Assuring trust in .NET assemblies by instrumentation
MetadataVis full innførsel
SuperOffice is a software company developing SuperOffice CRM software. The traditionalhosting option is the on-site solution where the customer is responsible forhosting and maintenance. SuperOffice CRM is quite extensible due to differencesbetween enterprises requirements and processes. The move from an on-site installationto an online installation reduces the level of customization available. Especially,executing custom code written by third parties in on-site solutions was thecustomer s responsibility. The shift to online moves this responsibility to SuperOf-fice, resulting in unacceptable risk towards the installation, other installations andthe online environment. Is it possible to trust the custom code written by thirdparties?If so, how? This thesis looks at how instrumentation techniques can beused for analyzing and instrumenting .NET assemblies in order to get assurancethey do behave in a predictable manner and with acceptable risk to the customerinstallation, other installations and the environment. Analyzing the custom assemblieswith static analysis techniques reveal the potential interactions between thecustom assembly, the .NET runtime and the rest of the system. Runtime enforcerscan be added to calls to methods which can only be conditionally executed.However, there are several threats to an instrumentation engine such as this.There are indeed many ways of fooling it; Platform Invoke, ForwardedTypes andMixed-Mode assemblies to mention a few.