[Mono-list] Limiting access in embedded mono
Sebastien Pouliot
sebastien.pouliot at gmail.com
Fri Mar 20 08:19:30 EDT 2009
On Fri, 2009-03-20 at 11:53 +0100, Robert Jordan wrote:
> robiwan wrote:
> > We're planning on using mono embedded in our application, however, since
> > arbitrary users might write code for it we'd need to limit access to certain
> > things, like FS IO, memory allocation and perhaps even network IO.
> >
> > Does mono have provision for limiting such stuff? Is it simply a matter of
> > limiting which class libraries are available for the mono run-time?
>
> You're looking for CAS, but this is unfortunately neither fully
> implemented nor tested. It's a really great area for contributions :)
There's another option becoming available, the coreclr model that is
used in Silverlight 2.0 (and Moonlight 2.0). It's much simpler than CAS
and it's being actively worked on.
http://www.mono-project.com/Moonlight2CoreCLR
> Mono projects that need this kind of protection are usually verifying
> and parsing the assembly upon invocation. The parsing can be performed
> with a library like Mono.Cecil: You could define a whitelist of
> allowed types and reject the assembly if unsuitable.
Quite a few existing (and big) projects works that way. So this is
definitively a workable approach.
CoreCLR makes it even easier because this whitelisting is now done by
attributes - and the features are still available for "platform" code.
Other advanced features (like SRE) are also possible under the CoreCLR
where only small restrictions are added to "application code".
http://www.mono-project.com/MoonlightSecurity
> For more security, you may want to disable some features (p/invoke,
> Reflection/Reflection.Emit) in mono itself. See the
> "--enable-minimal=LIST" option of the configure script.
>
> This is only feasible if the host doesn't need this features
> itself.
>
> > Also, is there a way in mono to load an assembly (for execution) from memory
> > (f.i. have the assembly stored in a database) ?
>
> Yes. See the (MSDN) docs of the Assembly class.
>
> Robert
>
> _______________________________________________
> Mono-list maillist - Mono-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-list
More information about the Mono-list
mailing list