[Mono-list] Limiting access in embedded mono

Sebastien Pouliot sebastien.pouliot at gmail.com
Fri Mar 20 08:19:30 EDT 2009

On Fri, 2009-03-20 at 11:53 +0100, Robert Jordan wrote:
> robiwan wrote:
> > We're planning on using mono embedded in our application, however, since
> > arbitrary users might write code for it we'd need to limit access to certain
> > things, like FS IO, memory allocation and perhaps even network IO.
> > 
> > Does mono have provision for limiting such stuff? Is it simply a matter of
> > limiting which class libraries are available for the mono run-time?
> You're looking for CAS, but this is unfortunately neither fully
> implemented nor tested. It's a really great area for contributions :)

There's another option becoming available, the coreclr model that is
used in Silverlight 2.0 (and Moonlight 2.0). It's much simpler than CAS
and it's being actively worked on.


> Mono projects that need this kind of protection are usually verifying
> and parsing the assembly upon invocation. The parsing can be performed
> with a library like Mono.Cecil: You could define a whitelist of
> allowed types and reject the assembly if unsuitable.

Quite a few existing (and big) projects works that way. So this is
definitively a workable approach.

CoreCLR makes it even easier because this whitelisting is now done by
attributes - and the features are still available for "platform" code. 

Other advanced features (like SRE) are also possible under the CoreCLR
where only small restrictions are added to "application code".


> For more security, you may want to disable some features (p/invoke,
> Reflection/Reflection.Emit) in mono itself. See the
> "--enable-minimal=LIST" option of the configure script.
> This is only feasible if the host doesn't need this features
> itself.
> > Also, is there a way in mono to load an assembly (for execution) from memory
> > (f.i. have the assembly stored in a database) ?
> Yes. See the (MSDN) docs of the Assembly class.
> Robert
> _______________________________________________
> Mono-list maillist  -  Mono-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-list

More information about the Mono-list mailing list