View
220
Download
2
Category
Preview:
Citation preview
System.Security.Policy namespace
Chinmay Lokesh .NET Security CS 795 Summer 2010
Concepts Covered
Security Policy Introduction Policy Level – Code groups, Named
Permission Sets, Fully Trusted Assemblies Policy Resolution Configuring Security Policy System.Security.Policy
namespace
Introduction
How the runtime uses security policy to determine which permissions to grant an assembly or application domain based on its identity?
High-level explanation of security policy structure of security policy how the component elements interact at runtime
manipulate security policy programmatically – Topic of Concern
Security Policy : Intro
Security policy is the set of configurable rules that provide a mapping between evidence and permissions
Runtime uses security policy to determine which code-access permissions to grant an assembly or application domain based on the set of evidence that the assembly or application domain presents—a process known as policy resolution
Flexible and extensible
Confidently run managed code from any source
Security Policy Levels
Policy Level (Continued)
Enterprise , machine and user levels are configurable by admin tools
Configure Application Domain programmatically
Runtime loads assembly and application domain and determines permission granted
In case of assembly the permissions granted by the application domain to which the assembly is loaded
Each policy level contains three key elements: Code groups, Named permission sets, Fully trusted assemblies
Code groups
Code Groups (Continued)
code groups provide the mapping between evidence and permissions that the policy resolution process uses to determine which code-access permissions to grant an assembly or application domain
Each policy level consists of set of code groups organized into a tree structure
If the evidence meets the code group's membership condition, then the runtime grants the assembly or application domain the permissions contained in the code group's permission set.
Code Groups
Each code group has a name and a description and contains the following elements
Membership Conditions
Code Groups
Permission set The permission set is the set of permissions to grant an
assembly or application domain that qualifies for membership of the code group
Child code groups each policy level consists of a single tree of code
groups with each code group having one or more child code groups
use of code group trees and simple membership conditions is a flexible model that allows you to create complex security policies
Code Groups
Attributes two optional attributes that you can assign to a code
group in order to modify the normal policy resolution process
Exclusive The code group's permission set defines the maximum set
of permissions that the assembly or application domain can get from the current policy level regardless of what other code groups it is a member of.
LevelFinal The runtime will not evaluate any policy level below the
current level other than the application domain level
Named permission sets
Permission sets are simply groups of permissions to which you assign a name. Each policy level maintains its own set of named permission sets that are valid only within the scope of that policy level.
Fully trusted assemblies
each policy level contains a list of fully trusted assemblies. When the runtime loads any of these assemblies during policy resolution, it automatically assigns them full trust within that policy level; they are not subject to the normal policy resolution process
Why?
Under normal circumstances, as the runtime loads these assemblies, it would need to resolve the policy for each one to determine their permissions. However, if the policy resolution of these assemblies required the runtime to instantiate security classes contained within the same assemblies, the runtime would need to resolve the policy for the same assembly again, resulting in a never-ending policy resolution loop
Policy Resolution
I am talking only about Assemblies
When resolving policy for an assembly, the runtime starts at the enterprise policy's root code group and checks the assembly's evidence against the code group's embership condition.
The runtime then traverses the code group tree by comparing the assembly's evidence with each child code group of the current code group. At any stage, if the assembly does not qualify for membership of a code group, then the runtime does not grant the code group's permission set to the assembly, and policy resolution moves on to the next peer-level code group, ignoring the current code group's children.
Calculating Policy Level Permissions
The runtime uses this process to determine the permissions granted by each policy level and thenintersects them to calculate the final code-access permission set for the assembly
Intersecting policy level grant sets
Configuring Security Policy
Using the .NET Framework Configuration tool (Mscorcfg.msc), a Microsoft Management Console (MMC) plug-in provided with the .NET Framework that provides a graphical interface with which to administer security policy
Using the Code Access Security Policy tool (Caspol.exe), a command-line tool provided with the .NET Framework
Programmatically, using the security classes contained in the .NET class library - Topic of Concern
Manually, by editing the XML contained in the individual security policy files
Programming Security Policy
To have complete control over all security policy features
How to program the key components of security policy, starting with code groups and membership conditions, then moving on to policy levels
Covering Code Groups and PolicyLevel
Programming Code Groups
Programming Code Groups
The abstract system.Security.Policy.CodeGroup class provides the base representation of a code group and defines the functionality that lies at the heart of the policy resolution process
Four noninheritable subclasses
CodeGroup is a container for all of the elements discussed in previous slides
Programming Code Groups
Membership condition An object that implements the
System.Security.Policy.IMembershipCondition interface provides the functionality to determine whether an assembly or application domain qualifies for membership to the code group, for eg – Zone= Internet
Policy statement The policy statement contains values that specify
the effect the CodeGroup has on assemblies and application domains that are members of the group. The System.Security.Policy.PolicyStatement class represents a code group's policy statement
Code Groups
ChildrenEach CodeGroup contains an ordered list of child CodeGroup
objects
Code Group Resolve
The most important method of the CodeGroup class is Resolve, which takes an Evidence collection as an argument, called at runtime
The key difference between each of the CodeGroup subclasses is how they process the Resolve method
In the Resolve method, the CodeGroup is responsible for determining if the assembly's evidence qualifies it for membership, how to apply any attributes, and how or if the CodeGroup should use its children to continue the policy resolution process.
