Code Access Security
Code Access Security (CAS), in the
Evidence
Evidence can be any information associated with an assembly. The default evidences that are used by .NET code access security are:
- Application directory: the directory in which an assembly resides.
- Publisher: the assembly's publisher's digital signature (requires the assembly to be signed via Authenticode).
- URL: the complete URL where the assembly was launched from
- Site: the hostname of the URL/Remote Domain/VPN.
- Zone: the security zone where the assembly resides
- Hash: a cryptographic hash of the assembly, which identifies a specific version.
- Strong Name: a combination of the assembly name, version and public key of the signing key used to sign the assembly. The signing key is not an X.509 certificate, but a custom key pair generated by the strong naming tool, SN.EXE or by Visual Studio.
A developer can use custom evidence (so-called assembly evidence) but this requires writing a security assembly and in version 1.1 [clarification needed] of .NET this facility does not work.
Evidence based on a hash of the assembly is easily obtained in code. For example, in C#, evidence may be obtained by the following code clause:
this.GetType().Assembly.Evidence
Policy
A policy is a set of expressions that uses evidence to determine a code group membership. A code group gives a permission set for the assemblies within that group. There are four policies in .NET:
- Enterprise: policy for a family of machines that are part of an Active Directory installation.
- Machine: policy for the current machine.
- User: policy for the logged on user.
- AppDomain: policy for the executing application domain.
The first three policies are stored in XML files and are administered through the .NET Configuration Tool 1.1 (mscorcfg.msc). The final policy is administered through code for the current application domain.
Code access security will present an assembly's evidence to each policy and will then take the intersection (that is the permissions common to all the generated permission sets) as the permissions granted to the assembly.
By default, the Enterprise, User, and AppDomain policies give full trust (that is they allow all assemblies to have all permissions) and the Machine policy is more restrictive. Since the intersection is taken, this means that the final permission set is determined by the Machine policy.
Note that the policy system has been eliminated in .NET Framework 4.0.[2]
Code group
Code groups associate a piece of evidence with a named permission set. The administrator uses the .NET Configuration Tool to specify a particular type of evidence (for example, Site) and a particular value for that evidence (for example, www.mysite.com) and then identifies the permission set that the code group will be granted.
Demands
Code that performs some privileged action will make a demand for one or more permissions. The demand makes the CLR walk the call stack and for each method the CLR will ensure that the demanded permissions are in the method's assembly's granted permissions. If the permission is not granted then a security