0

I want to construct a WPF system that can incorporate add-ins developed by an external developer community. Since I can't vouch for those developers, I want their code to run in a safe environment. It seems that MAF is a good solution, so I decided to investigate the security of MAF. One can define a precise permission set for each addon, which is very nice.

However, I want the AddOns to be able to return WPF controls. For that, they need to be able to run the WPF assemblies. In addition, I don't want the addons to be able to run unmanaged code, so that they can't override the security permissions I've set when loading the addon.

So here's the problem - if I load the addon without permission to run unmanaged code, then the addon won't be able to create WPF controls. How can I solve this problem?

To test this issue a bit more, I've written a small WPF app, and tried to load it and run it from a second app. Below is the code that loads and runs the WPF app. It works great as is, but if I remove the last AddPermission statement (the one with the UnmanagedCode flag), then it stops working, saying it can't create the window of the WPF application.

PermissionSet set = new PermissionSet(PermissionState.None);
set.AddPermission(new FileIOPermission(FileIOPermissionAccess.AllAccess, PATH));
set.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
set.AddPermission(new UIPermission(PermissionState.Unrestricted));
set.AddPermission(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));

Evidence ev = new Evidence();
AppDomain domain = AppDomain.CreateDomain("Test", ev, new AppDomainSetup() { ApplicationBase = PATH }, set);
domain.ExecuteAssembly(PATH);

2 Answers

0

Did you have a look at this overload of the CreateDomain method? You can set some assemblies that will be considered as full trust.

If you have a look at the System.AddIn source code (found here) you will see that in file AddInActivator.cs they create an instance of StrongName using the StrongNamePublicKeyBlob that they have taken from the AssemblyName taken from the System.AddIn assembly.

So maybe you could do the same with the PresentationCore and System.Windows.Presentation or any other assembly you want to grant full trust.

For example you could try this (taken almost verbatim from AddInActivator.cs):

//assembly is the Assembly object you want to grant full trust permissions.
AssemblyName assemblyName = assembly.GetName();

// get the public key blob
byte[] publicKey = assemblyName.GetPublicKey(); 
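// Res.NoStrongName is an internal System.AddIn resource; outside that assembly, supply your own message.
if (publicKey == null || publicKey.Length == 0)
    throw new InvalidOperationException("The assembly is not strong-named.");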

StrongNamePublicKeyBlob keyBlob = new StrongNamePublicKeyBlob(publicKey); 

// and create the StrongName 
StrongName strongName = new StrongName(keyBlob, assemblyName.Name, assemblyName.Version); 
// then call the overload of CreateDomain that takes StrongName object parameters.
Panos Rontogiannis
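The step the answer above leaves as a comment, passing the StrongName objects to CreateDomain, is sketched here as an added example that is not part of the original answer or of System.AddIn. The class and method names and the narrower FileIOPermission are assumptions, it targets .NET Framework code access security, and the page does not confirm that WPF controls can then be created without UnmanagedCode; the final check only makes the host fail closed if the sandbox grant is broader than intended.

```csharp
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class SandboxFactory // hypothetical helper name
{
    // Same steps as the answer's snippet, wrapped so it can run per assembly.
    static StrongName GetStrongName(Assembly assembly)
    {
        AssemblyName name = assembly.GetName();
        byte[] publicKey = name.GetPublicKey();
        if (publicKey == null || publicKey.Length == 0)
            throw new InvalidOperationException(name.Name + " is not strong-named.");
        return new StrongName(new StrongNamePublicKeyBlob(publicKey), name.Name, name.Version);
    }

    // Usage (assumed): SandboxFactory.Create(dir, typeof(System.Windows.Window).Assembly);
    public static AppDomain Create(string addInDirectory, params Assembly[] fullTrust)
    {
        // Grant set for the add-in: no UnmanagedCode, and read-only file access
        // (narrower than the AllAccess used in the question; an assumption here).
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, addInDirectory));
        grant.AddPermission(new UIPermission(PermissionState.Unrestricted));

        // Only the listed strong-named assemblies are exempt from the grant set.
        StrongName[] trusted = Array.ConvertAll<Assembly, StrongName>(fullTrust, GetStrongName);
        AppDomainSetup setup = new AppDomainSetup { ApplicationBase = addInDirectory };
        AppDomain domain = AppDomain.CreateDomain("AddInSandbox", null, setup, grant, trusted);

        // Fail closed: refuse to hand back a domain that is fully trusted or
        // whose grant set includes the UnmanagedCode flag.
        var sp = (SecurityPermission)domain.PermissionSet.GetPermission(typeof(SecurityPermission));
        bool unmanaged = sp != null && (sp.Flags & SecurityPermissionFlag.UnmanagedCode) != 0;
        if (domain.IsFullyTrusted || unmanaged)
        {
            AppDomain.Unload(domain);
            throw new SecurityException("Sandbox grant set is broader than intended.");
        }
        return domain;
    }
}
```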
0

It worked for me, I think the problem is in how you activate the plugin. Try not to create an AppDomain by yourself. Your code should look like:

PermissionSet set = new PermissionSet(PermissionState.None);
set.AddPermission(new FileIOPermission(FileIOPermissionAccess.AllAccess, PATH));
set.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
set.AddPermission(new UIPermission(PermissionState.Unrestricted));

// .. retrieve the addin token
var plugin = token.Activate<IMyPluginInterface>(set);

It worked for me when I used to create the plugin this way. It was also a WPF UI.