MSDN Magazine - October 2008 - (Page 19)

These are significant simplifications Figure 1 Allowed Type Inheritance Patterns Transparent method even though it does that provide the following results: all nothing. Finally, having only one way to Base Type Allowed Derived Type Silverlight applications are Transparent specify safe, Critical code simplifies the Transparent Transparent, SafeCritical, and receive the Silverlight sandbox permodel further. Critical mission set, Silverlight platform librarOne thing to realize regarding this new SafeCritical SafeCritical, Critical ies (most of which are fully trusted) will attribute is that when we talk about CritCritical Critical only ever be called by Silverlight applicaical code, we often include SafeCritical tions, so we don’t need to demand code in the discussion. This is bespecific permissions; marking Figure 2 Allowed Method Inheritance Patterns cause SafeCritical code is Critidangerous APIs as Critical is cal code—it is just as capable as Base (Virtual/Interface) Method Allowed Override Method sufficient. Finally, since there Critical code, but it is also callable Transparent Transparent, SafeCritical are no demands, we will never by Transparent code. Therefore, Transparent, SafeCritical need to stop a permission stack SafeCritical to truly make it safe and CritiCritical Critical walk and, therefore, we don’t cal, the library developer must need asserts. be sure that the proper input Thus, Transparency becomes the sole security enforcement validation or other security checks are being made before Critical mechanism in CoreCLR, and we are able to ignore much of CAS. code (not safe) is called and that the necessary output validation To make it a stronger enforcement mechanism, we tightened the and side-effect checks are being made afterward. SafeCritical berules for Transparent code and made additional improvements to comes a contract that says this method accesses Critical code but the Transparency system to make it more intuitive and effective. does all the appropriate checks beforehand and afterword. With You may have noticed that in the 2.0 Transparency model, un- the new Transparency model, the focus of security audits is the safe or unverifiable code that executes in Transparent code causes SafeCritical code. an injected demand for UnmanagedCodePermission instead of an outright failure/exception. Generally, this permission should only Inheritance Rules be available in full trust, so this code would fail in partial trust but For the Transparency model to be effective, we also had to ensure work otherwise. that the closure of a type or method was secure as well. Deriving With CoreCLR, however, we don’t have the concept of permis- types or methods with resource access rights that were different from sion demands, so an exception will be thrown when this happens the rights of the base type or method raised some access protection (instead of a demand being injected in the new Transparency mod- issues, especially when these were being cast to more accessible parel). This type of code fails in both models, but is more performant ent types or interfaces. For example, you could imagine someone now since we don’t have to deal with the demand’s stack walk be- creating a Critical override of a Transparent virtual method, such fore finally failing. as ToString, and wanting to prevent Transparent code from callAlso, in Silverlight, all code is Transparent by default. This in- ing the override by casting to Object.ToString. cludes Silverlight platform libraries; all Critical code must be explicYou can imagine that there is an access and capability hierarchy itly annotated. This provides us with a secure default that reduces for Transparency levels whereby access becomes more restricted the chances of creating an implicitly Critical method accidentally. and/or capabilities are increased as you move from Transparent to More rules were added with regard to type inheritance and method SafeCritical to Critical. (Here access refers to the ability to contain overrides, which I’ll explain in the Inheritance Rules section. as well as call this level of code). The inheritance rule for types is I mentioned earlier that a Critical