Security in Assemblies

Code Security is all about allowing and preventing code from running.

The .NET security model works by each assembly having its own Evidence, embedded in the assembly by the assembly writer.
When the CLR loads the assembly, it reads this Evidence and applies it to a security model, which in turn returns Permissions. The Permissions returned determine whether the assembly is permitted to execute or not.
So it's Evidence in (on the assembly) -> Code Groups -> Permissions.

Code Access Security (CAS) is the mechanism used by .NET to manage all of this. Its function is to process assemblies and determine the runtime permissions they should have, e.g. whether the code within a certain assembly should be allowed to run or not.

All assemblies have Evidence. As the CLR loads the assembly, it looks at this Evidence and processes it using the current machine's .NET Code Group. Where the assembly is being loaded from, the Evidence it has, and the Code Group configuration on the current machine together determine the Permissions that assembly gets.

Evidence: Evidence takes into account the assembly's strong name and publisher. There are 2 types of evidence: Host Evidence and Assembly Evidence. Host Evidence is all about where the code is being loaded from (the internet, the local machine); these locations are identified by URI, Site and Zones (Zones are for non internet).

Code Group: You can group permissions for assemblies, i.e. all assemblies that have Internet permissions can do such and such. These are set up on the machine; when the CLR is processing the assembly's Evidence, it tries to match the output with a Code Group.

Permissions: FullTrust, Internet. These have special meaning to the CLR; they restrict the access of code to resources such as printers, applications etc.
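To see the Evidence -> Code Groups -> Permissions chain on a real machine, here is an added example (not code from the original post) that lists the host Evidence, the Code Groups it matches at each policy level, and the Permissions that result. It assumes .NET Framework 2.0 to 3.5, where CAS policy is active; from .NET Framework 4 on these policy APIs are obsolete and throw NotSupportedException unless the NetFx40_LegacySecurityPolicy switch is enabled. The class name `CasWalk` and the URL are constructed for illustration.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Policy;

class CasWalk
{
    // Print each code group whose membership condition matches the evidence.
    // Informational only: ResolvePolicy below gives the authoritative grant.
    static void PrintMatches(CodeGroup group, Evidence evidence, int depth)
    {
        if (!group.MembershipCondition.Check(evidence))
            return; // children are only considered when the parent matches
        Console.WriteLine("{0}{1} [{2}] -> {3}", new string(' ', depth * 2 + 4),
            group.Name, group.MembershipCondition, group.PermissionSetName);
        foreach (CodeGroup child in group.Children)
            PrintMatches(child, evidence, depth + 1);
    }

    static void Resolve(string label, Evidence evidence)
    {
        Console.WriteLine("== " + label);
        IEnumerator host = evidence.GetHostEnumerator();
        while (host.MoveNext())
            Console.WriteLine("  host evidence: " + host.Current.GetType().Name);
        // Enterprise, Machine and User levels; the final grant is their intersection.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            Console.WriteLine("  policy level: " + level.Label);
            PrintMatches(level.RootCodeGroup, evidence, 0);
        }
        PermissionSet granted = SecurityManager.ResolvePolicy(evidence);
        Console.WriteLine("  granted: " +
            (granted.IsUnrestricted() ? "FullTrust (unrestricted)" : granted.ToString()));
    }

    static void Main()
    {
        // Evidence the CLR collected for this assembly when it loaded it.
        Resolve("this assembly", Assembly.GetExecutingAssembly().Evidence);
        // Constructed evidence: the same policy applied to an Internet-zone origin.
        Evidence internet = new Evidence();
        internet.AddHost(new Zone(SecurityZone.Internet));
        internet.AddHost(new Url("http://example.test/app.exe")); // constructed URL
        Resolve("constructed Internet-zone evidence", internet);
    }
}
```

Run from a local disk with default policy, the first call typically resolves to FullTrust and the second to the much smaller Internet permission set, which makes a quick check that machine policy has not been loosened.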

