Code Access Security
Code Access Security in the Microsoft .NET Framework is Microsoft's solution to prevent untrusted code from performing privileged actions. When the CLR loads an assembly, it obtains evidence for the assembly and uses this to identify the code group that the assembly belongs to. A code group contains a permission set (one or more permissions). Code that performs a privileged action makes a code access demand, which causes the CLR to walk up the call stack and examine the permission set granted to the assembly of each method in the call stack.
The code groups and permission sets are determined by the administrator of the machine, who defines the security policy.
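The demand and stack walk described above, shown as an added C# example that is not part of the original article. The AuditLog type, the log path and the execute-only caller are constructed for the illustration; the calls it uses (FileIOPermission.Demand, PermissionSet.PermitOnly, CodeAccessPermission.RevertPermitOnly) are the System.Security ones available from .NET Framework 1.1 onward. Restricting the caller's own frame with PermitOnly reproduces, inside one assembly, what happens when a less-trusted assembly sits somewhere on the call stack.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example, not from the original article: a privileged operation guarded by an
// explicit code access demand, plus a caller that restricts its own frame so the
// resulting stack walk can be seen to fail without loading a second assembly.
public class AuditLog
{
    // Constructed path for the illustration; the directory must exist.
    private const string LogPath = @"C:\Temp\cas-demo-audit.log";

    public static void Append(string line)
    {
        // Imperative demand. The CLR walks every frame above this one and checks that
        // the grant set of each frame's assembly contains this permission; the first
        // frame that lacks it (or carries a PermitOnly/Deny excluding it) makes the
        // walk throw SecurityException, so the file is never opened. The declarative
        // form [FileIOPermission(SecurityAction.Demand, Append = @"C:\Temp\cas-demo-audit.log")]
        // on the method has the same effect.
        new FileIOPermission(FileIOPermissionAccess.Append, LogPath).Demand();

        using (StreamWriter w = File.AppendText(LogPath))
        {
            w.WriteLine(DateTime.UtcNow.ToString("o") + " " + line);
        }
    }
}

public class Program
{
    // Returns true if the demand succeeded, false if the stack walk rejected it.
    public static bool TryAppend(string line)
    {
        try
        {
            AuditLog.Append(line);
            return true;
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Demand failed: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        // 1. A fully trusted caller (for example the MyComputer zone under the default
        //    Machine policy) passes the stack walk.
        Console.WriteLine("Unrestricted caller: " + TryAppend("started"));

        // 2. Same call, but this frame limits itself to "execute only". The walk now
        //    reaches a frame whose effective permissions exclude FileIOPermission,
        //    which is what a partially trusted assembly on the stack looks like.
        PermissionSet executeOnly = new PermissionSet(PermissionState.None);
        executeOnly.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        executeOnly.PermitOnly();
        try
        {
            Console.WriteLine("Execute-only caller: " + TryAppend("must not be written"));
        }
        finally
        {
            // Always undo a stack modifier, otherwise it stays in effect for the frame.
            CodeAccessPermission.RevertPermitOnly();
        }
    }
}
```

The first call prints true and appends a line; the second prints the demand failure and false, because the PermitOnly on Main's frame is encountered during the walk before the demand can be satisfied.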
Evidence
Evidence can be any information associated with an assembly. The default evidences used by .NET code access security are:
- Application directory - the directory in which an assembly resides.
- Publisher - the assembly's publisher's digital signature (requires the assembly to be signed via Authenticode).
- URL - the complete URL where the assembly was launched from.
- Site - the hostname of the URL/Remote Domain/VPN.
- Zone - the security zone where the assembly resides.
- Hash - a cryptographic hash of the assembly, which identifies a specific version.
- Strong Name - a combination of the assembly name, version and public key of the signing key used to sign the assembly. The signing key is not an X509 certificate, but a custom key pair generated by the strong naming tool, SN.EXE, or by Visual Studio.
A developer can use custom evidence (so-called assembly evidence), but this requires writing a security assembly, and in version 1.1 of .NET this facility does not work.
Evidence for an assembly, including its hash evidence, is easily obtained in code. For example, in C# the evidence collection may be obtained by the following expression (GetType is a method, so it must be called with parentheses):
this.GetType().Assembly.Evidence
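An added C# example, not from the original article, that walks the evidence collection obtained as described above and prints the evidence kinds listed in this section. The EvidenceDump type is constructed for the illustration; the evidence classes (Zone, Url, Site, Hash, StrongName, Publisher) and the Evidence enumerators are the System.Security.Policy ones. Which items appear depends on how the assembly was loaded: a file on disk normally carries Zone, Url and Hash, StrongName only if it is strong-named, and Publisher only if it is Authenticode-signed.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security.Policy;

// Added example, not from the original article: enumerate the host evidence the CLR
// attached to a loaded assembly and the custom (assembly) evidence, if any.
public class EvidenceDump
{
    public static void Print(Assembly asm)
    {
        Evidence evidence = asm.Evidence;

        // Host evidence: supplied by the loader and trusted by policy.
        IEnumerator host = evidence.GetHostEnumerator();
        while (host.MoveNext())
        {
            object item = host.Current;
            if (item is Zone)
                Console.WriteLine("Zone:       " + ((Zone)item).SecurityZone);
            else if (item is Url)
                Console.WriteLine("Url:        " + ((Url)item).Value);
            else if (item is Site)
                Console.WriteLine("Site:       " + ((Site)item).Name);
            else if (item is Hash)
                // SHA-1 of the assembly image; it changes with every rebuild, which is
                // why a hash membership condition pins exactly one version.
                Console.WriteLine("Hash(SHA1): " + BitConverter.ToString(((Hash)item).SHA1));
            else if (item is StrongName)
            {
                StrongName sn = (StrongName)item;
                Console.WriteLine("StrongName: " + sn.Name + " " + sn.Version
                                  + " publicKey=" + sn.PublicKey);
            }
            else if (item is Publisher)
                // Authenticode certificate of the publisher (X509Certificate.Subject: .NET 2.0+).
                Console.WriteLine("Publisher:  " + ((Publisher)item).Certificate.Subject);
            else
                Console.WriteLine("Other:      " + item.GetType().FullName);
        }

        // Assembly evidence: custom evidence embedded by the developer (the "assembly
        // evidence" the article mentions). Empty unless the assembly ships some.
        int custom = 0;
        IEnumerator own = evidence.GetAssemblyEnumerator();
        while (own.MoveNext()) custom++;
        Console.WriteLine("Custom assembly evidence items: " + custom);

        // Hash evidence can also be computed directly for any loaded assembly.
        Console.WriteLine("Hash(MD5):  " + BitConverter.ToString(new Hash(asm).MD5));
    }

    public static void Main()
    {
        Print(typeof(EvidenceDump).Assembly);
    }
}
```

Run it once from a local folder and once from a UNC path or after strong-naming the build to see the Zone, Url and StrongName items change; the Hash item is what a code group based on a hash membership condition compares against.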
Policy
A policy is a set of expressions that uses evidence to determine code group membership. A code group gives a permission set for the assemblies within that group. There are four policies in .NET:
- Enterprise - policy for a family of machines that are part of an Active Directory installation.
- Machine - policy for the current machine.
- User - policy for the logged-on user.
- AppDomain - policy for the executing application domain.
The first three policies are stored in XML files and are administered through the .NET Configuration Tool 1.1 (mscorcfg.msc). The final policy is administered through code for the current application domain.
Code access security will present an assembly's evidence to each policy and will then take the intersection (that is, the permissions common to all the generated permission sets) as the permissions granted to the assembly.
By default, the Enterprise, User, and AppDomain policies give full trust (that is, they allow all assemblies to have all permissions) and the Machine policy is more restrictive. Since the intersection is taken, the final permission set is in practice determined by the Machine policy.
Note that the policy system has been eliminated in .NET Framework 4.0.
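The policy resolution and intersection described in this section, as an added C# example that is not part of the original article. The PolicyResolution type, the Intersection helper and the constructed "machine-like" permission set are for the illustration; SecurityManager.PolicyHierarchy, PolicyLevel.Resolve, SecurityManager.ResolvePolicy and PermissionSet.Intersect are the real System.Security members. It targets .NET Framework 1.1 to 3.5; on 4.0 these members are obsolete and throw unless the NetFx40_LegacySecurityPolicy runtime setting is enabled, which is the practical consequence of the note above.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example, not from the original article: resolve the running assembly's evidence
// against each policy level the way the CLR does and intersect the results, then show
// why a FullTrust Enterprise/User/AppDomain level leaves the Machine grant as the answer.
public class PolicyResolution
{
    // Intersects per-level grants. PermissionSet.Intersect returns null for an empty
    // result, so null is normalised to an empty set instead of propagating.
    public static PermissionSet Intersection(PermissionSet[] perLevel)
    {
        PermissionSet result = new PermissionSet(PermissionState.Unrestricted);
        foreach (PermissionSet ps in perLevel)
        {
            PermissionSet next = result.Intersect(ps);
            result = (next == null) ? new PermissionSet(PermissionState.None) : next;
        }
        return result;
    }

    public static string Describe(PermissionSet ps)
    {
        if (ps.IsUnrestricted()) return "FullTrust";
        return ps.Count + " permission(s)";   // PermissionSet.Count: .NET 2.0+
    }

    public static void Main()
    {
        Evidence evidence = Assembly.GetExecutingAssembly().Evidence;
        ArrayList grants = new ArrayList();

        // Enterprise, Machine, User: the three XML-backed levels administered with mscorcfg.msc.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PermissionSet fromLevel = level.Resolve(evidence).PermissionSet;
            Console.WriteLine(level.Label.PadRight(10) + ": " + Describe(fromLevel));
            grants.Add(fromLevel);
        }
        // The AppDomain level is set in code (AppDomain.SetAppDomainPolicy) and defaults
        // to FullTrust, so it leaves the intersection unchanged.

        PermissionSet granted = Intersection((PermissionSet[])grants.ToArray(typeof(PermissionSet)));
        Console.WriteLine("Intersection : " + Describe(granted));

        // The runtime's own one-call resolution, for comparison.
        Console.WriteLine("ResolvePolicy: " + Describe(SecurityManager.ResolvePolicy(evidence)));

        // Why the Machine level wins by default: FullTrust intersected with X is X.
        // The "machine-like" set below is constructed for the illustration.
        PermissionSet machineLike = new PermissionSet(PermissionState.None);
        machineLike.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        machineLike.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\data"));
        PermissionSet demo = Intersection(new PermissionSet[] {
            new PermissionSet(PermissionState.Unrestricted),   // Enterprise
            machineLike,                                       // Machine
            new PermissionSet(PermissionState.Unrestricted),   // User
            new PermissionSet(PermissionState.Unrestricted) }); // AppDomain
        bool sameAsMachine = demo.IsSubsetOf(machineLike) && machineLike.IsSubsetOf(demo);
        Console.WriteLine("Result equals the Machine grant: " + sameAsMachine);
    }
}
```

When run from the local disk under the default policy the three levels print FullTrust and so does the intersection; copy the same executable to a network share or an Internet-zone location and the Machine line (and therefore the intersection) shrinks to the LocalIntranet or Internet permission set while Enterprise and User still report FullTrust.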