Tiny Tip: Improve Security with InternalsVisibleTo Attribute

In projects that span multiple teams, or for other sound architectural reasons, you end up with multiple assemblies in your project. Likewise, if you reuse a library one of the other teams wrote, you will find yourself using code from another assembly. You then have a couple of choices: A. Design the methods you want to expose to other assemblies as public methods so that they can be accessed, but be aware that once they are public, even a competitor can benefit from the same library you invested in. B. Use the InternalsVisibleTo attribute.

You can (optionally) improve your security by adding a PublicKey/PublicKeyToken to the assembly definition in the InternalsVisibleTo attribute. Doing this tells the compiler to enforce that any assembly that wants to gain access to these internal types must have a matching key.

What InternalsVisibleTo does is tie your assembly to the valuable library using the assembly's public key, so you can access its internal types.

The good news is that it's very easy to implement; you just need to have a strong-named assembly in place. Let's say we have two dev teams, TeamA and TeamB. TeamA develops an assembly, and later one of TeamB's projects needs the same functionality. This code snippet shows how to allow an external assembly to access the internal types of another.

//AssemblyInfo.cs

using System.Runtime.CompilerServices;

[assembly:InternalsVisibleTo("CriticalSites, PublicKeyToken=123456789")]

Not only that, but you can also enforce a version number for the assembly, so that a client assembly can only bind to the right version.

[assembly:InternalsVisibleTo("CriticalSites, PublicKeyToken=123456789,Version=1.2.3.4")]
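
One way to check that the friend declarations in a built library are actually tied to a key, as an added example (not code from the original post): a small console program that lists each InternalsVisibleTo declaration, flags any that names a friend without a PublicKey or PublicKeyToken, and compares a declared key with the real friend binary when one is supplied. The class name FriendAudit and the file names in the usage comment are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

static class FriendAudit
{
    // Split "Name, PublicKey=..." into the simple name and its key=value fields.
    static (string Name, Dictionary<string, string> Fields) Parse(string declaration)
    {
        var parts = declaration.Split(',').Select(p => p.Trim()).ToArray();
        var fields = parts.Skip(1)
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .ToDictionary(kv => kv[0].Trim(), kv => kv[1].Trim(), StringComparer.OrdinalIgnoreCase);
        return (parts[0], fields);
    }

    static bool SameHex(string hex, byte[] bytes) =>
        string.Equals(hex, BitConverter.ToString(bytes ?? new byte[0]).Replace("-", ""),
                      StringComparison.OrdinalIgnoreCase);

    // Usage (hypothetical file names): FriendAudit TeamA.Library.dll CriticalSites.dll
    static int Main(string[] args)
    {
        if (args.Length < 1) { Console.Error.WriteLine("usage: FriendAudit <library> [friend ...]"); return 2; }
        // Read the identity of each supplied friend binary without loading its code.
        var friends = args.Skip(1).Select(p => AssemblyName.GetAssemblyName(p))
                          .ToDictionary(n => n.Name, StringComparer.OrdinalIgnoreCase);
        var library = Assembly.LoadFrom(Path.GetFullPath(args[0]));
        int problems = 0;
        foreach (var attr in library.GetCustomAttributesData()
                     .Where(a => a.AttributeType == typeof(InternalsVisibleToAttribute)))
        {
            var (name, fields) = Parse((string)attr.ConstructorArguments[0].Value);
            bool pinned = fields.ContainsKey("PublicKey") || fields.ContainsKey("PublicKeyToken");
            string verdict;
            if (!pinned) verdict = "UNPINNED: any assembly with this name is accepted";
            else if (!friends.TryGetValue(name, out var actual)) verdict = "pinned (binary not supplied, key not compared)";
            else if (fields.TryGetValue("PublicKey", out var key) ? SameHex(key, actual.GetPublicKey())
                     : SameHex(fields["PublicKeyToken"], actual.GetPublicKeyToken())) verdict = "pinned, key matches binary";
            else verdict = "MISMATCH: declared key differs from the binary's key";
            if (verdict.StartsWith("UNPINNED") || verdict.StartsWith("MISMATCH")) problems++;
            Console.WriteLine($"{name}: {verdict}");
        }
        return problems == 0 ? 0 : 1;
    }
}
```

The non-zero exit code on an unpinned or mismatched declaration lets the check run as a build step.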

4 thoughts on “Tiny Tip: Improve Security with InternalsVisibleTo Attribute”

  1. It’s a tiny tip, but an excellent one! I’m developing on the compact framework and that doesn’t support the StrongNameIdentityPermission attribute. It didn’t occur to me to use the InternalsVisibleTo until I read your post.

    Thanks,
    Jeffry

  2. If you don't have the internal keyword, or you don't know how to use it with the InternalsVisibleTo attribute, you will end up forced to have most of your types declared as public so you can take advantage of that specific assembly, and that allows any other code to access those assemblies as well.

    When you design with security in mind you have to work with least permission sets, least visibility .. and so on.
