Thursday, 15 October 2009

Code Access Security (CAS)

In the .NET framework all assemblies (which run managed code) is running in their own security scope. Which doesn't just depend on the user running the assembly(in respect to the Role-Based security (RBS)) but also on the Code Access Security (CAS).

The CAS system gathers evidence to identify assemblies to determine which code group the assembly belongs.


Evidence is data which the CAS collects at runtime to determined the assembly's security level, like a user is identified by username and password.

Examples of Evidence is:

  1. Applications directory

  2. Hash

  3. Publisher

  4. Site

  5. Strong Name

  6. URL

  7. Zone: The zone in which the assembly is running(Internet Zone, Intranet Zone, or Trusted Zone)


There is a long list of things an assembly needs to have permission to do, like sending web requests, read or write files ect. for a complete list look here: (System.Security.Permissions Namespace)

A specific example could be the File dialog permission(link), which specifies whether an assembly may present one to the user. Another permission can be File IO which restricts access to files and folders(link)

Permission set

So, this seems pretty straight forward, a permission set is a set of permissions right, it is a so called ACL (Accesss Control List), which means it is a list of permissions, used by the CAS to verify whether it should give permission/access to an assembly.

A well known permission set is the Internet default permission set, which contains the following permissions:

  1. File Dialog

  2. Isolated Storage File

  3. Security

  4. User Interface

  5. Printing

Most are self describing, even if it is worth noting that the Security permission gives the permission to execute, but as with all permissions there are many levels of a permission, look further here SecurityPermissionFlag

.Net framework contains seven default permission sets.

Code group

Based on the evidence, an Assembly is places in a specific code group. A code group is a user groups provided to RBS, its connects the assemblies with permission sets. A group membership condition is determined by one piece evidence which the assembly should have.

An assembly can be member of several groups, if so the assembly will receive the union of the permissions in the permission sets.

Code groups can also be nested inside each other, which allows the manager to make arbitrary complex structures. An example of such a hierarchy is: assemblies with Microsoft strong names is placed in a group called Microsoft_Strong_Name code group, which is contained in My_Computer_Zone code group which again is contained inside All_Code. (in short All_Code->My_Computer_Zone->Microsoft_Strong_Name)


Security Policy

Okay so all these things together, should also have a term, so we can make different sets of all these things, and these sets is called a security policy.

A security policy is a logical grouping of code groups and permission sets. The security policy is used to group the security into levels. There are four default security policy levels; Enterprise, machine, User and Application Domain.

Since these overlap an assembly's permission set is the intersection of the policies.

By default, the Enterprise and User security policies grant all code full trust.

Put It All Together

The system administrator can make security policies for the hole network (enterprise security policy), for each computer, for each user, and application domain.

Inside each policy he might look at the different code groups (fx. My_Computer_Zone, LocalIntranet_Zone, Internet_Zone) and check permission set of the groups.

When an assembly is loaded, the system will look at the evidence, and figure out which groups the assembly is in. then all the permissions of these groups are joined, but then you have to take the intersection of the policies, meaning that the policy which is most restrictive sets the permissions. when all this is finished the CAS will compare notes with the RBS of the operation system, and again choose the most restrictive set of permissions. This is also called Security stack walk

No comments: