distinction is drawn later in this section. To make this separation easier to implement and use, we introduced what we call the simple sandboxing APIs in the .NET Framework 2.0, which create each application domain with a given permission set for its sandbox and a list of fully trusted assemblies that are not in the Global Assembly Cache (GAC), as all assemblies in the GAC are already fully trusted. Anything loaded into this application domain that is not on the full-trust assemblies list would get the permissions of the sandbox’s granted set. In the case of the application running from the Internet, this would be the built-in we developed Transparency to create a strong isolation boundary between privileged and unprivileged code. Internet permission set. Shawn Farkas, a Software Design Engineer on the CLR security team, has an excellent blog post on how to use this API at go.microsoft.com/fwlink/?LinkId=124952. With this model, a host (for example, a browser plug-in) would create an application domain for each application running under it—these would load as partially trusted and get the sandbox’s permission set. The host may also want to (safely) wrap some full-trust managed or native functions and provide them to its hosted applications in the form of libraries—these library assemblies would be on the full-trust assembly list. For example, file system access is a privileged operation, but saving information locally is useful and can be safe if done correctly (fixed location, never executed, and so on). Safely exposing this functionality, though, can be challenging. The Transparency Model The Transparency model is not actually new to CoreCLR (the Silverlight version of the CLR)—it’s been around since the .NET Framework 2.0. It was initially introduced to address the issue of the growing number of framework libraries exposing services to partially trusted code and the internal security audits they were incurring within the .NET Framework teams. Libraries with the AllowPartiallyTrustedCallers (APTCA) attribute expose fulltrust services to partially trusted code—something potentially dangerous that requires proper security checks on the part of the APTCA library. Prior to the introduction of Transparency, entire APTCA assemblies were subject to code audits. This was extremely expensive, especially considering that much of the library could be calling a common privileged function but otherwise be completely safe. We developed Transparency with the intention of creating a strong isolation boundary between privileged and unprivileged code. In this model, there are two kinds of code—Transparent and Critical. Transparent code is subject to the following restrictions: • Cannot assert permissions or elevate. Send your questions and comments to clrinout@microsoft.com. October 2008 17 http://go.microsoft.com/fwlink/?LinkId=124952 Table of Contents for the Digital Edition of MSDN Magazine - October 2008MSDN Magazine - October 2008ContentsToolboxCLR Inside OutBasic InstinctsCutting EdgePatterns In PracticeService StationParadigm ShiftCoding ToolsConcurrency HazardsAsp.net AJAX 4.0Easy AsyncFoundationsWindows With C++Going Places.NET Matters{ End Bracket }MSDN Magazine - October 2008MSDN Magazine - October 2008 - (Page Intro)MSDN Magazine - October 2008 - Contents (Page Cover1)MSDN Magazine - October 2008 - Contents (Page Cover2)MSDN Magazine - October 2008 - Contents (Page 1)MSDN Magazine - October 2008 - Contents (Page 2)MSDN Magazine - October 2008 - Contents (Page 3)MSDN Magazine - October 2008 - Contents (Page 4)MSDN Magazine - October 2008 - Contents (Page 5)MSDN Magazine - October 2008 - Contents (Page 6)MSDN Magazine - October 2008 - Contents (Page 7)MSDN Magazine - October 2008 - Contents (Page 8)MSDN Magazine - October 2008 - Contents (Page 9)MSDN Magazine - October 2008 - Contents (Page 10)MSDN Magazine - October 2008 - Toolbox (Page 11)MSDN Magazine - October 2008 - Toolbox (Page 12)MSDN Magazine - October 2008 - Toolbox (Page 13)MSDN Magazine - October 2008 - Toolbox (Page 14)MSDN Magazine - October 2008 - Toolbox (Page 15)MSDN Magazine - October 2008 - Toolbox (Page 16)MSDN Magazine - October 2008 - CLR Inside Out (Page 17)MSDN Magazine - October 2008 - CLR Inside Out (Page 18)MSDN Magazine - October 2008 - CLR Inside Out (Page 19)MSDN Magazine - October 2008 - CLR Inside Out (Page 20)MSDN Magazine - October 2008 - CLR Inside Out (Page 21)MSDN Magazine - October 2008 - CLR Inside Out (Page 22)MSDN Magazine - October 2008 - Basic Instincts (Page 23)MSDN Magazine - October 2008 - Basic Instincts (Page 24)MSDN Magazine - October 2008 - Basic Instincts (Page 25)MSDN Magazine - October 2008 - Basic Instincts (Page 26)MSDN Magazine - October 2008 - Basic Instincts (Page 27)MSDN Magazine - October 2008 - Basic Instincts (Page 28)MSDN Magazine - October 2008 - Basic Instincts (Page 29)MSDN Magazine - October 2008 - Basic Instincts (Page 30)MSDN Magazine - October 2008 - Basic Instincts (Page 31)MSDN Magazine - October 2008 - Basic Instincts (Page 32)MSDN Magazine - October 2008 - Cutting Edge (Page 33)MSDN Magazine - October 2008 - Cutting Edge (Page 34)MSDN Magazine - October 2008 - Cutting Edge (Page 35)MSDN Magazine - October 2008 - Cutting Edge (Page 36)MSDN Magazine - October 2008 - Cutting Edge (Page 37)MSDN Magazine - October 2008 - Cutting Edge (Page 38)MSDN Magazine - October 2008 - Cutting Edge (Page 39)MSDN Magazine - October 2008 - Cutting Edge (Page 40)MSDN Magazine - October 2008 - Cutting Edge (Page 41)MSDN Magazine - October 2008 - Cutting Edge (Page 42)MSDN Magazine - October 2008 - Patterns In Practice (Page 43)MSDN Magazine - October 2008 - Patterns In Practice (Page 44)MSDN Magazine - October 2008 - Patterns In Practice (Page 45)MSDN Magazine - October 2008 - Patterns In Practice (Page 46)MSDN Magazine - October 2008 - Patterns In Practice (Page 47)MSDN Magazine - October 2008 - Patterns In Practice (Page 48)MSDN Magazine - October 2008 - Patterns In Practice (Page 49)MSDN Magazine - October 2008 - Patterns In Practice (Page 50)MSDN Magazine - October 2008 - Patterns In Practice (Page 51)MSDN Magazine - October 2008 - Patterns In Practice (Page 52)MSDN Magazine - October 2008 - Patterns In Practice (Page 53)MSDN Magazine - October 2008 - Patterns In Practice (Page 54)MSDN Magazine - October 2008 - Patterns In Practice (Page 55)MSDN Magazine - October 2008 - Patterns In Practice (Page 56)MSDN Magazine - October 2008 - Patterns In Practice (Page 57)MSDN Magazine - October 2008 - Patterns In Practice (Page 58)MSDN Magazine - October 2008 - Patterns In Practice (Page 59)MSDN Magazine - October 2008 - Patterns In Practice (Page 60)MSDN Magazine - October 2008 - Patterns In Practice (Page 61)MSDN Magazine - October 2008 - Patterns In Practice (Page 62)MSDN Magazine - October 2008 - Patterns In Practice (Page 63)MSDN Magazine - October 2008 - Patterns In Practice (Page 64)MSDN Magazine - October 2008 - Service Station (Page 65)MSDN Magazine - October 2008 - Service Station (Page 66)MSDN Magazine - October 2008 - Service Station (Page 67)MSDN Magazine - October 2008 - Service Station (Page 68)MSDN Magazine - October 2008 - Service Station (Page 69)MSDN Magazine - October 2008 - Service Station (Page 70)MSDN Magazine - October 2008 - Service Station (Page 71)MSDN Magazine - October 2008 - Service Station (Page 72)MSDN Magazine - October 2008 - Service Station (Page 73)MSDN Magazine - October 2008 - Paradigm Shift (Page 74)MSDN Magazine - October 2008 - Paradigm Shift (Page 75)MSDN Magazine - October 2008 - Paradigm Shift (Page 76)MSDN Magazine - October 2008 - Paradigm Shift (Page 77)MSDN Magazine - October 2008 - Paradigm Shift (Page 78)MSDN Magazine - October 2008 - Paradigm Shift (Page 79)MSDN Magazine - October 2008 - Paradigm Shift (Page 80)MSDN Magazine - October 2008 - Paradigm Shift (Page 81)MSDN Magazine - October 2008 - Paradigm Shift (Page 82)MSDN Magazine - October 2008 - Paradigm Shift (Page 83)MSDN Magazine - October 2008 - Paradigm Shift (Page 84)MSDN Magazine - October 2008 - Paradigm Shift (Page 85)MSDN Magazine - October 2008 - Coding Tools (Page 86)MSDN Magazine - October 2008 - Coding Tools (Page 87)MSDN Magazine - October 2008 - Coding Tools (Page 88)MSDN Magazine - October 2008 - Coding Tools (Page 89)MSDN Magazine - October 2008 - Coding Tools (Page 90)MSDN Magazine - October 2008 - Coding Tools (Page 91)MSDN Magazine - October 2008 - Coding Tools (Page 92)MSDN Magazine - October 2008 - Coding Tools (Page 93)MSDN Magazine - October 2008 - Coding Tools (Page 94)MSDN Magazine - October 2008 - Coding Tools (Page 95)MSDN Magazine - October 2008 - Coding Tools (Page 96)MSDN Magazine - October 2008 - Coding Tools (Page 97)MSDN Magazine - October 2008 - Coding Tools (Page 98)MSDN Magazine - October 2008 - Coding Tools (Page 99)MSDN Magazine - October 2008 - Coding Tools (Page 100)MSDN Magazine - October 2008 - Coding Tools (Page 101)MSDN Magazine - October 2008 - Coding Tools (Page 102)MSDN Magazine - October 2008 - Coding Tools (Page 103)MSDN Magazine - October 2008 - Concurrency Hazards (Page 104)MSDN Magazine - October 2008 - Concurrency Hazards (Page 105)MSDN Magazine - October 2008 - Concurrency Hazards (Page 106)MSDN Magazine - October 2008 - Concurrency Hazards (Page 107)MSDN Magazine - October 2008 - Concurrency Hazards (Page 108)MSDN Magazine - October 2008 - Concurrency Hazards (Page 109)MSDN Magazine - October 2008 - Concurrency Hazards (Page 110)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 111)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 112)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 113)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 114)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 115)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 116)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 117)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 118)MSDN Magazine - October 2008 - Easy Async (Page 119)MSDN Magazine - October 2008 - Easy Async (Page 120)MSDN Magazine - October 2008 - Easy Async (Page 121)MSDN Magazine - October 2008 - Easy Async (Page 122)MSDN Magazine - October 2008 - Easy Async (Page 123)MSDN Magazine - October 2008 - Easy Async (Page 124)MSDN Magazine - October 2008 - Easy Async (Page 125)MSDN Magazine - October 2008 - Easy Async (Page 126)MSDN Magazine - October 2008 - Easy Async (Page 127)MSDN Magazine - October 2008 - Easy Async (Page 128)MSDN Magazine - October 2008 - Foundations (Page 129)MSDN Magazine - October 2008 - Foundations (Page 130)MSDN Magazine - October 2008 - Foundations (Page 131)MSDN Magazine - October 2008 - Foundations (Page 132)MSDN Magazine - October 2008 - Foundations (Page 133)MSDN Magazine - October 2008 - Foundations (Page 134)MSDN Magazine - October 2008 - Foundations (Page 135)MSDN Magazine - October 2008 - Foundations (Page 136)MSDN Magazine - October 2008 - Foundations (Page 137)MSDN Magazine - October 2008 - Foundations (Page 138)MSDN Magazine - October 2008 - Windows With C++ (Page 139)MSDN Magazine - October 2008 - Windows With C++ (Page 140)MSDN Magazine - October 2008 - Windows With C++ (Page 141)MSDN Magazine - October 2008 - Windows With C++ (Page 142)MSDN Magazine - October 2008 - Windows With C++ (Page 143)MSDN Magazine - October 2008 - Windows With C++ (Page 144)MSDN Magazine - October 2008 - Going Places (Page 145)MSDN Magazine - October 2008 - Going Places (Page 146)MSDN Magazine - October 2008 - Going Places (Page 147)MSDN Magazine - October 2008 - Going Places (Page 148)MSDN Magazine - October 2008 - Going Places (Page 149)MSDN Magazine - October 2008 - Going Places (Page 150)MSDN Magazine - October 2008 - Going Places (Page 151)MSDN Magazine - October 2008 - Going Places (Page 152)MSDN Magazine - October 2008 - .NET Matters (Page 153)MSDN Magazine - October 2008 - .NET Matters (Page 154)MSDN Magazine - October 2008 - .NET Matters (Page 155)MSDN Magazine - October 2008 - .NET Matters (Page 156)MSDN Magazine - October 2008 - .NET Matters (Page 157)MSDN Magazine - October 2008 - .NET Matters (Page 158)MSDN Magazine - October 2008 - .NET Matters (Page 159)MSDN Magazine - October 2008 - { End Bracket } (Page 160)MSDN Magazine - October 2008 - { End Bracket } (Page Cover3)MSDN Magazine - October 2008 - { End Bracket } (Page Cover4)http://www.nxtbook.com/nxtbooks/cmp/msdnmag1109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1009http://www.nxtbook.com/nxtbooks/cmp/msdnmag0909http://www.nxtbook.com/nxtbooks/cmp/msdnmag0809http://www.nxtbook.com/nxtbooks/cmp/msdnmag0709http://www.nxtbook.com/nxtbooks/cmp/msdnmag0609http://www.nxtbook.com/nxtbooks/cmp/msdnmag0509http://www.nxtbook.com/nxtbooks/cmp/msdnmag0409http://www.nxtbook.com/nxtbooks/cmp/msdnmag0309http://www.nxtbook.com/nxtbooks/cmp/msdnmag0209http://www.nxtbook.com/nxtbooks/cmp/msdnmag0109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1208http://www.nxtbook.com/nxtbooks/cmp/msdnmag1108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1008http://www.nxtbook.com/nxtbooks/cmp/msdnmag0908http://www.nxtbook.com/nxtbooks/cmp/msdnmag0808http://www.nxtbook.com/nxtbooks/cmp/msdnmag0708http://www.nxtbook.com/nxtbooks/cmp/msdnmag0608http://www.nxtbook.com/nxtbooks/cmp/msdnmag0408http://www.nxtbook.com/nxtbooks/cmp/msdnmag0308http://www.nxtbook.com/nxtbooks/cmp/msdnmag-launch021508http://www.nxtbook.com/nxtbooks/cmp/msdnmag0208http://www.nxtbook.com/nxtbooks/cmp/msdnmag0108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1207http://www.nxtbookMEDIA.com

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.