In previous post we see how to create application domain, how to load and unload application domain. Sometime we don’t have idea of running assembly as we have loaded it from internet or some third party vendor. Such type of assembly may have possibly contains code, which create security vulnerabilities. Malicious code may corrupt your file system, application and damage to your hardware. To reduce this attack we can allow assembly to run in application domain but with limited privileges.
When you create an application domain, you have complete control over host evidence. Host evidence is the information of assembly, form which code group assembly belongs to.
With help of System.Security and System.Security.Policy you can provide evidence for particular application domain.
You can pass zone or code group for assembly when creating application domain with help of System.Security.Policy.Zone and System.Security.SecurityZone enumeration.
object[] hostEvidence = {new Zone(SecurityZone.Internet)};
Evidence internetEvidence = new Evidence(hostEvidence, null);
AppDomain myDomain = AppDomain.CreateDomain("MyAppDomain");
myDomain.ExecuteAssembly("myAssembly.exe", internetEvidence);
In above sample code we have created hostEvidence object with Internet code group and passed evidence object to ExecuteAssembly method.
Now “MyAppDomain” application domain will run “myAssembly.exe” with internet group privileges. As we know there is a very low control to run code which has been downloaded from internet or running directly from internet. By default Internet zone has very limited permission. There are other code groups are exist like “MyComputer” they can be useful when we want to give more permission to executable assembly in application domain.
We can pass evidence object when creating application domain as.
object [] hostEvidence = {new Zone(SecurityZone.Internet)};
Evidence appDomainEvidence = new Evidence(hostEvidence, null);
AppDomain d = AppDomain.CreateDomain("MyAppDomain", appDomainEvidence);
d.ExecuteAssembly("myAssembly.exe");
To fully customize application domain environment .net has provided AppDomainSetup class. By assigning various property and method to this class we can built up environment for new application domain.
AppDomainSetup has some properties like ApplicaitonBase which used to set root path for assembly, ApplicationName, ConfigurationFile, LicenceFile most of them are self describing from their name.
We can examine current application domains by using.
AppDomainSetup ads = AppDomain.CurrentDomain.SetupInformation;
No comments:
Post a Comment