1 / 21

System.Security.policy Namespace

System.Security.policy Namespace. By: Marepalli Gayathri. System.Security.policy Namespace. Security policy provides mapping between evidence and permissions. The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.

feng
Download Presentation

System.Security.policy Namespace

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. System.Security.policy Namespace By: Marepalli Gayathri

  2. System.Security.policy Namespace • Security policy provides mapping between evidence and permissions. • The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain. • The System.security.policy Namespace contains 3 classes code groups, membership conditions, and evidence. • These classes are used to create the rules applied by the common language runtime (CLR) security policy system

  3. System.Security.policy Namespace Security policy Levels: .NET divides security policy into 4 levels: • Enterprise Policy Level • Machine Policy Level • User Policy Level • Application Domain Policy Level

  4. System.Security.policy Namespace • Policy Level contains 3 key elements: 1.Code groups 2. Named permission sets 3. Fully trusted assemblies Code group: Organized in tree structure

  5. System.Security.policy Namespace • Code group contains name and a description and few elements: 1.Membership Condition: 2. permission set 3.Child code groups 4. Attributes a. Exclusive b. Level Final

  6. System.Security.policy Namespace Policy Resolution:

  7. System.Security.policy Namespace • System.Security.Policy.CodeGroup class:

  8. System.Security.policy Namespace • Structure of code group class: • Membership Condition: An object implements from System.Security.Policy.IMembershipCondition interface. • Policy Statement: Contains System.Security.Policy.PolicyStatement class System.Security.Policy.PolicyStatementAttribute (codegroup’s attributes) System.Security.Permissionset Children: uses System.Collections.IList

  9. System.Security.policy Namespace Programming Membership conditions: These are the classes thatcontains IMembershipCondition interface Ex: bool Check (Evidence evidence); .NET framework includes 8 membership condition classes that are members of System.security.Policy namespace

  10. System.Security.policy Namespace

  11. System.Security.policy Namespace Examples to create membership conditions: // Create a membership condition to match all code. IMembershipCondition m1 = new AllMembershipCondition( ); // Create a membership condition to match all code with Internet Zone evidence. IMembershipCondition m2 =new ZoneMembershipCondition(SecurityZone.Internet); //create a membership condition to match all code from all “google.com” sites IMembershipCondition m3= new SiteMembershipCondition(“*.google.com”); //create a membership condition to match all code with the same publisher certificate used to sign csFile.exe assembly IMembershipCondition m4= new PublisherMembershipCondition(X509Certificate.CreateFromSignedFile(“csFile.exe”));

  12. System.Security.policy Namespace • Programming Policy statements: contains 2 enumerations 1. System.security.PermissionSet 2. System.security.Policy.PolicyStatementAttribute Example to create PolicyStatement and PermissionSet objects: //create a policystatement that grants unrestricted access to everything PolicyStatement p1=new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)); //create a policyStatement that grant read access to the file “C:\g.txt” and specifies the LevelFinal attribute. PermissionSet pset=new PermissionSet(new FileIOPermission (FileIOPermissionAccess.Read,@”C:\g.txt”)); PolicyStatement p2=new PolicyStatement(pset,PolicyStatementAttribute.LevelFinal);

  13. System.Security.policy Namespace Creating code groups: // create the permission set and adding unrestricted file access. PermissionSet pset=new PermissionSet(PermissionState.None); pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted)); // create the policy statement and set the exclusive attribute. PolicyStatement pstate= new Policystatement(pset,PolicyStatementAttribute.Exclusive); // Create membershipCondition to match all “*.google.com” sites. IMembershipCondition mc=new SiteMembershipCondition(“*.google.com”); //create the UnionCodeGroup and UnionCodeGroup cg=new unionCodeGroup(mc,pstate);

