C# 代碼標準 .NET2.0版(七)Security 編碼指導方針

1.Always demand your own strong name on assemblies and components that are private to the application, but are public (so that only you can use them):

public class PublicKeys
{
   public const string MyCompany = "1234567894800000940000000602000000240000"+
                                   "52534131000400000100010007D1FA57C4AED9F0"+
                                   "A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C83"+
                                   "4C99921EB23BE79AD9D5DCC1DD9AD23613210290"+
                                   "0B723CF980957FC4E177108FC607774F29E8320E"+
                                   "92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99"+
                                   "285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF"+
                                   "0FC4963D261C8A12436518206DC093344D5AD293";
}

[StrongNameIdentityPermission(SecurityAction.LinkDemand,
                              PublicKey = PublicKeys.MyCompany)]
public class MyClass
{...}

 

2.Apply encryption and security protection on application configuration files.

3.When importing an interop method, assert unmanaged code permission and demand appropriate permission instead:

[DllImport("user32",EntryPoint="MessageBoxA")]
private static extern int Show(IntPtr handle,string text,string caption,
                                                                     int msgType);
[SecurityPermission(SecurityAction.Assert,UnmanagedCode = true)]
[UIPermission(SecurityAction.Demand,
                                  Window = UIPermissionWindow.SafeTopLevelWindows)]
public static void Show(string text,string caption)
{ 
   Show(IntPtr.Zero,text,caption,0);
}

 

4.Do not suppress unmanaged code access via the SuppressUnmanagedCodeSecurity attribute.

5.Do not use the /unsafe switch of TlbImp.exe. Wrap the RCW in managed code so that you can assert and demand permissions declaratively on the wrapper.

6.On server machines, deploy a code access security policy that grants only Microsoft, ECMA, and self (identified by a strong name) full trust. Code originating from anywhere else is implicitly granted nothing.

7.On client machines, deploy a security policy that grants client application only the permissions to execute, to call back the server, and to potentially display user interface. When not using ClickOnce, client application should be identified by a strong name in the code groups.

8.To counter a luring attack, always refuse at the assembly level all permissions not required to perform the task at hand:

[assembly:UIPermission(SecurityAction.RequestRefuse,
                       Window=UIPermissionWindow.AllWindows)]

 

9.Always set the principal policy in every Main( ) method to Windows:

public class MyClass
{
   static void Main( )
   {
      AppDomain currentDomain = AppDomain.CurrentDomain;
      currentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
   }
   //other methods
}

 

10.Never assert a permission without demanding a different permission in its place.