system security policy namespace
Skip this Video
Download Presentation
System.Security.policy Namespace

Loading in 2 Seconds...

play fullscreen
1 / 21

System.Security.policy Namespace - PowerPoint PPT Presentation

  • Uploaded on

System.Security.policy Namespace. By: Marepalli Gayathri. System.Security.policy Namespace. Security policy provides mapping between evidence and permissions. The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' System.Security.policy Namespace' - feng

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
system security policy namespace1
System.Security.policy Namespace
  • Security policy provides mapping between evidence and permissions.
  • The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.
  • The Namespace contains 3 classes

code groups, membership conditions, and evidence.

  • These classes are used to create the rules applied by the common language runtime (CLR) security policy system
system security policy namespace2
System.Security.policy Namespace

Security policy Levels:

.NET divides security policy into 4 levels:

  • Enterprise Policy Level
  • Machine Policy Level
  • User Policy Level
  • Application Domain Policy Level
system security policy namespace3
System.Security.policy Namespace
  • Policy Level contains 3 key elements:

1.Code groups

2. Named permission sets

3. Fully trusted assemblies

Code group: Organized in tree structure

system security policy namespace4
System.Security.policy Namespace
  • Code group contains name and a description and few elements:

1.Membership Condition:

2. permission set

3.Child code groups

4. Attributes

a. Exclusive

b. Level Final

system security policy namespace6
System.Security.policy Namespace
  • System.Security.Policy.CodeGroup class:
system security policy namespace7
System.Security.policy Namespace
  • Structure of code group class:
  • Membership Condition: An object implements from

System.Security.Policy.IMembershipCondition interface.

  • Policy Statement: Contains

System.Security.Policy.PolicyStatement class

System.Security.Policy.PolicyStatementAttribute (codegroup’s attributes)


Children: uses System.Collections.IList

system security policy namespace8
System.Security.policy Namespace

Programming Membership conditions:

These are the classes thatcontains IMembershipCondition interface

Ex: bool Check (Evidence evidence);

.NET framework includes 8 membership condition classes that are members of namespace

system security policy namespace10
System.Security.policy Namespace

Examples to create membership conditions:

// Create a membership condition to match all code.

IMembershipCondition m1 = new AllMembershipCondition( );

// Create a membership condition to match all code with Internet Zone evidence.

IMembershipCondition m2 =new ZoneMembershipCondition(SecurityZone.Internet);

//create a membership condition to match all code from all “” sites

IMembershipCondition m3= new SiteMembershipCondition(“*”);

//create a membership condition to match all code with the same publisher certificate used to sign csFile.exe assembly

IMembershipCondition m4= new PublisherMembershipCondition(X509Certificate.CreateFromSignedFile(“csFile.exe”));

system security policy namespace11
System.Security.policy Namespace
  • Programming Policy statements:

contains 2 enumerations



Example to create PolicyStatement and PermissionSet objects:

//create a policystatement that grants unrestricted access to everything

PolicyStatement p1=new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));

//create a policyStatement that grant read access to the file “C:\g.txt” and specifies the LevelFinal attribute.

PermissionSet pset=new PermissionSet(new FileIOPermission (FileIOPermissionAccess.Read,@”C:\g.txt”));

PolicyStatement p2=new PolicyStatement(pset,PolicyStatementAttribute.LevelFinal);

system security policy namespace12
System.Security.policy Namespace

Creating code groups:

// create the permission set and adding unrestricted file access.

PermissionSet pset=new PermissionSet(PermissionState.None);

pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted));

// create the policy statement and set the exclusive attribute.

PolicyStatement pstate= new Policystatement(pset,PolicyStatementAttribute.Exclusive);

// Create membershipCondition to match all “*” sites.

IMembershipCondition mc=new SiteMembershipCondition(“*”);

//create the UnionCodeGroup and

UnionCodeGroup cg=new unionCodeGroup(mc,pstate);

system security policy namespace13
System.Security.policy Namespace
  • Programming Policy Levels:

contains System.Security.Policy.PolicyLevel class which contains Fully Trusted assemblies, named permission sets.