  14. System.Security.policy Namespace • Programming Policy Levels: contains System.Security.Policy.PolicyLevel class which contains Fully Trusted assemblies, named permission sets. Managing a fully trusted assembly: Ex: creates a StrongNameMembershipCondition object to add an entry to fully trusted assembly // create a byte array containing the strong name public key data byte[] publickey={0,36,0,0,4,128,0,0,148,0,0,0,169,206,36,4,82,66,,36,0,0,223,231,138,171,62,192…………………………………………………………………………}; //create a strongname publickeyBlob object from the public key byte array. StrongNamePublicKeyBlob blob=new StrongNamePublicKeyBlob(publickey); //create a version object based on the assembly version number Version version=new Version(“1.230.1.1”);

  15. System.Security.policy Namespace //create the new StrongNameMembershipCondition StrongNameMembershipCondition mc=new StrongNameMembershipCondition (blob,”HelloWorld”,version); //create a new application domain policy level PolicyLevel p=PolicyLevel.CreateAppDomianLevel(); // add the strongnamemembershipcondition to fully trusted assembly list p.AddFullTrustAssembly(mc);

  16. System.Security.policy Namespace Managing named permission sets: GetNamedPermissionSet method returns a NamedPermissionSet with specified name NamedPermissionSetsGets an IList containing set of namedPermission Objects Ex: //create a new application domain policy level PolicyLevel p=PolicyLevel.CreateAppDomainLevel(); //get a copy of default permission set named “Internet” and call it “NewPermissionSet” NamedPermissionSet ps=p.GetNamedPermissionSet(“Internet”).Copy(“NewPermissionSet”); //add the new permission set p.AddNamedPermissionset(ps);

  17. System.Security.policy Namespace //Modify the permission set “NewPermissionSet” to grant unrestricted access p.ChangeNamedPermissionSet(“NewPermissionset”,new Permissionset(PermissionState.Unrestricted)); //Remove the NewPermissionSet permission set p.RemoveNamedPermissionSet(“NewPermissionSet”); Managing CodeGroup tree: Ex: // create a new application domain policy level. PolicyLevel p=PolicyLevel.CreateAppDomainLevel(); //create the xyz named permission set as a copy of default LocalIntranet namedpermission set p.AddNamedPermissionSet(p.GetNamedPermissionSet (“LocalIntranet”).Copy(“xyz”));

  18. System.Security.policy Namespace // Create the My_Site code group that matches all code run from the www.mysite.com" Site and grants it FullTrust. UnionCodeGroup MySite = new UnionCodeGroup( new SiteMembershipCondition ("www.mysite.com"), new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))); MySite.Name = "My_Site"; // Create the Work_Site code group that matches all code run from the www.company.com" Site and grants it the MyCompany, permission set. UnionCodeGroup WorkSite = new UnionCodeGroup( new SiteMembershipCondition("www.company.com"), new PolicyStatement(p.GetNamedPermissionSet("MyCompany"))); WorkSite.Name = "Work_Site";

  19. System.Security.policy Namespace // Create the Internet_Code code group that matches all code run from the Internet Zone and grants it Internet permissions. UnionCodeGroup Internet = new UnionCodeGroup( new ZoneMembershipCondition(SecurityZone.Internet), new PolicyStatement(p.GetNamedPermissionSet("Internet"))); Internet.Name=“Internet_Code”; // Add the My_Site and Work_Site code groups as children of the Internet code group Internet.AddChild(MySite); Internet.AddChild(WorkSite);

  20. System.Security.policy Namespace // Create the My_Code code group that matches all code run from the My_Computer Zone and grants it FullTrust. UnionCodeGroup MyCode = new UnionCodeGroup( new ZoneMembershipCondition(SecurityZone.MyComputer), new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))); MyCode.Name = "My_Code"; // Create the root UnionCodeGroup that matches all code, but grants no permissions. UnionCodeGroup Root = new UnionCodeGroup( new AllMembershipCondition( ), new PolicyStatement(p.GetNamedPermissionSet("Nothing"))); Root.Name = "All_Code"; // Add the My_Code and Internet_Code groups as children of the root code group Root.AddChild(MyCode); Root.AddChild(Internet); // Assign the code group tree to the PolicyLevel p.RootCodeGroup = Root;

  21. Thank You

More Related