| Field | Value |
|---|---|
| title | SQL Server Programming and Host Protection Attributes |
| ms.date | 03/30/2017 |
| ms.prod | .net-framework |
| ms.topic | article |
| ms.assetid | 7dfa36b4-e773-4c75-a3ff-ff1af3ce4c4f |
| caps.latest.revision | 13 |
| author | mairaw |
| ms.author | mairaw |
| manager | wpickett |

SQL Server Programming and Host Protection Attributes
The ability to load and execute managed code in a SQL Server host requires meeting the host's requirements for both code access security and host resource protection. The code access security requirements are specified by one of three SQL Server permission sets: SAFE, EXTERNAL-ACCESS, or UNSAFE. Code executing within the SAFE or EXTERNAL-ACCESS permission sets must avoid certain types or members that have the System.Security.Permissions.HostProtectionAttribute attribute applied. The HostProtectionAttribute is not a security permission as much as a reliability guarantee, in that it identifies specific code constructs, either types or methods, that the host may disallow. The use of the HostProtectionAttribute enforces a programming model that helps protect the stability of the host.
Host Protection Attributes
Host protection attributes identify types or members that do not fit the host programming model and represent the following increasing levels of reliability threat:
- Are otherwise benign.
- Could lead to destabilization of server-managed user code.
- Could lead to destabilization of the server process itself.
SQL Server disallows the use of a type or member that has a HostProtectionAttribute that specifies a System.Security.Permissions.HostProtectionResource value of SharedState, Synchronization, MayLeakOnAbort, or ExternalProcessMgmt. This prevents the assemblies from calling members that enable sharing state, perform synchronization, might cause a resource leak on termination, or affect the integrity of the SQL Server process.
Disallowed Types and Members
The following table identifies types and members whose HostProtectionResource values are disallowed by SQL Server. Names in the second column are relative to the namespace in the first.
| Namespace | Type or member |
|---|---|
| Microsoft.Win32 | PowerModeChangedEventArgs class, PowerModeChangedEventHandler delegate, SessionEndedEventArgs class, SessionEndedEventHandler delegate, SessionEndingEventArgs class, SessionEndingEventHandler delegate, SessionSwitchEventArgs class, SessionSwitchEventHandler delegate, SystemEvents class, TimerElapsedEventArgs class, TimerElapsedEventHandler delegate, UserPreferenceChangedEventArgs class, UserPreferenceChangingEventArgs class |
| System.Collections | ArrayList.Synchronized method, Hashtable.Synchronized method, Queue.Synchronized method, SortedList.Synchronized method, Stack.Synchronized method |
| System.ComponentModel | AddingNewEventArgs class, AddingNewEventHandler delegate, ArrayConverter class, AsyncCompletedEventArgs class, AsyncCompletedEventHandler delegate, AsyncOperation class, AsyncOperationManager class, AttributeCollection class, BackgroundWorker class, BaseNumberConverter class, BindingList<T> class, BooleanConverter class, ByteConverter class, CancelEventArgs class, CancelEventHandler delegate, CharConverter class, CollectionChangeEventArgs class, CollectionChangeEventHandler delegate, CollectionConverter class, ComponentCollection class, ComponentConverter class, ComponentEditor class, ComponentResourceManager class, Container class, ContainerFilterService class, CultureInfoConverter class, CustomTypeDescriptor class, DateTimeConverter class, DecimalConverter class, Design.ActiveDesignerEventArgs class, Design.ActiveDesignerEventHandler delegate, Design.CheckoutException class, Design.CommandID class, Design.ComponentChangedEventArgs class, Design.ComponentChangedEventHandler delegate, Design.ComponentChangingEventArgs class, Design.ComponentChangingEventHandler delegate, Design.ComponentEventArgs class, Design.ComponentEventHandler delegate, Design.ComponentRenameEventArgs class, Design.ComponentRenameEventHandler delegate, Design.DesignerCollection class, Design.DesignerEventArgs class, Design.DesignerEventHandler delegate, Design.DesignerOptionService class, Design.DesignerTransaction class, Design.DesignerTransactionCloseEventArgs class, Design.DesignerTransactionCloseEventHandler delegate, Design.DesignerVerb class, Design.DesignerVerbCollection class, Design.DesigntimeLicenseContext class, Design.DesigntimeLicenseContextSerializer class, Design.MenuCommand class, Design.Serialization.ComponentSerializationService class, Design.Serialization.ContextStack class, Design.Serialization.DesignerLoader class, Design.Serialization.InstanceDescriptor class, Design.Serialization.MemberRelationshipService class, Design.Serialization.ResolveNameEventArgs class, Design.Serialization.ResolveNameEventHandler delegate, Design.Serialization.SerializationStore class, Design.ServiceContainer class, Design.ServiceCreatorCallback delegate, Design.StandardCommands class, Design.StandardToolWindows class, DoubleConverter class, DoWorkEventArgs class, DoWorkEventHandler delegate, EnumConverter class, EventDescriptor class, EventDescriptorCollection class, EventHandlerList class, ExpandableObjectConverter class, HandledEventArgs class, HandledEventHandler delegate, InstanceCreationEditor class, Int16Converter class, Int32Converter class, Int64Converter class, InvalidAsynchronousStateException class, InvalidEnumArgumentException class, ISynchronizeInvoke.BeginInvoke method, License class, LicenseContext class, LicenseException class, LicenseManager class, LicenseProvider class, LicFileLicenseProvider class, ListChangedEventArgs class, ListChangedEventHandler delegate, ListSortDescription class, ListSortDescriptionCollection class, MaskedTextProvider class, MemberDescriptor class, MultilineStringConverter class, NestedContainer class, NullableConverter class, ProgressChangedEventArgs class, ProgressChangedEventHandler delegate, PropertyChangedEventArgs class, PropertyChangedEventHandler delegate, PropertyDescriptor class, PropertyDescriptorCollection class, ReferenceConverter class, RefreshEventArgs class, RefreshEventHandler delegate, RunWorkerCompletedEventArgs class, RunWorkerCompletedEventHandler delegate, SByteConverter class, SingleConverter class, StringConverter class, SyntaxCheck class, TimeSpanConverter class, TypeConverter class, TypeDescriptionProvider class, TypeDescriptor class, TypeListConverter class, UInt16Converter class, UInt32Converter class, UInt64Converter class, WarningException class, Win32Exception class |
| System.Diagnostics | Debug.Listeners property, Trace.Listeners property, EventLog.SynchronizingObject property, ConsoleTraceListener class, DefaultTraceListener class, DelimitedListTraceListener class, EventLogTraceListener class, PerformanceCounter class, PerformanceCounterCategory class, Process class, ProcessStartInfo class, TextWriterTraceListener class, TraceListener class, XmlWriterTraceListener class, TraceSource.Listeners property |
| System.IO | Stream.Synchronized method, TextReader.Synchronized method, TextWriter.Synchronized method |
| System.Reflection.Emit | ConstructorBuilder class, EventBuilder class, FieldBuilder class, MethodBuilder class, CustomAttributeBuilder class, MethodRental class, ModuleBuilder class, PropertyBuilder class, TypeBuilder class, UnmanagedMarshal class |
| System.Text | RegularExpressions.Group.Synchronized method, RegularExpressions.Match.Synchronized method |
| System.Threading | AutoResetEvent class, EventWaitHandle class, ManualResetEvent class, Monitor class, Mutex class, ReaderWriterLock class, Semaphore class, Thread.AllocateNamedDataSlot method, Thread.BeginCriticalRegion method, Thread.EndCriticalRegion method, Thread.FreeNamedDataSlot method, Thread.GetData method, Thread.Join method, Thread.SetApartmentState method, Thread.SetData method, Thread.SpinWait method, Thread.Start method, Thread.TrySetApartmentState method, ThreadPool class, Timer class |
| System.Timers | Timer class |
| System.Web.Configuration | MachineKeyValidationConverter class |
| System.Windows.Forms | AutoCompleteStringCollection.SyncRoot property |
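
How the table applies to a scalar function, as an added example that is not Microsoft's sample code; the class and method names are hypothetical. The first class relies on members listed above plus a mutable static field, so it does not fit the SAFE or EXTERNAL-ACCESS programming model, while the second produces the same result from its argument alone.

```csharp
using System.Collections;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;

// BEFORE (hypothetical): does not fit the SAFE / EXTERNAL-ACCESS model.
public class CachedLookup
{
    // Mutable static field: state shared across invocations and sessions.
    // Hashtable.Synchronized is listed under System.Collections in the table.
    private static Hashtable cache = Hashtable.Synchronized(new Hashtable());

    [SqlFunction]
    public static SqlString NormalizeCached(SqlString input)
    {
        if (input.IsNull) return SqlString.Null;

        // The lock statement compiles to System.Threading.Monitor calls,
        // and Monitor is listed under System.Threading in the table.
        lock (cache.SyncRoot)
        {
            if (!cache.ContainsKey(input.Value))
                cache[input.Value] = input.Value.Trim().ToUpperInvariant();
            return new SqlString((string)cache[input.Value]);
        }
    }
}

// AFTER (hypothetical): no statics, no synchronization, no listed members.
public class StatelessLookup
{
    [SqlFunction(IsDeterministic = true, IsPrecise = true)]
    public static SqlString Normalize(SqlString input)
    {
        // Everything the function needs arrives as an argument, so nothing
        // survives the call and nothing is shared between sessions.
        return input.IsNull
            ? SqlString.Null
            : new SqlString(input.Value.Trim().ToUpperInvariant());
    }
}
```

If results really must persist between calls, keep them in a database table rather than in process memory, so that the state is managed by SQL Server itself.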
SQL Server Permission Sets
SQL Server allows users to specify the reliability requirements for code deployed into a database. When assemblies are uploaded into the database, the author of the assembly can specify one of three permission sets for that assembly: SAFE, EXTERNAL-ACCESS, or UNSAFE.
| Permission set | SAFE | EXTERNAL-ACCESS | UNSAFE |
|---|---|---|---|
| Code access security | Execute only | Execute + access to external resources | Unrestricted |
| Programming model restrictions | Yes | Yes | No restrictions |
| Verifiability requirement | Yes | Yes | No |
| Ability to call native code | No | No | Yes |
SAFE is the most reliable and secure mode with associated restrictions in terms of the allowed programming model. SAFE code has high reliability and security features. SAFE assemblies are given enough permission to run, perform computations, and have access to the local database. SAFE assemblies need to be verifiably type safe and are not allowed to call unmanaged code.
EXTERNAL-ACCESS provides an intermediate security option, allowing code to access resources external to the database but still having the reliability and safety of SAFE.
UNSAFE is for highly trusted code that can only be created by database administrators. This trusted code has no code access restrictions, and it can call unmanaged (native) code.
SQL Server uses the host-level code access security policy layer to set up a host policy that grants one of the three sets of permissions based on the permission set stored in SQL Server catalogs. Managed code running inside the database always gets one of these code access permission sets.
Programming Model Restrictions
The programming model for managed code in SQL Server requires functions, procedures, and types that do not depend on state held across multiple invocations or on state shared across multiple user sessions. Further, as described earlier, the presence of shared state can cause critical exceptions that impact the scalability and the reliability of the application.
Given these considerations, SQL Server disallows the use of static variables and static data members. For SAFE and EXTERNAL-ACCESS assemblies, SQL Server examines the metadata of the assembly at CREATE ASSEMBLY time, and fails the creation of such assemblies if it finds the use of static data members and variables.
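
A build-time approximation of the static-field check described above, added here as an example; it is not Microsoft's code and not the check SQL Server itself performs. The type names are constructed samples, and treating const and readonly statics as acceptable is an assumption of this example, since the page only states that static data members cause CREATE ASSEMBLY to fail.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Constructed sample types standing in for code headed for CREATE ASSEMBLY.
public class StatefulCounter
{
    private static int callCount;                       // mutable static
    public static int Next() { return ++callCount; }
}

public class StatelessMath
{
    private const int Scale = 100;                      // compile-time literal
    private static readonly int[] Steps = { 1, 2, 3 };  // initonly reference
    public static int Apply(int v) { return v * Scale + Steps.Length; }
}

public static class StaticFieldPreflight
{
    // Returns "Type.Field" for each static field that can be reassigned at run time.
    public static List<string> FindMutableStatics(Assembly assembly)
    {
        const BindingFlags flags = BindingFlags.Static | BindingFlags.Public |
                                   BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        Type[] types;
        try { types = assembly.GetTypes(); }
        catch (ReflectionTypeLoadException ex) { types = ex.Types; } // partial load

        var findings = new List<string>();
        foreach (Type type in types)
        {
            if (type == null) continue;                 // entry that failed to load
            foreach (FieldInfo field in type.GetFields(flags))
                if (!field.IsLiteral && !field.IsInitOnly)
                    findings.Add(type.FullName + "." + field.Name);
        }
        return findings;
    }

    public static int Main(string[] args)
    {
        // With no argument, scan this program itself; otherwise scan the DLL given.
        Assembly target = args.Length > 0
            ? Assembly.LoadFrom(args[0])
            : Assembly.GetExecutingAssembly();
        List<string> findings = FindMutableStatics(target);
        foreach (string f in findings) Console.WriteLine("mutable static: " + f);
        return findings.Count == 0 ? 0 : 1;             // non-zero fails a build step
    }
}
```

A readonly static that refers to a mutable object, such as the array in StatelessMath, passes this scan even though its contents remain shared, so review those fields by hand.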
See Also
- System.Security.Permissions.HostProtectionAttribute
- System.Security.Permissions.HostProtectionResource