Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Code Access Security is a joke?

Tags:

.net

security

clr

code-access-security

I have just read about this article about Code Access Security. It has such an example in it:

using System.Security.Permissions;
public class MyFileAccessor 
{
  public MyFileAccessor(String path, bool readOnly)
  {
    path = MakeFullPath(path); // helper fcn
    FileIOPermissionAccess desiredAccess = readOnly
      ? FileIOPermissionAccess.Read
      : FileIOPermissionAccess.AllAccess;
    FileIOPermission p = new FileIOPermission(desiredAccess, path);
    p.Demand();
    // 
    ••• 
    open the file
   }
   // •••
}

What if I didn't use the FileIOPermissionAccess type and never includ code like p.Demand() in my code at all? In other words, if I want to do something bad, why should I bother to ask permission for that? Isn't it kind of a joke? OR did I take it wrong?

like image 680
smwikipedia Avatar asked Oct 18 '10 16:10

smwikipedia

People also ask

What do u mean by code access security?

Code Access Security (CAS), in the Microsoft . NET framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. When the CLR loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to.

What is the difference between code access security and evidence?

CAS provides evidence-based security built on a layer above the security provided by the Windows operating system. While Windows is based on the permissions of the user, CAS is based on the evidence for the assembly.

What is CAS policy?

The Code Access Security (CAS) Policy tool (Caspol.exe) enables users and administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.

What are some key features of link demands?

A link demand only checks the immediate caller (direct caller) of your code. That means it doesn't perform a stack walk. Linking occurs when your code is bound to a type reference, including function pointer references and method calls. A link demand can only be applied declaratively.

1 Answers

Well, yes, the example is a bit of a joke, you'd never write something like this yourself. What's missing is the really important part, the code that // opens the file. A realistic version of it would, say, pinvoke CreateFile().

The point being that Windows doesn't know anything about CAS. So if you provide a utility function like this and you want to enforce the CAS rules then you have to verify that your calling code has the required permission. Of course, this kind of code really only belongs in the .NET framework. Have a look-see at FileStream.Init() and note FileIOPermission being demanded there before the CreateFile call.

like image 184
Hans Passant Avatar answered Sep 22 '22 22:09

Hans Passant
Sign in to Comment

Related questions

How to make WebKit or IE call your application (.NET) from HTML page opened in browser?
Interacting with java code from C#
.NET Ascertaining mouse is on line drawn between two arbitrary points
Where can I learn the ins and outs of enumerators in C#? [closed]
Why won't my WPF XAML Grid TranslateTransform.X?
Service Unavaiable - ApplicationPool won't start
Library to work with XAdES digital signatures
How is the default constructor of System.Drawing.Graphics removed?
Generic SQL builder .NET
Using Rx to synchronize asynchronous events
DropDown Menu with ScrollBar in .NET
DataGridView.Editmode = EditOnEnter. How to Select the row to Delete it?
Extending Type Safety to prevent dirty data coming from being used against functions that require "clean" data [closed]
C# compiler: /nostdlib option
Why is the result of Decimal.MaxValue - 0.5 an integer?
What Exceptions Could string = string throw besides System.OutOfMemoryException?
Irregular PNG button's click event in WPF
Windbg with SOS, How to dump a c# struct
How to allow user to move a control on the form
Download the first 1000 bytes

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!