[Mono-list] Security

Sebastien Pouliot sebastien.pouliot at gmail.com
Sun May 7 20:53:15 EDT 2006


Hello Matthias,

On Sun, 2006-05-07 at 17:47 +0200, Matthias Gutheil wrote:
> on one of the Mono pages I read that the security manager is not complete
> enough to run untrusted code. Is this still the case?

Yes, it's still true. For many reasons (e.g. auditing the whole class
library) this wasn't a goal of Mono 1.2, but the current security
manager is complete enough for interested people who want to play with
it (e.g. test applications, embedding Mono).

> So when I run C# code which I do not trust, I have a security problem?

Well, there's no simple answer to this simple question, so...

<answer format="short">
Yes, you have a security problem if you execute untrusted code.

And this is true for most existing languages/environments. Also note
that having a (working/complete) security manager doesn't mean you don't
have a security problem ;-)
</answer>

<answer format="long">
The fact that you have a security problem running untrusted code doesn't
mean the security manager will solve it. Why? The security manager is
there to enforce a security policy, which is selected based on
evidence.

So depending on how you're executing the untrusted code it is possible
that the security manager won't do anything to stop "bad things"(tm)
from happening.

E.g. you download r3411yc0114pp.zip, decompress and execute it. Because
the application is executed locally, the evidence will point to the
local computer and the current user, both of which are trusted (by
default). The security policy will give this process "full trust", which
means it can do about anything (good or bad) with your computer.

Now to be (really) useful we need more than a (working) security
manager, we also need environments that use it. Sadly there are very few
such environments (generally) and even fewer for Mono. Some examples are:
- hosting web applets in a browser (e.g. Java applets, IE for .NET);
- managed stored procs in a database server (e.g. SQL Server, DB2);
- a game engine running scripts/bots (e.g. NRobots, which works on Mono :)

The main point of those environments is to create some limits around what
can be done. E.g. ever wondered, from an end-user point of view, why a
screensaver could delete all your files?

(Current) reality dictates that many kinds of applications cannot run
without having "full trust" (e.g. interoperability with existing
unmanaged code). On a positive note that means that Mono, even without a
security manager, is useful and more secure than other technologies
(e.g. buffer overflows are "more difficult" using managed code). On a
negative note it means that running untrusted code is still a risky
business ;-)

p.s. it's a long, but still very incomplete, answer ;-)
</answer>
-- 
Sebastien Pouliot  <sebastien at ximian.com>
Blog: http://pages.infinit.net/ctech/
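The "long answer" above makes two points: locally executed code is granted full trust by default policy, and a host that wants limits has to build an environment that actually uses the security manager. The following C# program is an added illustration of that second point; it is not part of Sebastien's message and not Mono project code. It runs the same file-reading method twice, once in the default (fully trusted) domain and once in an AppDomain created with an explicit grant set containing only the execution permission. The `UntrustedWorker` class, the `SandboxHost` class and the default path `/etc/hostname` are constructed for this example; it assumes a runtime that implements the `AppDomain.CreateDomain` overload taking a `PermissionSet` and enforces code access security (on Mono that means running with `--security=cas`).

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Stand-in for code supplied by an untrusted party (constructed for this
// example). MarshalByRefObject lets the host call it across an AppDomain
// boundary, so the call is evaluated under the sandbox's grant set.
public class UntrustedWorker : MarshalByRefObject
{
    public string TryReadFile(string path)
    {
        try
        {
            return File.ReadAllText(path).Length + " chars read";
        }
        catch (SecurityException)
        {
            // FileIOPermission was not granted: the security manager stopped it.
            return "blocked by security policy";
        }
        catch (IOException e)
        {
            // Reachable in the full-trust run when the file simply isn't there.
            return "I/O error: " + e.GetType().Name;
        }
    }
}

public static class SandboxHost
{
    // Runs UntrustedWorker.TryReadFile inside a domain whose grant set is
    // supplied by the host rather than derived from the code's evidence.
    public static string RunSandboxed(string path)
    {
        // Start from an empty permission set and add only the right to execute
        // managed code. No FileIOPermission, so file access should be denied.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // Evidence is left null here; the explicit grant set decides what the
        // code in this domain may do, instead of "local computer + current
        // user => full trust".
        AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, setup, grant);
        try
        {
            UntrustedWorker worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(UntrustedWorker).Assembly.FullName,
                typeof(UntrustedWorker).FullName);
            return worker.TryReadFile(path);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }

    public static void Main(string[] args)
    {
        // Constructed sample input; any readable file shows the difference.
        string path = args.Length > 0 ? args[0] : "/etc/hostname";

        // Same code, two environments: the only thing that changes is the policy.
        Console.WriteLine("full trust: " + new UntrustedWorker().TryReadFile(path));
        Console.WriteLine("sandboxed:  " + RunSandboxed(path));
    }
}
```

The worker is identical in both runs; what differs is the environment the host built around it, which is exactly the distinction between "having a security manager" and "having an environment that uses it". Without the host's explicit grant set the sandboxed call would succeed just like the first one, because default policy maps local evidence to full trust.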