Thread: Sandbox review

  1. #1
    Join Date
    Apr 2007
    Posts
    3

    Question Sandbox review

    I'm looking for a little code review by someone who understands .NET security better than I do. I have written a robot battle simulator that allows you to pit your robot creations against other competitors. Each robot is saved as a .NET assembly in a dll; the simulator instantiates a class from these dlls. Naturally, you don't want to just run some arbitrary dll on your machine, so I think I've found a way to create a sandbox that prevents these robot dlls from harming your system. This is what I'd like reviewed.

    You can download the VB .NET 2005 solution here. You'll be looking for the Sub Main in Module1 of project VbRoboCodeStartup. Thanks in advance to anyone who can help me verify this code.
    ---scott

  2. #2
    Join Date
    Apr 2007
    Location
    Sterling Heights, Michigan
    Posts
    8,663
    Welcome to DevX

    I have not run your code, but I'll ask: is the code doing what you intended it to do? Are you getting any errors?

  3. #3
    Join Date
    Apr 2007
    Posts
    3
    It appears to work. For example, if I include code to write to a file I get an exception. It's just that it was a real stretch for me to piece together this code from examples on the internet and I think it's probable that there are still security flaws.

  4. #4
    Join Date
    Apr 2007
    Posts
    3

    Code excerpt

    I'll post the code here so you don't have to bother with a download:

    Code:
    ' Copyright © Scott Thomason 2007. All rights reserved.
    
    Imports ScottThomason.VbRoboCode
    Imports System.IO
    Imports System.Reflection
    Imports System.Runtime.Remoting
    Imports System.Security
    Imports System.Security.Permissions
    Imports System.Security.Policy
    
    Module Module1
        Private _sandbox As AppDomain
    
        Sub Main()
            Dim ads As New AppDomainSetup
            ' ApplicationBase must be a directory; CodeBase is the URL of the assembly file itself
            ads.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
            'Dim strongNames As StrongName() = {GetStrongName(Assembly.GetExecutingAssembly)}
            Dim strongNames As StrongName() = {}
            Dim permissions As New PermissionSet(Security.Permissions.PermissionState.None)
            permissions.AddPermission(New SecurityPermission(SecurityPermissionFlag.Execution))
            _sandbox = AppDomain.CreateDomain("Sandbox", AppDomain.CurrentDomain.Evidence, ads, permissions, strongNames)
    
            Dim simulator As New Startup
            simulator.Init(GetRobotPublicClasses(GetPotentialDlls))
        End Sub
    
        Private Function GetPotentialDlls() As List(Of FileInfo)
            Dim files As New List(Of FileInfo)
    
            GetDllsFromDirectory(files, ".")
    
            Return files
        End Function
    
        Private Sub GetDllsFromDirectory(ByVal files As List(Of FileInfo), ByVal dir As String)
            Dim di As New DirectoryInfo(dir)
            If di.Exists Then
                For Each f As FileInfo In di.GetFiles("*.dll")
                    files.Add(f)
                Next
            End If
        End Sub
    
        Private Function GetRobotPublicClasses(ByVal files As List(Of FileInfo)) As List(Of RobotPublic)
            Dim robots As New List(Of RobotPublic)
    
            For Each f As FileInfo In files
                Dim fname As String = Left(f.Name, InStr(f.Name, ".") - 1)
                Dim asmClass As String = fname & "." & fname
                Dim asm As Assembly = Nothing
                Try
                    asm = Assembly.LoadFrom(f.FullName)
                Catch ex As System.Reflection.ReflectionTypeLoadException
                    Dim msg As String = ex.Message & vbCrLf & vbCrLf
                    For Each l As Exception In ex.LoaderExceptions
                        msg &= l.Message & vbCrLf & vbCrLf
                    Next
                    MsgBox(msg)
                Catch ex As Exception
                    MsgBox(ex.Message)
                End Try
                ' Skip this file if the assembly could not be loaded
                If asm Is Nothing Then Continue For
    
    
                Try
                    Dim type As Type = asm.GetType(asmClass)
                    If type Is Nothing Then Continue For
    
                    Dim oh As ObjectHandle = Activator.CreateInstanceFrom(_sandbox, f.FullName, type.FullName)
                    Dim o As Object = oh.Unwrap
                    Dim r As RobotPublic = CType(o, RobotPublic)
    
                    robots.Add(r)
                Catch ex As ArgumentNullException
                    MsgBox(ex.Message)
                Catch ex As FileNotFoundException
                    MsgBox(ex.Message)
                Catch ex As TypeLoadException
                    Dim msg As String = ex.Message & vbCrLf & vbCrLf & "Types: "
                    For Each t As Type In asm.GetTypes
                        msg &= t.Name & ", "
                    Next
                    MsgBox(msg)
                Catch ex As AppDomainUnloadedException
                    MsgBox(ex.Message)
                Catch ex As MissingMethodException
                    MsgBox(ex.Message)
                Catch ex As MethodAccessException
                    MsgBox(ex.Message)
                Catch ex As BadImageFormatException
                    MsgBox(ex.Message)
                Catch ex As FileLoadException
                    MsgBox(ex.Message)
                Catch ex As System.Reflection.ReflectionTypeLoadException
                    Dim msg As String = ex.Message & vbCrLf & vbCrLf
                    For Each l As Exception In ex.LoaderExceptions
                        msg &= l.Message & vbCrLf & vbCrLf
                    Next
                    MsgBox(msg)
                Catch ex As Exception
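                    ' InnerException is often Nothing, so only append it when present
                    Dim msg As String = "Could not add object from " & f.FullName & ", make sure filename matches classname." & vbCrLf & vbCrLf & ex.Message
                    If ex.InnerException IsNot Nothing Then msg &= vbCrLf & vbCrLf & ex.InnerException.Message
                    MsgBox(msg)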
                End Try
            Next
    
            Return robots
        End Function
    
        Private Function GetStrongName(ByVal assembly As Assembly) As StrongName
            If assembly Is Nothing Then Throw New ArgumentNullException("assembly")
    
            Dim assemblyName As AssemblyName = assembly.GetName
    
            Dim publicKey As Byte() = assemblyName.GetPublicKey
            If publicKey Is Nothing OrElse publicKey.Length = 0 Then Throw New InvalidOperationException("Assembly is not strongly named.")
    
            Dim keyBlob As New StrongNamePublicKeyBlob(publicKey)
    
            Return New StrongName(keyBlob, assemblyName.Name, assemblyName.Version)
        End Function
    End Module
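
The pattern below is an added example, not code from the original post or the project: a small trusted shim created inside the sandbox does the loading, so the robot DLL is never loaded into the host AppDomain (which is where the posted `Assembly.LoadFrom` call loads it) and the host only ever holds a proxy to the shim. `RobotLoader`, `SandboxHost`, `CreateLoader`, `Describe` and the dedicated robot directory are assumptions, as is a strong-named host assembly whose `StrongName` is passed in (for instance from the posted `GetStrongName`).

```vbnet
Imports System
Imports System.Reflection
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy

' Hypothetical trusted shim. It is created INSIDE the sandbox and is the only
' object the host holds a reference to. Because it derives from
' MarshalByRefObject, the host gets a proxy, not a deserialized copy.
Public Class RobotLoader
    Inherits MarshalByRefObject

    Private _robot As Object

    ' Executes in the sandbox domain, so the robot assembly is never loaded
    ' into the fully trusted host domain.
    Public Sub Load(ByVal assemblyName As String, ByVal typeName As String)
        _robot = Assembly.Load(assemblyName).CreateInstance(typeName, False)
        If _robot Is Nothing Then Throw New TypeLoadException(typeName)
    End Sub

    ' Only a String crosses back to the host, never the robot object itself.
    Public Function Describe() As String
        Return _robot.ToString()
    End Function
End Class

Public Module SandboxHost
    ' robotDir: directory that holds only untrusted robot DLLs and the
    '           assemblies they reference (assumption).
    ' hostName: StrongName of this assembly, the only fully trusted code in the sandbox.
    Public Function CreateLoader(ByVal robotDir As String, ByVal hostName As StrongName) As RobotLoader
        Dim ads As New AppDomainSetup()
        ads.ApplicationBase = robotDir

        Dim grant As New PermissionSet(PermissionState.None)
        grant.AddPermission(New SecurityPermission(SecurityPermissionFlag.Execution))

        Dim sandbox As AppDomain = AppDomain.CreateDomain("Sandbox", Nothing, ads, grant, hostName)

        ' The host (full trust) asks the sandbox to instantiate the shim from the host's own assembly.
        Dim shimType As Type = GetType(RobotLoader)
        Dim handle As System.Runtime.Remoting.ObjectHandle = Activator.CreateInstanceFrom(sandbox, shimType.Assembly.Location, shimType.FullName)
        Return DirectCast(handle.Unwrap(), RobotLoader)
    End Function
End Module
```

Whether the posted `oh.Unwrap` yields a proxy or a copy running in the host domain depends on whether `RobotPublic` derives from `MarshalByRefObject`, which the excerpt does not show.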

  5. #5
    Join Date
    May 2008
    Location
    Vienna, Virginia
    Posts
    3
    I'm playing with your code...still seeing some holes though...I'll post feedback as soon as I get another go at it later after work.
    Saving the world, one software at a time through Legacy Modernization | ResQSoft.com
