Best IT Recipes

Is "Code Access Security" for any real world?

Attention:

Newer versions of .Net and .Net kernels have removed and / or changed "Code Access Security" (CAS) because they asked this question.

The original question:

I am studying 70-536.NET Framework - Application Development Exam as I programmed. network for many years, it should not be difficult!

However, I need to learn about “code access security” (CAS), since I never had to use it or configure it, I was wondering if anyone else found a real use for it?

Please provide examples of when you used CAS, and this was part of the solution, not the problem.

(So ​​far, everything else has had something to do with the task that I had to do during the years of .NET programming)



Related questions:

  • Why use CAS (code access security)? “These are very few real world examples, other than how Microsoft uses it.”
  • Does anyone really use Code Access Security to protect their builds and / or methods?
  • What is code access security in .NET - CAS defines perfectly, but does not give real examples.
  • . Security of access to the NET-code: useful or just complicated?


Results for now.

  • CAS is useful when you accept third-party code. For example. a web hosting company can use it to stop Asp.net client code, damaging the servers. (Office also uses it when .NET is used as a replacement for VBA)

  • The only detailed example of its use outside of a Microsoft application:

    The recent project I did had something similar: allow the user to load libraries and test it for performance ("who makes the best algorithm"). Needless to say, we needed a CAS to eat.

  • CAS is apparently useful for getting JITDC certification, that is, as the US Department of Defense does, but I don't know if the CAS had any real value, or if it was just a check.

(If you need to bypass a host that uses CAS, and you have administrator rights to them, you can simply put your assemblies in the GAC.)

In anticipation, CAS is a bit more complicated in .net 4 .



At the very least, it seems that Microsoft’s new exams will not have a “basic” exam that includes CAS. I don’t know if they will add it to the new Winforms / WPF exams.

+65
security code-access-security
Oct. 14 '09 at 15:07
source share
8 answers

I often run into code access security in the "real world", often when I least expect it. And somehow SilverLight would be a great application in the real world if it weren’t for Silverlight to decide not to use CAS at all.

Hosting Providers

Where you see this in action, a secure environment is required: ASP.NET itself, but ASP.NET hosting providers use a modified security model to prevent intrusion into their precious systems. I know that Webhost4Life uses this (there is no information on it, but I worked with them, it is there, really). Looking further, other ASP.NET hosting providers do the same, but they are not very clear about this: the stream on godaddy.com does not change CAS (and there is no clarity about what is supported and what is not) or is this a related discussion 1 and 1 . Some cloud hosting sites (rackspacecloud) took this a little further and "worked with Microsoft for a modified full level of trust," whatever that is.

In short: if you find an ASP.NET host, most likely they used CAS so you don't do what you don't need to do. They can even use it, making the difference between the “basic” (many restrictions) hosting and the “enterprise” hosting (several restrictions), which gives CAS a different meaning.

Other CAS Applications

So much for a few real-life situations that I have encountered. The recent project I did had something similar: allow the user to download the library and test it for performance ("who makes the best algorithm"). Needless to say, we really need CAS. Other examples or interesting resources:

For any situation where you simply completely control yourself, you create your own application and code (or create it) and completely control your system, I don’t think that you will need CAS too often. This is more than what you would use at the moment when you can run the code from less reliable sources (which basically means everything that is not in your full control).

CAS vs ClickOnce

The default CAS settings limit the ability to run code from a network share or other non-local sources. This makes sense, but severe restrictions make it difficult to have a central repository for a distributed application .. NET 2.0 introduced ClickOnce, which was supposed to increase security ( discussion here ).

ClickOnce uses CAS so that the program does not call system functions. Therefore, I believe that this is perhaps the most famous application that uses CAS.

Point: you need to understand CAS in order to be able to create something that can be launched directly from a shared resource, or you ignore all this and use ClickOnce.

Microsoft CAS Survey

In 2005, Microsoft called a survey to find out why CAS was so unpopular, hoping to improve it so that it becomes more applicable. Unfortunately, I could not find the results of the survey, and then this post details in some detail why CAS is not used enough.

CAS in another world

This post, however, points to an intriguing niche: CAS applies to another world: Unix / Linux. They do not call it CAS, instead BitFrost . How it is for a real application: The One Laptop per Child project , which relies on BitFrost as a replacement for the traditional Unix security model.

Update: a section on CAS on Unix / Linux as BitFrost and a poll section.
Update: added CAS vs ClickOnce section
Update: Added a list of resources using CAS (and an apology for all these updates in line!)

+35
Oct. 14 '09 at 16:22
source share

Technically, this is very useful because it allows you to get a very fine specification of permissions. This is good for you (since theoretically it makes using security vulnerabilities much more difficult - even if the attacker gains full control over your application, it is still blocked in CAS Sandbox) and for your client (because they can see for sure that your application can execute and run your own security audit).

