System security policy namespace

Presentation Transcript


System.Security.Policy Namespace

By:

Marepalli Gayathri


  • Security policy provides the mapping between evidence (what the runtime knows about an assembly: its origin zone, site, URL, strong name, publisher certificate, hash) and permissions.

  • The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.

  • The System.Security.Policy namespace contains three kinds of classes: code groups, membership conditions, and evidence.

  • These classes are used to create the rules applied by the common language runtime (CLR) security policy system.


Security policy levels:

.NET divides security policy into 4 levels:

  • Enterprise Policy Level

  • Machine Policy Level

  • User Policy Level

  • Application Domain Policy Level

Each level is evaluated independently and the resulting permission sets are intersected, so an assembly finally receives only the permissions that every level grants; a level can take permissions away, but it can never add a permission that another level withholds.


  • A policy level contains 3 key elements:

    1. Code groups

    2. Named permission sets

    3. Fully trusted assemblies (strong names of the assemblies that policy evaluation itself depends on, such as assemblies implementing custom permissions or membership conditions)

    Code groups are organized in a tree structure. Resolution starts at the root, and a group's children are examined only when the group's own membership condition matches the evidence.


  • A code group contains a name and a description, plus these elements:

    1. Membership condition (which evidence the group matches)

    2. Permission set (what matching code is granted at this level)

    3. Child code groups

    4. Attributes

    a. Exclusive: only this group's permission set applies at this policy level; the permission sets of any other matching groups at the level are ignored.

    b. LevelFinal: policy levels below this one are not evaluated for code that matches this group.



Policy Resolution:


  • Structure of the System.Security.Policy.CodeGroup class:

  • Membership condition: an object that implements the
    System.Security.Policy.IMembershipCondition interface and decides which evidence the group matches.

  • Policy statement: a System.Security.Policy.PolicyStatement object, which holds
    a System.Security.PermissionSet (the permissions granted) and a
    System.Security.Policy.PolicyStatementAttribute value (the code group's attributes).

  • Children: the child code groups, exposed as a System.Collections.IList.


Programming membership conditions:

A membership condition is a class that implements the IMembershipCondition interface. Its key member is

    bool Check(Evidence evidence);

which returns true when the supplied evidence satisfies the condition.

The .NET Framework includes 8 membership condition classes in the System.Security.Policy namespace: AllMembershipCondition, ApplicationDirectoryMembershipCondition, HashMembershipCondition, PublisherMembershipCondition, SiteMembershipCondition, StrongNameMembershipCondition, UrlMembershipCondition and ZoneMembershipCondition.

Examples to create membership conditions:

using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Policy;

// Create a membership condition to match all code.
IMembershipCondition m1 = new AllMembershipCondition();

// Create a membership condition to match all code with Internet Zone evidence.
IMembershipCondition m2 = new ZoneMembershipCondition(SecurityZone.Internet);

// Create a membership condition to match all code from hosts under google.com
// (a leading "*." wildcard matches any host name ending in ".google.com").
IMembershipCondition m3 = new SiteMembershipCondition("*.google.com");

// Create a membership condition to match all code signed with the same publisher
// (Authenticode) certificate that was used to sign the csFile.exe assembly.
IMembershipCondition m4 = new PublisherMembershipCondition(
    X509Certificate.CreateFromSignedFile("csFile.exe"));
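The following is an added example, not code from the original slides: it exercises IMembershipCondition.Check against hand-built Evidence objects, including a HashMembershipCondition that pins the exact bytes of an assembly. The Evidence (Zone, Site and Hash objects), the host name www.google.com and the use of the running program's own assembly as the hashed binary are all constructed for illustration. It is written for .NET Framework 2.0-3.5; on 4.x the same types still exist but are marked obsolete, and they do not exist in .NET Core / .NET 5+.

```csharp
// Added example, not from the original slides. Targets .NET Framework 2.0-3.5
// (obsolete but present on 4.x; absent from .NET Core / .NET 5+).
using System;
using System.Reflection;
using System.Security;
using System.Security.Cryptography;
using System.Security.Policy;

static class MembershipConditionCheckDemo
{
    // Names of the conditions (in the order supplied) that accept the given evidence.
    static string Matches(Evidence ev, string[] names, IMembershipCondition[] conditions)
    {
        string result = "";
        for (int i = 0; i < conditions.Length; i++)
            if (conditions[i].Check(ev))
                result += (result.Length == 0 ? "" : ", ") + names[i];
        return result.Length == 0 ? "(none)" : result;
    }

    static void Main()
    {
        // Hash evidence computed from this program's own assembly, the same way the
        // runtime derives Hash evidence for an assembly it loads (constructed input).
        Assembly self = Assembly.GetExecutingAssembly();
        Hash selfHash = new Hash(self);
        byte[] sha256 = selfHash.GenerateHash(SHA256.Create());

        // A digest with one bit flipped stands in for a modified binary.
        byte[] tampered = (byte[])sha256.Clone();
        tampered[0] ^= 0x01;

        string[] names = { "all code", "Internet zone", "*.google.com", "exact hash", "tampered hash" };
        IMembershipCondition[] conditions = {
            new AllMembershipCondition(),
            new ZoneMembershipCondition(SecurityZone.Internet),
            new SiteMembershipCondition("*.google.com"),
            new HashMembershipCondition(SHA256.Create(), sha256),
            new HashMembershipCondition(SHA256.Create(), tampered),
        };

        // Evidence for the binary as if downloaded from www.google.com (constructed).
        Evidence fromGoogle = new Evidence();
        fromGoogle.AddHost(new Zone(SecurityZone.Internet));
        fromGoogle.AddHost(new Site("www.google.com"));
        fromGoogle.AddHost(selfHash);

        // Evidence for the same bytes loaded from the local machine: zone and site
        // conditions stop matching, the hash condition still matches.
        Evidence local = new Evidence();
        local.AddHost(new Zone(SecurityZone.MyComputer));
        local.AddHost(selfHash);

        // No evidence at all: only AllMembershipCondition can accept it.
        Evidence none = new Evidence();

        Console.WriteLine("www.google.com / Internet: " + Matches(fromGoogle, names, conditions));
        Console.WriteLine("local machine:            " + Matches(local, names, conditions));
        Console.WriteLine("no evidence:              " + Matches(none, names, conditions));
    }
}
```

The three runs show the practical difference between the condition kinds: zone and site conditions describe where code came from, so the same bytes match or fail depending on the load location, while the hash condition is tied to the bytes themselves and fails for the tampered digest; an Evidence object with nothing in it satisfies only AllMembershipCondition, which is why a root group built on AllMembershipCondition should grant nothing on its own.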


  • Programming policy statements:

    A PolicyStatement combines two things:

    1. a System.Security.PermissionSet (the permissions granted to matching code)

    2. a System.Security.Policy.PolicyStatementAttribute value (an enumeration of flags: Nothing, Exclusive, LevelFinal, or All)

    Example to create PolicyStatement and PermissionSet objects:

using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Create a PolicyStatement that grants unrestricted access to everything.
PolicyStatement p1 = new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));

// Create a PolicyStatement that grants read access to the file C:\g.txt and
// specifies the LevelFinal attribute. PermissionSet has no constructor that takes
// a single IPermission, so start from an empty set and add the permission to it.
PermissionSet pset = new PermissionSet(PermissionState.None);
pset.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\g.txt"));
PolicyStatement p2 = new PolicyStatement(pset, PolicyStatementAttribute.LevelFinal);


Creating code groups:

using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Create the permission set and add unrestricted file access.
PermissionSet pset = new PermissionSet(PermissionState.None);
pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted));

// Create the policy statement and set the Exclusive attribute, so that at this
// policy level matching code gets this permission set and nothing from other groups.
PolicyStatement pstate = new PolicyStatement(pset, PolicyStatementAttribute.Exclusive);

// Create a membership condition to match all "*.google.com" sites.
IMembershipCondition mc = new SiteMembershipCondition("*.google.com");

// Create the UnionCodeGroup from the membership condition and the policy statement.
UnionCodeGroup cg = new UnionCodeGroup(mc, pstate);


  • Programming policy levels:

    The System.Security.Policy.PolicyLevel class represents one policy level. It holds the level's root code group, its named permission sets and its list of fully trusted assemblies.

    Managing a fully trusted assembly:

    Ex: create a StrongNameMembershipCondition object and add it to the fully trusted assembly list

using System;
using System.Security.Permissions;
using System.Security.Policy;

// Create a byte array containing the strong name public key data
// (only the first bytes of the key are shown here).
byte[] publickey = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 169, 206, 36, 4, 82, 66, 36, 0, 0, 223, 231, 138, 171, 62, 192, ... };

// Create a StrongNamePublicKeyBlob object from the public key byte array.
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publickey);

// Create a Version object based on the assembly version number.
Version version = new Version("1.230.1.1");

// Create the new StrongNameMembershipCondition (public key, assembly name, version).
StrongNameMembershipCondition mc = new StrongNameMembershipCondition(blob, "HelloWorld", version);

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Add the StrongNameMembershipCondition to the fully trusted assembly list.
p.AddFullTrustAssembly(mc);

    Note that from .NET Framework 2.0 on, AddFullTrustAssembly is marked obsolete: assemblies in the global assembly cache are always fully trusted, so the list is no longer meaningful for them.


Managing named permission sets:

The GetNamedPermissionSet method returns the NamedPermissionSet with the specified name, or null if the level has no set with that name.

The NamedPermissionSets property returns an IList containing the level's NamedPermissionSet objects.

Ex:

using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Get a copy of the default permission set named "Internet" and call it "NewPermissionSet".
NamedPermissionSet ps = p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet");

// Add the new permission set to the level.
p.AddNamedPermissionSet(ps);

// Modify the permission set "NewPermissionSet" to grant unrestricted access.
p.ChangeNamedPermissionSet("NewPermissionSet", new PermissionSet(PermissionState.Unrestricted));

// Remove the NewPermissionSet permission set.
p.RemoveNamedPermissionSet("NewPermissionSet");

The built-in reserved sets such as FullTrust and Nothing cannot be changed or removed; ChangeNamedPermissionSet and RemoveNamedPermissionSet throw ArgumentException for them, and AddNamedPermissionSet throws ArgumentException when a set with the same name already exists.
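The following is an added example, not code from the original slides: instead of widening a copied set to unrestricted, it derives a tighter named set from the default "Internet" set, adds it to an application domain policy level, and checks that the level's original "Internet" set is untouched. The set name "RestrictedInternet" and the choice of permissions to strip are assumptions for illustration. It is written for .NET Framework 2.0-3.5; on 4.x the same types are marked obsolete, and they do not exist in .NET Core / .NET 5+.

```csharp
// Added example, not from the original slides. Targets .NET Framework 2.0-3.5
// (obsolete but present on 4.x; absent from .NET Core / .NET 5+).
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class NamedPermissionSetDemo
{
    // Returns a copy of the level's "Internet" set under a new name, with the
    // file-dialog and UI permissions removed (names chosen for this example).
    static NamedPermissionSet RestrictedInternet(PolicyLevel p, string name)
    {
        NamedPermissionSet ps = p.GetNamedPermissionSet("Internet").Copy(name);
        ps.Description = "Internet minus file dialogs and UI";
        ps.RemovePermission(typeof(FileDialogPermission));
        ps.RemovePermission(typeof(UIPermission));
        return ps;
    }

    // True when the set carries a permission object of the given type.
    static bool Has(PermissionSet ps, Type permission)
    {
        return ps.GetPermission(permission) != null;
    }

    static void Main()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        NamedPermissionSet restricted = RestrictedInternet(p, "RestrictedInternet");
        p.AddNamedPermissionSet(restricted);

        // Copy() returned a deep copy, so the level's own "Internet" set keeps
        // the permissions that were removed from the copy.
        PermissionSet internet = p.GetNamedPermissionSet("Internet");
        PermissionSet stored = p.GetNamedPermissionSet("RestrictedInternet");

        Console.WriteLine("Internet has FileDialogPermission:   " + Has(internet, typeof(FileDialogPermission)));
        Console.WriteLine("Restricted has FileDialogPermission: " + Has(stored, typeof(FileDialogPermission)));
        Console.WriteLine("Restricted is a subset of Internet:  " + stored.IsSubsetOf(internet));

        // A second set with a name already present at the level is rejected.
        try
        {
            p.AddNamedPermissionSet(restricted.Copy("RestrictedInternet"));
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("duplicate name rejected: " + e.Message);
        }
    }
}
```

Once added, the set can be referenced by name from a code group's PolicyStatement exactly like the built-in sets, which is the pattern to prefer over editing "Internet" itself: the default set stays intact for every other group that refers to it.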

Managing the code group tree:

Ex:

using System.Security;
using System.Security.Policy;

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Create the MyCompany named permission set as a copy of the default LocalIntranet
// named permission set (the Work_Site group below refers to it by this name).
p.AddNamedPermissionSet(p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany"));

// Create the My_Site code group that matches all code run from the www.mysite.com site and grants it FullTrust.
UnionCodeGroup MySite = new UnionCodeGroup(
    new SiteMembershipCondition("www.mysite.com"),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
MySite.Name = "My_Site";

// Create the Work_Site code group that matches all code run from the www.company.com site and grants it the MyCompany permission set.
UnionCodeGroup WorkSite = new UnionCodeGroup(
    new SiteMembershipCondition("www.company.com"),
    new PolicyStatement(p.GetNamedPermissionSet("MyCompany")));
WorkSite.Name = "Work_Site";

// Create the Internet_Code code group that matches all code run from the Internet zone and grants it Internet permissions.
UnionCodeGroup Internet = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.Internet),
    new PolicyStatement(p.GetNamedPermissionSet("Internet")));
Internet.Name = "Internet_Code";

// Add the My_Site and Work_Site code groups as children of the Internet_Code group.
// Because Internet_Code is a UnionCodeGroup, code that matches a child receives the
// Internet set unioned with the child's set, and the children are only considered
// for code that also carries Internet zone evidence.
Internet.AddChild(MySite);
Internet.AddChild(WorkSite);

// Create the My_Code code group that matches all code run from the My_Computer zone and grants it FullTrust.
UnionCodeGroup MyCode = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.MyComputer),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
MyCode.Name = "My_Code";

// Create the root UnionCodeGroup that matches all code, but grants no permissions.
UnionCodeGroup Root = new UnionCodeGroup(
    new AllMembershipCondition(),
    new PolicyStatement(p.GetNamedPermissionSet("Nothing")));
Root.Name = "All_Code";

// Add the My_Code and Internet_Code groups as children of the root code group.
Root.AddChild(MyCode);
Root.AddChild(Internet);

// Assign the code group tree to the PolicyLevel.
p.RootCodeGroup = Root;

Site and Zone evidence are derived from the location the code was loaded from, not from a signature, so a FullTrust grant keyed on a host name such as My_Site is only as trustworthy as the channel the code arrived over; a StrongNameMembershipCondition or PublisherMembershipCondition ties the grant to a key instead.
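The following is an added example, not code from the original slides, covering the policy resolution step the slides name but do not show: it rebuilds the tree above through a small helper so that it runs stand-alone, resolves it against constructed evidence, and reports which groups matched and what was granted, first as the tree stands and then with Work_Site marked Exclusive. The helper names (Group, BuildLevel, MakeEvidence, MatchedGroups, Granted, Describe), the Evidence objects and the "MyCompany" set are assumptions for illustration. It is written for .NET Framework 2.0-3.5; on 4.x the same types are marked obsolete, and they do not exist in .NET Core / .NET 5+.

```csharp
// Added example, not from the original slides. Targets .NET Framework 2.0-3.5
// (obsolete but present on 4.x; absent from .NET Core / .NET 5+).
using System;
using System.Security;
using System.Security.Policy;

static class PolicyResolutionDemo
{
    // Helper (this example's own) to build a named UnionCodeGroup from a
    // membership condition, a named permission set at level p, and attributes.
    static UnionCodeGroup Group(PolicyLevel p, string name, IMembershipCondition mc,
                                string permissionSetName, PolicyStatementAttribute attrs)
    {
        UnionCodeGroup cg = new UnionCodeGroup(mc,
            new PolicyStatement(p.GetNamedPermissionSet(permissionSetName), attrs));
        cg.Name = name;
        return cg;
    }

    // Rebuilds the slides' tree: All_Code(Nothing) -> My_Code(FullTrust),
    // Internet_Code(Internet) -> My_Site(FullTrust), Work_Site(MyCompany).
    // workSiteAttrs lets the caller mark Work_Site as Exclusive.
    static PolicyLevel BuildLevel(PolicyStatementAttribute workSiteAttrs)
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        p.AddNamedPermissionSet(p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany"));

        UnionCodeGroup internet = Group(p, "Internet_Code",
            new ZoneMembershipCondition(SecurityZone.Internet), "Internet", PolicyStatementAttribute.Nothing);
        internet.AddChild(Group(p, "My_Site", new SiteMembershipCondition("www.mysite.com"),
            "FullTrust", PolicyStatementAttribute.Nothing));
        internet.AddChild(Group(p, "Work_Site", new SiteMembershipCondition("www.company.com"),
            "MyCompany", workSiteAttrs));

        UnionCodeGroup root = Group(p, "All_Code", new AllMembershipCondition(),
            "Nothing", PolicyStatementAttribute.Nothing);
        root.AddChild(Group(p, "My_Code", new ZoneMembershipCondition(SecurityZone.MyComputer),
            "FullTrust", PolicyStatementAttribute.Nothing));
        root.AddChild(internet);
        p.RootCodeGroup = root;
        return p;
    }

    // Constructed host evidence for code loaded from the given zone and site.
    static Evidence MakeEvidence(SecurityZone zone, string site)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));
        if (site != null) ev.AddHost(new Site(site));
        return ev;
    }

    // Names of the matching groups, root first, as returned by ResolveMatchingCodeGroups.
    static string MatchedGroups(CodeGroup matched)
    {
        if (matched == null) return "(none)";
        string s = matched.Name;
        foreach (CodeGroup child in matched.Children) s += " > " + MatchedGroups(child);
        return s;
    }

    // Short description of a resolved permission set.
    static string Granted(PermissionSet ps)
    {
        if (ps.IsUnrestricted()) return "FullTrust (unrestricted)";
        if (ps.IsEmpty()) return "nothing";
        string s = "";
        foreach (IPermission perm in ps) s += (s.Length == 0 ? "" : ", ") + perm.GetType().Name;
        return s;
    }

    static void Describe(PolicyLevel p, string label, Evidence ev)
    {
        PolicyStatement ps = p.Resolve(ev);
        Console.WriteLine("{0}: matched {1}; granted {2}; attributes [{3}]", label,
            MatchedGroups(p.ResolveMatchingCodeGroups(ev)), Granted(ps.PermissionSet), ps.AttributeString);
    }

    static void Main()
    {
        PolicyLevel p = BuildLevel(PolicyStatementAttribute.Nothing);
        Describe(p, "local code", MakeEvidence(SecurityZone.MyComputer, null));
        Describe(p, "www.mysite.com (Internet)", MakeEvidence(SecurityZone.Internet, "www.mysite.com"));
        Describe(p, "www.company.com (Internet)", MakeEvidence(SecurityZone.Internet, "www.company.com"));
        // Site evidence alone never reaches My_Site: it is a child of Internet_Code,
        // so it is only considered for code that also carries Internet zone evidence.
        Describe(p, "www.mysite.com (Intranet)", MakeEvidence(SecurityZone.Intranet, "www.mysite.com"));
        Describe(p, "no evidence", new Evidence());

        // Same tree with Work_Site marked Exclusive: its permission set replaces the
        // union of the other matching groups, so company.com code gets MyCompany only.
        PolicyLevel pEx = BuildLevel(PolicyStatementAttribute.Exclusive);
        Describe(pEx, "www.company.com (Internet, Work_Site Exclusive)",
            MakeEvidence(SecurityZone.Internet, "www.company.com"));
    }
}
```

With the tree as built on the slides, Internet-zone code from www.mysite.com resolves to an unrestricted set, because the union of Internet with FullTrust is FullTrust, and Internet-zone code from www.company.com gets the union of the Internet and MyCompany sets; the Exclusive run shows the MyCompany set alone with "Exclusive" in the attribute string. Remember that this is only one level's verdict: the grant an assembly actually receives is the intersection of this result with the enterprise, machine and user levels.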



Thank You

