Comparable Consent

All Permissions Are Not Alike

Don Kiely

October 30, 2009


SecureASP.NET

LANGUAGES: ALL

ASP.NET VERSIONS: 1.1

 


 

In the last couple of columns I've been exploring some of the details about developing partially trusted ASP.NET applications, one of the most fundamental ways that you can protect yourself and your users from many of the most common attacks out on the network. Fundamental to a partially trusted app is how the .NET Common Language Runtime (CLR) makes available both unrestricted and restricted permissions. In most cases, you should request and grant the most restrictive form of a permission your app can get away with. To grant anything beyond the minimum is to build an insecure application.

 

Take FileIOPermission, for example. This is a permission that ASP.NET developers often fall afoul of when writing partially trusted applications. You can tell a lot about the characteristics of a permission class by its constructors, and FileIOPermission has three variations (in VB.NET):

 

Public Sub New(ByVal state As PermissionState)

Public Sub New(ByVal access As FileIOPermissionAccess, ByVal path As String)

Public Sub New(ByVal access As FileIOPermissionAccess, ByVal pathList() As String)

 

The last two are variations of a theme, so there are two fundamental ways to instantiate this permission. In the first, you can pass a member of the PermissionState enumeration, which has but two options: None and Unrestricted. None simply means that the current code has no permission to read or write to or from any disk file. This is the totally restrictive state of the FileIOPermission, indicating that whatever code this instance of the permission class is applied to has no file IO permissions at all.

 

The other option of the PermissionState enumeration, Unrestricted, essentially tells the CLR to bypass all file IO permission checking, since this code has unfettered permission to read or write wherever it wants to. Obviously (I hope!) this is not a permission that you'll ever give to an ASP.NET application, because then a hacker who got control of the app could party on anywhere on your file system that struck his or her fancy.

 

BIG CAVEAT! Code access security permissions are not a way to circumvent operating system permissions and privileges! Even if your assembly has unrestricted FileIOPermission within the world of the CLR, if the process identity under which the app is running (ASPNET or NETWORK SERVICES by default) doesn't have permission to read or write somewhere, your app isn't going to be able to read or write there. It would be a huge security hole if it could!

 

So the first FileIOPermission constructor is a way to grant complete file IO access or to completely withhold it. The other two constructors grant a restricted permission to either a single file or directory or to combinations of multiple files and directories. In either case, the first parameter specifies the type of file access being granted, using the FileIOPermissionAccess enumeration, which has all the variations you'd expect: Read, Write, Append, and PathDiscovery (to access information in the path itself), as well as AllAccess and NoAccess to grant or deny every type of access.

 

The second argument to these two constructors is either a single path string or an array of path strings to which the access type is applied. Here is one example of the many possible variations:

 

Dim ioPerm As New FileIOPermission(FileIOPermissionAccess.AllAccess, "C:\MyDir\MyFile.txt")

 

Like most permission objects, FileIOPermission also has a full complement of properties and methods for configuring an instance of the permission and affecting how the CLR handles stack walks and other protections against various attacks.

 

Most .NET permissions have both unrestricted and restricted forms. Following the principle of least privilege, you should grant code only the permissions it requires to do its job, no more and no less. This means that it should be extremely rare that you grant code an unrestricted permission. In the case of FileIOPermission, you should never do it.
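The comparison below is an added example, not code from the original column: it builds the empty, unrestricted, and restricted forms described above and checks each against a least-privilege ceiling using IsUnrestricted, IsSubsetOf, and Intersect. The module name, the IsAcceptable and Report helpers, and the sample paths (including C:\Windows\win.ini) are assumptions made for illustration; it targets the .NET Framework, where code access security applies.

```vb
Imports System
Imports System.Security.Permissions

Module LeastPrivilegeCheck
    ' Hypothetical application directory, used only for this example.
    Private Const AppDir As String = "C:\MyDir"

    ' True when 'requested' is a restricted permission that stays inside 'ceiling'.
    Function IsAcceptable(ByVal requested As FileIOPermission, _
                          ByVal ceiling As FileIOPermission) As Boolean
        If requested.IsUnrestricted() Then Return False
        Return requested.IsSubsetOf(ceiling)
    End Function

    Sub Report(ByVal label As String, ByVal perm As FileIOPermission, _
               ByVal ceiling As FileIOPermission)
        Console.WriteLine("{0,-30} unrestricted={1,-5} acceptable={2}", _
            label, perm.IsUnrestricted(), IsAcceptable(perm, ceiling))
    End Sub

    Sub Main()
        ' Ceiling: the most this app should hold (read-only on its own directory).
        Dim ceiling As New FileIOPermission(FileIOPermissionAccess.Read, AppDir)

        ' Requests that mix an in-bounds path with one outside the ceiling.
        Dim twoPaths As New FileIOPermission(FileIOPermissionAccess.Read, _
            New String() {AppDir & "\MyFile.txt", "C:\Windows\win.ini"})

        Report("PermissionState.None", New FileIOPermission(PermissionState.None), ceiling)
        Report("PermissionState.Unrestricted", _
            New FileIOPermission(PermissionState.Unrestricted), ceiling)
        Report("Read, one file in AppDir", _
            New FileIOPermission(FileIOPermissionAccess.Read, AppDir & "\MyFile.txt"), ceiling)
        Report("AllAccess, one file in AppDir", _
            New FileIOPermission(FileIOPermissionAccess.AllAccess, AppDir & "\MyFile.txt"), ceiling)
        Report("Read, path outside AppDir", twoPaths, ceiling)

        ' Intersect keeps only what both permissions allow; Nothing means no overlap.
        Dim effective As FileIOPermission = CType(twoPaths.Intersect(ceiling), FileIOPermission)
        If Not effective Is Nothing Then
            Dim paths As String() = effective.GetPathList(FileIOPermissionAccess.Read)
            If Not paths Is Nothing Then
                For Each p As String In paths
                    Console.WriteLine("effective read path: {0}", p)
                Next
            End If
        End If
    End Sub
End Module
```

These calls only compare permission objects; they do not touch the file system, so the paths do not need to exist.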

 

Next time I'll explore these and other features of .NET permissions.

 

Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].

 

 

 

 
