Application Domain and its configuration (Part-2)

In previous post we see how to create application domain, how to load and unload application domain. Sometime we don’t have idea of running assembly as we have loaded it from internet or some third party vendor. Such type of assembly may have possibly contains code, which create security vulnerabilities. Malicious code may corrupt your file system, application and damage to your hardware. To reduce this attack we can allow assembly to run in application domain but with limited privileges.

When you create an application domain, you have complete control over host evidence. Host evidence is the information of assembly, form which code group assembly belongs to.

With help of System.Security and System.Security.Policy you can provide evidence for particular application domain.

You can pass zone or code group for assembly when creating application domain with help of System.Security.Policy.Zone and System.Security.SecurityZone enumeration.

object[] hostEvidence = {new Zone(SecurityZone.Internet)};

Evidence internetEvidence = new Evidence(hostEvidence, null);

AppDomain myDomain = AppDomain.CreateDomain("MyAppDomain");

myDomain.ExecuteAssembly("myAssembly.exe", internetEvidence);

In above sample code we have created hostEvidence object with Internet code group and passed evidence object to ExecuteAssembly method.

Now “MyAppDomain” application domain will run “myAssembly.exe” with internet group privileges. As we know there is a very low control to run code which has been downloaded from internet or running directly from internet. By default Internet zone has very limited permission. There are other code groups are exist like “MyComputer” they can be useful when we want to give more permission to executable assembly in application domain.

We can pass evidence object when creating application domain as.

object [] hostEvidence = {new Zone(SecurityZone.Internet)};

Evidence appDomainEvidence = new Evidence(hostEvidence, null);

AppDomain d = AppDomain.CreateDomain("MyAppDomain", appDomainEvidence);

d.ExecuteAssembly("myAssembly.exe");

To fully customize application domain environment .net has provided AppDomainSetup class. By assigning various property and method to this class we can built up environment for new application domain.

AppDomainSetup has some properties like ApplicaitonBase which used to set root path for assembly, ApplicationName, ConfigurationFile, LicenceFile most of them are self describing from their name.

We can examine current application domains by using.

AppDomainSetup ads = AppDomain.CurrentDomain.SetupInformation;

Application Domain and its configuration (Part-1)

In .net all application assembly run under an application domain that is created by default for each application, we don’t need to create it. Common Language Runtime does it for application.

Application domain is logical unit to run different application in a single process. IIS is the very good example of it, in IIS more than one website or application are hosted, still they run independent with out interfering to any other application, hosted on same IIS.

Application domain creates a separate layer for application; .net run time is responsible for the various application runtime, while operating system manage process. In a process, we can run more than one application domain and each application domain has one or more assembly, application running. Each of these application domains can’t access resource or memory used by another application domain.

To create an application domain is as simple as we create an object of a class. The benefit of application domain is that when we don’t require or our work has been completed we can unload resource occupied by application runtime.

System.AppDomain class provides many methods and property to manipulate application domain.

-->Create an application domain
AppDomain ad = new AppDomain(“myAppDomain”);

We can run our assembly under this newly created Application domain.
ad.ExecuteAssembly(“myAssembly.exe”);

We can either call ExecuteAssemblyByName method to run assembly, in that case we need to pass name of assembly.
ad.ExecuteAssembly(“myAssembly.exe”);

There are so many properties and methods provide by AppDomain which gives ability to specify ID to process, friendlyname etc. Methods like Load, ApplyPolicy,CreateIntance etc.

If you notice in above code, we don’t have any constructor to create application domain, we are using static method of AppDomain class.

We can access current domains by ..


AppDomain myCurrentDomain = AppDomain.CurrentDomain;
To unload application domain, call Unload method of AppDomain

AppDomain.Unload(ad);