Code Access Security in .NET
In this blog, I explain Code Access Security in .NET.
What is Code Access Security?
The .NET Framework provides a security mechanism called Code Access Security (CAS)
to protect computer systems from malicious code and to provide a way to allow
mobile code to run safely.
CAS allows code to be trusted to varying
degrees, as determined by security policy, depending on where the code comes
from and on other aspects of the code’s identity, such as its strong assembly
name. CAS reduces the likelihood of our code being misused by other malicious code.
It allows us to specify the set of operations our code should be allowed to
perform as well as the operations our code should never be allowed to perform.
Specifically, CAS supports a permission
mechanism by which code can explicitly request particular permissions
and explicitly refuse others.
Components of Code Access Security
Evidence Based Security
Evidence represents the origin of code. At run time, the
.NET Common Language Runtime (CLR) gathers evidence on an assembly that it uses
for security as the application executes. .NET calculates evidence at run time
because it cannot resolve the origin of an assembly until that assembly is
Evidence is the input to CAS policy and permissions are the
output. Permissions specify what a piece of code is allowed to do. Code can
only perform the actions for which it has been granted permissions.
CAS provides two security modes to define permissions for code.
Declarative and imperative security
Declarative security (method metadata)
Imperative security (method implementation)
This kind of security can be used to
perform demands and overrides. This helps in situations where you want to check
permissions at runtime. However, this kind of security cannot be used to
perform requests. In imperative syntax, a new instance of the security permission object needs to be
created before the security call is made. Also, you need to initialize the permission set to
invoke a security call on it. A permission set consists of a group of permissions;
initializing a permission set provides a means to perform assert calls on
multiple permissions in one method. For this purpose you can use the
NamedPermissionSet and PermissionSet classes to group permissions. You can
then call the required method to invoke the appropriate security call.
of method Permission Requests:
Instructs the runtime to ignore the fact that callers might not have the
specified permission. Assemblies must have the "Assert any permission that has
been granted" security permission setting.
Instructs the runtime to throw an exception if the caller and all
callers higher in the stack lack the specified permission.
Causes the runtime to reduce the method’s access by removing the
Instructs the runtime to throw an exception if an assembly inheriting
from the class lacks the specified permissions.
Causes the runtime to throw an exception if the immediate caller, but not
callers higher in the stack, lacks the specified permission.
the runtime to reduce the method’s access by removing all permissions except
for the specified permission.
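The imperative syntax described above, shown as an added example that is not code from the original post: a permission object is created and demanded at run time, and a PermissionSet groups permissions for a single PermitOnly override. It assumes the .NET Framework running in full trust (CAS is not supported on .NET Core and later); the class name, method names and directory paths are hypothetical.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

public static class ImperativeCasDemo
{
    // Constructed sample paths (assumptions, not from the original post).
    const string ReportsDir = @"C:\Reports";
    const string SecretsDir = @"C:\Secrets";

    // Stands in for a library method guarding a resource: it creates the
    // permission object and demands it, which checks every caller on the stack.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static bool CanRead(string dir)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, dir).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    public static void Main()
    {
        bool reportsBefore = CanRead(ReportsDir), secretsBefore = CanRead(SecretsDir);

        // Group permissions in a PermissionSet so one call applies to all of them.
        var allowed = new PermissionSet(PermissionState.None);
        allowed.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, ReportsDir));
        allowed.AddPermission(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "TEMP"));

        bool reportsUnder, secretsUnder;
        // Override: demands that reach this frame fail for anything outside 'allowed'.
        allowed.PermitOnly();
        try
        {
            reportsUnder = CanRead(ReportsDir);
            secretsUnder = CanRead(SecretsDir);
        }
        finally
        {
            // Remove the override so the rest of this frame is not restricted.
            CodeAccessPermission.RevertPermitOnly();
        }
        Console.WriteLine("Before override:  reports={0}, secrets={1}", reportsBefore, secretsBefore);
        Console.WriteLine("Under PermitOnly: reports={0}, secrets={1}", reportsUnder, secretsUnder);
    }
}
```

The results are printed only after RevertPermitOnly so that the console calls themselves do not run under the restricted permission set.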
Declarative security (method metadata)
Declarative security is
Part of a method’s metadata
Implemented with custom attributes
Processed by CLR
only three types of CAS assembly declarations (RequestOptional, RequestMinimum
public class RestrictPF
{
    //security call protects the constructor.
    public RestrictPF() { }
    //security call also protects this
    public void SomeMethod() { }
}