1

I have a C++ program that allows user to input arbitrary C# (.NET compatible) scripts, which are then interpreted at runtime and which allow the user to customize my program's functionality to a certain extent, through my program's C# (.NET) API.

When a user saves their work in my program, their scripts are saved with their file and automatically executed/interpreted next time the program is run and their file is loaded.

Obviously if a user wants to destroy their own machine with malicious code, more power to them. However, due to the nature of my software their is strong potential for users to share their files with each other...and thus the possibility of users sending malicious code to other users exists (through this C# scripting interface).

Some workarounds might be to warn users if a file contains a script, before automatically executing it, etc...but that still leaves room for error....if a user mistakenly ignores such warnings, they still leave themselves open to attack.

Is there a way to take a bunch of arbitrary C# code, and figure out if it contains any code which could be used to delete/rename/move/modify/harm system files? Basically a way to ensure that some arbitrary c# code doesn't try to change any files on the system? Or maybe a way to simply prevent any file-access .NET assemblies from being loaded by the interpreter?

Camilo Terevinto
  • 31,141
  • 6
  • 88
  • 120
Tyson
  • 1,226
  • 1
  • 10
  • 33
  • You might take a look at [What is a partially trusted assembly/application/code/etc in .NET?](https://stackoverflow.com/q/376049) - though I don't know enough about [partial trust](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/partial-trust) to know if it would help you. – dbc Apr 14 '18 at 20:52
  • You might want to read this: https://learn.microsoft.com/en-us/dotnet/framework/misc/how-to-run-partially-trusted-code-in-a-sandbox , though note that at the moment its usage is discouraged for your scenario. Still I'd say its better than nothing nevertheless. – Evk Apr 14 '18 at 20:59
  • If your program really only allows competent users to write C# scripts *for themselves*, it is perhaps not necessary to sanitize the scripts at all - after all they would knowingly be sabotaging themselves rather than others. If, on the other hand, you have something like a plugin system where untrusted 3rd party code might be loaded and executed, C# scripts aren't a good way to do it. As others have pointed out, partial trust is not recommended because it simply has too many loopholes. Instead, embedded scripting languages like Javascript or Lua were developed for this exact purpose. – dialer Apr 23 '18 at 07:40

1 Answers1

0

There is no known way to do that. Partial trust does not work, and was deprecated a few years ago as a trust boundary. If the code is truly malicious you are opening up a big security hole for sharing.

One way to deal with it, is create a sharing site, where you prevent scripting on that site. You can prevent scripts on files with "mark of the internet" automatically, and make it not a button click, but a truly complex step to allow the individual piece of software to load, including viewing the C# code for example. You can look at what chrome did for untrusted certificates as an example.

Ultimately you are just opening a security hole, and you can't truly plug a malicious code.

Yishai Galatzer
  • 8,791
  • 2
  • 32
  • 41