ASP.NET 1.1 app breaks when moved to shared webhosting with medium trust level

Discussion in 'ASP .Net' started by Andy, Dec 15, 2006.

  1. Andy

    Andy Guest

    Hi, how do you allow strongly type cast parameters to be passed to C#
    functions that use weakly type cast parameters while running under the
    "Medium" Trust Level security policy shipped with the ASP.NET 1.1

    I've written a general error reporting routine that formats and returns
    error messages for various exceptions. The routine accepts a
    System.Object which it then typecasts into the correct exception object
    using the object's name property.

    When I run this under the "Full" Trust Level security policy, the
    routine works and no errors are reported.

    When I run this under the "Medium" Trust Level security policy on our
    shared webhosting provider, the routine fails to compile because the
    .NET code verifier flags all the calls to this error routine as
    "unsafe", because the data types of the expected and passed parameters
    do not match.

    The actual error reported is "System.Security.VerificationException:
    Operation could destabilize the runtime". The problem line in the
    stack trace points to the function definition line for rptError that
    contains the expected System.Object parameter.

    The shared webhosting provider has not modified the "Medium" Trust
    Level security policy, and has used it "as-is" from the .NET 1.1

    Sample code of the call and function appears below:


        ... arbitrary code that may throw an exception ...
        }catch (Exception e){
            result = rptError((System.Object) e);

        public System.String rptError(System.Object objError)
            string result="";
            case "Exception":
                Exception e=(FormatException)objError;
                result = "exception: " + Environment.NewLine +
                    e.Message + Environment.NewLine +
                    e.Source + Environment.NewLine +

    Can anyone see what is going wrong here?

    Andy, Dec 15, 2006

  2. Andy

    Andy Guest

    Here's what I found out

    Medium Trust is a default security policy Microsoft ships with its .NET
    framework that is intentionally designed to protect shared web hosting
    service providers. The design allows such providers to be confident
    that clients cannot defeat their security and drop themselves out of
    any imposed settings or constraints.

    Part of this trust policy is meant to prevent buffer over-run attacks
    (a common hacking technique used to load executable code into unused
    memory by passing more data into a variable than the variable can
    hold). It enforces code verification and type checking to ensure that
    only well-defined fixed length parameter passing occurs between

    The policy also prevents an application from having a mechanism to
    access external resources such as webservices since internal resources
    on the provider's LAN can also be on the same backbone that their
    hosting service is. The URI parameter on the <trust> tag actually
    takes a regular expression which is used to match the description of
    any piece of equipment or webservice on a network, and passing the
    regular expression ".*" could give access to anything (internal
    printers, hard drives, etc).

    This problem isn't really a bug with the Medium Trust Policy, as much
    as it is really an indication that the web application was deployed on
    the wrong type of web hosting service architecture.

    Most often, people choose shared hosting because it is a less costly
    alternative to paying for a dedicated server hosting service. In
    between these two extremes is Virtual Personal Server (VPS) hosting
    where you get the advantages of full administrative rights to what
    appears to be a physical dedicated server while enjoying the cost
    advantages gained from a shared hosting environment.

    VPS hosting services allow full admin rights because each account runs
    in its own emulated server, and it is the server emulations that run in
    a shared environment (rather than the end-user programs that are now
    running within the server emulations). In effect, each VPS server is a
    sandbox for its account, and each account user cannot administer
    somebody else's emulated server. This is different from a shared
    hosting service where user code awaits to be run on demand within a
    single gigantic shared resource environment.

    VPS has been available for UNIX based hosting for more than 10 years.
    But, only recently has VPS started to become available for Windows
    hosting environments.

    Although a VPS server can be a software emulation of a Pentium class
    computer, it is usually a physical server that is assigned to a fixed
    handful of customers. The processor time on the server is time sliced
    across the clients, and the drive space is partitioned with real
    hard drive partitions. Most VPS servers are always running, so there
    aren't usually any timeout restrictions imposed on the user accounts.

    With today's RAID technology, and multi-processor servers, a lot of
    customers can share the cost of a single dedicated physical server
    bringing the price point for VPS very close to what plain shared
    hosting offers.
    Andy, Dec 21, 2006
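
Added example, not part of the original thread or of any hosting provider's actual configuration: a machine-level web.config fragment showing how a shared host can pin tenants to Medium trust and scope the outbound-URI pattern discussed in the post above. In ASP.NET the attribute on the <trust> element is named originUrl; the host name api.example.test is a constructed placeholder.

```xml
<!-- Added example: machine-level web.config fragment on a shared host. -->
<configuration>
  <!-- allowOverride="false" stops a tenant's own web.config from
       raising the trust level or changing originUrl. -->
  <location allowOverride="false">
    <system.web>
      <!-- Weak setting, shown commented out: the pattern matches every
           URI, so tenant code may connect to anything the web server
           can reach, including hosts on the provider's internal LAN.
      <trust level="Medium" originUrl=".*" />
      -->

      <!-- Tighter setting: outbound web requests are limited to one
           named external service (constructed placeholder host).
           Dots are escaped because the value is a regular expression. -->
      <trust level="Medium" originUrl="https://api\.example\.test/.*" />
    </system.web>
  </location>
</configuration>
```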