Home      Discussion      Topics      Dictionary      Almanac
Signup       Login
Code Access Security

Code Access Security

Overview
Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft
Microsoft
Microsoft Corporation is a multinational computer technology corporation that develops, manufactures, licenses, and supports a wide range of software products for computing devices...

's solution to prevent untrusted code from performing privileged actions. When the CLR
Common Language Runtime
The Common Language Runtime is a core component of Microsoft's .NET initiative. It is Microsoft's implementation of the Common Language Infrastructure standard, which defines an execution environment for program code...

 loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to. A code group contains a permission set (one or more permissions). Code that performs a privileged action will perform a code access demand which will cause the CLR to walk up the call stack
Call stack
In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, control stack, function stack, or run-time stack, and is often shortened to just "the stack"...

 and examine the permission set granted to the assembly of each method
Method (computer science)
In object-oriented programming, a method is a subroutine that is exclusively associated either with a class or with an object...

 in the call stack.
The code groups and permission sets are determined by the administrator of the machine who defines the security policy.

Evidence can be any information associated with an assembly.
Discussion
Ask a question about 'Code Access Security'
Start a new discussion about 'Code Access Security'
Answer questions from other users
Full Discussion Forum
 
Encyclopedia
Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft
Microsoft
Microsoft Corporation is a multinational computer technology corporation that develops, manufactures, licenses, and supports a wide range of software products for computing devices...

's solution to prevent untrusted code from performing privileged actions. When the CLR
Common Language Runtime
The Common Language Runtime is a core component of Microsoft's .NET initiative. It is Microsoft's implementation of the Common Language Infrastructure standard, which defines an execution environment for program code...

 loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to. A code group contains a permission set (one or more permissions). Code that performs a privileged action will perform a code access demand which will cause the CLR to walk up the call stack
Call stack
In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, control stack, function stack, or run-time stack, and is often shortened to just "the stack"...

 and examine the permission set granted to the assembly of each method
Method (computer science)
In object-oriented programming, a method is a subroutine that is exclusively associated either with a class or with an object...

 in the call stack.
The code groups and permission sets are determined by the administrator of the machine who defines the security policy.

Evidence


Evidence can be any information associated with an assembly. The default evidences that are used by .NET code access security are:
  • Application directory - The directory in which an assembly resides.
  • Publisher - The assembly's publisher's digital signature (requires the assembly to be signed via Authenticode).
  • URL
    Uniform Resource Locator
    In computing, a Uniform Resource Locator is a subset of the Uniform Resource Identifier that specifies where an identified resource is available and the mechanism for retrieving it. In popular usage and in many technical documents and verbal discussions it is often incorrectly used as a synonym...

     - the complete URL where the assembly was launched from
  • Site - The hostname of the URL/Remote Domain/VPN.
  • Zone - the security zone where the assembly resides
  • Hash
    Cryptographic hash function
    A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that an accidental or intentional change to the data will change the hash value...

     - a cryptographic hash of the assembly, which identifies a specific version.
  • Strong Name - a combination of the assembly name, version and public key of the signing key used to sign the assembly. The signing key is not an X509 certificate, but a custom key pair generated by the strong naming tool, SN.EXE or by Visual Studio.


A developer can use custom evidence (so-called assembly evidence) but this requires writing a security assembly and in version 1.1 of .NET this facility does not work.

Evidence based on a hash of the assembly is easily obtained in code. For example in C#, evidence may be obtained by the following code clause:

this.GetType.Assembly.Evidence

Policy


A policy is a set of expressions that uses evidence to determine a code group membership. A code group gives a permission set for the assemblies within that group. There are four policies in .NET:
  • Enterprise - policy for a family of machines that are part of an Active Directory
    Active Directory
    Active Directory is a technology created by Microsoft that provides a variety of network services, including:* LDAP-like directory services* Kerberos-based authentication* DNS-based naming and other network information...

     installation.
  • Machine - policy for the current machine.
  • User - policy for the logged on user.
  • AppDomain - policy for the executing application domain.


The first three policies are stored in XML
XML
XML is a set of rules for encoding documents electronically. It is defined in the produced by the W3C and several other related specifications; all are fee-free open standards....

 files and are administered through the .NET Configuration Tool 1.1 (mscorcfg.msc). The final policy is administered through code for the current application domain.

Code access security will present an assembly's evidence to each policy and will then take the intersection (that is the permissions common to all the generated permission set) as the permissions granted to the assembly.

By default, the Enterprise, User, and AppDomain policies give full trust (that is they allow all assemblies to have all permissions) and the Machine policy is more restrictive. Since the intersection is taken this means that the final permission set is determined by the Machine policy.

Code Group


Code groups associate a piece of evidence with a named permission set. The administrator uses the .NET Configuration Tool to specify a particular type of evidence (for example, Site) and a particular value for that evidence (for example, www.mysite.com) and then identifies the permission set that the code group will be granted.

Demands


Code that performs some privileged action will make a demand for one or more permissions. The demand makes the CLR walk the call stack and for each method the CLR will ensure that the demanded permissions are in the method's assembly's granted permissions. If the permission is not granted then a security exception is thrown. This prevents downloaded code from performing privileged actions. For example, if an assembly is downloaded from an untrusted site the assembly will not have any file IO permissions and so if this assembly attempts to access a file code access security will throw an exception preventing the call.