Article ID: 831687 - Last Review: May 10, 2007 - Revision: 1.13

Description of the Type Filtering feature in the Microsoft .NET Framework

View products that this article applies to.

On This Page

Expand all | Collapse all

SUMMARY

In the Microsoft .NET Framework 1.1, the Type Filtering feature is included with the .NET Framework Remoting infrastructure. By default, Type Filtering is enabled. Type Filtering limits the type of objects that a .NET Framework Remoting client can marshal to a .NET Framework Remoting server. Type Filtering prevents the server from deserializing instances of common language runtime types that may serve as vectors of attack.

There are two levels of Type Filtering, as follows:
  • Full
  • Low

    By default, Type Filtering is set to the Low level. The Low level provides more stringent security restrictions than the Full level.
Back to the top

MORE INFORMATION

Any .NET Framework Remoting system that depends on run-time validation must deserialize a remote stream to start using the stream. This dependency on run-time validation may be exploited by malicious clients during serialization or during deserialization. The .NET Framework 1.1 includes a new, constrained .NET Framework Remoting model. In the .NET Framework 1.1, the most secure level of deserialization is set as the default level. However, you can still use a less secure level in the .NET Framework 1.1. The difference in the .NET Framework Remoting security levels may break existing implementations of the .NET Framework Remoting models because the default behavior in the .NET Framework 1.1 is different from the default behavior in the .NET Framework 1.0.

Back to the top

Side effects of the Type Filtering feature

The following table describes several of the side effects that may occur if the typeFilterLevel property of the Type Filtering feature is set to the Low level:

Collapse this tableExpand this table
FunctionalitySide Effect
Expose a .NET Framework Remoting server with a method or with a member that takes a delegate.You can use delegates to call methods on other types of objects that have the same signature.
Expose a .NET Framework Remoting server that has a method or a member that takes a MarshalByRefObject type.The serialized form of a MarshalByRefObject type contains a mutable URL.
Expose a .NET Framework Remoting server with a method or with a member that takes an ISerializable type.Deserialization of an ISerializable type causes the .NET Framework Remoting infrastructure to run the code of the type.
Expose a .NET Framework Remoting server with a method or with a member that takes a type from the Global Assembly Cache (GAC) on the server computer in an assembly that does not have the AllowPartiallyTrustedCallers (APTCA) attribute.A malicious user may know the types in the GAC. Therefore, you incur a potential risk if you use these types with a .NET Framework Remoting server.
Expose a .NET Framework Remoting server that enables remote clients to register sponsors.There is no limit to the number of sponsors that can be registered.
Back to the top

REFERENCES

The .NET Framework Remoting deserialization

For additional information about automatic deserialization in .NET Remoting (.NET Framework Developer's Guide), visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/5dxse167(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/5dxse167(vs.71).aspx)
Back to the top

The typeFilterLevel property

For additional information about the BinaryServerFormatterSink.TypeFilterLevel property, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.binaryserverformattersink.typefilterlevel(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.binaryserverformattersink.typefilterlevel(vs.71).aspx)

For additional information about the BinaryServerFormatterSinkProvider.TypeFilterLevel property, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.binaryserverformattersinkprovider.typefilterlevel(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.binaryserverformattersinkprovider.typefilterlevel(vs.71).aspx)

For additional information about the SoapServerFormatterSink.TypeFilterLevel property, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.soapserverformattersink.typefilterlevel(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.soapserverformattersink.typefilterlevel(vs.71).aspx)

For additional information about the SoapServerFormatterSinkProvider.TypeFilterLevel property, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.soapserverformattersinkprovider.typefilterlevel(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.runtime.remoting.channels.soapserverformattersinkprovider.typefilterlevel(vs.71).aspx)
Back to the top
APPLIES TO
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0
  • Microsoft Visual Studio .NET 2003 Academic Edition
  • Microsoft Visual Studio .NET 2003 Enterprise Architect
  • Microsoft Visual Studio .NET 2003 Enterprise Developer
  • Microsoft Visual Studio .NET 2002 Academic Edition
  • Microsoft Visual Studio .NET 2002 Enterprise Architect
  • Microsoft Visual Studio .NET 2002 Enterprise Developer
  • Microsoft Visual Studio .NET 2002 Professional Edition
Back to the top
Keywords: 
kbinterop kbsecurityservices kbremoting kbserial kbinfo KB831687
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations