如何包装不受信任的应用程序?
想象一下一个不受信任的应用程序(插件)从标准输入读取并写入标准输出。
如何获取此应用程序为指定输入返回的输出防止任何副作用?
例如,如果应用程序删除了磁盘上的文件,则应检测到该操作并取消此尝试。
这是某种包装应用程序。可以建造吗?
不太复杂的任务太有趣了:使用 .NET 制作这个包装器(主机和客户端都是用 .NET 语言编写的)。
Imagine an untrusted application (plugin) that reads from the standard input and writes to the standard output.
How to get the output returned for the specified input by this application preventing any side effects?
For example, if application deletes file on a disk, it should be detected and this attempt should be canceled.
It's some kind of wrapper application. Is it possible to build it?
Less complicated task is too interesting: make this wrapper using .NET (both host and client are written in .NET language).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
最安全的方法是将该插件加载到您所在的单独的 AppDomain 中使用符合您要求的安全证据进行配置。
创建 AppDomain 时,您可以准确指定代码可以在此沙箱中执行的操作类型。在那里运行的代码受到您设置的限制。但第一次执行此过程时可能会感到困惑,并且仍然可能让您容易受到漏洞的影响。
使用 AppDomains 隔离程序集是一个有趣的过程。您可能认为将插件加载到其他 AppDomain 中,然后通过 AppDomain 中的代理使用它们,但事实恰恰相反。他们需要在他们的 AppDomain 中使用您的代理。如果您无法理解并正确执行此操作,您最终将在主 AppDomain 中加载插件代码并在那里执行它,而不是在受限域中。如果您没有正确执行操作,您会遇到很多问题(订阅事件会产生一些有趣的副作用)。
我建议进行原型设计,温习 CLR Via C# 中的 AppDomain 章节,并尽可能多地阅读有关该主题的内容。
这是我为调查跨应用程序域事件而制作的测试应用程序。
http://cid-f8be9de57b85cc35.skydrive.live.com/ self.aspx/Public/appdomainevents.rar
Safest way would be to load that plugin into a separate AppDomain which you configure with the security evidence for the requirements you have.
When you create an AppDomain, you can specify exactly the kinds of things code can do in this sandbox. Code that runs there is restricted to the limits you set. But this process can be confusing the first time you do it and may still leave you open to vulnerabilities.
Using AppDomains to isolate assemblies is an interesting process. You'd think you load your plugins into the other AppDomain then use them via proxies in your AppDomain, but its the other way around. They need to use your proxies in their AppDomain. If you fail to understand and do this right, you'll end up loading your plugin code within your main AppDomain and executing it there instead of in the restricted domain. There are lots of gotchas that you'll get bit by (subscribing to events has some interesting side effects) if you don't do things correctly.
I'd suggest prototyping, brush up on the AppDomain chapter in CLR Via C#, and read as much as you can on the subject.
Here's a test app I made to investigate cross-appdomain events.
http://cid-f8be9de57b85cc35.skydrive.live.com/self.aspx/Public/appdomainevents.rar