Restrict loaded assemblies:
I’m writing a console app with a plugin system, for security I want to try restrict it to assemblies that don’t use certain namespaces like system IO with the intention being they have to request stuff like input and config values through interfaces. Is this possible and how do I check what namespaces an assembly uses ?
9 Replies
Stack Overflow
.NET/Security: Limiting runtime-loaded assemblies from accessing ce...
In a shell application, I need to be able to load and execute other .NET assemblies at runtime, but without giving them full trust. Essentially, I want to limit them (the loaded assemblies) from to...
Not sure if CAS is still supported in newer .net versions
i think that's netfw only
ya i finally found an msdn page with some info, looks like it's unsupported for .net core / .net
doesn't seem like there's an equivalent for modern .net :Smoge:
You'd like have each plugin in it's own ACL with the host providing the communication types https://github.com/dotnet/runtime/issues/96207#issuecomment-1875311453
GitHub
[AssemblyLoadContext]: Restriction dlls for new Plugins · Issue #96...
Background and motivation hi everyone i have an application that writed with aspnetcore and now i wana to create plugin managment system for that. my users have high level data that must be cared f...
the other option would be using process boundaries and restricting access that way. If their process can't access the file system/network/etc then you're providing your own security
Does an ALC do any restrictions for accessing file system or input?
(Sorry, been a hectic 24 hours)
You can provide your own hook when assemblies are loaded and reject them. It sort of solves the problem but like most things it doesn't fully restrict. The best way for that would be to use OS specific restrictions and another process
You could use DotNetIsolator and run the loaded assembly inside a wasm runtime for sandbox-like isolation (you control which IO surfaces are available to the plugin assembly):
https://www.nuget.org/packages/DotNetIsolator/0.1.0-preview.10032
DotNetIsolator 0.1.0-preview.10032
Package Description