PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Real World Computing

.NET security

Posted on 26 Jul 2006 at 15:16

Thomas Lee looks at the security architecture of .NET and delves into code access security

As an example of evidence, here's a short C# program that prints out its own evidence:

//evidence.cs
// Prints the evidence the CLR has gathered about this assembly: host evidence
// (supplied by the loader: zone, URL, site, ...) and assembly evidence
// (embedded by the author, e.g. the strong name added by /keyfile).
// Targets .NET Framework 2.0, where Assembly.Evidence is available.
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Policy;

[assembly: AssemblyVersion("1.2.1123.0")]

public class ShowEvidence
{
    public static void Main()
    {
        Assembly thisAssembly = Assembly.GetExecutingAssembly();
        Evidence ev = thisAssembly.Evidence;

        // Host evidence: what the runtime host (here, the shell launching the exe) knows about the code.
        Console.WriteLine("Host Evidence:");
        IEnumerator enumerator = ev.GetHostEnumerator();
        while (enumerator.MoveNext())
        {
            Console.WriteLine(enumerator.Current + Environment.NewLine);
        }

        Console.WriteLine(Environment.NewLine);

        // Assembly evidence: identity the assembly carries with it (strong name, publisher certificate).
        Console.WriteLine("Assembly Evidence:");
        enumerator = ev.GetAssemblyEnumerator();
        while (enumerator.MoveNext())
        {
            Console.WriteLine(enumerator.Current + Environment.NewLine);
        }
    }
}

You can compile this code two ways (with and without a key file) to see the difference in the evidence that it prints out. Simply compiling the code as csc evidence.cs lets you see the assembly evidence without a strong name, but you can also compile it as follows (using a previously generated key stored in pcpro.key, as I described in the May column): csc evidence.cs /keyfile:pcpro.key

When you later run the compiled program, you'll see the same evidence as previously generated, along with the strong name generated by the C# compiler.

Publishers can also sign an assembly with an X.509 certificate. To make use of this in the real world, the publisher needs to have obtained a code-signing key from a Certificate Authority that they trust, such as VeriSign or Thawte. These don't come for free, and they require the publisher to verify their own identity offline, which can be both time-consuming and expensive. For testing purposes, you can use Microsoft's makecert.exe program to create a signing certificate. This tool is distributed as part of the .NET Framework SDK. However, makecert.exe won't be much good if you want to distribute the code, because the certificates it creates are in effect self-signed and therefore most unlikely to be trusted by anyone outside your own organisation. They are useful, however, when you're testing the security portions of your application code: for more information about makecert.exe, see tinyurl.com and tinyurl.com

Evidence is used to provide the CLR (Common Language Runtime) with information about the identity of an assembly, and based on this evidence the CLR can make use of CAS policy to define what operations that assembly is allowed to perform.

CAS policy

By itself, evidence is interesting but not entirely useful - the real value of evidence is as an input to the policy and permission mechanism. Based on the evidence, you can apply highly granular policies to restrict the actions individual assemblies can perform. A key feature of this approach is that IT administrators can configure CAS policy themselves - you don't need programming knowledge or a compiler to do so. CAS policy can be applied at four separate levels:

• User: policy applied to one particular user. User policy is found in %userprofile%\Application Data\Microsoft\CLR Security Config\CLRVersion\security.config (that is, located in the user profile).

• Machine: policy that applies to all users on a specific host. Machine policy comes from %systemroot%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.
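The following program is an added example, not code from the column, that ties the two halves of the story together: it picks the identity items out of the evidence (zone, URL, site, strong name and publisher certificate, the things CAS policy actually matches on), asks the CLR which code groups in each policy level match that evidence and what permission set results, and then shows enforcement by demanding a FileIOPermission before and after a Deny on the stack. It assumes .NET Framework 2.0 (the policy APIs used here, SecurityManager.ResolvePolicy, PolicyLevel.ResolveMatchingCodeGroups and CodeAccessPermission.Deny, are obsolete from 4.0 onwards), and the file name caspolicy.cs and the probe path under the temp directory are constructed for the example; the optional pcpro.key is the key file from the column.

```csharp
// caspolicy.cs -- added example; compile with: csc caspolicy.cs  [/keyfile:pcpro.key]
// Requires .NET Framework 2.0/3.5: the CAS policy APIs below are obsolete in 4.0+.
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public class CasPolicyDemo
{
    // Evidence implements ICollection; enumerating it yields host evidence then assembly evidence.
    // Only the identity-related items matter to policy, so print those with their typed values.
    static void DescribeEvidence(Evidence ev)
    {
        Console.WriteLine("Identity evidence for this assembly:");
        foreach (object item in ev)
        {
            if (item is Zone)
                Console.WriteLine("  Zone:       " + ((Zone)item).SecurityZone);
            else if (item is Url)
                Console.WriteLine("  Url:        " + ((Url)item).Value);
            else if (item is Site)
                Console.WriteLine("  Site:       " + ((Site)item).Name);
            else if (item is StrongName)   // present only when built with /keyfile
                Console.WriteLine("  StrongName: " + ((StrongName)item).Name + " v" + ((StrongName)item).Version);
            else if (item is Publisher)    // present only when Authenticode-signed
                Console.WriteLine("  Publisher:  " + ((Publisher)item).Certificate.Subject);
        }
    }

    // Print a code group and its children, with the named permission set each one grants.
    static void PrintCodeGroup(CodeGroup group, int indent)
    {
        if (group == null) return;
        Console.WriteLine(new string(' ', indent) + group.Name + " -> " + group.PermissionSetName);
        foreach (CodeGroup child in group.Children)
            PrintCodeGroup(child, indent + 2);
    }

    // Walk the policy hierarchy (Enterprise, Machine, User, plus any AppDomain level) and show which
    // code groups match this evidence at each level, then the intersection the CLR actually grants.
    static void ResolvePolicy(Evidence ev)
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            Console.WriteLine("Policy level: " + level.Label + "  (" + level.StoreLocation + ")");
            PrintCodeGroup(level.ResolveMatchingCodeGroups(ev), 2);
        }
        PermissionSet granted = SecurityManager.ResolvePolicy(ev);
        Console.WriteLine("Granted permission set: " +
            (granted.IsUnrestricted() ? "FullTrust" : granted.ToString()));
    }

    // Demand triggers a stack walk; it fails if any caller lacks (or has denied) the permission.
    static bool CanReadFile(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    public static void Main()
    {
        Evidence ev = Assembly.GetExecutingAssembly().Evidence;
        DescribeEvidence(ev);
        Console.WriteLine();
        ResolvePolicy(ev);
        Console.WriteLine();

        // Constructed probe path; the file is never created or read, only the permission is checked.
        string probe = Path.Combine(Path.GetTempPath(), "cas-probe.txt");
        Console.WriteLine("Read demand before Deny: " + CanReadFile(probe));
        new FileIOPermission(FileIOPermissionAccess.Read, probe).Deny();
        Console.WriteLine("Read demand after Deny:  " + CanReadFile(probe));
        CodeAccessPermission.RevertDeny();
    }
}
```

Run from a local disk the machine policy normally maps the MyComputer zone to FullTrust, so the first demand succeeds and only the Deny makes the second one fail; copy the same exe to a network share or rebuild it with /keyfile:pcpro.key and the matched code groups, the StrongName line and the granted set change without touching the code, which is the point of keeping policy in the administrator's hands rather than the developer's.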
