Demand vs. LinkDemand
Declarative security offers two kinds of security checks that are similar but perform very different checks. You should understand both forms because the wrong choice can result in weak security or performance loss. For more information, see Security Demands.
Declarative security offers the following security checks:
- Demand specifies the code access security stack walk. All callers on the stack must have the specified permission or identity to pass. Demand occurs on every call because the stack might contain different callers. If you call a method repeatedly, this security check occurs each time. Demand is good protection against luring attacks; unauthorized code trying to get through it will be detected.
- LinkDemand happens at just-in-time (JIT) compilation time and checks only the immediate caller. This security check does not check the caller's caller. Once this check passes, there is no additional security overhead no matter how many times the caller might call. However, there is also no protection from luring attacks. With LinkDemand, any code that passes the test and can reference your code can potentially break security by allowing malicious code to call using the authorized code. Therefore, do not use LinkDemand unless all the possible weaknesses can be thoroughly avoided.
The extra precautions required when using LinkDemand must be programmed individually; the security system can help with enforcement. Any mistake opens a security weakness. All authorized code that uses your code must be responsible for implementing additional security by doing the following:
- Restricting the calling code's access to the class or assembly.
- Placing the same security checks on the calling code that appear on the code being called and obligating its callers to do so. For example, if you write code that calls a method that is protected with a LinkDemand for the SecurityPermission with the UnmanagedCode flag specified, your method should also make a LinkDemand (or Demand, which is stronger) for this permission. The exception is if your code uses the LinkDemand-protected method in a limited way that you decide is safe, given other security protection mechanisms (such as demands) in your code. In this exceptional case, the caller takes responsibility in weakening the security protection on the underlying code.
- Ensuring that your code's callers cannot trick your code into calling the protected code on their behalf. In other words, callers cannot force the authorized code to pass specific parameters to the protected code, or to get results back from it.
Interfaces and Link Demands
If a virtual method, property, or event with LinkDemand overrides a base class method, the base class method must also have the same LinkDemand for the overridden method in order to be effective. It is possible for malicious code to cast back to the base type and call the base class method. Also note that link demands can be added implicitly to assemblies that do not have the AllowPartiallyTrustedCallersAttribute assembly-level attribute.
It is a good practice to protect method implementations with link demands when interface methods also have link demands. Note the following about using link demands with interfaces:
- The AllowPartiallyTrustedCallersAttribute attribute also applies to interfaces.
- You can place link demands on interfaces to selectively protect certain interfaces from being used by partially trusted code, such as when using the AllowPartiallyTrustedCallersAttribute attribute.
- If you have an interface defined in an assembly that does not contain the AllowPartiallyTrustedCallersAttribute attribute, you can implement that interface on a partially trusted class.
- If you place a LinkDemand on a public method of a class that implements an interface method, the LinkDemand will not be enforced if you then cast to the interface and call the method. In this case, because you linked against the interface, only the LinkDemand on the interface is honored.
Review the following items for security issues:
- Explicit link demands on interface methods. Make sure these link demands offer the expected protection. Determine whether malicious code can use a cast to get around the link demands as described previously.
- Virtual methods with link demands applied.
- Types and the interfaces they implement. These should use link demands consistently.