API marked TreatAsSafe was that derived types must be at least as restrictive as the base type. considered to be callable from Transparent code. I also pointed out This prevents developers from accidentally creating overloads of that, since Transparency on the desktop framework only applies Critical types callable by Transparent code. Figure 1 shows what’s within an assembly, public Critical APIs are implicitly TreatAsSafe. allowed according to this pattern. In CoreCLR, we created a new attribute, SafeCritical (again, the acThe virtual method override rule is different—the derived tual annotation is SecuritySafeCritical), to describe code that was method must have the same accessibility from Transparent code both Critical and callable from Transparent code. Transparency as the base method. Figure 2 shows what’s allowed according to now applies within and across assemblies, so Critical code, whether this pattern. public or not, cannot be called from Transparent code. Note that we don’t allow Critical overrides of Transparent virtual This change helps to clear up confusion around how to ex- methods—one could simply cast to the base method and bypass pose Critical code to Transparent code. First, all Critical code is the Critical check on the override when calling it. We allow Saferestricted—there is no exception for public code, so adding the Critical overrides of Transparent functions because the cast would Critical annotation will always mean that Transparent code can- buy you nothing—Transparent code can access SafeCritical code not call it. Furthermore, TreatAsSafe only ever makes sense if the anyway. We also allow Transparent overrides of SafeCritical virtual Critical attribute is already there—requiring two attributes may methods—this may seem surprising at first, but it’s actually safe belead to some confusion, as it is possible to put TreatAsSafe on a cause, again, nothing dangerous can be exposed via casts. msdnmagazine.com October 2008 19 http://www.msdnmagazine.com Table of Contents for the Digital Edition of MSDN Magazine - October 2008MSDN Magazine - October 2008ContentsToolboxCLR Inside OutBasic InstinctsCutting EdgePatterns In PracticeService StationParadigm ShiftCoding ToolsConcurrency HazardsAsp.net AJAX 4.0Easy AsyncFoundationsWindows With C++Going Places.NET Matters{ End Bracket }MSDN Magazine - October 2008MSDN Magazine - October 2008 - (Page Intro)MSDN Magazine - October 2008 - Contents (Page Cover1)MSDN Magazine - October 2008 - Contents (Page Cover2)MSDN Magazine - October 2008 - Contents (Page 1)MSDN Magazine - October 2008 - Contents (Page 2)MSDN Magazine - October 2008 - Contents (Page 3)MSDN Magazine - October 2008 - Contents (Page 4)MSDN Magazine - October 2008 - Contents (Page 5)MSDN Magazine - October 2008 - Contents (Page 6)MSDN Magazine - October 2008 - Contents (Page 7)MSDN Magazine - October 2008 - Contents (Page 8)MSDN Magazine - October 2008 - Contents (Page 9)MSDN Magazine - October 2008 - Contents (Page 10)MSDN Magazine - October 2008 - Toolbox (Page 11)MSDN Magazine - October 2008 - Toolbox (Page 12)MSDN Magazine - October 2008 - Toolbox (Page 13)MSDN Magazine - October 2008 - Toolbox (Page 14)MSDN Magazine - October 2008 - Toolbox (Page 15)MSDN Magazine - October 2008 - Toolbox (Page 16)MSDN Magazine - October 2008 - CLR Inside Out (Page 17)MSDN Magazine - October 2008 - CLR Inside Out (Page 18)MSDN Magazine - October 2008 - CLR Inside Out (Page 19)MSDN Magazine - October 2008 - CLR Inside Out (Page 20)MSDN Magazine - October 2008 - CLR Inside Out (Page 21)MSDN Magazine - October 2008 - CLR Inside Out (Page 22)MSDN Magazine - October 2008 - Basic Instincts (Page 23)MSDN Magazine - October 2008 - Basic Instincts (Page 24)MSDN Magazine - October 2008 - Basic Instincts (Page 25)MSDN Magazine - October 2008 - Basic Instincts (Page 26)MSDN Magazine - October 2008 - Basic Instincts (Page 27)MSDN Magazine - October 2008 - Basic Instincts (Page 28)MSDN Magazine - October 2008 - Basic Instincts (Page 29)MSDN Magazine - October 2008 - Basic Instincts (Page 30)MSDN Magazine - October 2008 - Basic Instincts (Page 31)MSDN Magazine - October 2008 - Basic Instincts (Page 32)MSDN Magazine - October 2008 - Cutting Edge (Page 