Code:
/ 4.0 / 4.0 / DEVDIV_TFS / Dev10 / Releases / RTMRel / wpf / src / Framework / MS / Internal / AppModel / AssemblyFilter.cs / 1305600 / AssemblyFilter.cs
//---------------------------------------------------------------------------- // //// Copyright (C) Microsoft Corporation. All rights reserved. // // // Description: // This class is used to filter assemblies as they are loaded into an application domain. // The intent is to bring the AppDomain down in the case that one of these is on a disallowed list // similar to the kill bit for Activex // // History: // 11/15/05: akaza Created. //--------------------------------------------------------------------------- using System; using System.Windows; using MS.Internal.PresentationFramework; using System.Collections.Generic; using MS.Win32; using Microsoft.Win32; using System.Security; using System.Security.Permissions; using System.Reflection; using System.Text; using MS.Internal.AppModel; using MS.Internal; using System.Windows.Resources; using System.Diagnostics; using System.Runtime.InteropServices; namespace MS.Internal { internal class AssemblyFilter { ////// Critical: This code sets the allowed assemblies on AssemblyList /// TreatAsSafe: Initializing the data is ok since it does not expose anything /// [SecurityCritical,SecurityTreatAsSafe] static AssemblyFilter() { _disallowedListExtracted = new SecurityCriticalDataForSet(false); _assemblyList = new SecurityCriticalDataForSet >(new System.Collections.Generic.List ()); } /// /// Critical: This code calls into unmanaged Api that has a SUC on this (IAssemblCache related) /// [SecurityCritical] internal void FilterCallback(Object sender, AssemblyLoadEventArgs args) { // This code is reentrant lock (_lock) { // Extract assembly Assembly a = args.LoadedAssembly; // xmlns cache loads assemblies as reflection only and we cannot inspect these using the code below // so we ignore also keeping this first is super important because the first time cost is really high // other wise also we cannot do any processing on a reflection only assembly aside from reflection based actions if (!a.ReflectionOnly) { // check if it is in the Gac , this ensures that we eliminate any non GAC assembly which are of no risk if (a.GlobalAssemblyCache) { object[] aptca = a.GetCustomAttributes(typeof(AllowPartiallyTrustedCallersAttribute), false); // if the dll has APTCA if (aptca.Length > 0 && aptca[0] is AllowPartiallyTrustedCallersAttribute) { string assemblyName = AssemblyNameWithFileVersion(a); // If we are on the disallowed list kill the application domain if (AssemblyOnDisallowedList(assemblyName)) { // Kill the application domain UnsafeNativeMethods.ProcessUnhandledException_DLL(SR.Get(SRID.KillBitEnforcedShutdown) + assemblyName); // I want to ensure that the process really dies new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();//BlessedAssert try { System.Environment.Exit(-1); } finally { SecurityPermission.RevertAssert(); Debug.Fail("Environment.Exit() failed."); } } } } } } } //appends assembly name with file version to generate a unique entry for the assembly lookup process ////// Critical: This code elevates to extract assembly name /// [SecurityCritical] private string AssemblyNameWithFileVersion(Assembly a) { FileVersionInfo fileVersionInfo; StringBuilder sb = new StringBuilder(a.FullName); // we need unrestricted here because the location is demands too. (new FileIOPermission(PermissionState.Unrestricted)).Assert();//BlessedAssert try { fileVersionInfo = FileVersionInfo.GetVersionInfo(a.Location); } finally { FileIOPermission.RevertAssert(); } if (fileVersionInfo != null && fileVersionInfo.ProductVersion != null) { sb.Append(FILEVERSION_STRING + fileVersionInfo.ProductVersion); } return ((sb.ToString()).ToLower(System.Globalization.CultureInfo.InvariantCulture)).Trim(); } ////// Critical: This code populates _assemblyList with Disallowed Elements and sets the bit that dictates whether