Custom validation of mixed .dlls in a rights managed application

management capability. It is written in C++/MEC++ under .NET 1.1. The application is very extensible. During a rights managed session the extension loader will perform custom checks on a native extension .dll to make sure that it is trusted before calling LoadLibrary() to load it.

Now we've made the application extensible with .NET assemblies too. In that case the extension loader calls System.Reflection.Assembly.Load() to load an extension. For CLR:PURE assemblies I think this is OK. I believe that I can count on no code having been run yet just because I've loaded a CLR:PURE assembly. Then I can find out where the assembly file is by accessing its Location property and perform our custom validation on the .dll file to ensure that the assembly is trusted for execution within a rights managed session. If not, then we won't proceed to do further reflection on the extension assembly to find and call its custom entry point.

The snag is that if the assembly is a mixed assembly, it could have code executed already before System.Reflection.Assembly.Load() returns to me. Specifically, I think that the .dll's entry point will be called, causing static initializers for global data to be run, et cetera. That's bad, because I haven't verified that the extension is trusted yet. What can I do about it?

I tried calling System.Reflection.AssemblyName.GetAssemblyName() and passing it the same unqualified, simple assembly name that I pass in the call to System.Reflection.Assembly.Load(), but it gave a FileNotFoundException, so it appears that GetAssemblyName() requires a fully qualified path (though this isn't stated in the doc). We load our extensions with the default load context, so we don't know ahead of time the location that System.Reflection.Assembly.Load() will find and load the assembly from. Is there a way to ask that question, "Where would you load this assembly from if I asked you to?"

Any other suggestions?

-Bern McCarty