Skip to content

Latest commit

 

History

History
47 lines (40 loc) · 3.93 KB

attack-surface.md

File metadata and controls

47 lines (40 loc) · 3.93 KB

Attack Surface Analysis for dotnet/roslyn

Attack Surface: Code Injection into Compilation

  • Description: An attacker injects malicious C# or VB.NET code into the source code that Roslyn compiles, leading to arbitrary code execution.
  • Roslyn Contribution: Roslyn's core function is to compile code; this inherent capability is the attack vector. Roslyn directly executes the injected code upon compilation.
  • Example:
    • A web application allows users to enter C# code snippets for "live evaluation." An attacker submits code that downloads and executes a malware payload.
    • An application uses Roslyn to generate code based on user-provided templates. The attacker injects malicious code into the template.
  • Impact: Complete system compromise; data theft; malware installation; denial of service.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strict Input Validation: Implement rigorous validation of all input used in code generation. Reject any input that contains unexpected characters, keywords, or patterns. Prefer allow-listing (whitelisting).
    • Sandboxing: Execute the compiled code in a highly restricted environment (container, VM). This limits the damage even if code execution occurs.
    • Avoid Dynamic Compilation (if possible): If functionality can be achieved without dynamic compilation, choose that approach.
    • Template Engine Security: If using a template engine, ensure it's secure and user input is properly escaped within the template.
    • Code Signing (Post-Compilation): Digitally sign the compiled assembly to detect tampering after compilation.
    • Allow Lists (Whitelisting): Define a strict allow list of permitted code constructs, libraries, and APIs.

Attack Surface: Denial of Service (DoS) via Compilation

  • Description: An attacker submits excessively large or complex code to Roslyn, causing resource exhaustion (CPU, memory, disk) and denial of service.
  • Roslyn Contribution: Roslyn's compilation process is resource-intensive; this is exploited to cause DoS. Roslyn directly consumes the resources during the compilation attempt.
  • Example:
    • An attacker submits a C# script with deeply nested loops or a large number of classes, causing the compilation process to consume all available memory.
    • An attacker repeatedly submits code for compilation, overwhelming the server.
  • Impact: Application unavailability; service disruption.
  • Risk Severity: High
  • Mitigation Strategies:
    • Resource Limits: Impose strict limits on code size, complexity (e.g., nesting depth), and compilation time.
    • Rate Limiting: Limit the frequency of compilation requests.
    • Asynchronous Compilation: Compile code in a background process.
    • Queueing: Use a queue to manage compilation requests.
    • Input Size Limits: Enforce maximum input size limits.

Attack Surface: Vulnerabilities in Roslyn Itself

  • Description: Exploitation of vulnerabilities within the Roslyn library itself.
  • Roslyn Contribution: Roslyn, like any software, may contain vulnerabilities. The vulnerability is directly within the Roslyn codebase.
  • Example: A buffer overflow vulnerability in Roslyn's parsing logic is exploited by providing specially crafted code.
  • Impact: Varies; could range from denial of service to arbitrary code execution.
  • Risk Severity: High (Potentially Critical, depending on the vulnerability)
  • Mitigation Strategies:
    • Keep Roslyn Updated: Regularly update to the latest version of Roslyn.
    • Monitor Security Advisories: Stay informed about Roslyn security advisories.
    • Defense in Depth: Implement multiple layers of security.