---
title: "SQL Server Programming and Host Protection Attributes"
ms.custom: ""
ms.date: "03/30/2017"
ms.prod: ".net-framework"
ms.reviewer: ""
ms.suite: ""
ms.technology: dotnet-clr
ms.tgt_pltfrm: ""
ms.topic: "article"
helpviewer_keywords:
  - "SQL Server [.NET Framework]"
  - "permission sets, SQL Server"
  - "SQL Server Programming and Host Protection Attributes"
  - "managed code, SQL Server"
  - "reliability [.NET Framework]"
  - "writing reliable code"
  - "hosts, reliability"
  - "host protection attributes"
  - "HostProtectionAttribute class, reliability"
ms.assetid: 7dfa36b4-e773-4c75-a3ff-ff1af3ce4c4f
caps.latest.revision: 13
author: "mairaw"
ms.author: "mairaw"
manager: "wpickett"
---
# SQL Server Programming and Host Protection Attributes

The ability to load and execute managed code in a SQL Server host requires meeting the host's requirements for both code access security and host resource protection. The code access security requirements are specified by one of three SQL Server permission sets: SAFE, EXTERNAL-ACCESS, or UNSAFE. Code executing within the SAFE or EXTERNAL-ACCESS permission sets must avoid certain types or members that have the <xref:System.Security.Permissions.HostProtectionAttribute> attribute applied. The <xref:System.Security.Permissions.HostProtectionAttribute> is not a security permission as much as a reliability guarantee, in that it identifies specific code constructs, either types or methods, that the host may disallow. The use of the <xref:System.Security.Permissions.HostProtectionAttribute> enforces a programming model that helps protect the stability of the host.

## Host Protection Attributes

Host protection attributes identify types or members that do not fit the host programming model and represent the following increasing levels of reliability threat:

- Are otherwise benign.

- Could lead to destabilization of server-managed user code.

- Could lead to destabilization of the server process itself.

SQL Server disallows the use of a type or member that has a <xref:System.Security.Permissions.HostProtectionAttribute> that specifies a <xref:System.Security.Permissions.HostProtectionResource> value of <xref:System.Security.Permissions.HostProtectionResource.SharedState>, <xref:System.Security.Permissions.HostProtectionResource.Synchronization>, <xref:System.Security.Permissions.HostProtectionResource.MayLeakOnAbort>, or <xref:System.Security.Permissions.HostProtectionResource.ExternalProcessMgmt>. This prevents the assemblies from calling members that enable sharing state, perform synchronization, might cause a resource leak on termination, or affect the integrity of the SQL Server process.

## Disallowed Types and Members

The following table identifies types and members whose <xref:System.Security.Permissions.HostProtectionResource> values are disallowed by SQL Server.

| Namespace | Type or member |
|-----------|----------------|
| Microsoft.Win32 | <xref:Microsoft.Win32.PowerModeChangedEventArgs> class |
| | <xref:Microsoft.Win32.PowerModeChangedEventHandler> delegate |
| | <xref:Microsoft.Win32.SessionEndedEventArgs> class |
| | <xref:Microsoft.Win32.SessionEndedEventHandler> delegate |
| | <xref:Microsoft.Win32.SessionEndingEventArgs> class |
| | <xref:Microsoft.Win32.SessionEndingEventHandler> delegate |
| | <xref:Microsoft.Win32.SessionSwitchEventArgs> class |
| | <xref:Microsoft.Win32.SessionSwitchEventHandler> delegate |
| | <xref:Microsoft.Win32.SystemEvents> class |
| | <xref:Microsoft.Win32.TimerElapsedEventArgs> class |
| | <xref:Microsoft.Win32.TimerElapsedEventHandler> delegate |
| | <xref:Microsoft.Win32.UserPreferenceChangedEventArgs> class |
| | <xref:Microsoft.Win32.UserPreferenceChangingEventArgs> class |
| System.Collections | <xref:System.Collections.ArrayList.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.Collections.Hashtable.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.Collections.Queue.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.Collections.SortedList.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.Collections.Stack.Synchronized%2A?displayProperty=nameWithType> method |
| System.ComponentModel | <xref:System.ComponentModel.AddingNewEventArgs> class |
| | <xref:System.ComponentModel.AddingNewEventHandler> delegate |
| | <xref:System.ComponentModel.ArrayConverter> class |
| | <xref:System.ComponentModel.AsyncCompletedEventArgs> class |
| | <xref:System.ComponentModel.AsyncCompletedEventHandler> delegate |
| | <xref:System.ComponentModel.AsyncOperation> class |
| | <xref:System.ComponentModel.AsyncOperationManager> class |
| | <xref:System.ComponentModel.AttributeCollection> class |
| | <xref:System.ComponentModel.BackgroundWorker> class |
| | <xref:System.ComponentModel.BaseNumberConverter> class |
| | <xref:System.ComponentModel.BindingList%601> class |
| | <xref:System.ComponentModel.BooleanConverter> class |
| | <xref:System.ComponentModel.ByteConverter> class |
| | <xref:System.ComponentModel.CancelEventArgs> class |
| | <xref:System.ComponentModel.CancelEventHandler> delegate |
| | <xref:System.ComponentModel.CharConverter> class |
| | <xref:System.ComponentModel.CollectionChangeEventArgs> class |
| | <xref:System.ComponentModel.CollectionChangeEventHandler> delegate |
| | <xref:System.ComponentModel.CollectionConverter> class |
| | <xref:System.ComponentModel.ComponentCollection> class |
| | <xref:System.ComponentModel.ComponentConverter> class |
| | <xref:System.ComponentModel.ComponentEditor> class |
| | <xref:System.ComponentModel.ComponentResourceManager> class |
| | <xref:System.ComponentModel.Container> class |
| | <xref:System.ComponentModel.ContainerFilterService> class |
| | <xref:System.ComponentModel.CultureInfoConverter> class |
| | <xref:System.ComponentModel.CustomTypeDescriptor> class |
| | <xref:System.ComponentModel.DateTimeConverter> class |
| | <xref:System.ComponentModel.DecimalConverter> class |
| | <xref:System.ComponentModel.Design.ActiveDesignerEventArgs> class |
| | <xref:System.ComponentModel.Design.ActiveDesignerEventHandler> delegate |
| | <xref:System.ComponentModel.Design.CheckoutException> class |
| | <xref:System.ComponentModel.Design.CommandID> class |
| | <xref:System.ComponentModel.Design.ComponentChangedEventArgs> class |
| | <xref:System.ComponentModel.Design.ComponentChangedEventHandler> delegate |
| | <xref:System.ComponentModel.Design.ComponentChangingEventArgs> class |
| | <xref:System.ComponentModel.Design.ComponentChangingEventHandler> delegate |
| | <xref:System.ComponentModel.Design.ComponentEventArgs> class |
| | <xref:System.ComponentModel.Design.ComponentEventHandler> delegate |
| | <xref:System.ComponentModel.Design.ComponentRenameEventArgs> class |
| | <xref:System.ComponentModel.Design.ComponentRenameEventHandler> delegate |
| | <xref:System.ComponentModel.Design.DesignerCollection> class |
| | <xref:System.ComponentModel.Design.DesignerEventArgs> class |
| | <xref:System.ComponentModel.Design.DesignerEventHandler> delegate |
| | <xref:System.ComponentModel.Design.DesignerOptionService> class |
| | <xref:System.ComponentModel.Design.DesignerTransaction> class |
| | <xref:System.ComponentModel.Design.DesignerTransactionCloseEventArgs> class |
| | <xref:System.ComponentModel.Design.DesignerTransactionCloseEventHandler> delegate |
| | <xref:System.ComponentModel.Design.DesignerVerb> class |
| | <xref:System.ComponentModel.Design.DesignerVerbCollection> class |
| | <xref:System.ComponentModel.Design.DesigntimeLicenseContext> class |
| | <xref:System.ComponentModel.Design.DesigntimeLicenseContextSerializer> class |
| | <xref:System.ComponentModel.Design.MenuCommand> class |
| | <xref:System.ComponentModel.Design.Serialization.ComponentSerializationService> class |
| | <xref:System.ComponentModel.Design.Serialization.ContextStack> class |
| | <xref:System.ComponentModel.Design.Serialization.DesignerLoader> class |
| | <xref:System.ComponentModel.Design.Serialization.InstanceDescriptor> class |
| | <xref:System.ComponentModel.Design.Serialization.MemberRelationshipService> class |
| | <xref:System.ComponentModel.Design.Serialization.ResolveNameEventArgs> class |
| | <xref:System.ComponentModel.Design.Serialization.ResolveNameEventHandler> delegate |
| | <xref:System.ComponentModel.Design.Serialization.SerializationStore> class |
| | <xref:System.ComponentModel.Design.ServiceContainer> class |
| | <xref:System.ComponentModel.Design.ServiceCreatorCallback> delegate |
| | <xref:System.ComponentModel.Design.StandardCommands> class |
| | <xref:System.ComponentModel.Design.StandardToolWindows> class |
| | <xref:System.ComponentModel.DoubleConverter> class |
| | <xref:System.ComponentModel.DoWorkEventArgs> class |
| | <xref:System.ComponentModel.DoWorkEventHandler> delegate |
| | <xref:System.ComponentModel.EnumConverter> class |
| | <xref:System.ComponentModel.EventDescriptor> class |
| | <xref:System.ComponentModel.EventDescriptorCollection> class |
| | <xref:System.ComponentModel.EventHandlerList> class |
| | <xref:System.ComponentModel.ExpandableObjectConverter> class |
| | <xref:System.ComponentModel.HandledEventArgs> class |
| | <xref:System.ComponentModel.HandledEventHandler> delegate |
| | <xref:System.ComponentModel.InstanceCreationEditor> class |
| | <xref:System.ComponentModel.Int16Converter> class |
| | <xref:System.ComponentModel.Int32Converter> class |
| | <xref:System.ComponentModel.Int64Converter> class |
| | <xref:System.ComponentModel.InvalidAsynchronousStateException> class |
| | <xref:System.ComponentModel.InvalidEnumArgumentException> class |
| | <xref:System.ComponentModel.ISynchronizeInvoke.BeginInvoke%2A> method |
| | <xref:System.ComponentModel.License> class |
| | <xref:System.ComponentModel.LicenseContext> class |
| | <xref:System.ComponentModel.LicenseException> class |
| | <xref:System.ComponentModel.LicenseManager> class |
| | <xref:System.ComponentModel.LicenseProvider> class |
| | <xref:System.ComponentModel.LicFileLicenseProvider> class |
| | <xref:System.ComponentModel.ListChangedEventArgs> class |
| | <xref:System.ComponentModel.ListChangedEventHandler> delegate |
| | <xref:System.ComponentModel.ListSortDescription> class |
| | <xref:System.ComponentModel.ListSortDescriptionCollection> class |
| | <xref:System.ComponentModel.MaskedTextProvider> class |
| | <xref:System.ComponentModel.MemberDescriptor> class |
| | <xref:System.ComponentModel.MultilineStringConverter> class |
| | <xref:System.ComponentModel.NestedContainer> class |
| | <xref:System.ComponentModel.NullableConverter> class |
| | <xref:System.ComponentModel.ProgressChangedEventArgs> class |
| | <xref:System.ComponentModel.ProgressChangedEventHandler> delegate |
| | <xref:System.ComponentModel.PropertyChangedEventArgs> class |
| | <xref:System.ComponentModel.PropertyChangedEventHandler> delegate |
| | <xref:System.ComponentModel.PropertyDescriptor> class |
| | <xref:System.ComponentModel.PropertyDescriptorCollection> class |
| | <xref:System.ComponentModel.ReferenceConverter> class |
| | <xref:System.ComponentModel.RefreshEventArgs> class |
| | <xref:System.ComponentModel.RefreshEventHandler> delegate |
| | <xref:System.ComponentModel.RunWorkerCompletedEventArgs> class |
| | <xref:System.ComponentModel.RunWorkerCompletedEventHandler> delegate |
| | <xref:System.ComponentModel.SByteConverter> class |
| | <xref:System.ComponentModel.SingleConverter> class |
| | <xref:System.ComponentModel.StringConverter> class |
| | <xref:System.ComponentModel.SyntaxCheck> class |
| | <xref:System.ComponentModel.TimeSpanConverter> class |
| | <xref:System.ComponentModel.TypeConverter> class |
| | <xref:System.ComponentModel.TypeDescriptionProvider> class |
| | <xref:System.ComponentModel.TypeDescriptor> class |
| | <xref:System.ComponentModel.TypeListConverter> class |
| | <xref:System.ComponentModel.UInt16Converter> class |
| | <xref:System.ComponentModel.UInt32Converter> class |
| | <xref:System.ComponentModel.UInt64Converter> class |
| | <xref:System.ComponentModel.WarningException> class |
| | <xref:System.ComponentModel.Win32Exception> class |
| System.Diagnostics | <xref:System.Diagnostics.Debug.Listeners%2A?displayProperty=nameWithType> property |
| | <xref:System.Diagnostics.Trace.Listeners%2A?displayProperty=nameWithType> property |
| | <xref:System.Diagnostics.EventLog.SynchronizingObject%2A?displayProperty=nameWithType> property |
| | <xref:System.Diagnostics.ConsoleTraceListener> class |
| | <xref:System.Diagnostics.DefaultTraceListener> class |
| | <xref:System.Diagnostics.DelimitedListTraceListener> class |
| | <xref:System.Diagnostics.EventLogTraceListener> class |
| | <xref:System.Diagnostics.PerformanceCounter> class |
| | <xref:System.Diagnostics.PerformanceCounterCategory> class |
| | <xref:System.Diagnostics.Process> class |
| | <xref:System.Diagnostics.ProcessStartInfo> class |
| | <xref:System.Diagnostics.TextWriterTraceListener> class |
| | <xref:System.Diagnostics.TraceListener> class |
| | <xref:System.Diagnostics.XmlWriterTraceListener> class |
| | <xref:System.Diagnostics.TraceSource.Listeners%2A?displayProperty=nameWithType> property |
| System.IO | <xref:System.IO.Stream.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.IO.TextReader.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.IO.TextWriter.Synchronized%2A?displayProperty=nameWithType> method |
| System.Reflection.Emit | <xref:System.Reflection.Emit.ConstructorBuilder> class |
| | <xref:System.Reflection.Emit.EventBuilder> class |
| | <xref:System.Reflection.Emit.FieldBuilder> class |
| | <xref:System.Reflection.Emit.MethodBuilder> class |
| | <xref:System.Reflection.Emit.CustomAttributeBuilder> class |
| | <xref:System.Reflection.Emit.MethodRental> class |
| | <xref:System.Reflection.Emit.ModuleBuilder> class |
| | <xref:System.Reflection.Emit.PropertyBuilder> class |
| | <xref:System.Reflection.Emit.TypeBuilder> class |
| | <xref:System.Reflection.Emit.UnmanagedMarshal> class |
| System.Text | <xref:System.Text.RegularExpressions.Group.Synchronized%2A?displayProperty=nameWithType> method |
| | <xref:System.Text.RegularExpressions.Match.Synchronized%2A?displayProperty=nameWithType> method |
| System.Threading | <xref:System.Threading.AutoResetEvent> class |
| | <xref:System.Threading.EventWaitHandle> class |
| | <xref:System.Threading.ManualResetEvent> class |
| | <xref:System.Threading.Monitor> class |
| | <xref:System.Threading.Mutex> class |
| | <xref:System.Threading.ReaderWriterLock> class |
| | <xref:System.Threading.Semaphore> class |
| | <xref:System.Threading.Thread.AllocateNamedDataSlot%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.BeginCriticalRegion%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.EndCriticalRegion%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.FreeNamedDataSlot%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.GetData%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.Join%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.SetApartmentState%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.SetData%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.SpinWait%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.Start%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.Thread.TrySetApartmentState%2A?displayProperty=nameWithType> method |
| | <xref:System.Threading.ThreadPool> class |
| | <xref:System.Threading.Timer> class |
| System.Timers | <xref:System.Timers.Timer> class |
| System.Web.Configuration | <xref:System.Web.Configuration.MachineKeyValidationConverter> class |
| System.Windows.Forms | <xref:System.Windows.Forms.AutoCompleteStringCollection.SyncRoot%2A?displayProperty=nameWithType> property |

## SQL Server Permission Sets

SQL Server allows users to specify the reliability requirements for code deployed into a database. When assemblies are uploaded into the database, the author of the assembly can specify one of three permission sets for that assembly: SAFE, EXTERNAL-ACCESS, or UNSAFE.

| Permission set | SAFE | EXTERNAL-ACCESS | UNSAFE |
|----------------|------|-----------------|--------|
| Code access security | Execute only | Execute + access to external resources | Unrestricted |
| Programming model restrictions | Yes | Yes | No restrictions |
| Verifiability requirement | Yes | Yes | No |
| Ability to call native code | No | No | Yes |

SAFE is the most reliable and secure mode with associated restrictions in terms of the allowed programming model. SAFE code has high reliability and security features. SAFE assemblies are given enough permission to run, perform computations, and have access to the local database. SAFE assemblies need to be verifiably type safe and are not allowed to call unmanaged code.

EXTERNAL-ACCESS provides an intermediate security option, allowing code to access resources external to the database but still having the reliability and safety of SAFE.

UNSAFE is for highly trusted code that can only be created by database administrators. This trusted code has no code access restrictions, and it can call unmanaged (native) code.

SQL Server uses the host-level code access security policy layer to set up a host policy that grants one of the three sets of permissions based on the permission set stored in SQL Server catalogs. Managed code running inside the database always gets one of these code access permission sets.

## Programming Model Restrictions

The programming model for managed code in SQL Server requires functions, procedures, and types that do not hold state across multiple invocations or share state across multiple user sessions. Further, as described earlier, the presence of shared state can cause critical exceptions that impact the scalability and the reliability of the application.

Given these considerations, SQL Server disallows the use of static variables and static data members. For SAFE and EXTERNAL-ACCESS assemblies, SQL Server examines the metadata of the assembly at CREATE ASSEMBLY time, and fails the creation of such assemblies if it finds the use of static data members and variables.
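The two checks described above (the four disallowed <xref:System.Security.Permissions.HostProtectionResource> values, and the rejection of static data members at CREATE ASSEMBLY time) can be approximated before deployment with reflection. The following is an added example, not code from this page or from SQL Server; it assumes .NET Framework, where `HostProtectionAttribute` is applied to BCL members, and the `SampleUdf` type is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Permissions;

// Pre-deployment check: reports what SQL Server would reject in a SAFE / EXTERNAL-ACCESS assembly.
static class HostProtectionCheck
{
    // The four HostProtectionResource values the page lists as disallowed.
    const HostProtectionResource Disallowed =
        HostProtectionResource.SharedState | HostProtectionResource.Synchronization |
        HostProtectionResource.MayLeakOnAbort | HostProtectionResource.ExternalProcessMgmt;
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly;

    public static List<string> Scan(Assembly asm)
    {
        var findings = new List<string>();
        foreach (Type t in asm.GetTypes())
        {
            // A const (IsLiteral) holds no runtime state; static readonly is an
            // exception SQL Server permits that this page does not mention.
            foreach (FieldInfo f in t.GetFields(All))
                if (f.IsStatic && !f.IsLiteral && !f.IsInitOnly)
                    findings.Add($"static field {t.FullName}.{f.Name}");
            Report(t, t.FullName, findings);
            foreach (MethodInfo m in t.GetMethods(All))
                Report(m, $"{t.FullName}.{m.Name}", findings);
        }
        return findings;
    }

    // Flag a type or method whose HostProtectionAttribute needs a disallowed resource.
    static void Report(ICustomAttributeProvider member, string name, List<string> findings)
    {
        foreach (HostProtectionAttribute hp in
                 member.GetCustomAttributes(typeof(HostProtectionAttribute), false))
        {
            HostProtectionResource hit = hp.Resources & Disallowed;
            if (hit != HostProtectionResource.None) findings.Add($"{name} requires {hit}");
        }
    }
}

// Constructed sample type: one violation of each kind next to a method that passes.
class SampleUdf
{
    static int callCount;                              // flagged: mutable static state
    [HostProtection(Synchronization = true)]
    public static void LockAndCount() { callCount++; } // flagged: Synchronization
    public static int Add(int a, int b) => a + b;      // passes
}
```

Calling `HostProtectionCheck.Scan(typeof(SampleUdf).Assembly)` returns two findings, the static field and the Synchronization-marked method; run it as a build step so the failure surfaces before CREATE ASSEMBLY does.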

## See Also

- <xref:System.Security.Permissions.HostProtectionAttribute>
- <xref:System.Security.Permissions.HostProtectionResource>