views:

985

answers:

9

I am in the process of studying for the 70-536 .NET Framework - Application Development Foundation Exam, as I have been programming .net for many years, this should not be hard!

However I am having to learn about “Code Access Security” (CAS), As I have never had a need to use or configure it, I was wondering if anyone else has found a real life usage for it?

Please provide examples of when you have used CAS and it has been part of the solution rather then the problem.

(So far everything else has had some relationship to task I have had to do in my years of .NET programming)


Related questions:


Results so far.

  • CAS is useful when you are hosting 3rd party code. E.g. a web hosting company can use it to stop their customer's Asp.net code doing damage to the servers. (Office also make use of it when .NET is used as a replacement for VBA)

  • The only detailed example of it being used outside of a Microsoft application so far are:

    A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there.

  • CAS seems to be useful to get JITDC certification, that is like by the US department of defence, however I don’t know if CAS was of any real value, or if it was just box ticking.

(If you need to bypass a host that uses CAS and you have admin rights on them machine, you can just put your assemblies in the GAC.)

Looking forward, CAS is a bit less complex in .net 4.


At least it looks like the new Microsoft exams will not have a “foundation” exam that includes CAS. I don’t know if it will make it into the new Winforms/WPF exams.

A: 

Hi Ian,

I tried to use it some time ago, but dropped it, mainly because additional steps required to build that CAS definition file. I would use it to register my assemblies into Sharepoint websites.

For this development kind, I personally prefer to register them into GAC, so I don't need to deal with CAS; however, its possible to use CAS to avoid high privileged assemblies (aka full trust) to run on your web server.

Rubens Farias
I don't understand your comment about how CAS and GAC are related. Because one is a cache of global assemblies and the other is code access security. Are you just saying that when registered in the GAC it is considered trusted so you don't have to worry about CAS? Because that is not really the purpose of CAS.
Nick Berardi
@Nick: ty for your feedback; please consider this post: http://stackoverflow.com/questions/1073347/web-part-dll-in-gac-or-bin-using-sharepoint-2007/1073830#1073830
Rubens Farias
What do you mean consider it? I was commenting on the fact that you some how equated putting an assembly in the GAC to not needing CAS. I still don't understand your comment, because it seems to be only an isolated knowledge dump pertaining to a certain practice for deploying Sharepoint sites in a way to avoid the CAS. None of which answers the original posters question.
Nick Berardi
Also the fact that you are putting it in the GAC to avoid the CAS, is just a setting of that machine. You can infact say that everything in the GAC or certain assemblies in the GAC should be treated as medium trust.
Nick Berardi
@Nick, dont get me wrong: I just wanted to explain the reasons behind my answer, since I first tried to use CAS to avoid GAC deployment
Rubens Farias
+2  A: 

The thing to understand about Code Access Security is that it is of very little use to an application developer beyond understanding how it is being used and at what permission level for API's that you may be calling. The only exception to this, that I have really found useful is a CAS called PrincipalPermission, it basically doesn't allow certain code to be executed if the right Role isn't defined for the current Principal. See this post on it:

http://www.coderjournal.com/2008/03/securing-mvc-controller-actions/

The developers that really need to pay attention to CAS and how it should be implemented in their application is the framework and code library developers. Because there is certain levels of trust that you need to demand inorder for your application to work especially when dealing with unmanaged resources such as files, network streams, serial ports, etc. Or if you are creating the code for that unmanaged resource like some speicalized server, or any kind of low level access in to your assemblies you will want to create some code access security around it so that people aren't allowed to execute something that has been strictly denied to them.

It doesn't help that Microsoft hasn't really done that great of a job explaining how CAS should be used in every day application. So that is really the reason for lack of use. However CAS is one of the many reasons that .NET is such a secure language and suffers from a lot fewer problems than its competitors.

Nick Berardi
PrincipalPermission is technically not Code Access Security, it is Role-Based Security. The difference is that Role-Based Security relies on the CurrentPrincipal as its evidence, whereas Code Access Security relies on the machine's security policy and assembly strong-naming. CurrentPrincipal is modifiable by the caller, so the trust lies in the developer's hands. Security policy is set by local adminstrator, so the trust lies in the operator's hands.
gWiz
+18  A: 
Abel
+2  A: 

I was the development lead on a project to get JITC certification (US Department of Defense) for a .NET based solution, and the CAS settings were scrutinized very closely during the certification testing.

Like most of the other certification requirements, the code could only use the privileges it needed to work and no more.

If you are planning to get security certifications CAS can definitely be important.

Dana Holt
+6  A: 

Technically, it's very useful as it allows a very fine grained permission specification. This is both good for you (as theoretically it makes exploiting security vulnerabilities a lot harder - even if an attacker gains full control over your app, he is still locked in the CAS Sandbox) and for your customer (as they can see exactly what your application can do and run their own security audit).