to repopulate it /// [SecurityCritical] private bool AssemblyOnDisallowedList(String assemblyToCheck) { bool retVal = false; // if the list disallowed list is not populated populate it once if (_disallowedListExtracted.Value == false) { // hit the registry one time and read ExtractDisallowedRegistryList(); _disallowedListExtracted.Value = true; } if (_assemblyList.Value.Contains(assemblyToCheck)) { retVal = true; } return retVal; } ////// Critical: This code opens an HKLM registry location and reads it. We do not want /// to call this over and over as it could cause performance issues /// [SecurityCritical] private void ExtractDisallowedRegistryList() { string[] disallowedAssemblies; RegistryKey featureKey; //Assert for read access to HKLM\Software\Microsoft\.NetFramework\Policy\APTCA (new RegistryPermission(RegistryPermissionAccess.Read, KILL_BIT_REGISTRY_HIVE + KILL_BIT_REGISTRY_LOCATION)).Assert();//BlessedAssert try { // open the key and read the value featureKey = Registry.LocalMachine.OpenSubKey(KILL_BIT_REGISTRY_LOCATION); if (featureKey != null) { // Enumerate through all keys and populate dictionary disallowedAssemblies = featureKey.GetSubKeyNames(); // iterate over this list and for each extract the APTCA_FLAG value and set it in the // dictionary foreach (string assemblyName in disallowedAssemblies) { featureKey = Registry.LocalMachine.OpenSubKey(KILL_BIT_REGISTRY_LOCATION + @"\" + assemblyName); object keyValue = featureKey.GetValue(SUBKEY_VALUE); // if there exists a value and it is 1 add to hash table if ((keyValue != null) && (int)(keyValue) == 1) { if (!_assemblyList.Value.Contains(assemblyName)) { _assemblyList.Value.Add(assemblyName.ToLower(System.Globalization.CultureInfo.InvariantCulture).Trim()); } } } } } finally { RegistryPermission.RevertAssert(); } } ////// Critical: This holds a list of assemblies that are on an allowed and disallowed list and can be exploited to load /// unsafe dll's into appdomain /// static SecurityCriticalDataForSet> _assemblyList; /// /// Critical: This bit determines whether we need to hit the registry and load the disallowed elements. /// We would like to see this happen only once per appdomain and delay it as much as possible /// static SecurityCriticalDataForSet_disallowedListExtracted; static object _lock = new object(); private const string FILEVERSION_STRING = @", FileVersion="; // This is the location in the registry where all the keys are stored private const string KILL_BIT_REGISTRY_HIVE = @"HKEY_LOCAL_MACHINE\"; private const string KILL_BIT_REGISTRY_LOCATION = @"Software\Microsoft\.NetFramework\policy\APTCA"; private const string SUBKEY_VALUE = @"APTCA_FLAG"; } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007. // Copyright (c) Microsoft Corporation. All rights reserved. //---------------------------------------------------------------------------- // // // Copyright (C) Microsoft Corporation. All rights reserved. // // // Description: // This class is used to filter assemblies as they are loaded into an application domain. // The intent is to bring the AppDomain down in the case that one of these is on a disallowed list // similar to the kill bit for Activex // // History: // 11/15/05: akaza Created. //--------------------------------------------------------------------------- using System; using System.Windows; using MS.Internal.PresentationFramework; using System.Collections.Generic; using MS.Win32; using Microsoft.Win32; using System.Security; using System.Security.Permissions; using System.Reflection; using System.Text; using MS.Internal.AppModel; using MS.Internal; using System.Windows.Resources; using System.Diagnostics; using System.Runtime.InteropServices; namespace MS.Internal { internal class AssemblyFilter { ////// Critical: This code sets the allowed assemblies on AssemblyList /// TreatAsSafe: Initializing the data is ok since it does not expose anything /// [SecurityCritical,SecurityTreatAsSafe] static