System.Security.Policy Namespace By: Marepalli Gayathri

Post on 18-Jan-2018


DESCRIPTION

System.Security.Policy Namespace. Security policy levels: .NET divides security policy into 4 levels: 1. Enterprise Policy Level, 2. Machine Policy Level, 3. User Policy Level, 4. Application Domain Policy Level.

TRANSCRIPT

Page 1: System.Security.policy Namespace By: Marepalli Gayathri

System.Security.Policy Namespace

By: Marepalli Gayathri

Page 2:

Security policy provides the mapping between evidence and permissions.

The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.

The System.Security.Policy namespace contains 3 kinds of classes: code groups, membership conditions, and evidence.

These classes are used to create the rules applied by the common language runtime (CLR) security policy system.

Page 3:

Security policy levels: .NET divides security policy into 4 levels:

1. Enterprise Policy Level
2. Machine Policy Level
3. User Policy Level
4. Application Domain Policy Level

Page 4:

A policy level contains 3 key elements:

1. Code groups
2. Named permission sets
3. Fully trusted assemblies

Code groups are organized in a tree structure.

Page 5:

A code group contains a name, a description and a few elements:

1. Membership condition
2. Permission set
3. Child code groups
4. Attributes
   a. Exclusive
   b. LevelFinal

Page 6:

Policy Resolution:

Page 7:

System.Security.Policy.CodeGroup class:

Page 8: Structure of the code group class

Membership condition: an object that implements the System.Security.Policy.IMembershipCondition interface.

Policy statement: a System.Security.Policy.PolicyStatement object, which holds a System.Security.Policy.PolicyStatementAttribute value (the code group's attributes) and a System.Security.PermissionSet.

Children: a System.Collections.IList of child code groups.

Page 9:

Programming membership conditions:

These are the classes that implement the IMembershipCondition interface, whose key method is:

Ex: bool Check(Evidence evidence);

The .NET Framework includes 8 membership condition classes that are members of the System.Security.Policy namespace.

Page 10: Membership condition classes

AllMembershipCondition: all code, irrespective of evidence.

ApplicationDirectoryMembershipCondition: the evidence collection contains both ApplicationDirectory and Url evidence.

HashMembershipCondition: the evidence collection contains a Hash object with the specified hash value.

PublisherMembershipCondition: the evidence collection contains a Publisher object with the specified publisher certificate.

SiteMembershipCondition: the evidence collection contains a Site object with the specified site name.

StrongNameMembershipCondition: the evidence collection contains a StrongName object with the specified strong name.

UrlMembershipCondition: the evidence collection contains a Url object with the specified URL location.

ZoneMembershipCondition: the evidence collection contains a Zone object with the specified security zone.

Page 11:

Examples to create membership conditions:

using System.Security;
using System.Security.Policy;
using System.Security.Cryptography.X509Certificates;

// Create a membership condition to match all code.
IMembershipCondition m1 = new AllMembershipCondition();

// Create a membership condition to match all code with Internet Zone evidence.
IMembershipCondition m2 = new ZoneMembershipCondition(SecurityZone.Internet);

// Create a membership condition to match all code from all "google.com" sites.
IMembershipCondition m3 = new SiteMembershipCondition("*.google.com");

// Create a membership condition to match all code signed with the same publisher
// certificate that was used to sign the csFile.exe assembly.
IMembershipCondition m4 = new PublisherMembershipCondition(
    X509Certificate.CreateFromSignedFile("csFile.exe"));
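The slides show how to construct membership conditions but not what Check(Evidence) actually answers for a given assembly. The following is an added example, not code from the deck: it builds a constructed Evidence collection for a hypothetical assembly loaded from the Internet zone (the zone, site and URL values are invented for the example) and runs several conditions against it. It assumes the .NET Framework 2.0/3.5 code-access-security API that the slides use; in .NET Framework 4 these types are marked obsolete and the policy system is only honoured with NetFx40_LegacySecurityPolicy, and they are absent from .NET Core / .NET 5+.

```csharp
// Added example (not from the slide deck): evaluate IMembershipCondition.Check against
// constructed Evidence to see which conditions a given assembly would satisfy.
// Assumes the .NET Framework 2.0/3.5 CAS API.
using System;
using System.Security;
using System.Security.Policy;

static class MembershipCheckDemo
{
    // Host evidence for a hypothetical assembly loaded from the Internet zone.
    // The zone, site and URL are constructed values; at run time the host
    // (CLR, browser, ASP.NET) supplies them from where the assembly really came from.
    static Evidence MakeEvidence()
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(SecurityZone.Internet));
        ev.AddHost(new Site("www.example.com"));
        ev.AddHost(new Url("http://www.example.com/apps/tool.exe"));
        return ev;
    }

    static void Main()
    {
        Evidence ev = MakeEvidence();

        string[] labels =
        {
            "AllMembershipCondition",
            "Zone = Internet",
            "Zone = Intranet",
            "Site = *.example.com (wildcard)",
            "Site = www.other.com",
            "Url = http://www.example.com/*",
            "Url = http://www.example.com/other/*",
        };
        IMembershipCondition[] conditions =
        {
            new AllMembershipCondition(),
            new ZoneMembershipCondition(SecurityZone.Internet),
            new ZoneMembershipCondition(SecurityZone.Intranet),
            new SiteMembershipCondition("*.example.com"),
            new SiteMembershipCondition("www.other.com"),
            new UrlMembershipCondition("http://www.example.com/*"),
            new UrlMembershipCondition("http://www.example.com/other/*"),
        };

        // Check() answers only "does this evidence satisfy the condition?"; which
        // permissions follow is decided by the policy statement of the code group
        // that owns the condition.
        for (int i = 0; i < conditions.Length; i++)
            Console.WriteLine("{0,-40} {1}", labels[i], conditions[i].Check(ev));
    }
}
```

Zone, Site and Url conditions match on where the host says the code came from, so they are only as reliable as the host's origin determination; StrongName, Publisher and Hash conditions are bound to the assembly bytes themselves, which is why the deck's fully-trusted-assembly list (Page 14) is keyed on a strong name rather than a location.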

Page 12:

Programming policy statements: a PolicyStatement is built from 2 elements:

1. System.Security.PermissionSet
2. System.Security.Policy.PolicyStatementAttribute

Example to create PolicyStatement and PermissionSet objects:

using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Create a policy statement that grants unrestricted access to everything.
PolicyStatement p1 = new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));

// Create a policy statement that grants read access to the file "C:\g.txt" and
// specifies the LevelFinal attribute. PermissionSet has no constructor that takes a
// permission, so the set is created empty and the permission is added to it.
PermissionSet pset = new PermissionSet(PermissionState.None);
pset.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\g.txt"));
PolicyStatement p2 = new PolicyStatement(pset, PolicyStatementAttribute.LevelFinal);

Page 13:

Creating code groups:

// Create the permission set and add unrestricted file access.
PermissionSet pset = new PermissionSet(PermissionState.None);
pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted));

// Create the policy statement and set the Exclusive attribute.
PolicyStatement pstate = new PolicyStatement(pset, PolicyStatementAttribute.Exclusive);

// Create a membership condition to match all "*.google.com" sites.
IMembershipCondition mc = new SiteMembershipCondition("*.google.com");

// Create the UnionCodeGroup from the membership condition and the policy statement.
UnionCodeGroup cg = new UnionCodeGroup(mc, pstate);

Page 14:

Programming policy levels: the System.Security.Policy.PolicyLevel class holds the fully trusted assemblies and the named permission sets.

Managing a fully trusted assembly. Ex: create a StrongNameMembershipCondition object to add an entry to the fully trusted assembly list.

// Create a byte array containing the strong name public key data
// (the remaining key bytes are elided in the original slide).
byte[] publickey = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 169, 206, 36, 4, 82, 66, 36, 0, 0, 223, 231, 138, 171, 62, 192 /* ... */ };

// Create a StrongNamePublicKeyBlob object from the public key byte array.
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publickey);

// Create a Version object based on the assembly version number.
Version version = new Version("1.230.1.1");

Page 15:

// Create the new StrongNameMembershipCondition.
StrongNameMembershipCondition mc = new StrongNameMembershipCondition(blob, "HelloWorld", version);

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Add the StrongNameMembershipCondition to the fully trusted assembly list.
p.AddFullTrustAssembly(mc);
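The slide's public key bytes are elided, so the snippet cannot be compiled as shown. As an added example (not the deck's code), the block below takes the public key from an assembly that is already loaded and strong-named (mscorlib, via typeof(object).Assembly) instead of a hand-typed array, builds the StrongNameMembershipCondition from it, adds it to the fully trusted list exactly as the slide does, and then checks the condition against constructed StrongName evidence with the same key, a different version, and a different key. The all-zero "other signer" key is a constructed value. The same .NET Framework 2.0/3.5 CAS caveat applies; AddFullTrustAssembly compiles with an obsolescence warning on 2.0 and later.

```csharp
// Added example (not from the slide deck): a StrongNameMembershipCondition built from a
// real assembly key, registered as a fully trusted assembly, and checked against evidence.
// Assumes the .NET Framework 2.0/3.5 CAS API.
using System;
using System.Reflection;
using System.Security.Policy;

static class FullTrustAssemblyDemo
{
    // Condition matching one assembly name and version signed with the given assembly's key.
    // Passing null for name and/or version would widen the match to any assembly signed
    // with that key.
    static StrongNameMembershipCondition ConditionFor(Assembly assembly)
    {
        AssemblyName an = assembly.GetName();
        byte[] publicKey = an.GetPublicKey();
        if (publicKey == null || publicKey.Length == 0)
            throw new InvalidOperationException(an.Name + " is not strong-named");
        StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publicKey);
        return new StrongNameMembershipCondition(blob, an.Name, an.Version);
    }

    // StrongName evidence as the runtime would attach it for an assembly with this identity.
    static Evidence StrongNameEvidence(byte[] publicKey, string name, Version version)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new StrongName(new StrongNamePublicKeyBlob(publicKey), name, version));
        return ev;
    }

    static void Main()
    {
        // mscorlib is always strong-named, so its key stands in for the "HelloWorld"
        // key that the slide elides.
        Assembly target = typeof(object).Assembly;
        AssemblyName an = target.GetName();
        StrongNameMembershipCondition mc = ConditionFor(target);

        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        p.AddFullTrustAssembly(mc);

        // Same key, name and version: the condition matches.
        Evidence same = StrongNameEvidence(an.GetPublicKey(), an.Name, an.Version);
        Console.WriteLine("same identity:     " + mc.Check(same));

        // Same key but another version: no match, because the condition pins a version.
        Evidence older = StrongNameEvidence(an.GetPublicKey(), an.Name, new Version(1, 0, 0, 0));
        Console.WriteLine("different version: " + mc.Check(older));

        // Same name and version but another key (constructed, all zero): no match;
        // the key is what ties the condition to the signer, not the name.
        byte[] otherKey = new byte[an.GetPublicKey().Length];
        Evidence otherSigner = StrongNameEvidence(otherKey, an.Name, an.Version);
        Console.WriteLine("different key:     " + mc.Check(otherSigner));
    }
}
```

Pinning the version, as the slide does with "1.230.1.1", means a full-trust entry has to be updated on every release of the trusted assembly; pinning only the key trusts everything that signer ships. Either way the match is decided by the public key, so a full-trust entry is only as strong as the protection of the corresponding private signing key.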

Page 16:

Managing named permission sets:

GetNamedPermissionSet: returns the NamedPermissionSet with the specified name.

NamedPermissionSets: gets an IList containing the set of NamedPermissionSet objects.

Ex:

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Get a copy of the default permission set named "Internet" and call it "NewPermissionSet".
NamedPermissionSet ps = p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet");

// Add the new permission set.
p.AddNamedPermissionSet(ps);

Page 17:

// Modify the permission set "NewPermissionSet" to grant unrestricted access.
p.ChangeNamedPermissionSet("NewPermissionSet", new PermissionSet(PermissionState.Unrestricted));

// Remove the "NewPermissionSet" permission set.
p.RemoveNamedPermissionSet("NewPermissionSet");

Managing the code group tree. Ex:

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Create the xyz named permission set as a copy of the default LocalIntranet named permission set.
p.AddNamedPermissionSet(p.GetNamedPermissionSet("LocalIntranet").Copy("xyz"));

Page 18:

// Create the My_Site code group that matches all code run from the "www.mysite.com"
// site and grants it FullTrust.
UnionCodeGroup MySite = new UnionCodeGroup(
    new SiteMembershipCondition("www.mysite.com"),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
MySite.Name = "My_Site";

// Create the Work_Site code group that matches all code run from the "www.company.com"
// site and grants it the MyCompany permission set. "MyCompany" must already have been
// added to the level with AddNamedPermissionSet (as "xyz" was above); otherwise
// GetNamedPermissionSet returns null.
UnionCodeGroup WorkSite = new UnionCodeGroup(
    new SiteMembershipCondition("www.company.com"),
    new PolicyStatement(p.GetNamedPermissionSet("MyCompany")));
WorkSite.Name = "Work_Site";

Page 19:

// Create the Internet_Code code group that matches all code run from the Internet
// zone and grants it Internet permissions.
UnionCodeGroup Internet = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.Internet),
    new PolicyStatement(p.GetNamedPermissionSet("Internet")));
Internet.Name = "Internet_Code";

// Add the My_Site and Work_Site code groups as children of the Internet_Code group.
Internet.AddChild(MySite);
Internet.AddChild(WorkSite);

Page 20:

// Create the My_Code code group that matches all code run from the MyComputer
// zone and grants it FullTrust.
UnionCodeGroup MyCode = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.MyComputer),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
MyCode.Name = "My_Code";

// Create the root UnionCodeGroup that matches all code but grants no permissions.
UnionCodeGroup Root = new UnionCodeGroup(
    new AllMembershipCondition(),
    new PolicyStatement(p.GetNamedPermissionSet("Nothing")));
Root.Name = "All_Code";

// Add the My_Code and Internet_Code groups as children of the root code group.
Root.AddChild(MyCode);
Root.AddChild(Internet);

// Assign the code group tree to the PolicyLevel.
p.RootCodeGroup = Root;
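Page 6 ("Policy Resolution") lost its diagram in the transcript, and Pages 17 to 20 build a tree without showing what it grants. The block below is an added example, not the deck's code: it assembles the same tree (My_Site, Work_Site, Internet_Code, My_Code and the All_Code root) on an application-domain policy level, creates the "MyCompany" named permission set the slides reference but never define (as a copy of LocalIntranet plus read access to a constructed path, the way Page 16 copies "Internet"), and resolves the level against constructed evidence for several origins with PolicyLevel.Resolve. The same .NET Framework 2.0/3.5 CAS caveat applies; the site names are the ones from the slides plus one constructed unknown site.

```csharp
// Added example (not from the slide deck): the slides' code group tree, built on an
// app-domain PolicyLevel and resolved against constructed evidence.
// Assumes the .NET Framework 2.0/3.5 CAS API.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class PolicyResolutionDemo
{
    static UnionCodeGroup Group(string name, IMembershipCondition mc, PermissionSet ps)
    {
        UnionCodeGroup cg = new UnionCodeGroup(mc, new PolicyStatement(ps));
        cg.Name = name;
        return cg;
    }

    static PolicyLevel BuildLevel()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

        // Named permission set for Work_Site: LocalIntranet plus read access to one
        // directory (constructed path). Must exist before GetNamedPermissionSet("MyCompany").
        NamedPermissionSet company = p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany");
        company.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\CompanyData"));
        p.AddNamedPermissionSet(company);

        UnionCodeGroup mySite   = Group("My_Site",       new SiteMembershipCondition("www.mysite.com"),       p.GetNamedPermissionSet("FullTrust"));
        UnionCodeGroup workSite = Group("Work_Site",     new SiteMembershipCondition("www.company.com"),      p.GetNamedPermissionSet("MyCompany"));
        UnionCodeGroup internet = Group("Internet_Code", new ZoneMembershipCondition(SecurityZone.Internet),  p.GetNamedPermissionSet("Internet"));
        internet.AddChild(mySite);
        internet.AddChild(workSite);

        UnionCodeGroup myCode = Group("My_Code",  new ZoneMembershipCondition(SecurityZone.MyComputer), p.GetNamedPermissionSet("FullTrust"));
        UnionCodeGroup root   = Group("All_Code", new AllMembershipCondition(),                         p.GetNamedPermissionSet("Nothing"));
        root.AddChild(myCode);
        root.AddChild(internet);

        p.RootCodeGroup = root;
        return p;
    }

    // Constructed host evidence: a zone and, optionally, a site.
    static Evidence EvidenceFor(SecurityZone zone, string site)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));
        if (site != null) ev.AddHost(new Site(site));
        return ev;
    }

    static void Report(PolicyLevel p, string label, Evidence ev)
    {
        // For a UnionCodeGroup tree, Resolve starts at the root and unions the permission
        // set of every group whose membership condition matches with those of its
        // matching children; a group that does not match contributes nothing and its
        // subtree is not visited.
        PolicyStatement ps = p.Resolve(ev);
        PermissionSet granted = ps.PermissionSet;
        string summary = granted.IsUnrestricted() ? "unrestricted (FullTrust)"
                       : granted.IsEmpty()        ? "nothing"
                       : "restricted set";
        Console.WriteLine("{0,-28} -> {1}, attributes={2}", label, summary, ps.Attributes);
    }

    static void Main()
    {
        PolicyLevel p = BuildLevel();
        Report(p, "MyComputer zone",           EvidenceFor(SecurityZone.MyComputer, null));
        Report(p, "Internet, www.mysite.com",  EvidenceFor(SecurityZone.Internet, "www.mysite.com"));
        Report(p, "Internet, www.company.com", EvidenceFor(SecurityZone.Internet, "www.company.com"));
        Report(p, "Internet, www.unknown.com", EvidenceFor(SecurityZone.Internet, "www.unknown.com"));
        Report(p, "Intranet zone, no site",    EvidenceFor(SecurityZone.Intranet, null));
    }
}
```

Reading the tree this way makes the slides' design choices visible: because the root grants "Nothing", any origin no child group recognises (the Intranet case above) ends up with no permissions, a default-deny shape that fails safe; code from www.mysite.com in the Internet zone receives Internet plus FullTrust, so the union is unrestricted, which is why a site-level FullTrust grant under an Internet group deserves scrutiny. The tree sets neither of the attributes listed on Page 5: Exclusive would make a matching group's permission set the only one applied at this level, and LevelFinal would stop evaluation of the policy levels below this one.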

Page 21:

Thank You