In practical use, it's mostly meaningless. I think it's too complex, too little supported by the available dev tools and most users don't care anyway.

There are exceptions of course (Governments and customers who really know .net/CAS) and I would love to say that CAS is absolutely useful and mandatory, but the reality speaks a clear language.

Michael Stum
So yet another good ideal that does not pass the “real life” test, pity we all have to learn it to pass the exams…
Ian Ringrose
Sadly yes. I see the main problem with the fact that there simply is no tooling for it. I simply do not know which permissions I need (at least not their internal names) and the stuff is quite complex. Ideally I would like to execute my app in a "Sandbox" and then get a report "Your app needed these permissions" so that I can review them and create the CAS policy from it, but such a sandbox does (AFAIK) not exist.
Michael Stum
+3  A: 

Note to reader: see the two comments below; it sounds like I'm accidentally inflating the definition of CAS to (incorrectly) include RBS. I'll leave the answer here for reference, but note the distinction.


There are two havles to CAS; the thing you'll see most about in that exam is all the nuances for code calling other code, which may be useful for partial trust, but most of the time it is simply a pain - and worse: if your code has full trust (which most / too-much does) none of it actually executes (it is skipped entirely).

The useful part of CAS RBS is principal permission, which is used; of course, your UI should verify access to features, but you can put (in your low-down logic):

[PrincipalPermission(SecurityAction.Demand, Role = "ADMIN")]
static void DeleteOrder(int id) { ... }

This will be enforced even in full trust; you can define your own principal (tied to the user) by implementing IPrincipal (look at IsInRole()). And since principals are supported in most environments (winforms, webforms, mvc, wcf, etc) this can make for a very flexible way to double-check security at the business layer without having to reference the specific security model. Note that the above check would work in any environment.

You can also perhaps use this to drive your UI. I did have a usenet post that enabled / disabled winforms controls based on the principal (using runtime properties to specify the role per control, a bit like ToolTip etc) - I can't find it at the minute, though (edit: maybe this one).

Marc Gravell
AFAIK, PrincipalPermission does not fall under CAS, but instead under Role-Based Security. CAS places the trust determination in the hands of the site administrator. RBS places the trust determination in the hands of the developer. Huge fundamental difference.
gWiz
I don't think CAS includes securing code based on Principal or user identity. In fact according to the definition of CAS from microsoft (http://msdn.microsoft.com/en-us/library/930b76w0.aspx) it is explicitly described as something *beyond* giving permissions based on user identity, which is characterized as useful but not nearly sufficient.
Cheeso
@gWiz, @Cheeso - OK; thanks for the clarification. They are, then, merely *related* concepts. In which case, I guess my answer could be a lot shorter: "IMO, not so much" ;-p
Marc Gravell
A: 

We used CAS for our Applications was not really to hard, since we'd only tried to stop unauthuorized code execution. Problems came up once using our software from local network share, but a cas-policy cleaned the problem out.

  1. We secured all our assemblies using a strong name.
  2. We created a cas-policy for all assemblies with our strong name and allowed code signed with our strong name to start from local area network and locally placed code.
  3. Assemblies loaded from local area network needing local file access (component for burning data cds) needed to get the link-demand attribute on all public classes.

Since update of .NET3.5 our problems were not existent anymore, since code on local area network is now handled like local code.

BeowulfOF
+1  A: 

One thing you should know is that Code Access Security is pretty much broken as a method for tamper-proofing. See:

CAS Tamper-Proofing is Broken: Consequences for Software Licensing

...

Code Access Security can no longer be relied upon to prevent the use of tampered assemblies in shipped products. This means that if your application is dependent upon Code Access Security to perform licensing checks, it is trivial for an attacker to replace your licensing assembly with another, thereby gaining free access to your application.

...

Duncan Bayne
This is more about removing the requirement for digitally signed "childed" assemblies rather then CAS. You have always been able to disassemble the host remove the signing checks and then reassemble it. How you can do it with a few mouse clicks... +1 for pointing out that CAS is only as good as the protection you have on the host.
Ian Ringrose
A: 

Although I've never used it, my understanding of CAS was that it could also be used to expand object-oriented design mechanics. For example, say you are developing a massive data access package for a bank that must implement database access and caching. Even though they are part of the same deployment package, given the hypothetical size of the project, the logic should be implemented in separate assemblies since they are sufficiently different problem sets that hinge on different external forces (database infrastructure vs consumer usage).

However, the caching code might need to access some sensitive classes or methods in the data access assembly that consumers of the overall package shouldn't have access to. Therefore these data access classes and methods can't simply be public. Protected methods in the data access assembly with subclasses in the caching assembly could get around some cases, but often times it's an abuse of inheritance. It might simply be more elegant to leave them public with LinkDemands placed on callers for a custom Permission (e.g. DataPackagePermisson) that administrators would only grant to the caching assembly.

gWiz