When you sign an assembly, the assembly is protected from tampering through the strong name signature (a signed hash of the assembly). If the assembly has external resource files, those are protected too, because the hash of the external resource is stored in the manifest of the assembly and the manifest is part of the file that is hashed to form the strong name signature. The only person able to change any file that is part of the assembly is someone with the private key who can re-sign the assembly. One quirky aspect of this procedure is that the check is only performed when the manifest resource stream is accessed, rather than when the assembly is loaded. So far so good.
When you create a publisher policy file, it must be a resource-only library that is signed with the publisher's private key, and the policy is given in an external (linked) resource file. However, it does not appear that the runtime uses the same API to access the policy file as it does with other external resources, because you *can* change the policy configuration file and no exception is thrown at runtime. Here are the steps:

1 Create a library, version it, and give it a strong name
2 Create a process that uses the specific version of the library
3 Change the library to have a different version and only compile the library, thus the process expects a different version of the library
4 Create a policy config file redirecting the old version to the new version
5 Create a policy assembly with al.exe that links to the policy configuration file and is signed with the same key as the library
6 Install the library and policy file into the GAC, delete everything in the local folder except the process that uses the library
7 Run the process to confirm that the policy file works.
8 At the command line go to the folder where the policy library was stored in the GAC (%systemroot%\assembly\GAC\<assemName>\<version__publickeytoken> where <assemName> is the name of the policy assembly and <version__publickeytoken> identifies the version and publisher). Now edit the policy file to redirect to a different version of the library.
9 Run the app. You'll find that an exception is thrown because the version of the assembly cannot be found, *not* because the policy file was tampered
10 Now compile a version of the library with the version that you put in the policy file when you tampered it, install this in the GAC. Run the process to confirm that the new version of the library is loaded.
11 You have successfully redirected Fusion to use a different version of the library without having access to the publisher's private key.
I admit that this is a minor security risk because you have to be a Power User or Administrator to be able to modify the files in the GAC. However, Trojans can get admin access and so could iterate through the GAC altering policy files and wreaking havoc. This could be prevented if Fusion would check the signed hash before loading a policy assembly.

Richard

===================================
This list is hosted by DevelopMentor® http://www.develop.com
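
The check the post asks Fusion to perform can be run by hand. The following C# program is an added example, not code from the original post or from the runtime: it reads the File table of a policy assembly's manifest with System.Reflection.Metadata and recomputes the hash of each linked file stored beside it. The class name PolicyLinkCheck is hypothetical, and a runtime that ships System.Reflection.Metadata is assumed.

```csharp
// Added example: recompute the hashes of files linked from an assembly manifest.
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;
using System.Security.Cryptography;

static class PolicyLinkCheck   // hypothetical name
{
    // Map the manifest's declared hash algorithm to an implementation.
    static HashAlgorithm Create(AssemblyHashAlgorithm id) => id switch
    {
        AssemblyHashAlgorithm.MD5 => MD5.Create(),
        AssemblyHashAlgorithm.Sha1 => SHA1.Create(),
        AssemblyHashAlgorithm.Sha256 => SHA256.Create(),
        AssemblyHashAlgorithm.Sha384 => SHA384.Create(),
        AssemblyHashAlgorithm.Sha512 => SHA512.Create(),
        _ => throw new NotSupportedException($"hash algorithm {id}")
    };

    // Returns the number of linked files that are missing or do not match.
    static int Verify(string assemblyPath)
    {
        string dir = Path.GetDirectoryName(Path.GetFullPath(assemblyPath))!;
        using var pe = new PEReader(File.OpenRead(assemblyPath));
        MetadataReader md = pe.GetMetadataReader();
        using HashAlgorithm alg = Create(md.GetAssemblyDefinition().HashAlgorithm);
        int bad = 0;
        foreach (AssemblyFileHandle handle in md.AssemblyFiles)
        {
            AssemblyFile entry = md.GetAssemblyFile(handle);
            string name = md.GetString(entry.Name);              // e.g. the linked policy config
            byte[] recorded = md.GetBlobBytes(entry.HashValue);  // hash stored in the manifest
            string linked = Path.Combine(dir, name);
            bool ok = File.Exists(linked)
                && alg.ComputeHash(File.ReadAllBytes(linked)).SequenceEqual(recorded);
            Console.WriteLine($"{(ok ? "OK      " : "MISMATCH")} {name}");
            if (!ok) bad++;
        }
        return bad;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: PolicyLinkCheck <policy.dll>"); return 2; }
        return Verify(args[0]) == 0 ? 0 : 1;   // non-zero exit when any linked file differs
    }
}
```

A match is only meaningful if the policy assembly's own strong name signature also verifies (for example with `sn -vf`), because the recorded hashes are trusted only as part of the signed manifest.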