33)MSDN Magazine - October 2008 - Cutting Edge (Page 34)MSDN Magazine - October 2008 - Cutting Edge (Page 35)MSDN Magazine - October 2008 - Cutting Edge (Page 36)MSDN Magazine - October 2008 - Cutting Edge (Page 37)MSDN Magazine - October 2008 - Cutting Edge (Page 38)MSDN Magazine - October 2008 - Cutting Edge (Page 39)MSDN Magazine - October 2008 - Cutting Edge (Page 40)MSDN Magazine - October 2008 - Cutting Edge (Page 41)MSDN Magazine - October 2008 - Cutting Edge (Page 42)MSDN Magazine - October 2008 - Patterns In Practice (Page 43)MSDN Magazine - October 2008 - Patterns In Practice (Page 44)MSDN Magazine - October 2008 - Patterns In Practice (Page 45)MSDN Magazine - October 2008 - Patterns In Practice (Page 46)MSDN Magazine - October 2008 - Patterns In Practice (Page 47)MSDN Magazine - October 2008 - Patterns In Practice (Page 48)MSDN Magazine - October 2008 - Patterns In Practice (Page 49)MSDN Magazine - October 2008 - Patterns In Practice (Page 50)MSDN Magazine - October 2008 - Patterns In Practice (Page 51)MSDN Magazine - October 2008 - Patterns In Practice (Page 52)MSDN Magazine - October 2008 - Patterns In Practice (Page 53)MSDN Magazine - October 2008 - Patterns In Practice (Page 54)MSDN Magazine - October 2008 - Patterns In Practice (Page 55)MSDN Magazine - October 2008 - Patterns In Practice (Page 56)MSDN Magazine - October 2008 - Patterns In Practice (Page 57)MSDN Magazine - October 2008 - Patterns In Practice (Page 58)MSDN Magazine - October 2008 - Patterns In Practice (Page 59)MSDN Magazine - October 2008 - Patterns In Practice (Page 60)MSDN Magazine - October 2008 - Patterns In Practice (Page 61)MSDN Magazine - October 2008 - Patterns In Practice (Page 62)MSDN Magazine - October 2008 - Patterns In Practice (Page 63)MSDN Magazine - October 2008 - Patterns In Practice (Page 64)MSDN Magazine - October 2008 - Service Station (Page 65)MSDN Magazine - October 2008 - Service Station (Page 66)MSDN Magazine - October 2008 - Service Station (Page 67)MSDN Magazine - October 2008 - Service Station (Page 68)MSDN Magazine - October 2008 - Service Station (Page 69)MSDN Magazine - October 2008 - Service Station (Page 70)MSDN Magazine - October 2008 - Service Station (Page 71)MSDN Magazine - October 2008 - Service Station (Page 72)MSDN Magazine - October 2008 - Service Station (Page 73)MSDN Magazine - October 2008 - Paradigm Shift (Page 74)MSDN Magazine - October 2008 - Paradigm Shift (Page 75)MSDN Magazine - October 2008 - Paradigm Shift (Page 76)MSDN Magazine - October 2008 - Paradigm Shift (Page 77)MSDN Magazine - October 2008 - Paradigm Shift (Page 78)MSDN Magazine - October 2008 - Paradigm Shift (Page 79)MSDN Magazine - October 2008 - Paradigm Shift (Page 80)MSDN Magazine - October 2008 - Paradigm Shift (Page 81)MSDN Magazine - October 2008 - Paradigm Shift (Page 82)MSDN Magazine - October 2008 - Paradigm Shift (Page 83)MSDN Magazine - October 2008 - Paradigm Shift (Page 84)MSDN Magazine - October 2008 - Paradigm Shift (Page 85)MSDN Magazine - October 2008 - Coding Tools (Page 86)MSDN Magazine - October 2008 - Coding Tools (Page 87)MSDN Magazine - October 2008 - Coding Tools (Page 88)MSDN Magazine - October 2008 - Coding Tools (Page 89)MSDN Magazine - October 2008 - Coding Tools (Page 90)MSDN Magazine - October 2008 - Coding Tools (Page 91)MSDN Magazine - October 2008 - Coding Tools (Page 92)MSDN Magazine - October 2008 - Coding Tools (Page 93)MSDN Magazine - October 2008 - Coding Tools (Page 94)MSDN Magazine - October 2008 - Coding Tools (Page 95)MSDN Magazine - October 2008 - Coding Tools (Page 96)MSDN Magazine - October 2008 - Coding Tools (Page 97)MSDN Magazine - October 2008 - Coding Tools (Page 98)MSDN Magazine - October 2008 - Coding Tools (Page 99)MSDN Magazine - October 2008 - Coding Tools (Page 100)MSDN Magazine - October 2008 - Coding Tools (Page 101)MSDN Magazine - October 2008 - Coding Tools (Page 102)MSDN Magazine - October 2008 - Coding Tools (Page 103)MSDN Magazine - October 2008 - Concurrency Hazards (Page 104)MSDN Magazine - October 2008 - Concurrency Hazards (Page 105)MSDN Magazine - October 2008 - Concurrency Hazards (Page 106)MSDN Magazine - October 2008 - Concurrency Hazards (Page 107)MSDN Magazine - October 2008 - Concurrency