RequestOptional and RequestRefuse

The other day Eric Wilson asked how to ensure his code never ran with FullTrust. I replied that the "best" way was to refuse permissions you didn't want, and then Nicole Calinoiu replied that maybe requesting optional permissions was better.

Nicole is right -- requesting optional permissions is the "better" way to do this because you are "white listing" the permissions you need, not "black listing" the permissions you don't need, and from a security perspective white listing is always safer. The idea is that you do know what permissions you do need (it's a fixed set, determined by you) but you don't know all the permissions you don't need (it's a potentially infinite set, determined by the CLR and any 3rd party code installed on your system).

The trade-off, of course, is that white listing tends to be harder to manage than black listing, which is why most security measures use black lists even though they are less secure. The idea here is that users prefer functionality over security, and so it's better to assume that all unknown entities are "safe" and let them get their job done (with some amount of additional risk) rather than have them get frustrated and just turn off the system altogether (a really secure system that is turned off is much worse than a somewhat-secure system turned on!). For example, think of a virus scanner that blocks "known bad" code rather than allowing only "known good" code, or an e-mail client that blocks "known bad" file extensions rather than allowing only "known good" file extensions. How many people would leave their virus scanner or e-mail attachment blocker on if it didn't let you get any work done?

So, back to the point at hand, if you have some code that does various privileged things (read a database, display dialogs on the screen, etc.) but you know you never need to access the file system, maybe it is easier for you to just refuse FileIOPermission and be done with it. Yes, you take on some risk that somewhere, somehow your code can be tricked into doing bad stuff with (e.g.) the Registry, but if the rest of your code is well written it is unlikely.

On the other hand, if you have some code that only does one privileged thing (like display a message box) it is probably easier to simply request UIPermissionWindow.SafeSubWindows and be done with it. Now you will be secure against any potential luring attacks, but if you later decide to add more functionality to your application you may have to go back and re-visit your requests (although some of the new tools in Whidbey should help here -- argh! no links for permcalc.exe).

One thing to note is that RequestOptional will always grant you Execution (permission to execute), even if you don't ask for it. You'd be out of luck otherwise ;-)
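Here is what the two approaches from the post look like in an actual assembly. This is an added example, not code from the original post or from Eric or Nicole: it shows the "white list" form (RequestOptional for just UIPermissionWindow.SafeSubWindows) with the "black list" form (RequestRefuse for FileIOPermission) as a commented-out alternative, plus a small run-time probe that demands file read access and reports whether the demand succeeds. The assembly name, namespace, method names and the probe path are my own constructed values. It targets the .NET Framework 1.x/2.0 code access security model the post is about; note that .NET Framework 4 and later no longer enforce RequestMinimum, RequestOptional or RequestRefuse, so this only demonstrates anything on the older runtimes.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// "White list" form (the post's preferred approach): declare the one
// privileged thing this assembly needs. The CLR then grants at most this
// permission (plus Execution, which RequestOptional always adds) no matter
// how much policy would otherwise have handed out, so a luring attack that
// reaches this code finds no FileIOPermission to abuse.
[assembly: UIPermission(SecurityAction.RequestOptional,
                        Window = UIPermissionWindow.SafeSubWindows)]

// "Black list" alternative from the post: keep everything policy grants,
// but refuse the file system. Swap it in for the RequestOptional line above
// to compare; with this form the Registry, database, etc. stay reachable.
// [assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

namespace PermissionRequestDemo   // hypothetical namespace
{
    internal static class Program
    {
        // Returns true if a demand for read access on `path` would succeed
        // under the assembly's effective grant set. The demand is the point;
        // the file does not need to exist.
        internal static bool CanReadFile(string path)
        {
            try
            {
                new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
                return true;
            }
            catch (SecurityException)
            {
                return false;
            }
        }

        // True only if the grant set is the unrestricted (FullTrust) set.
        internal static bool IsFullTrust()
        {
            return SecurityManager.IsGranted(
                new PermissionSet(PermissionState.Unrestricted));
        }

        // Execution is the one permission RequestOptional adds for you.
        internal static bool CanExecute()
        {
            return SecurityManager.IsGranted(
                new SecurityPermission(SecurityPermissionFlag.Execution));
        }

        private static void Main()
        {
            // Constructed probe path; only the demand matters, not the file.
            const string probe = @"C:\constructed\probe.txt";

            Console.WriteLine("Execution granted: " + CanExecute());   // True
            Console.WriteLine("FullTrust:         " + IsFullTrust());  // False
            Console.WriteLine("File read granted: " + CanReadFile(probe)); // False
        }
    }
}
```

Run it from a location that policy would normally grant FullTrust (a local drive): with the RequestOptional attribute in place the file read demand still fails and IsFullTrust reports false, because the request, not policy, now caps the grant. Switching to the RequestRefuse line produces the same result for the file read, but IsFullTrust is still false only because one permission was removed; everything else policy granted is still there, which is exactly the "potentially infinite set you didn't enumerate" the post warns about.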

Thanks Nicole!