What is CAS?
CAS stands for Code Access security. CAS is a process that controls the access that code has to protected resources and operations. CAS allows code to be trusted to varying degrees, depending on where the code originates and on other aspects of the code's identity. CAS also enforces the varying levels of trust on code, which minimizes the amount of code that must be fully trusted in order to run.
Why need of Code Access Security
- Using CAS can reduce the chances that your code can be misused by cruel or error-filled code.
- You can specify the operations to your code. That code should be allowed to perform or never allowed to perform hence CAS can help you to reduce your problems.
- Code access security also helps to reduce the damage that can result from security vulnerabilities in your code.
- It also helps to set the permission and set of permission to access the code.
- CAS supports number of operations which code can or cannot do. Some of them are listed at bottom.
Code Access Permission:
All code access permission is derived from the CodeAccessPermission class.
This class contains some important methods:
Method Name |
Description |
Assert |
The calling code can access the permission that protected by permission demand through the code. |
Demand |
Forces a Security Permission run time if all callers higher in the call stack have not been granted the permission specified by the current instance. |
Deny |
Prevents callers higher in the call stack from using the code that calls this method to access the resource specified by the current instance. |
Permit |
Only Prevents callers higher in the call stack from using the code that calls this method to access all resources except for the resource specified by the current instance. |
RevertAll |
Causes all previous overrides for the current frame to be removed and no longer in effect. |
RevertAsset |
It reverts the Asset. |
RevertDeny |
Revert the deny. |
The .NET Framework provides the following code access permissions.
Code access permission |
Resource protected |
DirectoryServicesPermission |
Directory services |
|
DNS services |
EnvironmentPermission |
Environment variables |
EventLogPermission |
Event logs |
FileDialogPermission |
File dialog boxes in the UI |
FileIOPermission |
Files and folders on the file system |
IsolatedStorgeFilePermission |
Isolated storage |
MessageQueuePermission |
Message queues |
OleDbPermission |
Databases accessed by the OLEDB data access provider |
PerformanceCounterPermission |
Performance counters |
PrintingPermission |
Printers |
ReflectionPermission |
Type information at run time |
RegistryPermission |
Registry |
SecurityPermission |
Execute code, assert permissions, call unmanaged code, skip verification, and other rights |
ServiceControllerPermission |
Running or stopping services |
SocketPermission |
Connections to other computers via sockets |
SqlClientPermission |
Databases accessed by the SQL Server data access provider |
UIPermission |
Windows and other UI elements |
WebPermission |
Connections to other computers via HTTP |
What is Stack Wall?
With help of stack wall CLR determines what code access permission exists on all stack frames and stack wall done runtime by the CLR. Stack wall generates the permission set with the help of imperative and declarative security call.
In Part II, We will see how to create Code Groups, set Permissions and CAS Tool.