.NET 4, AllowPartiallyTrustedCallers attribute, and security markings like SecurityCritical


Problem description

I'm new to C# and am trying to understand the new security features of .NET-4.

To fill in some details, I'm currently trying to update AutofacContrib.Moq to work with the latest Moq. I had no problems doing this for .NET-3.5 and under. But in .NET-4 the security restrictions result in numerous security exceptions.

Moq has a single method, GetObjectData, that's marked with the SecurityCritical attribute. AutofacContrib.Moq has the AllowPartiallyTrustedCallers attribute set, which is the source of the exceptions. It seems that rather than adding the SecurityRules attribute with a SecurityLevel of 1, I'd be better off removing the AllowPartiallyTrustedCallers attribute. I believe this makes the assembly SecurityTransparent by default, which may not be sufficient (though the AutofacContrib.Moq unit tests pass).

My main question at the moment is whether assemblies targeting .NET-4 should ever use the AllowPartiallyTrustedCallers attribute? But, given that I definitely don't understand everything yet, what details should be considered when working with assemblies that are security marked? Do I need to explicitly mark my assembly with security attributes in those places it uses, directly or indirectly, something that's marked SecurityCritical?

Solution

You are correct: in .NET 4, leaving the APTCA on there makes the assembly SecurityTransparent, and that may be what's causing you grief.

The MSDN article Migrating an APTCA Assembly to the .NET Framework 4 has a good discussion and explanation of the changes to the AllowPartiallyTrustedCallersAttribute in .NET 4.

Specifically:

The AllowPartiallyTrustedCallers attribute has changed. In v4, it no longer has anything to do with link demands. In fact, the implicit link demand that was present on signed libraries in v2 is gone. Instead, all fully trusted assemblies in v4 are, by default, SecurityCritical.

[snip /]

In v4, the effect of APTCA is to remove the automatic SecurityCritical behavior from the assembly to which it’s applied.

And...

Because the AllowPartiallyTrustedCallers attribute causes the entire assembly to be SecurityTransparent by default, the assembly’s author must specifically mark methods needing to perform privileged operations as SecurityCritical or SecuritySafeCritical.

(It's really a good article that author Mike Rousos did a great job with. I encourage you to read it in its entirety.)

If you're starting a new .NET 4 library, it's probably best to stick with the .NET 4 security model and use the appropriate SecurityCritical, SecuritySafeCritical, and SecurityTransparent attributes where needed. They're far easier to manage and understand than old code access security.

If you're migrating an old library to the new model, there's a good example in the article of how to do that... but basically it amounts to removing old LinkDemands and adding [SecurityCritical] in their place.

In your particular case, the fastest way to get going would be to add the SecurityRules attribute so you get the old behavior, but I'm not sure I'd consider that the right way. The right way would probably be to lose the APTCA and add SecurityCritical on the assembly because the assembly may contain SecurityCritical code, then mark the various types that call SecurityCritical code (e.g., stuff that references GetObjectData) with SecuritySafeCritical so your SecurityTransparent code can call it. Of course, that second approach will be a lot more work, so you'll probably want to run SecAnnotate.exe and get some automated tips.

Looking at the Moq trunk, a search for GetObjectData shows that the method in question is the override for an exception serialization mechanism (ISerializable.GetObjectData on System.Exception), which only SecurityCritical code will be calling anyway, so you may not even run into any trouble if you just lose APTCA and mark the assembly SecurityCritical.

There is an issue filed on Autofac to update it to the latest security model. If you like the idea, go vote/comment on it.

Sorry that wasn't a short answer. Security is, unfortunately, never easy. :S
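The markings discussed in the answer, shown together as an added example (not code from Moq, Autofac, or the MSDN article). It assumes an assembly that keeps APTCA under the .NET 4 rules; the namespace, type, and method names are hypothetical.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security;

// With APTCA under the .NET 4 rules, everything in this assembly is
// SecurityTransparent unless it is explicitly annotated below.
[assembly: AllowPartiallyTrustedCallers]
// The "fastest" route from the answer would opt back into the old behavior:
// [assembly: SecurityRules(SecurityRuleSet.Level1)]

namespace Example.Transparency // hypothetical namespace
{
    [Serializable]
    public class SampleMockException : Exception // hypothetical type
    {
        public SampleMockException(string message) : base(message) { }

        protected SampleMockException(SerializationInfo info, StreamingContext context)
            : base(info, context) { }

        // Exception.GetObjectData is SecurityCritical in .NET 4, so the
        // override must carry the same marking; leaving it transparent
        // violates the inheritance rules of the transparency model.
        [SecurityCritical]
        public override void GetObjectData(SerializationInfo info, StreamingContext context)
        {
            base.GetObjectData(info, context);
        }
    }

    public static class EnvironmentReader // hypothetical type
    {
        // Stands in for a privileged operation. Transparent code in this
        // assembly, and partially trusted callers, cannot call it directly.
        [SecurityCritical]
        private static string ReadCore(string name)
        {
            return Environment.GetEnvironmentVariable(name);
        }

        // The SecuritySafeCritical bridge is the audit boundary: it is callable
        // from transparent code, so it validates input before crossing over.
        [SecuritySafeCritical]
        public static string ReadAllowed(string name)
        {
            if (name != "TEMP" && name != "TMP")
                throw new ArgumentException("Variable is not on the allow-list.", "name");
            return ReadCore(name);
        }
    }
}
```

Each SecuritySafeCritical member is a place where untrusted input can reach critical code, so keep those members few and review them individually.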
