I'm trying to build a sandbox using an app-domain to isolate execution of potentially bad code.

Among other things I'd like to restrict reflection.

I'm building the sandbox this way:

using System;
using System.Security;
using System.Security.Permissions;

AppDomainSetup sandboxSetup = new AppDomainSetup
{
    ApplicationBase = "."
};
// Start from an empty grant set and allow only code execution.
PermissionSet permissions = new PermissionSet(PermissionState.None);
permissions.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, sandboxSetup, permissions);

It's working fine with private instance fields and private properties: any attempt to access them in the sandbox is rejected by the runtime.

But I've noticed that it doesn't work with literal fields (const in C#): it's always possible to get the value of a literal field, even if private:

private const string PASSWORD = "secret";
private string password = "secret";
private string Password
{
    get
    {
        return "secret";
    }
}

password and Password are correctly protected, but any code can get the value of PASSWORD with basic reflection:

string password = typeof(User).GetField("PASSWORD", BindingFlags.NonPublic | BindingFlags.Static).GetValue(currentUser) as string;  // OK no problem take it, it's free!

I'd like to understand the rationale behind this behavior: is it because a literal value would always be "easily" visible in an assembly, so preventing reflection is a losing battle, or because a literal value is not really "invoked" so there is no security check, or...?

This example is not really relevant, because a password would not be shared, but imagine the secret value is a salt value used for cryptography or something like that...

Thanks for your help.
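As an added illustration (not code from the question), the following C# walks the fields of a type and reports which ones are compile-time literals whose value is stored in the assembly metadata rather than in an object or static storage; this is the difference between PASSWORD and the other two members above. The User type and its field values are constructed for the example.

```csharp
using System;
using System.Reflection;

// Constructed stand-in for the question's User type.
class User
{
    private const string PASSWORD = "secret";      // literal: stored in the assembly's metadata
    private string password = "secret";            // instance field: stored in the object
    private static readonly string Salt = "s4lt";  // static readonly: stored in static storage
}

static class ConstAudit
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic
                           | BindingFlags.Static | BindingFlags.Instance
                           | BindingFlags.DeclaredOnly;

    // For each field, reports whether its value is a compile-time constant embedded in
    // metadata. GetRawConstantValue only works for literal fields and reads the value
    // from the Constant table, without touching any object or static storage, so a
    // const is part of the assembly file on disk regardless of its access modifier.
    static void Audit(Type t)
    {
        foreach (FieldInfo f in t.GetFields(All))
        {
            if (f.IsLiteral)
            {
                Console.WriteLine($"{f.Name}: const, metadata value = \"{f.GetRawConstantValue()}\"");
            }
            else
            {
                string kind = f.IsStatic ? "static" : "instance";
                Console.WriteLine($"{f.Name}: runtime field ({kind}), value not in metadata");
            }
        }
    }

    static void Main()
    {
        Audit(typeof(User));
    }
}
```

Running the audit over your own assemblies is a cheap way to find secrets that were declared as const and therefore ship in the binary's metadata.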