Managing a fully trusted assembly:

Ex: creates a StrongNameMembershipCondition object to add an entry to fully trusted assembly

// create a byte array containing the strong name public key data

byte[] publickey={0,36,0,0,4,128,0,0,148,0,0,0,169,206,36,4,82,66,,36,0,0,223,231,138,171,62,192…………………………………………………………………………};

//create a strongname publickeyBlob object from the public key byte array.

StrongNamePublicKeyBlob blob=new StrongNamePublicKeyBlob(publickey);

//create a version object based on the assembly version number

Version version=new Version(“”);

system security policy namespace14
System.Security.policy Namespace

//create the new StrongNameMembershipCondition

StrongNameMembershipCondition mc=new StrongNameMembershipCondition (blob,”HelloWorld”,version);

//create a new application domain policy level

PolicyLevel p=PolicyLevel.CreateAppDomianLevel();

// add the strongnamemembershipcondition to fully trusted assembly list


system security policy namespace15
System.Security.policy Namespace

Managing named permission sets:

GetNamedPermissionSet method returns a NamedPermissionSet with specified name

NamedPermissionSetsGets an IList containing set of namedPermission Objects

Ex: //create a new application domain policy level

PolicyLevel p=PolicyLevel.CreateAppDomainLevel();

//get a copy of default permission set named “Internet” and call it “NewPermissionSet”

NamedPermissionSet ps=p.GetNamedPermissionSet(“Internet”).Copy(“NewPermissionSet”);

//add the new permission set


system security policy namespace16
System.Security.policy Namespace

//Modify the permission set “NewPermissionSet” to grant unrestricted access

p.ChangeNamedPermissionSet(“NewPermissionset”,new Permissionset(PermissionState.Unrestricted));

//Remove the NewPermissionSet permission set


Managing CodeGroup tree:

Ex: // create a new application domain policy level.

PolicyLevel p=PolicyLevel.CreateAppDomainLevel();

//create the xyz named permission set as a copy of default LocalIntranet namedpermission set

p.AddNamedPermissionSet(p.GetNamedPermissionSet (“LocalIntranet”).Copy(“xyz”));

system security policy namespace17
System.Security.policy Namespace

// Create the My_Site code group that matches all code run from the" Site and grants it FullTrust.

UnionCodeGroup MySite = new UnionCodeGroup(

new SiteMembershipCondition (""),

new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));

MySite.Name = "My_Site";

// Create the Work_Site code group that matches all code run from the" Site and grants it the MyCompany, permission set.

UnionCodeGroup WorkSite = new UnionCodeGroup(

new SiteMembershipCondition(""),

new PolicyStatement(p.GetNamedPermissionSet("MyCompany")));

WorkSite.Name = "Work_Site";

system security policy namespace18
System.Security.policy Namespace

// Create the Internet_Code code group that matches all code run from the Internet Zone and grants it Internet permissions.

UnionCodeGroup Internet = new UnionCodeGroup(

new ZoneMembershipCondition(SecurityZone.Internet),

new PolicyStatement(p.GetNamedPermissionSet("Internet")));


// Add the My_Site and Work_Site code groups as children of the Internet code group



system security policy namespace19
System.Security.policy Namespace

// Create the My_Code code group that matches all code run from the My_Computer Zone and grants it FullTrust.

UnionCodeGroup MyCode = new UnionCodeGroup(

new ZoneMembershipCondition(SecurityZone.MyComputer),

new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));

MyCode.Name = "My_Code";

// Create the root UnionCodeGroup that matches all code, but grants no permissions.

UnionCodeGroup Root = new UnionCodeGroup(

new AllMembershipCondition( ),

new PolicyStatement(p.GetNamedPermissionSet("Nothing")));

Root.Name = "All_Code";

// Add the My_Code and Internet_Code groups as children of the root code group



// Assign the code group tree to the PolicyLevel

p.RootCodeGroup = Root;