<h3>Warning:</h3> Newer versions of .Net and .Net core has have removed and/or changed “Code Access Security” (CAS) since this question was asked. <h3>Original Question:</h3> I am in the process of studying for the 70-536 .NET Framework - Application Development Foundation Exam, as I have been programming .net for many years, this should not be hard! However I am having to learn about “Code Access Security” (CAS), As I have never had a need to use or configure it, I was wondering if anyone else has found a real life usage for it? Please provide examples of when you have used CAS and it has been part of the solution rather then the problem. (So far everything else has had some relationship to task I have had to do in my years of .NET programming) <hr> Related questions: <ul> <li> Why to use CAS (Code Access Security)? - This has very few real world examples apart from how Microsoft uses it.</li> <li>Anyone really using Code Access Security to protect their assemblies and/or methods?</li> <li> What is Code Access Security in .NET - Defines CAS well, but does not give real examples.</li> <li>.NET Code Access Security: Useful or just overcomplicated? </li> </ul> <hr> Results so far. <ul> <li>CAS is useful when you are hosting 3rd party code. E.g. a web hosting company can use it to stop their customer's Asp.net code doing damage to the servers. (Office also make use of it when .NET is used as a replacement for VBA)</li> <li> The only detailed example of it being used outside of a Microsoft application so far are: <blockquote> A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there. </blockquote> </li> <li>CAS seems to be useful to get JITDC certification, that is like by the US department of defence, however I don’t know if CAS was of any real value, or if it was just box ticking.</li> </ul> (If you need to bypass a host that uses CAS and you have admin rights on them machine, you can just put your assemblies in the GAC.) Looking forward, CAS is a bit less complex in .net 4. <hr> At least it looks like the new Microsoft exams will not have a “foundation” exam that includes CAS. I don’t know if it will make it into the new Winforms/WPF exams.

I encounter code access security quite often in the "real world", often when I least expect it. And in a way, SilverLight would be an excellent real-world application of it, were it not that SilverLight chose not to employ CAS at all in the end. <h3>Hosting providers</h3> The places where you see it in action is where a secured environment is needed: ASP.NET itself of course, but ASP.NET hosting providers use a modified security model to prevent intrusion in their precious systems. I know for a fact that Webhost4Life uses this (no information on their site about it, but I've worked with them, it's there, really). Looking further, other ASP.NET hosting providers do the same, but they are not very clear about it either: thread on godaddy.com not wanting to change the CAS (and no clarity what's supported and what not) or this related discussion on 1&1. Some cloud hosting sites (rackspacecloud) took it a bit further and "worked with Microsoft for a modified full trust level" whatever that may be. In short: if you find an ASP.NET host, most likely they've used CAS to prevent you from doing things they don't want you to do. They can even use it make difference between "basic" (many restrictions) hosting and "enterprise" (few restrictions) hosting which gives a whole other meaning to CAS. <h3>Other applications of CAS</h3> So much for a few real-world situations that I encountered myself. A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there. Other examples or interesting resources: <ul> <li> NAR Loader (a codeproject application) uses it's own CAS</li> <li> LR Evaluator (also codeproject app) uses CAS</li> <li>ClickOnce (see below) uses CAS</li> <li> CAS Design Patterns: it's popularity "assumes" CAS is being used</li> <li> Understanding CAS: even greater popularity and some comments imply applications</li> <li>Microsoft SharePoint uses CAS all the way, it seems (sorry, I'm not an SP specialist)</li> </ul> For any situation where you are simply in full control yourself, you build your own app and code (or have it built) and are in complete control of your system, I don't think you'll need CAS too often. It's more something you'd use the minute you get to run code from lesser trusted sources (which is basically everything that's not in your full control). <h3>CAS vs ClickOnce</h3> Default CAS settings limit the capabilities of code run from a network share or other non-local sources. This makes sense but the stringent restrictions make it hard to have a central repository for distributed application. .NET 2.0 introduced ClickOnce, which was supposed to elevate the security (discussion here). ClickOnce itself uses CAS, to prevent the installer from calling into system functions. As such, I believe it is arguably the best well known application that relies on CAS. Point being: you need to understand CAS to be able to create something that can run directly from a share, or you ignore it all and use ClickOnce. <h3>Microsoft's Survey on CAS</h3> In 2005, Microsoft summoned a survey to find out why CAS was so unpopular, hoping to improve it to make it better applicable. Unfortunately, I couldn't find the actual survey results, other then this post somewhat detailing why CAS is underused. <h3>CAS in another world</h3> That post, however, does point at an intriguing niche: CAS applied to another world: Unix / Linux. They don't call it CAS, instead it's BitFrost. How's that for a real-world application: the "One Laptop Per Child" project, which relies on BitFrost as a replacement for the traditional Unix security model. Update: section on CAS in Unix/Linux as BitFrost and section on survey. Update: added CAS vs ClickOnce section Update: added list of resources using CAS (and apologies for all these updates in a row!)

Is “Code Access Security” of any real world use?

Warning:

Newer versions of .Net and .Net core has have removed and/or changed “Code Access Security” (CAS) since this question was asked.

Original Question:

I am in the process of studying for the 70-536 .NET Framework - Application Development Foundation Exam, as I have been programming .net for many years, this should not be hard!

However I am having to learn about “Code Access Security” (CAS), As I have never had a need to use or configure it, I was wondering if anyone else has found a real life usage for it?

Please provide examples of when you have used CAS and it has been part of the solution rather then the problem.

