Code access security is a feature of .NET that manages code, dependent on our level of trust. If the CLR trusts the code enough to allow it to run, it will begin executing the code. Depending on the permissions provided to the assembly, however, it might run within a restricted environment. If the code is not trusted enough to run, or if it runs but then attempts to perform an action, for which it does not have the relevant permissions, a security exception (of type Security Exception, or a subclass of it) is thrown. The code access security system means that we can stop malicious code running, but we can also allow code to run within a protected environment, where we are confident that it cannot do any damage.

CAS is part of .Net security model that determines whether or not a piece of code is allowed to run and what resources it can use while running. CAS grants rights to program depending on the security configuration of the machine. For e.g. the program has rights to edit or create a new file but the security configuration of machine does not allow the program to delete a file.

Code access security is based on two concepts:

•  Code Groups

•  Permissions

Code Groups

Bring together code with similar characteristics, although the most important property is usually where the code came from. Two examples for code groups are Internet and Intranet. The group Internet defines code that is sourced from the Internet, the group Intranet defines code sourced from the LAN. Code groups have an entry requirement called membership condition. Each code group has one, and only one, membership condition.

Following is the available list of code groups memberships:

1. Zone:- The region from which the code originated. A zone is one of the commonly used condition. A zone is the region of origin of a piece of code and refers to one of the following: My Computer, Internet, Intranet, Trusted, or Untrusted.


2. Site:- The Web site from which the code originated.


3. Strong Name:- A unique, verifiable name for the code.


4. Publisher:- The publisher of the code.


5. URL:- The specific location from which the code originated.


6. Hash Value:- The hash value for the assembly.


7. Skip Verification:- This condition requests that it bypasses code verification checks.


8. Application Directory:- The location of the assembly within the application.


9. All Code:- All code fulfills this condition.


10. Custom:- A user-specified condition.

Code groups are arranged hierarchically with the All Code membership condition at the root.

Permissions

Permissions are the actions we allow each code group to perform? For example, permissions include “able to access the user interface” and “able to access local storage.” The system administrator usually manages the permissions at the enterprise, machine, and user levels.

Caspol.exe [Code Access Security Policy Tool]

To get the list of options available with the tool, run the following command from the command prompt: caspol.exe -?

Output:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727> caspol.exe -?

Microsoft (R) .NET Framework CasPol 2.0.50727.42

Copyright (c) Microsoft Corporation. All rights reserved.

Help screen requested

Usage: caspol <option> <args> ...

caspol -m [achine]

Modifier that makes additional commands act on the machine level

caspol –u [ser]

Modifier that makes additional commands act on the user level

caspol –en [terprise]

Modifier that makes additional commands act on the enterprise level

caspol –cu

caspol -customuser <path>

Modifier that makes additional commands act on the custom user level

caspol –a [ll]

Set all policy levels as the active levels

Press <enter> to continue....

To view code group available on the machine. Here after running this command, we will be available to view the code groups on the machine, and next to each group is a description of the code group. Type this command: Caspol.exe -list description

Output:

Microsoft (R) .NET Framework CasPol 1.1.4322.535

Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

Security is ON

Execution checking is ON

Policy change prompt is ON

Level = Machine

Full Trust Assemblies:

1. All_Code: Code group grants no permissions and forms the root of the code group tree.

1.1. My_Computer_Zone: Code group grants full trust to all code originating on the local computer

1.1.1. Microsoft_Strong_Name: Code group grants full trust to code signed with the Microsoft strong name.

1.1.2. ECMA_Strong_Name: Code group grants full trust to code signed with the ECMA strong name.

1.2. LocalIntranet_Zone: Code group grants the intranet permission set to code from the intranet zone. This permission set grants intranet code the right to use isolated storage, full UI access, some capability to do reflection, and limited access to environment variables.

1.2.1. Intranet_Same_Site_Access: All intranet code gets the right to connect back to the site of its origin.

1.2.2. Intranet_Same_Directory_Access: All intranet code gets the right to read from its install directory.

1.3. Internet_Zone: Code group grants code from the Internet zone the Internet permission set. This permission set grants Internet code the right to use isolated storage and limited UI access.

1.3.1. Internet_Same_Site_Access: All Internet code gets the right to connect back to the site of its origin.

1.4. Restricted_Zone: Code coming from a restricted zone does not receive any permissions.

1.5. Trusted_Zone: Code from a trusted zone is granted the Internet permission set. This permission set grants the right to use isolated storage and limited UI access.

1.5.1. Trusted_Same_Site_Access: All Trusted Code gets the right to connect back to the site of its origin.

Success

Viewing an Assembly Code Group

Assemblies are matched to code groups dependent on the membership conditions they match. You can easily view the code groups that an assembly is a member of using this command: caspol.exe –resolve group firstApplication.dll

Output:

Running this command on an assembly on the local drive produces this output:

Microsoft (R) .NET Framework CasPol 1.1.4322.535

Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

Level = Enterprise

Code Groups:

1. All code: FullTrust

Level = Machine

Code Groups:

1. All code: Nothing

1.1. Zone - MyComputer: FullTrust

Level = User

Code Groups:

1. All code: FullTrust

Success

• Printer Friendly
• Email to a friend
• Add to my Favourites
• Download PDF version
• Report Bad Submissions
• Submit Feedback