I'm implementing an application which will load and execute 3rd party code.
While .NET Sandboxing is fine, I can't find a way to prevent code from starting new threads.
This is a problem because AFAIK we can't enumerate and abort them safely to unload the sandbox AppDomain - we have to exit the whole process.
How could I ban Thread.Start, or (better) whitelist/blacklist specific CLR APIs?
You would need to create a scripting environment rather than run compiled code. In this environment you could parse out unsupported/unwanted keywords.
http://msdn.microsoft.com/en-us/library/ms974577.aspx
http://osherove.com/blog/2004/2/17/make-your-net-application-support-scripting-a-practical-appr.html
http://www.codeproject.com/KB/library/Dotnet_Scriptor.aspx
There might be some way of limiting permissions of code running within an AppDomain, is this what you are talking about with Sandboxing?
Good example of use of AppDomain
You could potentially force unloading of an AppDomain if "bad stuff" was occuring with cpu and memory.
more recently in .net 4 I have noticed but not investigated HostProtection Permissions ...
System.Security.Permissions hostprotectionattribute
=== EDIT ===
It looks like CLR Hosting with Security Permission being set would be the way to go. Links...
http://msdn.microsoft.com/en-us/library/hbzz1a9a(v=vs.90).aspx
http://msdn.microsoft.com/en-us/library/h846e9b3(v=vs.90).aspx
http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermission(v=vs.90).aspx