Deciding When To Enable Partially Trusted Callers

Article
02/04/2013

The implicit LinkDemand for full trust that shared libraries perform by default helps provide your code a high level of protection by not allowing untrusted, potentially malicious code to call your code and exploit weaknesses. If you do not expect that your code will be called from partially trusted code, you should consider leaving the AllowPartiallyTrustedCallersAttribute Class off your shared libraries.

Important
In the .NET Framework version 4, partially trusted code has been redefined as transparent code. The transparency model draws a barrier between code that can do privileged things (critical code), such as calling native code, and code that cannot (transparent code). Transparency eliminates the use of the LinkDemand to identify fully trusted code, and affects the rules for running partially trusted code. For more information about this and other changes, see Security Changes in the .NET Framework 4.

In the .NET Framework version 4, partially trusted code has been redefined as transparent code. The transparency model draws a barrier between code that can do privileged things (critical code), such as calling native code, and code that cannot (transparent code). Transparency eliminates the use of the LinkDemand to identify fully trusted code, and affects the rules for running partially trusted code. For more information about this and other changes, see Security Changes in the .NET Framework 4.

Note

The .NET Framework 4 introduces the conditional use of the AllowPartiallyTrustedCallersAttribute (APTCA) attribute. Conditional APTCA enables hosts to identify which assemblies they want to expose to partial-trust callers that are loaded within the context of the host. The candidate assemblies must already be designed for partial trust; that is, they must either be APCTA (security-safe-critical in the transparency model) or fully transparent. A new constructor for the AllowPartiallyTrustedCallersAttribute class enables the host to specify the level of visibility for an APTCA assembly by using the PartialTrustVisibilityLevel enumeration in the constructor call.

However, there are certain scenarios in which you might want your shared library to be called by mobile or partially trusted code. For example, enterprise applications might want to support managed controls hosted in Microsoft Internet Explorer that run from Web sites on a local intranet. The AllowPartiallyTrustedCallersAttribute attribute should be applied only after you have considered the security implications and taken the necessary precautions, including code review against the secure coding guidelines for managed code. This attribute should be applied to assemblies only if the following criteria are met:

Partially trusted code use is important to support.
The assemblies have been designed and built with explicit attention to security considerations to make them robust against all callers, including potentially malicious callers.
Appropriate security testing with partially trusted code is done before releasing the code.

Deciding When To Enable Partially Trusted Callers

See Also

Concepts

Other Resources

Additional resources