6

I am using VSTS 2008 + .Net 2.0 + C#. And I am running Code Analysis after build. I got the following confusing security warning. Here is the warning and related code, any ideas what is wrong? If there is security warning, how to fix it?

// TestHtml is the method named in the CA2122 warning below.
public void TestHtml()
{
    System.Diagnostics.Process myProcess = new System.Diagnostics.Process();
    myProcess.StartInfo.FileName = "IExplore.exe";
    myProcess.StartInfo.Arguments = @"default.html";
    myProcess.StartInfo.Verb = "runas"; // ask the shell to launch the process elevated
    myProcess.Start();                  // Process.Start carries a LinkDemand for FullTrust
}

warning : CA2122 : Microsoft.Security : 'TestHtml()' calls into 'Process.Start()' which has a LinkDemand. By making this call, 'Process.Start()' is indirectly exposed to user code. Review the following call stack that might expose a way to circumvent security protection:

Jason Capriotti
George2

2 Answers

11

Your method calls Foo that calls into a Process.Start which is protected by a link demand for Full Trust. In order to avoid the problem that FxCop is warning you about, you should add a link demand or full demand for the same permissions to your method.

You can fix it by adding to your method

[PermissionSetAttribute(SecurityAction.LinkDemand, Name="FullTrust")]

See http://msdn.microsoft.com/en-us/library/970x52db.aspx

blowdart
  • Thanks, but your code has build error. Error 1 The name 'True' does not exist in the current context. Any ideas? I am using .Net 2.0 and .Net 2.0 does not support it? – George2 Jul 18 '09 at 11:14
  • Hi blowdart, I have some new ideas and I think it is not a security hole. Suppose method Foo calls TestHtml and TestHtml calls Process.Start. Even if TestHtml is not enabled with LinkDemand, since Process.Start is enabled with LinkDemand, it will always check the permission of TestHtml (TestHtml is the immediate caller). So even if Foo does not have enough permission, the call from TestHtml to Process.Start will fail. So, I think there are no security issues. Any comments? – George2 Jul 18 '09 at 11:25
  • 1
    @George, just guessing now, but it would be better to check the security requirements as early as possible, if TestHtml would change any application state before failing. – sisve Jul 18 '09 at 11:32
  • Thanks Simon, I agree with you from a best-practice point of view. But I want to make sure my understanding of the LinkDemand theory is correct; could you confirm my understanding is correct? Here is my understanding -- "Suppose method Foo calls TestHtml and TestHtml calls Process.Start. Even if TestHtml is not enabled with LinkDemand, since Process.Start is enabled with LinkDemand, it will always check the permission of TestHtml (TestHtml is the immediate caller). So even if Foo does not have enough permission, the call from TestHtml to Process.Start will fail." – George2 Jul 18 '09 at 11:37
  • 1
    Oops indeed it was wrong, try that :) There are security issues if your assembly allows calls from untrusted/partial trust callees. If your assembly runs in full trust, for example the GAC, but does not check its callers then the call in Process.Start will pass because it's only checking the immediate caller. Better to be safe than sorry. – blowdart Jul 18 '09 at 11:51
  • Sorry blowdart, in your sample, if an un-trusted caller calls into TestHtml, and the security token on the thread is un-trusted (does not have enough permission to call Process.Start), then in the code of method TestHtml where I call Process.Start, Process.Start will check the privilege of the immediate caller TestHtml; since TestHtml has an un-trusted security token, the call will fail. What is wrong in my understanding? – George2 Jul 18 '09 at 12:04
  • My understanding is that a security token or permission is associated with the thread level, not the assembly level. So, I am confused about your sample of using the GAC, because in that case the thread security token is not trusted (the thread was initialized from an un-trusted party), so the call into Process.Start will never pass. I would appreciate it if you could let me know where I am wrong. :-) – George2 Jul 18 '09 at 12:06
  • 1
    Yes, you're confused. CAS Permissions are on threads, but on the call stack. Identity permissions are on the thread. It is your code that has CAS permissions, not a particular user. – blowdart Jul 18 '09 at 12:09
  • Thanks blowdart, is it a typo -- "CAS Permissions are on threads", which should be "CAS Permissions are NOT on threads" – George2 Jul 18 '09 at 12:15
  • 1
    Oops yes it is, that should be NOT. – blowdart Jul 18 '09 at 12:23
  • Thanks blowdart! You are a guru of this topic! I want to confirm with you that LinkDemand and Demand are CAS security framework, and .Net has two security framework -- identity based and CAS based. For CAS based, we have assembly level permission, and for identity based, we have thread level permission? – George2 Jul 18 '09 at 12:27
  • 1
    Ah kind of. CAS is .NET only and is for software. Identity is both .NET and then the underlying OS. – blowdart Jul 18 '09 at 13:26
  • Thanks blowdart, so you mean my understanding of CAS security and identity security are correct besides what you mentioned? :-) – George2 Jul 18 '09 at 13:31
  • Another confusion is that I did not find in MSDN what the value "FullTrust" means for the Name property of SecurityPermission. Any comments? – George2 Jul 18 '09 at 13:32
  • 1
    It is a permission set used by CAS. Basically it means the program can do anything. There are other permission sets with lower privileges – blowdart Jul 18 '09 at 13:40
  • 1. Why do I not have a property called Name? I still have a compile error, but when removing Name it compiles fine. Here is a screen snapshot, any ideas what is wrong? http://i31.tinypic.com/2lncmsw.jpg 2. Is my understanding of CAS security and identity security correct besides what you mentioned (CAS is .Net specific, identity is OS built-in)? – George2 Jul 18 '09 at 13:47
  • Thanks blowdart, I made some more study and I want to let you review whether my understanding is correct -- LinkDemand and Demand are CAS security framework specifically for .Net security framework, and .Net has another security framework, which inherits OS functionality -- identity based which stores identify token in each thread. For CAS based, we have assembly level permission, and for identity based, we have thread level permission? Is that correct understanding? – George2 Jul 19 '09 at 06:53
  • 1
    Well CAS can also be applied to individual classes, or even methods, but the evidence CAS evaluates is based on the assembly (and its location - where on the hard drive, if it's coming from a network, its strong naming signing key and so on). You've made me think about completely rewriting my CAS chapter for my book now :) – blowdart Jul 19 '09 at 07:25
  • Thanks blowdart, in the past 2 days I did a lot of self-learning about CAS permissions. One more question, about the Unrestricted property, I have posted here: http://stackoverflow.com/questions/1160146/securityattribute-unrestricted-issue any ideas? – George2 Jul 21 '09 at 16:00
1

More information about security warnings and CA2122 - Do not indirectly expose methods with link demands

Kb.
  • Thanks Kb, the documents you recommended are very helpful. I want to confirm whether my understanding is correct. I think the root cause is Process.Start needs link demand (permission check for immediate caller), but the method TestHtml I implemented does not check permission for immediate caller, so there is a security hole that the immediate caller of TestHtml may not have enough permission, is that correct understanding? – George2 Jul 18 '09 at 11:18
  • 1
    @George2: As I understand it, you are correct. Process.Start has declared a security check. The caller must declare the same security check or make sure that security will not be violated (and then ignore the check). – Kb. Jul 18 '09 at 11:33
  • Thanks Kb, I have some new ideas and I think it is not a security hole. Suppose method Foo calls TestHtml and TestHtml calls Process.Start. Even if TestHtml is not enabled with LinkDemand, since Process.Start is enabled with LinkDemand, it will always check the permission of TestHtml (TestHtml is the immediate caller). So even if Foo does not have enough permission, the call from TestHtml to Process.Start will fail. So, I think there are no security issues. Any comments? – George2 Jul 18 '09 at 11:38
  • 1
    @George2: Link Demand does not walk the stack, so I think LinkDemand is check only to the immediate caller. http://msdn.microsoft.com/en-us/library/60zfc754.aspx : "The only demands that do not result in a stack walk are link demands, which check only the immediate caller. " – Kb. Jul 18 '09 at 11:53
  • Thanks Kb, so it means Process.Start will check the permission of the immediate caller TestHtml, so even if TestHtml does not check the security permission of the caller of TestHtml, I think it does not matter since the call into Process.Start will fail in the end. Why must I add a LinkDemand check to method TestHtml? – George2 Jul 18 '09 at 11:59
  • 1
    @George2: There is a good example in this link: http://msdn.microsoft.com/en-us/library/hzsc022c.aspx read the second paragraph. This check is between assemblies. – Kb. Jul 18 '09 at 12:15
  • Thanks Kb, my confusion is, is LinkDemand checked against the assembly level, not the thread level? My confusion is that I think the privilege token is associated with the thread, not with the assembly. If an un-trusted caller calls into TestHtml, and the security token on the thread is un-trusted (does not have enough permission to call Process.Start), then in the code of method TestHtml where I call Process.Start, Process.Start will check the privilege of the immediate caller TestHtml; since TestHtml has an un-trusted security token, the call will fail. What is wrong in my understanding? Any comments? – George2 Jul 18 '09 at 12:24
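Both answers turn on the same point: a LinkDemand is satisfied by the immediate caller alone, so a public wrapper without its own demand becomes that caller for everyone who invokes it. The following C# sketch is added here as an illustration (it is not code from the question or from either answer; the class name Launcher and the method names are assumed) and places the flagged shape next to the two attribute-based fixes.

```csharp
using System.Diagnostics;
using System.Security.Permissions;

// Added example (not from the question or either answer). Process.Start carries
// a LinkDemand for FullTrust. CAS resolves a link demand at JIT time against the
// immediate caller only and never walks further up the stack, so a wrapper that
// performs no check of its own shields its callers from that demand.
public static class Launcher
{
    // Before: the shape CA2122 flags. Only Launcher, as the immediate caller of
    // Process.Start, is checked; whoever calls TestHtml is never examined.
    public static void TestHtml()
    {
        Process myProcess = new Process();
        myProcess.StartInfo.FileName = "IExplore.exe";
        myProcess.StartInfo.Arguments = "default.html";
        myProcess.StartInfo.Verb = "runas";
        myProcess.Start();
    }

    // Fix 1 (blowdart's answer): repeat the same link demand on the wrapper, so
    // the check moves one frame up to the caller of TestHtmlLinkDemand. It is
    // still a one-frame check: any further wrapper must carry the attribute too.
    [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
    public static void TestHtmlLinkDemand()
    {
        Process myProcess = new Process();
        myProcess.StartInfo.FileName = "IExplore.exe";
        myProcess.StartInfo.Arguments = "default.html";
        myProcess.StartInfo.Verb = "runas";
        myProcess.Start();
    }

    // Fix 2: a full Demand walks the whole call stack at run time, so every
    // caller up the chain must hold FullTrust no matter how many intermediate
    // methods sit between it and Process.Start. Slower, but it does not rely on
    // each intermediate method remembering to repeat the attribute.
    [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
    public static void TestHtmlFullDemand()
    {
        Process myProcess = new Process();
        myProcess.StartInfo.FileName = "IExplore.exe";
        myProcess.StartInfo.Arguments = "default.html";
        myProcess.StartInfo.Verb = "runas";
        myProcess.Start();
    }
}
```

With the attribute in place, FxCop's CA2122 no longer reports TestHtmlLinkDemand or TestHtmlFullDemand, because each now declares a security check of its own before reaching Process.Start.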