Heads, you lose. Tails, you lose.

Finally wrapping up my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 6.a) “Based upon the assumption that GACed assemblies are receiving FullTrust, tools such as NGEN can have simpler code paths around security.” Not too many users of the platform are likely to lose sleep worrying about how complex Microsoft’s private implementation of such tools might be. If any given feature is too difficult to implement without eroding the security protections offered by the platform, dropping the feature might be a better solution than dropping the protection. Of course, this only holds …

If only everyone would just play nice…

Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 4. “If an application is hosting the CLR, it has the ability to protect itself from assemblies it doesn’t trust to load. For instance, SQL Server 2005 does not allow the Windows Forms library to load. Applications can provide an AppDomainManager and HostSecurityManager in order to disallow some assemblies from loading, or to tweak their grant sets.” That’s nice. Unfortunately, it does nothing to protect users against the majority of .NET applications, which are run outside of such custom hosts. I suppose …

I’m so special…

Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 3.a) “Since you have to be an administrator in order to add an assembly to the GAC, it is already considered special from a security standpoint.” Ouch. Got a few things to say about this one… i. Joe User can’t write to the Program Files directory either. Does this make it special too? (Rhetorical question, I hope. ;)) ii. One absolutely does not need to be an administrator to add assemblies to the GAC. Even under default ACLs (at least on fully …

Secure by default?

Continuing with my rebuttal of Shawn’s listing of reasons for forcing full trust of assemblies in the GAC… 2.a) “By side-effect, assemblies in the GAC did already receive FullTrust.” Under default policy only. I’d be one of the first to argue that this default policy is probably too permissive, but it’s a little late in the game for that. At least those of us who don’t like the default policy can alter it so that not all locally installed code is fully trusted. Forcing full trust of all assemblies in the GAC would deny us that possibility. 2.b) “The only …

I’m in the platform? Little old me?

After introducing a Microsoft plan to force full trust of all assemblies in the GAC, Shawn Farkas posted a follow-up inviting further feedback. Included in his post are six points explaining some of the reasoning behind the change. In my opinion, none of these reasons even begins to justify the change, and I’d like to present some counter-arguments to each. I’ll address each of Shawn’s points in a separate post here, with the individual points and subpoints labeled for ease of discussion. Starting with point 1… 1.a) “Assemblies in the GAC build up the managed platform that all managed applications can run …

Keep it simple, smarty

This post is in response to a Microsoft plan to force full trust of all assemblies in the GAC regardless of CAS policy settings. CAS Imagine for a moment that you could find an “intro to CAS” document from Microsoft that gives a simple, clear statement of the purpose of CAS. What would that statement be? Unfortunately, my own search for such a document failed to turn up anything that didn’t jump directly from the “why” into the “how” of CAS, leaving the reader to infer the purpose from the “why”. In the absence of a clear statement from Microsoft …

Do I trust you? Well, sort of…

This post is in response to a Microsoft plan to force full trust of all assemblies in the GAC regardless of CAS policy settings. For some time now, I’ve been rather disappointed with the view of code trustworthiness that seems to be generally espoused at Microsoft. IMO, there are at least two main issues to address when evaluating the trustworthiness of code (and/or its source): (1) Do I trust it to not be deliberately malicious? (2) Do I trust it to not contain any exploitable flaws? As far as I can tell, Microsoft seems to be concentrating mostly on #1* (and not just …