Silverlight environments: Security and permissions specifics

#22276
Posted: 10/30/2012 17:09:57
by Ken Ivanov (EldoS Corp.)

Silverlight environments require special attention to security-critical code, such as code that attempts to access the local file system, make p/invoke calls or access system certificates.

Under normal circumstances, Silverlight applications run in a standard (non-elevated) environment. Such applications have no access to security-critical resources. An attempt to access such resources throws an exception whose type depends on the operation. For example, one can get a 'System.MethodAccessException: Attempt by security transparent method 'SBCryptoProvWin32.TElWin32ProviderInfo.AcquireProvider()' to call native code through method...' exception when making a p/invoke call.

Silverlight applications can also run in 'elevated trust' environments. When running in such environments they can access virtually all kinds of resources allowed for a generic .NET application. However, the 'elevated trust' option must be explicitly configured for a Silverlight application by the developer and the user:

1. Elevated trust for out-of-browser applications can be set on the project properties page (a check box on the 'out-of-browser settings' dialog, 'Silverlight' tab). This is enough.

2. Configuring an in-browser application is a slightly more involved task. The following steps should be taken:
- the corresponding checkbox must be switched on on the 'Silverlight' tab of the project properties,
- the XAP file and referenced third-party assemblies must be signed with a certificate, which should be added to the 'Trusted Publishers' system store.

The above two steps are enough for running and debugging in-browser applications originating from the 'localhost' address (and ONLY THEM). If you need to run/debug Silverlight applications residing on remote web sites OR LOCALLY (file:///...), you must perform an additional step:

- set the AllowElevatedTrustAppsInBrowser (DWORD) value of the HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\ registry key (use the relevant Wow6432Node key for 64-bit SL environments) to 0x00000001.

More details are available here:
http://www.pitorque.de/MisterGoodcat/...tions.aspx

Besides configuring your Silverlight application in the above way, you should also tell SecureBlackbox that it is running in an elevated environment. This is done by setting a global ElevatedPermissionsAvailable property to true:

Code
SBUtils.Unit.ElevatedPermissionsAvailable = true;


Finally, a couple of useful references to Microsoft's resources:

How to: Enable Trusted Applications to Run Inside the Browser. Good guidance on creating trusted in-browser Silverlight applications.

Trusted Applications. Mainly useful due to its guidance on assembly signing.
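
The following read-only audit script is an added example, not part of the original post or of SecureBlackbox: it reports whether AllowElevatedTrustAppsInBrowser is set in each registry view and lists the certificates in the 'Trusted Publishers' store, so you can see which machines accept elevated-trust in-browser Silverlight applications and from which signers. The Wow6432Node path and the choice of the LocalMachine and CurrentUser stores are assumptions; the function names are hypothetical.

```powershell
# Added example: audit the in-browser elevated-trust prerequisites.
# Read-only; nothing on the machine is modified.

$valueName = 'AllowElevatedTrustAppsInBrowser'

# Native view, plus the 32-bit view on 64-bit Windows.
# Assumption: the Wow6432Node key follows the standard redirection layout.
$keys = @(
    'HKLM:\Software\Microsoft\Silverlight',
    'HKLM:\Software\Wow6432Node\Microsoft\Silverlight'
)

function Get-SilverlightElevatedTrustSetting {
    param([string[]]$Path, [string]$Name)
    foreach ($p in $Path) {
        $state = 'KeyMissing'
        $value = $null
        if (Test-Path -LiteralPath $p) {
            $item = Get-ItemProperty -LiteralPath $p -Name $Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueNotSet'
            } else {
                $value = $item.$Name
                # Only 0x00000001 enables elevated trust for non-localhost origins.
                $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
            }
        }
        [pscustomobject]@{ Key = $p; Value = $value; State = $state }
    }
}

function Get-TrustedPublisherCertificate {
    # A XAP signed by any certificate listed here is eligible for elevated trust.
    # Assumption: both the machine and the current-user store are relevant.
    Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                      Subject, Thumbprint, NotAfter,
                      @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
}

Get-SilverlightElevatedTrustSetting -Path $keys -Name $valueName | Format-Table -AutoSize
Get-TrustedPublisherCertificate | Format-Table -AutoSize
```

A State of 'Enabled' on a machine that is not a development workstation, or an unexpected or expired signer in the store, is worth reviewing.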
