Hi Jesper,
"Jesper" <no@spam.com> wrote in message
news:ej**************@TK2MSFTNGP14.phx.gbl...
"Nick Malik [Microsoft]" Interfaces are there to encapsulate code, not protect it. Breaking
encapsulation isn't criminal... it's stupid.
Why protect yourself from stupid programmers?
Im not trying to protect myself from stupid programmers. I'm trying to
protect myself from *malicious* programmers, and in my case, it makes good
sense:
My host application is being written to accept user-created plugins. And I
can't trust those. I require that they support a specified interface, and
as mentioned I'm giving them their own AppDomain to run in. My problem is,
however, that I want to give them read access to alot of data in my host
process. Giving them an interface wrapping of my data was just mentioned
because thats the 'solution' I had seen others give to replace 'const'.
I'll take other solutions.
Perhaps I just need to understand a little better.
When I approach security concerns, I use a technique called "Threat
Modeling". In this technique, I first identify the things that need
protection, and the I identify the different approaches to "harming" these
things, and then I characterize an attack that will effect that harm. In
other words, it a technique to make programmers think like hackers. :-)
So, let me understand the threat that reflection poses for you.
You have an object that you use for returning and updating a sizable set of
data. You want to share this object with plug-ins written by users. You
said something about synchronization, so I assume you want to allow these
users, in some cases, to update the data... but not all of it. Some of the
data should not be updatable. (I'm guessing here... please correct me).
The threat, if I understand correctly, is that your application has the
ability to modify a great deal of data. You want to share the data but not
the ability to modify it. The threat scenario would then be: malicious
programmer writes plug-in to access your objects, and uses reflection to get
access to data items that you don't want him or her to change, changes those
data items, and your class will react by writing that data back to the
server.
This leads to a few questions. I can see a couple of different designs, but
I don't know which to recommend without further info...
How many of the fields in your data structure do you want the compliant
(non-malicious) user to be able to change?
Is the data structured in a hierarchy of objects, or is this a single object
with many fields?
Does your application have a data access layer that is composed of objects
using non-static methods?
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik
Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--