Security and serialization


Code Access Security (CAS) and Partially Trusted Code

The .NET Framework provides a mechanism, called Code Access Security (CAS), for enforcing varying levels of trust on different code running in the same application.

CAS is not supported in .NET Core, .NET 5, or later versions. CAS is not supported by versions of C# later than 7.0.

CAS in .NET Framework should not be used as a mechanism for enforcing security boundaries based on code origination or other identity aspects. CAS and Security-Transparent Code are not supported as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origin without putting alternative security measures in place. .NET Framework will not issue security patches for any elevation-of-privilege exploits that might be discovered against the CAS sandbox.

This policy applies to all versions of .NET Framework, but does not apply to the .NET Framework included in Silverlight.

Because serialization can allow other code to see or modify object instance data that would otherwise be inaccessible, a special permission is required of code performing serialization: SecurityPermission with the SerializationFormatter flag specified. Under default policy, this permission is not granted to Internet-downloaded or intranet code; only code on the local computer is granted this permission.

Normally, all fields of an object instance are serialized, meaning that every field's data, including private and internal fields, is represented in the serialized data for the instance. Code that can interpret the format can determine the data values independent of the accessibility of the member. Similarly, deserialization extracts data from the serialized representation and sets object state directly, again irrespective of accessibility rules.

Any object that could contain security-sensitive data should be made nonserializable, if possible. If it must be serializable, try to make the specific fields that hold sensitive data nonserializable. If those fields cannot be made nonserializable, the sensitive data will be exposed to any code that has permission to serialize. Make sure that no malicious code can obtain this permission.
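The two paragraphs above make a claim that is easy to verify: a private field is written to the stream just like a public one, and marking it nonserializable is what keeps it out. The following is an added example, not code from the original page; the class names, field names and the sample secret are constructed for the demonstration. It targets .NET Framework, where BinaryFormatter is the formatter whose use the SerializationFormatter permission governs.

```csharp
// Added example, not from the original page: default serialization writes private
// fields into the stream regardless of accessibility; [NonSerialized] keeps a
// sensitive field out. Targets .NET Framework (BinaryFormatter); class and
// field names are constructed for the example.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;

[Serializable]
public class LeakyCredential
{
    public string UserName;
    private string secret;                  // private, but serialized by default

    public LeakyCredential(string userName, string secret)
    {
        UserName = userName;
        this.secret = secret;
    }
}

[Serializable]
public class GuardedCredential
{
    public string UserName;

    [NonSerialized]
    private string secret;                  // omitted from the serialized data

    public GuardedCredential(string userName, string secret)
    {
        UserName = userName;
        this.secret = secret;
    }

    // After deserialization a [NonSerialized] field holds its default value (null),
    // so the object must re-acquire the secret from a trusted source, not the stream.
    public bool HasSecret { get { return secret != null; } }
}

public static class SerializationExposure
{
    public static byte[] Serialize(object graph)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, graph);
            return ms.ToArray();
        }
    }

    // BinaryFormatter stores string members as length-prefixed UTF-8, so a byte
    // search is enough to tell whether a value made it into the stream.
    public static bool StreamContains(byte[] stream, string value)
    {
        byte[] needle = Encoding.UTF8.GetBytes(value);
        for (int i = 0; i + needle.Length <= stream.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && stream[i + j] == needle[j]) j++;
            if (j == needle.Length) return true;
        }
        return false;
    }

    public static void Main()
    {
        const string secret = "constructed-sample-secret";   // constructed sample value

        byte[] leaky = Serialize(new LeakyCredential("alice", secret));
        Console.WriteLine("private field in stream:         " + StreamContains(leaky, secret));

        byte[] guarded = Serialize(new GuardedCredential("alice", secret));
        Console.WriteLine("[NonSerialized] field in stream: " + StreamContains(guarded, secret));

        using (var ms = new MemoryStream(guarded))
        {
            var back = (GuardedCredential)new BinaryFormatter().Deserialize(ms);
            Console.WriteLine("secret restored on round trip:   " + back.HasSecret);
        }
    }
}
```

Run on .NET Framework, the first search finds the secret in the LeakyCredential stream even though the field is private, the second does not find it in the GuardedCredential stream, and the round-tripped object reports no secret, because a nonserializable field is not restored from the stream. Two caveats a practitioner should keep in mind: BinaryFormatter must never be used on input from an untrusted source (it is disabled by default in current .NET), and [NonSerialized] only protects the field on the way out; the deserialization side still needs the input validation discussed below.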

The ISerializable interface is intended for use only by the serialization infrastructure. However, if unprotected, it can potentially release sensitive information. If you provide custom serialization by implementing ISerializable, make sure you take the following precautions:

  • The GetObjectData method should be explicitly secured, either by demanding SecurityPermission with the SerializationFormatter flag specified or by making sure that no sensitive information is released in the method output. For example:

    ' Visual Basic: the declarative Demand runs before the method body executes
    <SecurityPermissionAttribute(SecurityAction.Demand, SerializationFormatter := True)>  _
    Public Overrides Sub GetObjectData(info As SerializationInfo, context As StreamingContext)
    End Sub

    // C#: the equivalent declarative Demand
    [SecurityPermissionAttribute(SecurityAction.Demand, SerializationFormatter = true)]
    public override void GetObjectData(SerializationInfo info, StreamingContext context)
    {
    }
  • The special constructor used for deserialization should also perform thorough input validation and should be either protected or private, to help protect against misuse by malicious code. It should enforce the same security checks and permissions required to obtain an instance of the class by any other means, such as creating the class explicitly or indirectly through some kind of factory.
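Putting both precautions together, here is an added example that is not code from the original page: a complete ISerializable type whose GetObjectData demands the SerializationFormatter permission and omits its sensitive field, and whose deserialization constructor is non-public and applies the same validation as the public constructor. The type, its fields and the value ranges are constructed for the example; it targets .NET Framework, since on .NET Core and .NET 5+ SecurityPermissionAttribute compiles but has no effect.

```csharp
// Added example, not from the original page: an ISerializable implementation that
// applies both precautions described above. Targets .NET Framework; the type and
// its fields are constructed for the example.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Permissions;

[Serializable]
public sealed class SessionTicket : ISerializable
{
    public string Principal { get; private set; }
    public int TimeToLiveSeconds { get; private set; }
    private byte[] signingKey;              // sensitive: never written to the stream

    public SessionTicket(string principal, int ttlSeconds, byte[] signingKey)
    {
        Validate(principal, ttlSeconds);
        if (signingKey == null || signingKey.Length < 16)
            throw new ArgumentException("signing key too short", "signingKey");
        Principal = principal;
        TimeToLiveSeconds = ttlSeconds;
        this.signingKey = signingKey;
    }

    // Deserialization constructor: private (the class is sealed; use protected if
    // subclasses must call it) and subject to the same checks as the public
    // constructor, so a crafted stream cannot yield an instance that normal
    // construction would have refused. The formatter invokes it via reflection.
    private SessionTicket(SerializationInfo info, StreamingContext context)
    {
        if (info == null) throw new ArgumentNullException("info");
        string principal = info.GetString("Principal");
        int ttl = info.GetInt32("TimeToLiveSeconds");
        Validate(principal, ttl);
        Principal = principal;
        TimeToLiveSeconds = ttl;
        signingKey = null;                  // re-established from a trusted source, never from the stream
    }

    // Shared validation for both construction paths; the bounds are example values.
    private static void Validate(string principal, int ttlSeconds)
    {
        if (string.IsNullOrEmpty(principal) || principal.Length > 256)
            throw new ArgumentException("invalid principal", "principal");
        if (ttlSeconds <= 0 || ttlSeconds > 86400)
            throw new ArgumentOutOfRangeException("ttlSeconds");
    }

    // Declarative Demand: on .NET Framework, partially trusted callers (default
    // Internet and intranet zone policy) fail here before any data is written.
    [SecurityPermission(SecurityAction.Demand, SerializationFormatter = true)]
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        if (info == null) throw new ArgumentNullException("info");
        info.AddValue("Principal", Principal);
        info.AddValue("TimeToLiveSeconds", TimeToLiveSeconds);
        // signingKey is deliberately not added to the SerializationInfo.
    }

    public bool HasSigningKey { get { return signingKey != null; } }
}

public static class SessionTicketDemo
{
    public static void Main()
    {
        var ticket = new SessionTicket("alice", 600, new byte[32]);   // constructed sample
        var formatter = new BinaryFormatter();
        byte[] bytes;
        using (var ms = new MemoryStream())
        {
            formatter.Serialize(ms, ticket);
            bytes = ms.ToArray();
        }
        using (var ms = new MemoryStream(bytes))
        {
            var back = (SessionTicket)formatter.Deserialize(ms);
            Console.WriteLine(back.Principal + " ttl=" + back.TimeToLiveSeconds
                              + " hasKey=" + back.HasSigningKey);
        }
    }
}
```

The round trip restores Principal and TimeToLiveSeconds but not the signing key, which the deserialization constructor leaves for the application to re-establish from a trusted source. A stream edited to carry, for example, a negative TTL or an empty principal is rejected in Validate during deserialization rather than producing a half-valid object, which is the property the second precaution asks for. As with the previous example, BinaryFormatter is shown because it is the formatter this permission model covers, not as a recommendation for handling untrusted input.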

See also