Writing Secure Code Using C#

Mobile code, which arrives from sources such as e-mail, documents and code downloaded over the Internet, is the main cause of damaged, destroyed or copied private data. To help protect computer systems from malicious mobile code and to provide a way for mobile code to run safely, the .NET Framework provides a security mechanism called code access security.

Code access security is a mechanism that controls the access that code has to protected resources and operations. In the .NET Framework, code access security defines permissions, enables administrators to configure security policy, allows code to request the permissions it requires in order to run, grants permissions to each assembly that is loaded based on the permissions requested by the code, and enables code to demand that its callers have specific permissions.

Code access security is a mechanism that grants or denies access to resources within a method call. For example, code written by one person may be allowed to write to the disk while code written by another may be forbidden from accessing the disk. This control can be enforced even if the code written by both of them is used within a single application.

The System.Security namespace provides the underlying structure of the .NET Framework security system, including interfaces, attributes, exceptions, and base classes for permissions. The CodeAccessPermission class defines the underlying structure of all code access permissions.

Let's look at a sample application that attempts to access a disk file and an environment variable.

The code shown below creates a permission set that grants read access to the TEMP environment variable and read, write and append access to a file. Until it is changed in this way, every file is subject to the default permission set.

    using System.IO;
    using System.Security;
    using System.Security.Permissions;

    // Create a permission set that allows read access to the TEMP
    // environment variable and read, write, and append access to SomeFile,
    // starting from an empty set (PermissionState.None).
    PermissionSet ps = new PermissionSet(PermissionState.None);
    ps.AddPermission(
        new EnvironmentPermission(EnvironmentPermissionAccess.Read, "TEMP"));
    // Add the file-level permissions. FileIOPermission requires an absolute path.
    ps.AddPermission(
        new FileIOPermission(FileIOPermissionAccess.Read |
            FileIOPermissionAccess.Write | FileIOPermissionAccess.Append,
            Path.GetFullPath("SomeFile")));
    // Assert the set: a demand for these permissions stops its stack walk at
    // this frame, so callers higher up do not need to hold them.
    ps.Assert();

The PermissionSet class (in System.Security) represents a collection that can contain many different kinds of permissions, and supports the methods that use and modify those permissions. We can add, remove, assert, deny and copy permissions.

    // Deny access to the resources we specify.
    // (Deny is marked obsolete as of .NET Framework 4.)
    ps.Deny();
    // Allow access only to the resources in the permission set.
    ps.PermitOnly();
    // Remove the FileIOPermission from the permission set
    ps.RemovePermission(typeof(FileIOPermission));
    // Remove the EnvironmentPermission from the permission set
    ps.RemovePermission(typeof(EnvironmentPermission));

The Deny method prevents callers from accessing the protected resource even if they have been granted permission to access it. PermitOnly ensures that only the resources specified by this permission object can be accessed, even if the code has been granted permission to access other resources. FileIOPermissionAccess specifies the actions that can be performed on the file or folder. The EnvironmentPermission class controls the ability to query and modify system and user environment variables.
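
The following is an added example, not code from the original article, showing PermitOnly restricting the calls made beneath one method and the resulting SecurityException when code reaches outside the permitted set. It assumes the .NET Framework runtime; the class name, method names and file names are hypothetical.

```csharp
// Added example, not from the original article. Assumes .NET Framework
// (code access security is not supported on .NET Core / .NET 5+).
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class PermitOnlyDemo
{
    // Runs one operation and reports whether a permission demand inside it failed.
    static string Try(string label, Action action)
    {
        try { action(); return label + ": allowed"; }
        catch (SecurityException) { return label + ": blocked"; }
    }

    static string[] RunRestricted(string allowedFile, string otherFile)
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "TEMP"));
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, allowedFile));

        ps.PermitOnly(); // from here, demands raised by callees pass only if ps covers them
        try
        {
            return new[]
            {
                Try("read TEMP variable", () => Environment.GetEnvironmentVariable("TEMP")),
                Try("read PATH variable", () => Environment.GetEnvironmentVariable("PATH")),
                Try("read allowed file", () => File.ReadAllText(allowedFile)),
                Try("read other file", () => File.ReadAllText(otherFile)),
            };
        }
        // Lift the restriction explicitly before this frame returns.
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    static void Main()
    {
        // Hypothetical file names; created before the restriction is applied.
        string dir = Path.GetTempPath();
        string allowed = Path.Combine(dir, "cas-allowed.txt");
        string other = Path.Combine(dir, "cas-other.txt");
        File.WriteAllText(allowed, "ok");
        File.WriteAllText(other, "not permitted");
        foreach (string line in RunRestricted(allowed, other)) Console.WriteLine(line);
    }
}
```

Console output is deferred until after RevertPermitOnly so that the reporting code itself does not run under the restricted set.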


We have seen how to write secure code using the publicly available .NET SDK. Although what I have shown you is simple in functionality, you can create your own code access permissions and much more advanced security features in your code.