(So far everything else has had some relationship to task I have had to do in my years of .NET programming)

Related questions:

Why to use CAS (Code Access Security)? - This has very few real world examples apart from how Microsoft uses it.
Anyone really using Code Access Security to protect their assemblies and/or methods?
What is Code Access Security in .NET - Defines CAS well, but does not give real examples.
.NET Code Access Security: Useful or just overcomplicated?

Results so far.

CAS is useful when you are hosting 3rd party code. E.g. a web hosting company can use it to stop their customer's Asp.net code doing damage to the servers. (Office also make use of it when .NET is used as a replacement for VBA)
The only detailed example of it being used outside of a Microsoft application so far are:

A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there.
CAS seems to be useful to get JITDC certification, that is like by the US department of defence, however I don’t know if CAS was of any real value, or if it was just box ticking.

(If you need to bypass a host that uses CAS and you have admin rights on them machine, you can just put your assemblies in the GAC.)

Looking forward, CAS is a bit less complex in .net 4.

At least it looks like the new Microsoft exams will not have a “foundation” exam that includes CAS. I don’t know if it will make it into the new Winforms/WPF exams.

How do I use code access security?

Code Access Security Tools (caspol.exe) . NET includes a command line utility "caspol.exe" to configure or view the security policy of a particular assembly. Using caspol.exe you can specify what level of trust you have for each code access group as well as managing code groups and permissions in more granular fashion.

What are the element of code Access Security?

There are three main components of code access security; evidence, code group and permissions.

What does security transparent code allows you to do?

Applying this attribute to an assembly allows the assembly to access only transparent and security-safe-critical types and members regardless of its permission set, including full trust. Transparent code that accesses a security-critical type or member results in a MethodAccessException being thrown.

I encounter code access security quite often in the "real world", often when I least expect it. And in a way, SilverLight would be an excellent real-world application of it, were it not that SilverLight chose not to employ CAS at all in the end.

Hosting providers

The places where you see it in action is where a secured environment is needed: ASP.NET itself of course, but ASP.NET hosting providers use a modified security model to prevent intrusion in their precious systems. I know for a fact that Webhost4Life uses this (no information on their site about it, but I've worked with them, it's there, really). Looking further, other ASP.NET hosting providers do the same, but they are not very clear about it either: thread on godaddy.com not wanting to change the CAS (and no clarity what's supported and what not) or this related discussion on 1&1. Some cloud hosting sites (rackspacecloud) took it a bit further and "worked with Microsoft for a modified full trust level" whatever that may be.

In short: if you find an ASP.NET host, most likely they've used CAS to prevent you from doing things they don't want you to do. They can even use it make difference between "basic" (many restrictions) hosting and "enterprise" (few restrictions) hosting which gives a whole other meaning to CAS.

Other applications of CAS

So much for a few real-world situations that I encountered myself. A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there. Other examples or interesting resources:

NAR Loader (a codeproject application) uses it's own CAS
LR Evaluator (also codeproject app) uses CAS
ClickOnce (see below) uses CAS
CAS Design Patterns: it's popularity "assumes" CAS is being used
Understanding CAS: even greater popularity and some comments imply applications
Microsoft SharePoint uses CAS all the way, it seems (sorry, I'm not an SP specialist)

For any situation where you are simply in full control yourself, you build your own app and code (or have it built) and are in complete control of your system, I don't think you'll need CAS too often. It's more something you'd use the minute you get to run code from lesser trusted sources (which is basically everything that's not in your full control).

CAS vs ClickOnce

Default CAS settings limit the capabilities of code run from a network share or other non-local sources. This makes sense but the stringent restrictions make it hard to have a central repository for distributed application. .NET 2.0 introduced ClickOnce, which was supposed to elevate the security (discussion here).

ClickOnce itself uses CAS, to prevent the installer from calling into system functions. As such, I believe it is arguably the best well known application that relies on CAS.

Point being: you need to understand CAS to be able to create something that can run directly from a share, or you ignore it all and use ClickOnce.

Microsoft's Survey on CAS

In 2005, Microsoft summoned a survey to find out why CAS was so unpopular, hoping to improve it to make it better applicable. Unfortunately, I couldn't find the actual survey results, other then this post somewhat detailing why CAS is underused.

CAS in another world

That post, however, does point at an intriguing niche: CAS applied to another world: Unix / Linux. They don't call it CAS, instead it's BitFrost. How's that for a real-world application: the "One Laptop Per Child" project, which relies on BitFrost as a replacement for the traditional Unix security model.

Update: section on CAS in Unix/Linux as BitFrost and section on survey.
Update: added CAS vs ClickOnce section
Update: added list of resources using CAS (and apologies for all these updates in a row!)

Technically, it's very useful as it allows a very fine grained permission specification. This is both good for you (as theoretically it makes exploiting security vulnerabilities a lot harder - even if an attacker gains full control over your app, he is still locked in the CAS Sandbox) and for your customer (as they can see exactly what your application can do and run their own security audit).

In practical use, it's mostly meaningless. I think it's too complex, too little supported by the available dev tools and most users don't care anyway.

There are exceptions of course (Governments and customers who really know .net/CAS) and I would love to say that CAS is absolutely useful and mandatory, but the reality speaks a clear language.

Is “Code Access Security” of any real world use?

Tags:

.net

security

code-access-security

Warning:

Original Question:

Ian Ringrose

People also ask

2 Answers

Hosting providers

Other applications of CAS

CAS vs ClickOnce

Microsoft's Survey on CAS

CAS in another world

Abel

Michael Stum

Recent Activity

Donate For Us