Hazards (Page 108)MSDN Magazine - October 2008 - Concurrency Hazards (Page 109)MSDN Magazine - October 2008 - Concurrency Hazards (Page 110)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 111)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 112)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 113)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 114)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 115)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 116)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 117)MSDN Magazine - October 2008 - Asp.net AJAX 4.0 (Page 118)MSDN Magazine - October 2008 - Easy Async (Page 119)MSDN Magazine - October 2008 - Easy Async (Page 120)MSDN Magazine - October 2008 - Easy Async (Page 121)MSDN Magazine - October 2008 - Easy Async (Page 122)MSDN Magazine - October 2008 - Easy Async (Page 123)MSDN Magazine - October 2008 - Easy Async (Page 124)MSDN Magazine - October 2008 - Easy Async (Page 125)MSDN Magazine - October 2008 - Easy Async (Page 126)MSDN Magazine - October 2008 - Easy Async (Page 127)MSDN Magazine - October 2008 - Easy Async (Page 128)MSDN Magazine - October 2008 - Foundations (Page 129)MSDN Magazine - October 2008 - Foundations (Page 130)MSDN Magazine - October 2008 - Foundations (Page 131)MSDN Magazine - October 2008 - Foundations (Page 132)MSDN Magazine - October 2008 - Foundations (Page 133)MSDN Magazine - October 2008 - Foundations (Page 134)MSDN Magazine - October 2008 - Foundations (Page 135)MSDN Magazine - October 2008 - Foundations (Page 136)MSDN Magazine - October 2008 - Foundations (Page 137)MSDN Magazine - October 2008 - Foundations (Page 138)MSDN Magazine - October 2008 - Windows With C++ (Page 139)MSDN Magazine - October 2008 - Windows With C++ (Page 140)MSDN Magazine - October 2008 - Windows With C++ (Page 141)MSDN Magazine - October 2008 - Windows With C++ (Page 142)MSDN Magazine - October 2008 - Windows With C++ (Page 143)MSDN Magazine - October 2008 - Windows With C++ (Page 144)MSDN Magazine - October 2008 - Going Places (Page 145)MSDN Magazine - October 2008 - Going Places (Page 146)MSDN Magazine - October 2008 - Going Places (Page 147)MSDN Magazine - October 2008 - Going Places (Page 148)MSDN Magazine - October 2008 - Going Places (Page 149)MSDN Magazine - October 2008 - Going Places (Page 150)MSDN Magazine - October 2008 - Going Places (Page 151)MSDN Magazine - October 2008 - Going Places (Page 152)MSDN Magazine - October 2008 - .NET Matters (Page 153)MSDN Magazine - October 2008 - .NET Matters (Page 154)MSDN Magazine - October 2008 - .NET Matters (Page 155)MSDN Magazine - October 2008 - .NET Matters (Page 156)MSDN Magazine - October 2008 - .NET Matters (Page 157)MSDN Magazine - October 2008 - .NET Matters (Page 158)MSDN Magazine - October 2008 - .NET Matters (Page 159)MSDN Magazine - October 2008 - { End Bracket } (Page 160)MSDN Magazine - October 2008 - { End Bracket } (Page Cover3)MSDN Magazine - October 2008 - { End Bracket } (Page Cover4)http://www.nxtbook.com/nxtbooks/cmp/msdnmag1109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1009http://www.nxtbook.com/nxtbooks/cmp/msdnmag0909http://www.nxtbook.com/nxtbooks/cmp/msdnmag0809http://www.nxtbook.com/nxtbooks/cmp/msdnmag0709http://www.nxtbook.com/nxtbooks/cmp/msdnmag0609http://www.nxtbook.com/nxtbooks/cmp/msdnmag0509http://www.nxtbook.com/nxtbooks/cmp/msdnmag0409http://www.nxtbook.com/nxtbooks/cmp/msdnmag0309http://www.nxtbook.com/nxtbooks/cmp/msdnmag0209http://www.nxtbook.com/nxtbooks/cmp/msdnmag0109http://www.nxtbook.com/nxtbooks/cmp/msdnmag1208http://www.nxtbook.com/nxtbooks/cmp/msdnmag1108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1008http://www.nxtbook.com/nxtbooks/cmp/msdnmag0908http://www.nxtbook.com/nxtbooks/cmp/msdnmag0808http://www.nxtbook.com/nxtbooks/cmp/msdnmag0708http://www.nxtbook.com/nxtbooks/cmp/msdnmag0608http://www.nxtbook.com/nxtbooks/cmp/msdnmag0408http://www.nxtbook.com/nxtbooks/cmp/msdnmag0308http://www.nxtbook.com/nxtbooks/cmp/msdnmag-launch021508http://www.nxtbook.com/nxtbooks/cmp/msdnmag0208http://www.nxtbook.com/nxtbooks/cmp/msdnmag0108http://www.nxtbook.com/nxtbooks/cmp/msdnmag1207http://www.nxtbookMEDIA.com

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.