In practical use, this is basically meaningless. I think this is too complicated, too little supported by accessible tools for developers, and most users still don't care.

Of course, there are exceptions (governments and clients who really know .net / CAS), and I would like to say that CAS is absolutely useful and necessary, but reality speaks a clear language.

+10
Oct 14 '09 at 16:37
source share

Note to the reader: see two comments below; it sounds like I accidentally inflated the definition of CAS (wrong), including RBS. I will leave the answer here for reference, but note the difference.



There are two cases in CAS: what you will see most in this exam is all the nuances for the code that calls another code, which can be useful for partial trust, but most of the time it is just a pain - and even worse: if your the code has full trust (which is the most / too much) none of them actually execute (it is completely skipped).

A useful part of CAS RBS is the basic resolution that is used; Of course, your user interface should check for access to functions, but you can put (in your low-level logic):

[PrincipalPermission(SecurityAction.Demand, Role = "ADMIN")] static void DeleteOrder(int id) { ... }

This will be respected even in full confidence; you can define your own principal (user-bound) by doing IPrincipal (see IsInRole() ). And since principles are supported in most environments (winforms, webforms, mvc, wcf, etc.), this can make it a very flexible way to double-check security at a business level without having to refer to a specific security model . Please note that the above verification will work in any environment.

You can also use this to control your user interface. I had a Usenet mail that turned on / off principle-based winforms controls (using runtime properties to specify a role for the control, a bit like ToolTip , etc.) - I can't find it in a minute though (( edit: maybe this one ).

+5
Oct 18 '09 at 8:49
source share

What you need to know about the security of access to the code is that it is used very little by the application developer, not understanding how it is used, and at what level of permission for the API you can call. The only exception to this that I really found useful is a CAS called PrincipalPermission, which basically does not allow you to execute certain code if the correct role is not defined for the current Principal. See this post on it:

http://www.coderjournal.com/2008/03/securing-mvc-controller-actions/

Developers who really need to pay attention to CAS and how they should be implemented in their application are developers of infrastructure and code. Since there is a certain level of trust that is required to require the application to work, especially when working with unmanaged resources such as files, network streams, serial ports, etc. Or, if you are creating code for this unmanaged resource, for example, with a server or with any kind of low-level access to your assemblies, you will want to create some protection of access to the code around it, so that people are not allowed to do something that they were strictly forbidden.

It doesn’t help that Microsoft didn’t actually do a great job explaining how CAS should be used in a daily application. So this is really the reason for the lack of use. However, CAS is one of the many reasons that .NET is such a secure language and suffers from far fewer problems than its competitors.

+2
Oct. 14 '09 at 16:06
source share

I was the initiator of the project development to get JITC certification (US Department of Defense) for the solution based on .NET and CAS settings were carefully analyzed during certification tests.

Like most other certification requirements, the code can only use the privileges necessary for work, and nothing more.

If you plan on getting security certificates, CAS can definitely be important.

+2
Oct 14 '09 at 16:31
source share

One thing you should know is that access code security is largely compromised as a method of protection against unauthorized access. Cm:

CAS Tamper-Proofing Error: Implications for Software Licensing

...

Access code protection can no longer be used to prevent the use of unauthorized assemblies in shipped products. This means that if your application depends on the security of access to the code to perform licensing checks, it is trivial for an attacker to replace your licensed assembly with another, thereby gaining free access to your application.

...

+1
Oct 21 '09 at 23:14
source share

Although I never used it, my understanding of CAS was that it could also be used to extend object-oriented design mechanics. For example, let's say you are developing a massive data access package for a bank that should implement database access and caching. Despite the fact that they are part of the same deployment package, given the hypothetical size of the project, the logic should be implemented in separate assemblies, since they are quite different sets of tasks depending on different external forces (database infrastructure and consumer use) .

However, caching code may require access to some sensitive classes or methods in a data access assembly that consumers of the general package should not have access to. Therefore, these classes and data access methods cannot be public . Protected methods in a data access assembly with subclasses in a caching assembly may circumvent some cases, but often this leads to abuse of inheritance. It might be more elegant to leave them public using LinkDemands hosted by callers for a user permission (like DataPackagePermisson ) that administrators would only provide to the cached assembly.

+1
Oct 22 '09 at 23:38
source share

We used CAS for our applications not very hard, since we were only trying to stop the execution of unauthorized code. Problems arose after using our software from a shared resource on the local network, but the casino policy cleared the problem.

  • We have assembled all our assemblies using a strong name.
  • We created a cas-policy for all assemblies with our strong name and allowed code signed with our strong name to run from the local network and locally hosted code.
  • Assemblies downloaded from the local network, requiring local access to files (a component for writing data), necessary to obtain the link-demand attribute for all open classes.

Since the update of .NET3.5, our problems no longer existed, since the code on the local network is now treated as local code.

0
Oct 18 '09 at 9:04
source share


More articles:


All Articles