[Mono-list] Implementing "sandbox" security using Mono

Sebastien Pouliot spouliot@videotron.ca
Tue, 20 Apr 2004 11:41:43 -0400


Hello Stuart,

> Firstly, I really don't understand the .NET security architecture
> well enough to know how it's supposed to be tackled, and

I normally suggest the ".NET Framework Security" book from LaMacchia et al.
but MSDN also has many articles on the subject.
You probably already know about it, but if not, you may be interested to
look at gotdotnet's Terrarium.
http://www.windowsforms.net/default.aspx?tabIndex=6&tabId=42

> secondly, I don't know how much of the necessary stuff is
> implemented in Mono.

Sadly not enough.

> I've also heard that CAS isn't implemented (fully? at all?) in Mono

Some classes are present in the class library but the core isn't
(runtime/JIT).
Right now you should consider CAS as totally non functional.

> The Mono roadmap paints a depressing picture of Mono's CAS capabilities
> - is that still true?

CAS isn't on the roadmap for Mono 1.0.
My hope is to have something working (experimental, not secure) for the 1.2
release.

> And are there any workarounds?

Benjamin Wootton is working on some important parts of CAS for his
university project.
http://www.benjaminwootton.co.uk/project/

Another possibility is an (automated) audit where you use reflection to
ensure that no "illegal" operations (reflection, p/invokes, ...) are done
before actually running the assembly. A simple implementation shouldn't be
hard but would be far more limiting than what CAS can offer (at least if you
want it secure).

Contributions welcomed ;-)


Sebastien Pouliot
http://pages.infinit.net/ctech/poupou.html
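An added example of the reflection-based pre-load audit Sebastien suggests above; this is not code from the thread, from Mono or from NRobot. It assumes a host assembly containing the class RobotAudit, a game API assembly named NRobot.Api, and that a robot may reference only that assembly and mscorlib; all three names are assumptions for illustration. The audit runs in a throwaway AppDomain so that nothing in the robot DLL executes in the host's domain, and the call across the domain boundary also shows the MarshalByRefObject pattern Stuart asks about.

```csharp
// Added example (not from the original thread): coarse, metadata-only audit of
// an untrusted robot assembly, performed inside a separate AppDomain.
using System;
using System.Collections;
using System.Reflection;

public class RobotAudit : MarshalByRefObject
{
    // Assumption: a robot may reference only the core library and the game's
    // own API assembly. System.dll (sockets, most of System.IO) is rejected.
    static readonly string[] AllowedReferences = { "mscorlib", "NRobot.Api" };

    // Runs inside the audit AppDomain; an empty result means "nothing found".
    public string[] Inspect(string path)
    {
        ArrayList problems = new ArrayList();
        Assembly asm = Assembly.LoadFrom(path);

        foreach (AssemblyName dep in asm.GetReferencedAssemblies())
            if (Array.IndexOf(AllowedReferences, dep.Name) < 0)
                problems.Add("references disallowed assembly: " + dep.Name);

        BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                           BindingFlags.Instance | BindingFlags.Static |
                           BindingFlags.DeclaredOnly;

        // Only method metadata is read: no custom attributes are instantiated
        // and no static members are touched, so no robot code runs here.
        foreach (Type t in asm.GetTypes())
        {
            foreach (MethodInfo m in t.GetMethods(all))
            {
                string name = t.FullName + "." + m.Name;

                // P/Invoke is a flag on the method definition, not a custom
                // attribute, so GetCustomAttributes() would not reveal it.
                if ((m.Attributes & MethodAttributes.PinvokeImpl) != 0)
                    problems.Add("P/Invoke: " + name);

                // Anything not implemented as plain IL (native, internalcall) is out.
                MethodImplAttributes impl = m.GetMethodImplementationFlags();
                if ((impl & MethodImplAttributes.CodeTypeMask) != MethodImplAttributes.IL ||
                    (impl & MethodImplAttributes.InternalCall) != 0)
                    problems.Add("non-IL implementation: " + name);

                // Pointer parameters or return types mean unsafe code.
                if (m.ReturnType.IsPointer)
                    problems.Add("pointer return type: " + name);
                foreach (ParameterInfo p in m.GetParameters())
                    if (p.ParameterType.IsPointer)
                        problems.Add("pointer parameter: " + name);
            }
        }
        return (string[]) problems.ToArray(typeof(string));
    }

    // Host side: create a scratch AppDomain, audit the robot there, unload it.
    public static string[] AuditInSeparateDomain(string robotDll)
    {
        AppDomain domain = AppDomain.CreateDomain("robot-audit");
        try
        {
            // CreateInstanceAndUnwrap hands back a transparent proxy; the
            // Inspect() call below crosses the AppDomain boundary.
            RobotAudit auditor = (RobotAudit) domain.CreateInstanceAndUnwrap(
                typeof(RobotAudit).Assembly.FullName, typeof(RobotAudit).FullName);
            return auditor.Inspect(robotDll);
        }
        finally
        {
            AppDomain.Unload(domain);
        }
    }

    public static int Main(string[] args)
    {
        string[] findings = AuditInSeparateDomain(args[0]);
        foreach (string f in findings)
            Console.WriteLine(f);
        return findings.Length == 0 ? 0 : 1;
    }
}
```

Two caveats a practitioner will want. First, this is necessary but not sufficient: mscorlib is on the allow-list and it contains System.IO.File and friends, and plain reflection cannot list what a method body calls, so a robot that opens a file through mscorlib passes this audit untouched; stopping that needs IL-level inspection or real CAS, which is exactly the limitation Sebastien notes. Second, Assembly.GetTypes() throws ReflectionTypeLoadException when a referenced assembly cannot be resolved; treat that as a rejection rather than a pass, and remember that the AppDomain unloading problems mentioned in the thread apply to the scratch domain used here.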

-----Original Message-----
From: mono-list-admin@lists.ximian.com
[mailto:mono-list-admin@lists.ximian.com]On Behalf Of Stuart Ballard
Sent: 20 April 2004 10:38
To: mono-list
Subject: [Mono-list] Implementing "sandbox" security using Mono


In NRobot, I have a pressing need for a security architecture: something
that prevents robots from running with full privileges, since in the
general case you can't trust the source of all the robots you might want
to compete against.

Basically, I want to provide the same level of security that Applets
have in Java - a "sandbox" in which they can run, without being able to
do anything dangerous like access the filesystem or network (except,
perhaps, in limited ways that I specify).

I have two problems when it comes to implementing this: Firstly, I
really don't understand the .NET security architecture well enough to
know how it's supposed to be tackled, and secondly, I don't know how
much of the necessary stuff is implemented in Mono.

My understanding so far is that either Code Access Security (CAS) or
AppDomains, or both, are what I need. But I don't understand either of
them well enough to know how they help me. I'm pretty sure I need
AppDomains anyway because I want to be able to unload, or at least
forget about, loaded robot DLLs in order to start a new game with an
updated copy, without closing the host process. But I'm not sure whether
AppDomains by themselves give me the sandbox security I'm after, or how
I'm supposed to talk to the loaded DLLs across an AppDomain boundary.

I've also heard that CAS isn't implemented (fully? at all?) in Mono, and
that currently Mono has problems with AppDomain unloading. But I don't
know what the current state is, how badly they affect my needs, or how
soon they are expected to be fully complete. The Mono roadmap paints a
depressing picture of Mono's CAS capabilities - is that still true? And
are there any workarounds?

Thanks for any advice you can give me,

Stuart.


--
Stuart Ballard, Senior Web Developer
NetReach, Inc.
(215) 283-2300, ext. 126
http://www.netreach.com/

_______________________________________________
Mono-list maillist  -  Mono-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-list