Article : Code Access Security Part - 1 (.Net FrameWork Tools Series)

Discussion in 'ASP .Net' started by Namratha Shah \(Nasha\), Nov 6, 2004.

  1. Hey Guys,

    Today we are going to look at Code Access Security.

    Code access security is a feature of .NET that manages code depending on its
    trust level. If the CLS trusts the code enough to allow it ro run then it
    will execute, the code execution depends on the permission provided to the
    assembly. If the code is not trusted wnough to run or it attempts to perform
    an action which doe not have the required permissions then its execution is
    stop and the application exits.

    Code access security is primarily about protecting resources like your
    local disk,netwoek, user interface from malicious code and not a tool for
    protecting software from users which is a general misbelief.

    Code access security is based upon Code Groups and Permissions.

    Code Groups :- In windows we have user groups and every user belongs to a
    group. We do not give permissions to users on indiviual basis but rather it
    is more convient to create a group and give permissions to this group. In
    the same way we have code groups bring code that has similar characteristics
    and execution permissions togather.

    E.g. One of the predefined code groups is Internet. If we say that this code
    belongs to Internet code group this code has only those permissions which
    are defined by this group. Like the Internet code group does not have access
    to your local access hence all the applications executing under this code
    group will not have permissions to access the local hard disk.

    Permissions :- They are actions that each code group is allowed to perform
    e.g. Permissions to access the user interface. This permission management
    can be done at 3 levels Enterprise,Machine and User level.

    "All Code" code group is the root group. All the code groups is under this
    code group. If an assembly does not match a code group in the hierarchy code
    groups below it are not searched.

    For an assembly to be a member of any code group it need to fulfill its
    membership condition.Each code group has one and only one membership
    condition. This is the list of membership conditions in which "All code"
    membership condition is at the root.

    Let us view all the available code group membership conditions :

    1) Go to Visual Studio Command promt and type caspol /help
    2) Scroll at the bottom and you will see the following membership or "mship"

    where "<mship>" can be:

    -allcode All code
    -appdir Application directory
    -custom <xml_file> Custom membership condition
    -hash <hashAlg> {-hex <hashValue>|-file <assembly_name>} Assembly hash
    -pub {-cert <cert_file_name> | -file <signed_file_name> | -hex
    <hex_string>} Software publisher
    -site <website> Site
    -strong -file <assemblyfile_name> {<name> | -noname}{<version>
    | -noversion} Strong name
    -url <url> URL
    -zone <zone_name> Zone, where zone can be: (MyComputer,

    Zone is the most commonly used membersip condition.These zones are managed
    from IE using the security options

    3) Go to IE. ... Tools ... Options ... Security Tab ... And you will see all
    these options.

    Note :- These options are set from IE they apply to the whole machine.

    4) Type caspol.exe - lg. This command will list all the code groups without
    the descriptions. If you want to see the desriptions
    Type caspol.exe -ld.

    5) To view the code groups of an assembly e.g. Type caspol -resolvegroups
    <DLLName>.dll. It will show a similar output

    Level = Enterprise
    Code Groups:
    1. All code: FullTrust

    Level = Machine
    Code Groups:
    1. All code: Nothing
    1.1. Zone - MyComputer: FullTrust

    Level = User
    Code Groups:
    1. All code: FullTrust


    6) In order to understand code access security completely we need to
    understand Permission sets very well.

    Type caspol -lp | more.

    You will see an entire list of permissions in the form of xml tags.

    We will look a few most frequently used permission sets :

    SQLCLientPermission :-- Permission to access SQL Database.
    UIPermission :- Permission to access user interface.
    FileIOPermission : - Permission to read,writing or append to file as well as
    creating folders.
    Printing Permission :- Permission to print
    WebPermission :- Prmission to make or accept connetions to/from the web.

    ..Net has provided us with predefined permission sets a.k.a. named permssion
    sets. They are :-


    Note : Only the last 3 can be modified the first three cannot altered.

    You can also view assembly premissions with caspol :-

    caspil.exe -rp <Your Assembly>.dll

    Note :- In one of my previous articles we had seen hoow to view assembly
    permissions with permview.exe.

    Now lets view the current permission sets for each code groups at various
    policy levels.
    CAS policy levels exists either at enterprise, user or machine level.

    By deffault when you listgroups using caspol machine level policy details
    are displayed to you. If you want to see user and enterprise policy details
    type -u or -en as follows :-

    caspol -u -lg // for user

    caspol -en -lg // for enterprise

    By Default .Net gives FullTrust permissions to "ALL Code " Code group at
    enterprise and user level.

    The question now is ow we determine which policy level will be used. Well
    CAS takes an intersection of all the 3 policy levels i.e. user enterprise
    and machine. Hence if you have made any changes on your machine's policy you
    administrator can easily override it by changing the user or enterprise

    Today we have seen the code access groups, permission sets and the
    different policy levels. In my tommorrow's article we will create a sample
    app and see how we can manage security policy.

    -- Please post your queries and comments for my articles in the usergroup
    for the benefit of all. I hope this step from my end is helpful to all of


    Namratha (Nasha)
    Namratha Shah \(Nasha\), Nov 6, 2004
    1. Advertisements

  2. You should talk about evidence in this article. Evidence is gathered by the assembly loader based on the origins of the code: what zone is it from? what URL?, what is the hash of the file? has the file got a strong name? It is this evidence that is compared to the membership conditions of the code groups. You can look at the evidence for an assembly via the Assembly.Evidence property.


    Richard Blewett - DevelopMentor

    Hey Guys,

    Today we are going to look at Code Access Security.

    Richard Blewett [DevelopMentor], Nov 8, 2004
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Namratha Shah \(Nasha\)
    Namratha Shah \(Nasha\)
    Nov 6, 2004
  2. Namratha Shah \(Nasha\)
    Namratha Shah \(Nasha\)
    Nov 23, 2004
  3. Namratha Shah \(Nasha\)

    Article : Security Tools Part -- 2 (.Net FrameWork Tools Series)

    Namratha Shah \(Nasha\), Nov 23, 2004, in forum: ASP .Net Datagrid Control
    Namratha Shah \(Nasha\)
    Nov 23, 2004
  4. Namratha Shah \(Nasha\)

    Article : Security Tools Part -- 2 (.Net FrameWork Tools Series)

    Namratha Shah \(Nasha\), Nov 23, 2004, in forum: ASP .Net Mobile
    Namratha Shah \(Nasha\)
    Nov 23, 2004
  5. Namratha Shah \(Nasha\)

    Article : Security Tools Part -- 2 (.Net FrameWork Tools Series)

    Namratha Shah \(Nasha\), Nov 23, 2004, in forum: ASP .Net Security
    Namratha Shah \(Nasha\)
    Nov 23, 2004