Security in Microsoft .Net Framework: Part I

What is CAS?

CAS stands for Code Access security. CAS is a process that controls the access that code has to protected resources and operations. CAS allows code to be trusted to varying degrees, depending on where the code originates and on other aspects of the code's identity. CAS also enforces the varying levels of trust on code, which minimizes the amount of code that must be fully trusted in order to run.

Why need of Code Access Security

  • Using CAS can reduce the chances that your code can be misused by cruel or error-filled code. 
  • You can specify the operations to your code. That code should be allowed to perform or never allowed to perform hence CAS can help you to reduce your problems. 
  • Code access security also helps to reduce the damage that can result from security vulnerabilities in your code.
  • It also helps to set the permission and set of permission to access the code.
  • CAS supports number of operations which code can or cannot do. Some of them are listed at bottom.

Code Access Permission:

All code access permission is derived from the CodeAccessPermission class.

This class contains some important methods:

Method Name Description
Assert The calling code can access the permission that protected by permission demand through the code.
Demand Forces a Security Permission run time if all callers higher in the call stack have not been granted the permission specified by the current instance.
Deny Prevents callers higher in the call stack from using the code that calls this method to access the resource specified by the current instance.
Permit Only Prevents callers higher in the call stack from using the code that calls this method to access all resources except for the resource specified by the current instance.
RevertAll  Causes all previous overrides for the current frame to be removed and no longer in effect.
RevertAsset It reverts the Asset.
RevertDeny Revert the deny.

The .NET Framework provides the following code access permissions.

Code access permission Resource protected
DirectoryServicesPermission Directory services
DNS services
EnvironmentPermission Environment variables
EventLogPermission Event logs
FileDialogPermission File dialog boxes in the UI
FileIOPermission Files and folders on the file system
IsolatedStorgeFilePermission Isolated storage
MessageQueuePermission Message queues
OleDbPermission Databases accessed by the OLEDB data access provider
PerformanceCounterPermission Performance counters
PrintingPermission Printers
ReflectionPermission Type information at run time
RegistryPermission Registry
SecurityPermission Execute code, assert permissions, call unmanaged code, skip verification, and other rights
ServiceControllerPermission Running or stopping services
SocketPermission Connections to other computers via sockets
SqlClientPermission Databases accessed by the SQL Server data access provider
UIPermission Windows and other UI elements
WebPermission Connections to other computers via HTTP

What is Stack Wall?

With help of stack wall CLR determines what code access permission exists on all stack frames and stack wall done runtime by the CLR. Stack wall generates the permission set with the help of imperative and declarative security call.

In Part II, We will see how to create Code Groups, set Permissions and CAS Tool.