EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Silverlight environments: Security and permissions specifics

Silverlight environments require special attention to security critical code, such as the code that attempts to access local file system, make p/invoke calls or access system certificates.

Under normal circumstances, Silverlight applications run in a standard (non-elevated) environment. Such applications have no access to security critical resources. When trying to access such resources, various exceptions (dependent on the operation) are thrown. For example, one can get a 'System.MethodAccessException: Attempt by security transparent method 'SBCryptoProvWin32.TElWin32ProviderInfo.AcquireProvider()' to call native code through method...' exception when making a p/invoke call.

Silverlight applications can also run in 'elevated trust' environments. When running in such environments they can access virtually all kinds of resources allowed for a generic .NET application. However, the 'elevated trust' option must be explicitly configured for a Silverlight application by the developer and the user:

1. Elevated trust for out-of-browser applications can be set at the project properties page (a check box on the 'out-of-browser settings' dialog, 'Silverlight' tab). This is enough.

2. Configuring an in-browser application is a bit more sophisticated task. The following steps should be taken: - the corresponding checkbox must be switched on on a 'Silverlight' tab of the project properties, - the XAP file and referenced third-party assemblies must be signed with a certificate, which should be added to the 'Trusted Publishers' system store.

The above two steps are enough for running and debugging in-browser applications originating from the 'localhost' address (and ONLY THEM). If you need to run/debug Silverlight applications residing on remote web sites OR LOCALLY (file:///...) you must perform an additional step:

- set the AllowElevatedTrustAppsInBrowser (DWORD) value of the HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\ registry key (use the relevant Wow6432Node key for 64 bit SL environments) to 0x00000001.

More details are available here.

Besides configuring your Silverlight application in the above way, you should also tell SecureBlackbox that it is running in an elevated environment. This is done by setting a global ElevatedPermissionsAvailable property to true:

SBUtils.Unit.ElevatedPermissionsAvailable = true;

Finally, a couple of useful references to Microsoft's resources:

How to: Enable Trusted Applications to Run Inside the Browser. A good guidance on creating a trusted in-browser Silverlight applications.
Trusted Applications. Mainly useful due to its guidance on assembly signing.

Return to the list


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!