Presented By: Ahmed ALSUM, PhD Student
CS 895: .Net Security
Old Dominion University, College of Science, Department of Computer Science

System.Security.Permissions namespace



Page 2: System.Security.Permissions  namespace

Outline

Page 3: System.Security.Permissions  namespace

What's a Permission

Permissions limit what an assembly can do
◦ run if code not verifiable?
◦ access file system?
◦ access the network?
◦ access certain environment variables?
◦ call native code (COM objects, DLLs)?
◦ access files or printers without asking user?

Page 4: System.Security.Permissions  namespace

Security
Code Access Security

Code may require permissions to run
Security policy determines what code is allowed to run
◦ By machine
    Where did this code come from? Who authored it?
◦ By user
If no permission then a SecurityException is thrown

Page 5: System.Security.Permissions  namespace

Security
Code Access Security

Can specify the permissions needed by code
◦ Declarative, with attributes
◦ Imperative
    Create a permission object, then call Demand()
By default, the CLR will ensure that all code in call chain has the necessary permissions

Page 6: System.Security.Permissions  namespace

Security
Code Access Security

Security check
Varying levels of trust
Behavior constrained by least trustworthy component

[Figure: Call Chain through Assembly A1, A2, A3 and A4; labels G1, G2, G3, G4 and P]

Page 7: System.Security.Permissions  namespace

Security
Code Access Security

Can override security checks
◦ Assert() lets you and the code you call perform actions that you have permission to do, but your callers may not.
◦ Deny() lets you prevent downstream code from performing certain actions
◦ PermitOnly() is like Deny(), but you specify the only permissions the downstream code will have.
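
The stack walk and the overrides from the Code Access Security slides, as an added example that is not part of the original deck: a fully trusted .NET Framework console program in which PermitOnly() stands in for a less trusted caller and Assert() stops the walk before it reaches that frame. The class and method names and the settings.ini path are assumptions made for illustration; PermitOnly() is used rather than Deny() because Deny() is marked obsolete from .NET Framework 4.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class StackWalkDemo
{
    // Stands in for a library routine: the imperative Demand() starts a stack
    // walk at this method's caller and continues up the call chain.
    static string ReadSetting(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
        return "read allowed: " + path;
    }

    // Trusted wrapper: Assert() ends the walk at this frame, so frames above it
    // are not checked for this one permission.
    static string ReadViaAssert(string path)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, path).Assert();
        try { return ReadSetting(path); }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // Simulates a less trusted caller: PermitOnly() fails any downstream demand
    // that is not covered by read access to the TEMP environment variable.
    static string Sandbox(Func<string, string> callee, string path)
    {
        new EnvironmentPermission(EnvironmentPermissionAccess.Read, "TEMP").PermitOnly();
        try { return callee(path); }
        catch (SecurityException ex) { return "denied: " + ex.Message; }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    static void Main()
    {
        // Constructed sample path; the file does not need to exist for the demand.
        string path = Path.GetFullPath("settings.ini");
        Console.WriteLine(ReadSetting(path));            // no modifier on the stack
        Console.WriteLine(Sandbox(ReadSetting, path));   // PermitOnly frame is the direct caller
        Console.WriteLine(Sandbox(ReadViaAssert, path)); // Assert frame sits below PermitOnly
    }
}
```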

Page 8: System.Security.Permissions  namespace

Security
Permissions

Code access permissions
◦ Protect resources and operations
◦ Ex. DnsPermission, EnvironmentPermission, WebPermission

Identity permissions
◦ Characteristics of an assembly's identity
◦ Ex. UrlIdentityPermission, ZoneIdentityPermission

Role-based permissions
◦ Discover a user's role or identity
◦ Ex. PrincipalPermission

Custom permissions
◦ Design and implement your own classes

Page 9: System.Security.Permissions  namespace

Permissions classes

Resources Accessed                            Required Permissions
DPAPI encryption                              DataProtectionPermission
DNS directory                                 DnsPermission
Environment variables                         EnvironmentPermission
Event log                                     EventLogPermission
File dialog                                   FileDialogPermission
File system                                   FileIOPermission
Isolated file storage                         IsolatedStoragePermission
Key containers                                KeyContainerPermission
Message queues                                MessageQueuePermission
Network information and traffic statistics    NetworkInformationPermission
OLE DB data sources                           OleDbPermission
Performance counters                          PerformanceCounterPermission

Page 10: System.Security.Permissions  namespace

Permissions classes

Resources Accessed                                   Required Permissions
Printers                                             PrintingPermission
Reflection                                           ReflectionPermission
Registry                                             RegistryPermission
Security                                             SecurityPermission
SMTP servers                                         SmtpPermission
Sockets                                              SocketsPermission
SQL Server notifications                             SqlNotificationPermission
SQL Server                                           SqlClientPermission
Stores containing X.509 certificates                 StorePermission
User interfaces and clipboard                        UIPermission
Web services (and other HTTP Internet resources)     WebPermission

Page 11: System.Security.Permissions  namespace

Namespace: System.Security
CodeAccessPermission

Defines the underlying structure of all code access permissions

When you inherit from CodeAccessPermission, you must also implement the IUnrestrictedPermission interface.

The following CodeAccessPermission members must be overridden: Copy, Intersect, IsSubsetOf, ToXml, FromXml, and Union.

You must also define a constructor that takes a PermissionState as its only parameter.

You must apply the SerializableAttribute attribute to a class that inherits from CodeAccessPermission.

Custom Permission Example
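
One way to meet the requirements listed on this slide, written here as an added example and not the deck's own sample: a hypothetical AuditLogPermission whose state is a small flags enum, so Intersect, Union and IsSubsetOf reduce to bit operations. AuditAccess and AuditLogPermission are invented names.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

[Flags] public enum AuditAccess { None = 0, Read = 1, Write = 2, All = Read | Write }

// Hypothetical permission guarding an application audit log (names are assumptions).
[Serializable]
public sealed class AuditLogPermission : CodeAccessPermission, IUnrestrictedPermission
{
    private AuditAccess access;
    // Required: a constructor taking PermissionState as its only parameter.
    public AuditLogPermission(PermissionState state)
    {
        access = state == PermissionState.Unrestricted ? AuditAccess.All : AuditAccess.None;
    }
    public AuditLogPermission(AuditAccess access) { this.access = access; }
    public bool IsUnrestricted() => access == AuditAccess.All;
    public override IPermission Copy() => new AuditLogPermission(access);

    // A null argument means "no permission"; any other type is a caller bug.
    private static AuditAccess Flags(IPermission target)
    {
        if (target == null) return AuditAccess.None;
        var other = target as AuditLogPermission;
        if (other == null) throw new ArgumentException("Not an AuditLogPermission", "target");
        return other.access;
    }
    // Subset test: every bit held here must also be held by the target.
    public override bool IsSubsetOf(IPermission target) => (access & ~Flags(target)) == 0;
    public override IPermission Union(IPermission target) =>
        new AuditLogPermission(access | Flags(target));
    public override IPermission Intersect(IPermission target)
    {
        AuditAccess both = access & Flags(target);
        return both == AuditAccess.None ? null : new AuditLogPermission(both);
    }
    // XML form used when the permission is stored or serialized.
    public override SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        e.AddAttribute("Access", access.ToString());
        return e;
    }
    public override void FromXml(SecurityElement e)
    {
        access = (AuditAccess)Enum.Parse(typeof(AuditAccess), e.Attribute("Access") ?? "None");
    }
}
```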

Page 12: System.Security.Permissions  namespace

Namespace: System.Security.Permissions
CodeAccessSecurityAttribute

The security information declared by a security attribute is stored in the metadata of the attribute target and is accessed by the system at run time. Security attributes are used only for declarative security.

All permission attributes derived from this class must have only a single constructor that takes a SecurityAction as its only parameter.

Custom Attribute Example

Page 13: System.Security.Permissions  namespace

Namespace: System.Security.Permissions
PermissionState Enumeration

Specifies whether a permission should have all or no access to resources at creation.

Unrestricted: Full access to the resource protected by the permission.

None: No access to the resource protected by the permission.

For example, the file permission constructor could create an object representing either no access to any files or all access to all files.

Intermediate states can be set according to the specific permission semantics.

Page 14: System.Security.Permissions  namespace

EnvironmentPermission

Environment variable names are designated by one or more case-insensitive name lists separated by semicolons, with separate lists for read and write access to the named variables.

EnvironmentPermission class controls access to system and user environment variables.

    // Prevent code called from this frame from reading the TEMP variable.
    EnvironmentPermission tmpVariable = new EnvironmentPermission(EnvironmentPermissionAccess.Read, "TEMP");
    tmpVariable.Deny();

Page 15: System.Security.Permissions  namespace

FileIOPermission

Controls the ability to access files and folders.

This permission distinguishes between: Read, Write, Append, and PathDiscovery.

All these permissions are independent, meaning that rights to one do not imply rights to another.

    // Start from no access, allow read on all local files, then demand it of the callers.
    FileIOPermission fp = new FileIOPermission(PermissionState.None);
    fp.AllLocalFiles = FileIOPermissionAccess.Read;
    fp.Demand();

Page 16: System.Security.Permissions  namespace

WebBrowserPermission

It controls the ability to create the WebBrowser control.

In the Windows Presentation Foundation (WPF), the Web browser control enables frames to navigate HTML.

This permission uses the values of the WebBrowserPermission enumerations.

    WebBrowserPermission webBrowserPermission = new WebBrowserPermission(WebBrowserPermissionLevel.Unrestricted);

Page 17: System.Security.Permissions  namespace

MediaPermission

The MediaPermission describes a set of security permissions that controls the ability for audio, image, and video media to work in a partial-trust Windows Presentation Foundation (WPF) application.

Page 18: System.Security.Permissions  namespace

RegistryPermission

RegistryPermission describes protected operations on registry variables. Registry variables should not be stored in memory locations where code without RegistryPermission can access them. If the registry object is passed to an untrusted caller it can be misused.

    RegistryPermission f = new RegistryPermission(RegistryPermissionAccess.Read, "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0");

Page 19: System.Security.Permissions  namespace

PrincipalPermission

By passing identity information (user name and role) to the constructor, PrincipalPermission can be used to demand that the identity of the active principal matches this information.

It implements the IPermission interface. This is because PrincipalPermission is not a code access permission; that is, it is not granted based on the identity of the executing assembly. Instead, it allows code to perform actions (Demand, Union, Intersect, and so on) against the current user identity.

    // Attach the Windows principal to the thread, then require the Administrators role.
    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators");
    principalPerm.Demand();

Page 20: System.Security.Permissions  namespace

Namespace: System.Net
WebPermission

WebPermission provides a set of methods and properties to control access to Internet resources. You can use a WebPermission to provide either restricted or unrestricted access to your resource, based on the PermissionState that is set when the WebPermission is created.

    Regex myRegex = new Regex(@"http://www\.microsoft\.com/.*");
    WebPermission wp = new WebPermission(NetworkAccess.Connect, myRegex);
    wp.AddPermission(NetworkAccess.Accept, "http://www.odu.edu/");
    wp.Demand();

Page 21: System.Security.Permissions  namespace

Namespace: System.Data.OleDb
OleDbPermission

Enables the .NET Framework Data Provider for OLE DB to help make sure that a user has a security level sufficient to access an OLE DB data source

Page 22: System.Security.Permissions  namespace

Namespace: System.Net
DnsPermission

Controls rights to access Domain Name System (DNS) servers on the network.

The default permissions allow all local and Intranet zone applications to access DNS services, and no DNS permission for Internet zone applications.

DnsPermission permission = new DnsPermission(PermissionState.Unrestricted);

permission.Demand();


Page 24: System.Security.Permissions  namespace

QUESTIONS?