Login/Register
What causes an interface (or assembly?) to become marked security critical?
Asked Answered
c#.netsecurityxamarin.androidmvvmcross
M

0

7

Background

I have a class - MobileLogging - that implements MvvmCross' IMvxTrace interface (from reference Cirrious.MvvmCross.Droid, packages\MvvmCross.HotTuna.CrossCore.3.5.0\lib\MonoAndroid\Cirrious.CrossCore.dll):

namespace Cirrious.CrossCore.Platform
{
    public interface IMvxTrace
    {
        void Trace(MvxTraceLevel level, string tag, Func<string> message);
        void Trace(MvxTraceLevel level, string tag, string message);
        void Trace(MvxTraceLevel level, string tag, string message, params object[] args);
    }
}

and from a the-code-works-perspective everything is fine. However when choosing "Run Code Analysis on Solution" it produces a lot of security warnings:

  • CA2140 Transparent code must not reference security critical items
  • CA2151 Fields with critical types should be security critical.
  • CA2146 Types must be at least as critical as their base types and interfaces
  • CA2123 Override link demands should be identical to base
  • CA2134 Methods must keep consistent transparency when overriding base methods

Running SecAnnotate.exe produces a TransparencyAnnotations.xml that contains among other things

  <type name="<...mynamespace...>.MobileLogging">
    <annotations>
      <critical>
        <rule name="TypesMustBeAtLeastAsCriticalAsBaseTypes">
          <reason pass="1">Transparent or safe-critical type 'MobileLogging' derives from
          critical type 'IMvxTrace' in violation of the transparency inheritance rules.
          'MobileLogging' must be critical to derive from a critical type or implement a
          critical interface.</reason>
          <reason pass="1">Transparent or safe-critical type 'MobileLogging' derives from
          critical type 'IMobileLogging' in violation of the transparency inheritance
           rules. 'MobileLogging' must be critical to derive from a critical type or
          implement a critical interface.</reason>
        </rule>
      </critical>
    </annotations>

At first I just assumed that ok, the logging functions are supposed to possibly at some point possibly call some native (unmanaged) logging function, so it does not seem too far off that this is marked as security critical. But now I am beginning to think that the fact that IMvxTrace is considered security critical is wrong.

First of all because when looking into the MvvmCross' code base there is nothing there that indicates any specifications of security level or anything, in fact searching for the string "secur" only matches two lines

SecureTextEntry = isPassword,
using System.Security.Cryptography;

And searching for "IMvxTrace critical" on google returns only 5 matches, none of which is relevant to me.

Question

So, assuming that IMvxTrace is erroneously marked as security critical, what are possible causes for this and how do I fix that?

Metts answered 2/2, 2015 at 15:0 Comment(2)
Did you ever figure out what was the issue?Vally
No, I did not find out.Metts

© 2022 - 2024 — McMap. All rights reserved.