访问级别和修饰符(私有，密封等)是否出于C#的安全目的? [英] Do the access levels and modifiers (private, sealed, etc) serve a security purpose in C#?

问题描述

我已经看到您可以使用反射来操纵私有成员和内部成员 .我还看到它说，密封"类比没有密封的类更安全.

I've seen that you can manipulate private and internal members using reflection. I've also seen it said that a 'sealed' class is more secure that one that isn't.

修饰符公共的，受保护的，内部的，私有的，抽象的，密封的，只读的"修饰符是否只是绅士关于设计和API使用的协议，只要您能够获得反思，修饰符就可以被破坏吗?而且，如果黑客已经在运行调用您的API的代码，那么游戏就已经丢失了，对吧?

Are the modifiers "public, protected, internal, private, abstract, sealed, readonly" anything more than a gentleman's agreement about design and API use, that can be broken as long as you have access to reflection? And if a hacker is already is running code that calls your API, the game is already lost, right?

以下内容比其他任何类别都更加安全吗?

Is the following anymore secure than any other class?

//private class
sealed class User
{
    private string _secret = "shazam";
    public readonly decimal YourSalary;
    public string YourOffice{get;};
    private DoPrivilegedAction()
    {
    }
}

推荐答案

首先，回答您的问题:安全系统旨在保护 GOOD USERS免受错误代码的侵害；它显然不是旨在保护良好代码免受不良用户的侵害.您的访问限制通过部分受信任的敌对代码减轻了对用户的攻击.它们不会减轻敌对用户对您代码的攻击.如果威胁是敌对的用户获取您的代码，那么您将遇到很大的问题.安全系统根本无法缓解这种威胁.

First, to answer your question: The security system is designed to protect GOOD USERS from BAD CODE; it is explicitly not designed to protect GOOD CODE from BAD USERS. Your access restrictions mitigate attacks on your users by partially trusted hostile code. They do not mitigate attacks on your code from hostile users. If the threat is hostile users getting your code, then you have a big problem. The security system does not mitigate that threat at all.

第二，要解决一些先前的答案:了解反射和安全性之间的完整关系需要仔细注意细节并充分了解CAS系统的细节.先前发布的答案指出，由于反射，安全性和访问之间没有联系，这是误导和错误的.

Second, to address some of the previous answers: understanding the full relationship between reflection and security requires careful attention to detail and a good understanding of the details of the CAS system. The previously posted answers which state that there is no connection between security and access because of reflection are misleading and wrong.

是的，反射使您可以覆盖可见性"限制(有时).这并不意味着访问和安全之间没有联系.与此相关的是，使用反射来覆盖访问限制的权利已通过多种方式与CAS系统紧密相连.

Yes, reflection allows you to override "visibility" restrictions (sometimes). That does not imply that there is no connection between access and security. The connection is that the right to use reflection to override access restrictions is deeply connected to the CAS system in multiple ways.

首先，为了任意这样做，必须由CAS系统为代码授予私有反射权限.这通常仅授予完全受信任的代码，毕竟，该代码可能已经完成了任何操作.

First off, in order to do so arbitrarily, code must be granted private reflection permission by the CAS system. This is typically only granted to fully trusted code, which, after all, could already do anything.

第二，在新的.NET安全模型中，假定程序集A被CAS系统授予了程序集B授予集的超集.在这种情况下，程序集A中的代码被允许使用反射来观察B的内部.

Second, in the new .NET security model, suppose assembly A is granted a superset of the grant set of assembly B by the CAS system. In this scenario, code in assembly A is allowed to use reflection to observe B's internals.

第三，将动态生成的代码放入组合中时，事情变得非常复杂.如果要解释跳过可见性"与受限跳过可见性"的工作原理，以及它们如何更改在运行时吐出代码的情况下反射，访问控制和安全系统之间的交互，将使我比我花费更多的时间和空间.有空.如果需要详细信息，请参阅Shawn Farkas的博客.

Third, things get really quite complicated when you throw in dynamically generated code into the mix. An explanation of how "Skip Visibility" vs "Restricted Skip Visibility" works, and how they change the interactions between reflection, access control, and the security system in scenarios where code is being spit at runtime would take me more time and space than I have available. See Shawn Farkas's blog if you need details.

这篇关于访问级别和修饰符(私有，密封等)是否出于C#的安全目的?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！