AssemblyFilter() { _disallowedListExtracted = new SecurityCriticalDataForSet(false); _assemblyList = new SecurityCriticalDataForSet >(new System.Collections.Generic.List ()); } /// /// Critical: This code calls into unmanaged Api that has a SUC on this (IAssemblCache related) /// [SecurityCritical] internal void FilterCallback(Object sender, AssemblyLoadEventArgs args) { // This code is reentrant lock (_lock) { // Extract assembly Assembly a = args.LoadedAssembly; // xmlns cache loads assemblies as reflection only and we cannot inspect these using the code below // so we ignore also keeping this first is super important because the first time cost is really high // other wise also we cannot do any processing on a reflection only assembly aside from reflection based actions if (!a.ReflectionOnly) { // check if it is in the Gac , this ensures that we eliminate any non GAC assembly which are of no risk if (a.GlobalAssemblyCache) { object[] aptca = a.GetCustomAttributes(typeof(AllowPartiallyTrustedCallersAttribute), false); // if the dll has APTCA if (aptca.Length > 0 && aptca[0] is AllowPartiallyTrustedCallersAttribute) { string assemblyName = AssemblyNameWithFileVersion(a); // If we are on the disallowed list kill the application domain if (AssemblyOnDisallowedList(assemblyName)) { // Kill the application domain UnsafeNativeMethods.ProcessUnhandledException_DLL(SR.Get(SRID.KillBitEnforcedShutdown) + assemblyName); // I want to ensure that the process really dies new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();//BlessedAssert try { System.Environment.Exit(-1); } finally { SecurityPermission.RevertAssert(); Debug.Fail("Environment.Exit() failed."); } } } } } } } //appends assembly name with file version to generate a unique entry for the assembly lookup process ////// Critical: This code elevates to extract assembly name /// [SecurityCritical] private string AssemblyNameWithFileVersion(Assembly a) { FileVersionInfo fileVersionInfo; StringBuilder sb = new StringBuilder(a.FullName); // we need unrestricted here because the location is demands too. (new FileIOPermission(PermissionState.Unrestricted)).Assert();//BlessedAssert try { fileVersionInfo = FileVersionInfo.GetVersionInfo(a.Location); } finally { FileIOPermission.RevertAssert(); } if (fileVersionInfo != null && fileVersionInfo.ProductVersion != null) { sb.Append(FILEVERSION_STRING + fileVersionInfo.ProductVersion); } return ((sb.ToString()).ToLower(System.Globalization.CultureInfo.InvariantCulture)).Trim(); } ////// Critical: This code populates _assemblyList with Disallowed Elements and sets the bit that dictates whether to repopulate it /// [SecurityCritical] private bool AssemblyOnDisallowedList(String assemblyToCheck) { bool retVal = false; // if the list disallowed list is not populated populate it once if (_disallowedListExtracted.Value == false) { // hit the registry one time and read ExtractDisallowedRegistryList(); _disallowedListExtracted.Value = true; } if (_assemblyList.Value.Contains(assemblyToCheck)) { retVal = true; } return retVal; } ////// Critical: This code opens an HKLM registry location and reads it. We do not want /// to call this over and over as it could cause performance issues /// [SecurityCritical] private void ExtractDisallowedRegistryList() { string[] disallowedAssemblies; RegistryKey featureKey; //Assert for read access to HKLM\Software\Microsoft\.NetFramework\Policy\APTCA (new RegistryPermission(RegistryPermissionAccess.Read, KILL_BIT_REGISTRY_HIVE + KILL_BIT_REGISTRY_LOCATION)).Assert();//BlessedAssert try { // open the key and read the value featureKey = Registry.LocalMachine.OpenSubKey(KILL_BIT_REGISTRY_LOCATION); if (featureKey != null) { // Enumerate through all keys and populate dictionary disallowedAssemblies = featureKey.GetSubKeyNames(); // iterate over this list and for each extract the APTCA_FLAG value and set it in the // dictionary foreach (string assemblyName in disallowedAssemblies) { featureKey = Registry.LocalMachine.OpenSubKey(KILL_BIT_REGISTRY_LOCATION + @"\" + assemblyName); object keyValue = featureKey.GetValue(SUBKEY_VALUE); // if there exists a value and it is 1 add to hash table if ((keyValue != null) && (int)(keyValue) == 1) { if (!