Reasoning for TypeFilterLevel in remoting


Most remoting users have seen one of the following exception messages during deserialization:

Because of security restrictions, the type XXX cannot be accessed
Type XXX and the types derived from it (such as {YYY}) are not permitted to be deserialized at this security level

Here is some explanation of why these security restrictions are in place for remoting:

1. Deserialization in general isn't a safe operation since it can not only load rogue types but also execute code under the server's identity. To protect against this, by default(low typefilterlevel) only "safe" types are deserializable. These include types within assemblies in the GAC with APTCA attribute (mostly system assemblies), types within private assemblies which are not strongly named.

2. The unsafe bucket of types which are explicitly disallowed are:
            System.Runtime.Remoting.ObjRef : Serialized representation of a MarshalByRefObject
            System.DelegateSerializationHolder: Serialized representation of Delegates/Events
            System.Runtime.Remoting.IEnvoyInfo: Serialized representation of Envoy Sinks
            System.Runtime.Remoting.Lifetime.ISponsor: Serialized representation of Sponsors
- ObjRef carries a URL which points to the remote object which could be spoofed
- Delegates are dangerous since they could be tweaked to call other methods with the same signature
- Envoys let you run specific code on the server end
- Sponsors are another case of spoofing related attacks.

3. As an additional level of security the thread deserializing the incoming request is only permitted to have SerializationFormatter Permission. Thus if any type constructors are accessing code requiring other permissions it would not execute.

If you are running into these exceptions the obvious fix offcourse is to change TypeFilterLevel to Full to remove these security restrictions, but before doing so it is important to guage whether it might open any security venurabilities within your server application.

This feature has been added is included in v1.0 sp3 and v1.1 versions of the framework.


Skip to main content