Finally, in this series, I am going to cover some of the security issues that can trip you up when using sandboxed appdomains.
DISCLAIMER: I am not a security expert, and this is by no means an exhaustive list. If you actually are writing security-critical code, then get a proper security audit of your code by a professional. The examples below are just illustrations of the sort of things that can go wrong.
1. AppDomainSetup.ApplicationBase
The most obvious one is the issue covered in step 3 of the MSDN documentation on creating a sandbox: the sandboxed appdomain has the same ApplicationBase as the controlling appdomain. So let's explore what happens when they are the same, and an exception is thrown.
In the sandboxed assembly, Sandboxed.dll (IPlugin is an interface in a partially-trusted assembly, with a single method, MethodToDoThings, on it):
using System;
using System.IO;
using System.Linq;

public class UntrustedPlugin : MarshalByRefObject, IPlugin
{
    // implements IPlugin.MethodToDoThings()
    public void MethodToDoThings()
    {
        throw new EvilException();
    }
}

// [Serializable] is what lets this exception cross the appdomain boundary
// and be recreated (with this ToString override) in the controlling domain
[Serializable]
internal class EvilException : Exception
{
    public override string ToString()
    {
        // show we have read access to C:\Windows
        // read the first 5 directories
        Console.WriteLine("Pwned! Mwuahahah!");
        // EnumerateDirectories yields full path strings, so print each one directly
        foreach (var d in
            Directory.EnumerateDirectories(@"C:\Windows").Take(5))
        {
            Console.WriteLine(d);
        }
        return base.ToString();
    }
}
And in the controlling assembly:
using System;
using System.Security;
using System.Security.Permissions;

// what can possibly go wrong?
AppDomainSetup appDomainSetup = new AppDomainSetup {
    ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase
};
// only grant permissions to execute
// and to read the application base, nothing else
PermissionSet restrictedPerms = new PermissionSet(PermissionState.None);
restrictedPerms.AddPermission(
    new SecurityPermission(SecurityPermissionFlag.Execution));
restrictedPerms.AddPermission(
    new FileIOPermission(FileIOPermissionAccess.Read,
        appDomainSetup.ApplicationBase));
restrictedPerms.AddPermission(
    new FileIOPermission(FileIOPermissionAccess.PathDiscovery,
        appDomainSetup.ApplicationBase));
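For contrast, here is the host side done the way MSDN step 3 prescribes, as an added example rather than code from the original post: the sandbox gets its own ApplicationBase, and the host's catch block does nothing that could execute plugin-defined code. It assumes the untrusted Sandboxed.dll lives in a directory separate from the host's, that IPlugin comes from an assembly the host can load from its own base, and that the type name and directory name are placeholders.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Security;
using System.Security.Permissions;

// Added illustration, not the original post's code. Assumed layout: the host
// runs from its own directory; Sandboxed.dll sits in pluginDir and nowhere the
// host's own loader probes; IPlugin is in an assembly the host can resolve.
static class SandboxHost
{
    public static AppDomain CreateSandbox(string pluginDir)
    {
        // MSDN step 3: a different ApplicationBase from the host's, so
        // Sandboxed.dll can never be resolved inside the full-trust domain.
        var setup = new AppDomainSetup
        {
            ApplicationBase = Path.GetFullPath(pluginDir)
        };

        var perms = new PermissionSet(PermissionState.None);
        perms.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        perms.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery,
            setup.ApplicationBase));

        return AppDomain.CreateDomain("Sandbox", null, setup, perms);
    }

    public static void RunPlugin(string pluginDir)
    {
        AppDomain sandbox = CreateSandbox(pluginDir);
        try
        {
            // Type name is a placeholder; the post shows UntrustedPlugin with no namespace.
            var plugin = (IPlugin)sandbox.CreateInstanceAndUnwrap("Sandboxed", "UntrustedPlugin");
            plugin.MethodToDoThings();
        }
        catch (SerializationException ex)
        {
            // The host cannot load Sandboxed.dll, so EvilException cannot be
            // recreated here and its ToString() override never runs in full trust.
            Console.WriteLine("Sandbox call failed at the boundary: " + ex.Message);
        }
        catch (Exception ex)
        {
            // Log only non-virtual, framework-owned data; never call ToString()
            // or other overridable members on an exception the plugin may define.
            Console.WriteLine("Plugin threw " + ex.GetType().FullName);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```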
Read more: Simon Cooper