7

I'm currently working on a very modular and plugin-based framework for my bachelor's thesis. The main idea is that there is a folder inside my application structure named plugins where you can drop in compiled plugins (e.g. .dll files) that conform to a special interface IPlugin. The application then executes tasks using the plugin a user selects. So, if I want to perform a task once in a PDF file, I'd choose the PdfPlugin and once in a Word document, I'd choose the DocPlugin to do the work.

The output is also defined in interfaces, so every plugin returns the same data structure. Just the actual work differs for each library.

Now, as the application just calls the methods defined in the interface, e.g. ParseDocument() and such, how can I prevent the plugins (that may have been developed by third parties) from executing harmful code?

I'm working on .NET3.5 (maybe will switch to 4, not yet decided) and C#.

F.P
  • 17,421
  • 34
  • 123
  • 189

3 Answers

8

I'm working on .NET3.5

In that case, I would isolate your Plugins to run in a separate AppDomain, use Code Access Security and restrict the permission set of the App Domain. This "sandboxes" your plugin assemblies.

For instance, you could take away all Unmanaged Code permissions and File IO Permissions, and then your plugin would never be able to write to the file system.

This isn't for the faint of heart. AppDomains can be tricky to work with and require serialization, object lifetime policies, etc. You could use MAF as it takes away a lot of the plumbing.

Community
  • 1
  • 1
vcsjones
  • 138,677
  • 31
  • 291
  • 286
  • Is it possible to query a plugin for what Code Access Security permissions it wants? In comparison to something like intents on Android? I.e. I'd probably want a plugin framework that allows me to determine what permissions a plugin is asking for, so I can prompt the user for confirmation before loading the plugin. Or is it the other way around, in that I enforce permissions in my app, and then the plugin simply fails/throw exception if it tries to do something outside of the allowed permissions? – AaronLS May 02 '13 at 18:29
  • Not asking for a "how to" as that's kind of out of the scope of the question, but curious which of these two different approaches CAS is appropriate for. – AaronLS May 02 '13 at 18:32
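The following is an added example of the AppDomain sandbox this answer describes; it is not code from the answer or from the asker's project. It assumes the host assembly is strong-named (so it can be placed on the sandbox's full-trust list), that the IPlugin contract assembly is deployed into the plugins folder, and that documentPath is an absolute path. The grant set is built from nothing up: the plugin may execute managed code and read the one document it was asked to parse, and nothing else, so FileIOPermission for other paths, UnmanagedCode, reflection and registry access are all refused at the demand.

```csharp
using System;
using System.Reflection;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Plugin contract. Assumption: in the real project this lives in a small
// contract assembly deployed into the plugins folder, so it loads in the
// sandbox under the same restricted grant set as the plugins themselves.
public interface IPlugin
{
    string ParseDocument(string documentPath);
}

// Part of the host assembly, but instantiated inside the sandboxed domain.
// MarshalByRefObject means the host only ever holds a proxy to it; plugin
// objects never cross into the fully trusted main domain.
public class PluginRunner : MarshalByRefObject
{
    public string Run(string assemblyName, string typeName, string documentPath)
    {
        try
        {
            // Load by simple name (e.g. "PdfPlugin"): the loader probes the domain's
            // ApplicationBase, which is permitted under partial trust. A plugin that
            // itself calls Assembly.LoadFrom(@"C:\...") would be refused.
            Assembly asm = Assembly.Load(assemblyName);
            var plugin = (IPlugin)Activator.CreateInstance(asm.GetType(typeName, true));

            // Every demand raised by code the plugin touches (File.Create,
            // Process.Start, P/Invoke, ...) is checked against the sandbox grant
            // set and fails because the plugin assembly lacks the permission.
            return plugin.ParseDocument(documentPath);
        }
        catch (SecurityException ex)
        {
            // Convert to a plain message here, on a fully trusted stack, instead of
            // letting the SecurityException itself be serialized back to the host.
            return "plugin blocked by CAS: " + ex.Message;
        }
    }
}

public static class PluginSandbox
{
    // Execute managed code, plus read access to the single document being parsed.
    // No other FileIOPermission, no UnmanagedCode, no ReflectionPermission,
    // no registry, no UI.
    static PermissionSet BuildGrantSet(string documentPath)
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, documentPath));
        return grant;
    }

    public static string RunPlugin(string pluginsFolder, string assemblyName,
                                   string typeName, string documentPath)
    {
        var setup = new AppDomainSetup { ApplicationBase = pluginsFolder };

        // The host assembly must be fully trusted inside the sandbox so PluginRunner
        // can load and instantiate the plugin. Assumption: the host is strong-named;
        // an unsigned host has an empty public key and this StrongName cannot be built.
        AssemblyName host = typeof(PluginRunner).Assembly.GetName();
        var fullTrust = new StrongName(new StrongNamePublicKeyBlob(host.GetPublicKey()),
                                       host.Name, host.Version);

        AppDomain sandbox = AppDomain.CreateDomain("PluginSandbox", null, setup,
                                                   BuildGrantSet(documentPath), fullTrust);
        try
        {
            // Create the runner in the sandbox; loading the host assembly by path
            // is fine because it is on the full-trust list.
            ObjectHandle handle = Activator.CreateInstanceFrom(
                sandbox,
                typeof(PluginRunner).Assembly.ManifestModule.FullyQualifiedName,
                typeof(PluginRunner).FullName);
            var runner = (PluginRunner)handle.Unwrap();
            return runner.Run(assemblyName, typeName, documentPath);
        }
        finally
        {
            // Tear the domain down after each task so no plugin state lingers.
            AppDomain.Unload(sandbox);
        }
    }
}
```

Unloading the domain after every task is the cheap answer to the lifetime and lease problems the answer mentions; if plugins are long-lived, MarshalByRefObject.InitializeLifetimeService and the remoting lease policy have to be dealt with explicitly.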
0

I know that there is quite some research done in this area. One working approach is to inspect the IL code and look for forbidden method signatures. Then you can redirect them to an error hook which will stop the plugin from executing further code.

One application is e.g. increased security for smart phones where you can inspect the IL code from downloaded apps for access methods to the GPS module, camera, mic, .... The security application can then patch these access methods and ask the user if the application should really be allowed to enable the mic.

With .NET you can use an IL reader like Mono.Cecil to inspect the IL code for harmful signatures. But there are always ways around this since you can still generate code dynamically or simply store code as a resource and load it at runtime from that resource. For a proof of concept this approach is quite easy to do.

You could even write an FxCop rule and use it to statically check the plugins for forbidden method calls.

Alois Kraus
  • 13,229
  • 1
  • 38
  • 64
  • 2
    "One working approach is to inspect the IL code and look for forbidden method signatures" ick. What about method calls made via dynamic dispatch, such as the DLR, reflection, etc? – vcsjones Jul 06 '12 at 14:12
  • I am not saying I did this. All I said was that researchers did it and gained quite some press echo (smart phone security is cool). I guess they were just not as hard core devs as the average Stackoverflow visitors are. Perhaps they should have asked on SO if their idea was a good idea. – Alois Kraus Jul 06 '12 at 14:20
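As an added example of the Mono.Cecil scan this answer sketches (not code from the answer or the asker's project), the following walks every method body in a plugin assembly and reports call sites into namespaces a document-parsing host would not expect a plugin to need. The deny-list prefixes are an assumption for this host and would be adapted to the real contract. As the answer and the comment above both note, this is a coarse pre-load check: it sees direct call, callvirt, newobj and ldftn operands and DllImport declarations, but not targets resolved through reflection, the DLR, or IL generated at runtime, so it complements rather than replaces a runtime sandbox.

```csharp
using System;
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;

// Static IL scan with Mono.Cecil: lists every call site in a plugin assembly
// whose target type lives under a forbidden namespace prefix.
public static class PluginIlScanner
{
    // Deny-list prefixes. Assumption: what this particular host considers
    // off-limits for a plugin that only parses documents.
    static readonly string[] ForbiddenPrefixes =
    {
        "System.IO.",                        // file system
        "System.Net.",                       // sockets, HTTP
        "System.Diagnostics.Process",        // spawning processes
        "System.Reflection.",                // reflection, including Reflection.Emit
        "System.Runtime.InteropServices.",   // Marshal and P/Invoke helpers
        "Microsoft.Win32.",                  // registry
    };

    public static List<string> FindForbiddenCalls(string assemblyPath)
    {
        var findings = new List<string>();
        AssemblyDefinition asm = AssemblyDefinition.ReadAssembly(assemblyPath);

        // GetTypes() includes nested types; Methods includes ctors and property accessors.
        foreach (TypeDefinition type in asm.MainModule.GetTypes())
        {
            foreach (MethodDefinition method in type.Methods)
            {
                string where = type.FullName + "::" + method.Name;

                // A DllImport needs no call site to be dangerous: flag the declaration.
                if (method.IsPInvokeImpl)
                    findings.Add(where + " declares a P/Invoke (DllImport)");

                if (!method.HasBody)
                    continue;

                foreach (Instruction ins in method.Body.Instructions)
                {
                    // call / callvirt / newobj / ldftn / ldvirtftn / ldtoken all
                    // carry a MethodReference operand; other instructions are skipped.
                    var target = ins.Operand as MethodReference;
                    if (target == null)
                        continue;

                    string declaring = target.DeclaringType.FullName;
                    foreach (string prefix in ForbiddenPrefixes)
                    {
                        if (declaring.StartsWith(prefix, StringComparison.Ordinal))
                        {
                            findings.Add(where + " -> " + target.FullName
                                         + " (IL_" + ins.Offset.ToString("x4") + ")");
                            break;
                        }
                    }
                }
            }
        }
        return findings;
    }

    // Usage: PluginIlScanner <plugin.dll>; exit code 1 means "do not load this plugin".
    public static int Main(string[] args)
    {
        List<string> findings = FindForbiddenCalls(args[0]);
        foreach (string finding in findings)
            Console.WriteLine(finding);
        return findings.Count == 0 ? 0 : 1;
    }
}
```

Run it from the host before a plugin is ever loaded into a process, and treat any finding as a reason to refuse the assembly rather than as something to patch around; patching call sites (the "error hook" approach in the answer) is the same walk with `ins.Operand` rewritten to point at a method of your own.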
-2

You can't.

DLLs are binary code which is executed with the privileges of the calling program. When a method from a DLL is called, you have no control over what it does.

When you want to limit what a plugin can do, you have to move the execution to your main program. A good way to do this would be to implement plugins in a scripting language which is parsed and executed by your program instead of binary libraries.

Philipp
  • 37
  • 1
  • 1
    "You can't." yes you can. That's exactly what CAS was designed to do. Remember, the .NET Framework is a virtual machine, so it can enforce these rules at runtime. – vcsjones Jul 06 '12 at 14:14