Code Group Resolve
UnionCodeGroup Members are tested against all child code groups for
membership. The resulting PolicyStatement contains the union of the code group's permission set and the permission sets of each child of which the assembly is also a member
FileCodeGroup FileCodeGroup does not support attributes and does not
contain a statically defined permission set. With each call to Resolve, if the evidence of the assembly contains "file://"-based Url evidence, the FileCodeGroup dynamically generates a permission set that contains a System.Security.Permissions.FileIOPermission granting access to the directory specified in the Url evidence.
Code Group Resolve
NetCodeGroup if the evidence of the assembly contains "http://" or
"https://" Url (or Site) evidence, the NetCodeGroup dynamically generates a permission set
FirstMatchCodeGroup This operates the same UnionCodeGroup but
evaluates members against its children only until it finds the first matching child group.
Members of the code group classes
Programming membership conditions
Membership conditions are classes that implement the IMembershipCondition interface
you can get and set the IMembershipCondition through the CodeGroup.MembershipCondition property after construction
# C# bool Check(Evidence evidence);
membership condition classes
# C#// Create a membership condition to match all code.IMembershipCondition m1 = new AllMembershipCondition( );// Create a membership condition to match all code with// Internet Zone evidence.IMembershipCondition m2 =new ZoneMembershipCondition(SecurityZone.Internet);// Create a membership condition to match all code from// all "oreilly.com" Sites.IMembershipCondition m3 =new SiteMembershipCondition("*.oreilly.com");// Create a membership condition to match all code with// the same Publisher certificate as was used to sign// the SomeFile.exe assembly.IMembershipCondition m4 =new PublisherMembershipCondition(X509Certificate.CreateFromSignedFile("SomeFile.exe"));
Programming policy statements
Provide a PolicyStatement as an argument to the UnionCodeGroup and FirstMatchCodeGroup constructors, and you can get and set the PolicyStatement after construction through the CodeGroup.PolicyStatement property.
The FileCodeGroup and NetCodeGroup classes do not require you to set a policy statement, because they generate their permission sets dynamically and do not support attributes
The PolicyStatement class provides two constructors
PolicyStatementAttribute enumeration
The PolicyStatement class provides two constructors. The first takes a System.Security.PermissionSet argument specifying the permissions a code group grants to its members. The second constructor takes both a PermissionSet and a member of the System.Security.Policy.PolicyStatementAttribute enumeration
how to create PolicyStatement objects
# C#// Create a PolicyStatement that grants Unrestricted access// to everythingPolicyStatement p1 = new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));// Create a PolicyStatement that grants read access to the// file "C:\File.txt" and specifies the LevelFinal attribute.PermissionSet pset = new PermissionSet(newFileIOPermission(FileIOPermissionAccess.Read,@"C:\File.txt"));PolicyStatement p2 = new PolicyStatement(pset, PolicyStatementAttribute.LevelFinal);
Creating code groups
UnionCodeGroup with the Exclusive attribute that matches all code downloaded from any web site in the oreilly.com domain and grants it unrestricted access to the filesystem
C#// Create the permission set and add unrestricted file access.PermissionSet pset = newPermissionSet(PermissionState.None);pset.AddPermission(newFileIOPermission(PermissionState.Unrestricted));// Create the policy statement and set the Exclusive attribute.PolicyStatement pstate =new PolicyStatement(pset, PolicyStatementAttribute.Exclusive);// Create the membership condition to match all "*.oreilly.com"
sites.IMembershipCondition mcon =new SiteMembershipCondition("*.oreilly.com")
Programming Policy Levels
The .NET class library contains the System.Security.Policy.PolicyLevel class to represent all security policy levels: enterprise, machine, user, and application domain.
The PolicyLevel class is a container for the component elements we described in "Security Policy Levels": fully trusted assemblies, named permission sets, and code groups
Members of the PolicyLevel class
Managing named permission sets
//Create a new application domain policy levelPolicyLevel p = PolicyLevel.CreateAppDomainLevel( );// Get a copy of the default permission set named "Internet" and// call it "NewPermissionSet"NamedPermissionSet ps =p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet")
;// Add the new permission setp.AddNamedPermissionSet(ps);// Modify the permission set "NewPermissionSet" to grant
unrestricted// accessp.ChangeNamedPermissionSet("NewPermissionSet",new PermissionSet(PermissionState.Unrestricted));// Remove the NewPermissionSet permission setp.RemoveNamedPermissionSet("NewPermissionSet");
Managing the code group tree
get and set the root code group of the policy level's code group tree using the RootCodeGroup property
Links
http://www.cs.odu.edu/~clokesh/tree.txt
http://msdn.microsoft.com/en-us/library/system.security.policy.aspx
Recommended