LinkDemands, JIT and Exceptions

Ran across another little problem today that I figured I'd mention.  To many people security is nothing but a pain in the butt so you just do what you have to do to make your code run.  If you're one of those people, you probably should stop reading this now and either polish up your resume' (you'll probably need it in the near future) or go learn why that's not a great long term survival strategy.

Anyway, it's a common misconception to think that when your application starts, all of the code contained therein is JITed.  If this were really the case, then it wouldn't really be JIT as much as RunOnStartAndQueuedTillYaNeedIt - since that makes such a sh1tty acronym - Microsoft went with JIT.  Actually, there are a few other reasons but I won't bore you now.  So if SomeObject.SomeMethod never gets called in an applicatiion - guess what - it's not JITTed.   Makes perfect sense when you think about it but a lot of people don't realize when things actually get JITTED.

So I was using LinkDemands in a certain part of my application.  If you don't understand the difference between Demands and LinkDemands - here it is in a nutshell.  Demands cause a Stack Walk to verify that every piece of the chain has all of the required permissions needed to execute the code.  LinkDemands don't walk the stack - instead they just verify the immediate caller.  So yes, LinkDemands aren't as safe as Demands.  However because they don't have to stick the 4n4l probe quite so far up your applicaton's a33 - you should realize a performance increase in many cases. When you're needing to squeeze out every single piece of performance, LinkDemands are the way to go in many cases.  Also, if you're pretty sure that everything that will call this assembly has done it's homework security wise - then they MAY, MAY, be a good alternative.  If somehow you got the impression “Hey, LinkDemands are faster, faster always == good, LinkDemands are always better”  -  NO, that's not the case.  Like everything else in programming and life -there are trade offs.  If you aren't careful with these - ie you didn't make sure that every other caller that can call it has done a LinkDemand - then you may be opening yourself up for an Escalation of Privilege attack - and those usually suck. [BTW, you can minimize your exposure here as well by using an StrongNameIdentity and sign it with your company's key but I'm starting to get into a recursive loop here].

Anyway, I had some LinkDemands in my code that wasn't getting called and all was well.  But today I called the method - kaboom - I had an issue.  Why?  Because these checks are done at JIT Time, not startup, not after 10 seconds, not after the CLR issues a Fatwa to get it done - it's right before JIT time.  So if your code don't be getting jitted - then the check don't be getting done.  Just something to keep in mind.