_assemblyList.Value.Contains(assemblyName)) { _assemblyList.Value.Add(assemblyName.ToLower(System.Globalization.CultureInfo.InvariantCulture).Trim()); } } } } } finally { RegistryPermission.RevertAssert(); } } ////// Critical: This holds a list of assemblies that are on an allowed and disallowed list and can be exploited to load /// unsafe dll's into appdomain /// static SecurityCriticalDataForSet> _assemblyList; /// /// Critical: This bit determines whether we need to hit the registry and load the disallowed elements. /// We would like to see this happen only once per appdomain and delay it as much as possible /// static SecurityCriticalDataForSet_disallowedListExtracted; static object _lock = new object(); private const string FILEVERSION_STRING = @", FileVersion="; // This is the location in the registry where all the keys are stored private const string KILL_BIT_REGISTRY_HIVE = @"HKEY_LOCAL_MACHINE\"; private const string KILL_BIT_REGISTRY_LOCATION = @"Software\Microsoft\.NetFramework\policy\APTCA"; private const string SUBKEY_VALUE = @"APTCA_FLAG"; } } // File provided for Reference Use Only by Microsoft Corporation (c) 2007. // Copyright (c) Microsoft Corporation. All rights reserved.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- InternalBufferOverflowException.cs
- DbLambda.cs
- AbstractExpressions.cs
- FederatedMessageSecurityOverHttp.cs
- RenderCapability.cs
- FrameworkName.cs
- FrameworkReadOnlyPropertyMetadata.cs
- precedingsibling.cs
- XmlDocumentSurrogate.cs
- ControlIdConverter.cs
- XmlUTF8TextWriter.cs
- SessionPageStateSection.cs
- ContextMarshalException.cs
- Canvas.cs
- RadialGradientBrush.cs
- RawStylusInputCustomData.cs
- NativeMethods.cs
- LocalValueEnumerator.cs
- Section.cs
- SctClaimDictionary.cs
- MarkupCompilePass1.cs
- MappingModelBuildProvider.cs
- TraceSource.cs
- IdnMapping.cs
- VisualProxy.cs
- DataSetFieldSchema.cs
- DetailsViewModeEventArgs.cs
- WebEventTraceProvider.cs
- OperationAbortedException.cs
- Nodes.cs
- SystemBrushes.cs
- ConfigurationManagerHelperFactory.cs
- HostingEnvironment.cs
- Brushes.cs
- PropertyEmitterBase.cs
- ImageConverter.cs
- RoutedEventHandlerInfo.cs
- Select.cs
- GetPageCompletedEventArgs.cs
- TransformGroup.cs
- FormatException.cs
- WizardStepBase.cs
- StartUpEventArgs.cs
- FocusChangedEventArgs.cs
- SpellerHighlightLayer.cs
- ConnectionPool.cs
- ColumnBinding.cs
- SoapHelper.cs
- ActivityCodeDomReferenceService.cs
- EditBehavior.cs
- EdmMember.cs
- StreamGeometry.cs
- Adorner.cs
- XmlSchemaAttributeGroup.cs
- InlinedAggregationOperator.cs
- ThreadStaticAttribute.cs
- QilStrConcatenator.cs
- DataControlFieldCollection.cs
- Transform3DCollection.cs
- WindowsIdentity.cs
- ResponseBodyWriter.cs
- Assembly.cs
- TextureBrush.cs
- SmiConnection.cs
- EntityDataSourceMemberPath.cs
- DataGridViewRowsAddedEventArgs.cs
- SchemaComplexType.cs
- GenericTypeParameterBuilder.cs
- UnknownBitmapEncoder.cs
- DataPointer.cs
- PipelineModuleStepContainer.cs
- PasswordRecovery.cs
- EncoderExceptionFallback.cs
- TracingConnectionListener.cs
- GorillaCodec.cs
- ProfileServiceManager.cs
- FocusManager.cs
- SynchronizationFilter.cs
- ChannelFactory.cs
- StrokeNodeData.cs
- ProfileGroupSettings.cs
- AppDomainProtocolHandler.cs
- LinqMaximalSubtreeNominator.cs
- HtmlMeta.cs
- PrePostDescendentsWalker.cs
- FontWeights.cs
- PropertyGeneratedEventArgs.cs
- LoadRetryStrategyFactory.cs
- HtmlInputReset.cs
- GACIdentityPermission.cs
- CachingHintValidation.cs
- httpserverutility.cs
- HyperLinkDesigner.cs
- SwitchLevelAttribute.cs
- LayoutEditorPart.cs
- DateTimeUtil.cs
- StructuredTypeInfo.cs
- HostSecurityManager.cs
- PrivacyNoticeBindingElementImporter.cs
- NonVisualControlAttribute.cs