System.Activator.CreateInstance() - evidence? 

We are calling System.Activator.CreateInstance(...) and passing "null" into
the Evidence parameter.  Is this a safe/secure way to call this method?  I
couldn't find any info on MSDN or on the web.


Wed, 27 Apr 2005 06:14:56 GMT  
Hello Bryant,

This is related to evidence-based security in the .NET Framework. You may get
an overview of this from the following article:

Secure Coding Guidelines for the .NET Framework
http://msdn.microsoft.com/library/en-us/dnnetsec/html/seccodeguide.asp

Here is what happens when you provide evidence:

- If an assembly is loaded from the byte array, the provided evidence will
be _the_ evidence of that assembly;
- If an assembly is loaded from a file or from the GAC, the provided
evidence will be merged with the evidence supplied by the loader;
- If an assembly you are trying to load with evidence is already loaded,
you get a reference to the already loaded assembly and your evidence
parameter is thrown away.

If you don't use the overload with evidence argument:

- If you are loading an assembly from a byte array, it will inherit the
calling assembly's evidence;
- If you are loading from file/GAC it will get its evidence from the loader.

The only security problem I see in these scenarios is when an assembly is
loaded from a byte array without providing any evidence. In general, you
may just use an overload of CreateInstance method without Evidence argument.

I hope this information is helpful for you.

Best regards,

Lion Shi [MS]
MCSE, MCSD
Microsoft Support Engineer

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
--------------------

    Subject: System.Activator.CreateInstance() - evidence?
    Date: Fri, 8 Nov 2002 14:14:56 -0800
    Newsgroups: microsoft.public.dotnet.languages.CSharp



Sat, 30 Apr 2005 11:14:25 GMT  
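The two byte-array cases the reply distinguishes, as an added example that is not code from the poster or from Microsoft. It targets .NET Framework 1.x/2.x, where these overloads exist (they are marked obsolete in .NET Framework 4, where CAS policy is no longer enforced); the `plugin.dll` path, the `Plugin.Entry` type name and the `--inherit` switch are placeholders chosen for the example.

```csharp
// Added example: load a plugin from a byte array either with the caller's
// inherited evidence or with explicit Evidence, then activate a type from it.
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Policy;

static class PluginLoader
{
    // Placeholder path and type name; substitute the real plugin.
    const string PluginPath = "plugin.dll";
    const string PluginType = "Plugin.Entry";

    static void Main(string[] args)
    {
        byte[] raw = File.ReadAllBytes(PluginPath);
        bool trustLikeHost = args.Length > 0 && args[0] == "--inherit";
        Assembly asm;
        if (trustLikeHost)
        {
            // No evidence: the bytes inherit the CALLING assembly's evidence,
            // so the plugin runs with the host's own grant set. This is the
            // case the reply flags as the security problem.
            asm = Assembly.Load(raw);
        }
        else
        {
            // Explicit evidence becomes THE evidence of the byte-array
            // assembly; tagging it Internet zone makes policy grant it the
            // Internet permission set rather than the host's.
            Evidence ev = new Evidence();
            ev.AddHost(new Zone(SecurityZone.Internet));
            asm = Assembly.Load(raw, null, ev);
        }
        // Check what the loader actually recorded before activating anything.
        IEnumerator host = asm.Evidence.GetHostEnumerator();
        while (host.MoveNext())
            Console.WriteLine("host evidence: " + host.Current);
        // Activate through the already-loaded assembly. A CreateInstance
        // overload taking Evidence would add nothing here: per the reply,
        // evidence passed for an already-loaded assembly is discarded.
        object plugin = Activator.CreateInstance(asm.GetType(PluginType, true));
        Console.WriteLine("created " + plugin.GetType().FullName);
    }
}
```

Run it once with `--inherit` and once without and compare the host evidence printed: only the second run shows the Zone entry that policy uses to restrict the plugin.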
