This post is in response to a Microsoft plan to force full trust for all assemblies in the GAC regardless of CAS policy settings.
For some time now, I’ve been rather disappointed with the view of code trustworthiness that seems to be generally espoused at Microsoft. IMO, there are at least two main issues to address when evaluating the trustworthiness of code (and/or its source):
- Do I trust it to not be deliberately malicious?
- Do I trust it to not contain any exploitable flaws?
As far as I can tell, Microsoft seems to be concentrating mostly on #1* (and not just with respect to CAS and the .NET Framework). However, I worry at least as much, if not more, about #2. Unfortunately, even the most well-intentioned developers are not necessarily all that competent, particularly when it comes to security.
Even when developers are competent and careful, there’s every reason to expect that their code will contain at least some exploitable flaws, since security-related bugs are likely to be at least as frequent as problems in any other area. Therefore, even if I trust the developers of a given assembly to be both non-malicious and competent, I would still want to run their code with the least possible privilege. This is simple defense in depth.
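As an added illustration of that point (not code from the original post), assuming .NET Framework 4 and its sandboxed AppDomain grant sets as the CAS mechanism: the hypothetical ReportReader below is non-malicious but has a path-handling flaw, and when it runs under a grant set limited to read access below one directory, the flaw cannot be used to read files anywhere else. That containment is exactly what an assembly that is fully trusted regardless of policy no longer gets.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical well-meaning assembly: reads a report whose name comes from
// untrusted input and never validates it.
public class ReportReader : MarshalByRefObject
{
    public string Read(string baseDir, string name)
    {
        // Flaw: a rooted name or "..\" segments escape baseDir.
        return File.ReadAllText(Path.Combine(baseDir, name));
    }
}

public static class LeastPrivilegeDemo
{
    // Host the reader in an AppDomain whose grant set allows execution and
    // read access under baseDir only. File.ReadAllText demands
    // FileIOPermission for the resolved path, so anything outside baseDir
    // fails with SecurityException before the file is opened.
    public static string ReadUnderLeastPrivilege(string baseDir, string name)
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, baseDir));

        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("reader-sandbox", null, setup, grant);
        try
        {
            var reader = (ReportReader)sandbox.CreateInstanceAndUnwrap(
                typeof(ReportReader).Assembly.FullName, typeof(ReportReader).FullName);
            return reader.Read(baseDir, name);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }

    public static void Main()
    {
        // Constructed sample data: one report under a temp directory.
        string baseDir = Path.Combine(Path.GetTempPath(), "reports");
        Directory.CreateDirectory(baseDir);
        File.WriteAllText(Path.Combine(baseDir, "q1.txt"), "quarterly figures");

        Console.WriteLine(ReadUnderLeastPrivilege(baseDir, "q1.txt"));
        try
        {
            ReadUnderLeastPrivilege(baseDir, @"..\..\secret.txt"); // same flaw, contained
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Blocked by grant set: " + ex.Message);
        }
    }
}
```

Under full trust the second call would simply read whatever file the traversal resolved to; the grant set is what turns a latent flaw into a caught SecurityException.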
If all assemblies in the GAC are to become fully trusted regardless of policy settings, administrators will have no way of enforcing least privilege for these assemblies. Is the loss of this ability really worth any trade-off with respect to possible gains that might result in other areas?
*Interestingly enough, the Code Access Security topic in the .NET Framework Developer’s Guide does mention #2 as one of the reasons for the limitation of code permissions under CAS. Unfortunately, it would seem that someone has forgotten about this along the way.