Evidence is important, even if it grants no permissions

In a comment to my old VSTO security blog entry, Enrico Sabbadin asks why we can't just remove the Zone evidence from an assembly before creating the AppDomain. Good question, and Siew Moi bugged me about blogging this a long time ago as well, so I guess now is as good a time as any (it's a blogging kind of weekend...)

Let's start with an analogy (oh boy do us geeks like our analogies):

Say Microsoft designed cars, and.... no wait, wrong analogy.

Say that in order to get a driver's license, you have to be at least sixteen years old and have good eyesight. (Replace "sixteen" with whatever makes sense in your neck of the woods). It is hopefully pretty clear that you must meet both requirements to get a driver's license -- we don't hand out licenses to twenty-year-old blind people, and we don't hand them out to six-year-olds with 20/20 vision, either.

Aside: I've always wondered whether it was "driver's license" (a license belonging to the specific driver), a "drivers' license" (a kind of license applying to all drivers) or just "drivers license" (a generic term with no connotation of ownership). The Washington DOL simply refers to it as a "driver license" -- perhaps they couldn't figure it out either?

Let's say you're the clerk filling out license forms at the licensing office, and the form looks something like this:

[ ] Applicant is at least sixteen years old

[ ] Applicant has good vision

Now some PFY comes into the office to get a license and you start to fill out the form. The youth hands you their birth certificate and their latest medical report from the optometrist (their evidence) and you have to fill out the form.

Question: Since being sixteen isn't (by itself) a good enough reason to get a license, should you as the license-application-filler-outerer ignore the youth's birth certificate? Surely since the evidence grants no permissions, it is unnecessary? Right?


Evidence is critically important! You should never throw away any evidence, even if in and of itself it doesn't appear to buy you anything. If you've ever watched any movies or TV shows involving police investigations, you should know this 🙂

Just to make it painfully clear why this is unacceptable, let's say you've been working at the license office long enough to figure out a time-saving optimisation: As soon as you fail to check any check box in the form, you know that the applicant will not be eligible to get a license and so you terminate the application without asking any more questions. So if you ignore the birth certificate, you won't check the "Applicant is at least sixteen years old" check box and will send the youth back home without a license even though they also had the optometrist's report.

And they you'll get sued <g>

It's the same in the CLR. Let's say that instead of the application form with the two checkboxes, you have policy like this (look familiar? 🙂 ):

LocalIntranet Zone: Nothing

  ACME Corporate Key: FullTrust

Now VSTO tries to load an assembly from http://appserver/ that is signed by ACME Corp's key.

As is hopefully clear from the above discussion, we can't throw away the LocalIntranet zone evidence -- even though it grants no permissions -- because if we do we'll never evaluate the ACME Corporate key and thus fail to load the assembly.

Comments (4)

  1. Wow, looks like you had a very prolific blogging weekend. Thanks Peter for the great blog entries!

  2. Peter, you are definitely right.

    You cannot remove an evidence due to the hierarchical way permissions are evaluated and assigned.

    thanks for the explanation.

  3. So even though LocalIntranet is set to nothing, the assembly will still load because of the key having full trust?

  4. Peter Torr says:

    Yes Chris, that is correct. But it won’t be trusted if it comes from another Zone (like the Internet).

Skip to main content