System security policy namespace
This presentation is the property of its rightful owner.
Sponsored Links
1 / 21

System.Security.policy Namespace PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

System.Security.policy Namespace. By: Marepalli Gayathri. System.Security.policy Namespace. Security policy provides mapping between evidence and permissions. The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.

Download Presentation

System.Security.policy Namespace

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

System security policy namespace

System.Security.policy Namespace


Marepalli Gayathri

System security policy namespace1

System.Security.policy Namespace

  • Security policy provides mapping between evidence and permissions.

  • The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.

  • The Namespace contains 3 classes

    code groups, membership conditions, and evidence.

  • These classes are used to create the rules applied by the common language runtime (CLR) security policy system

System security policy namespace2

System.Security.policy Namespace

Security policy Levels:

.NET divides security policy into 4 levels:

  • Enterprise Policy Level

  • Machine Policy Level

  • User Policy Level

  • Application Domain Policy Level

System security policy namespace3

System.Security.policy Namespace

  • Policy Level contains 3 key elements:

    1.Code groups

    2. Named permission sets

    3. Fully trusted assemblies

    Code group: Organized in tree structure

System security policy namespace4

System.Security.policy Namespace

  • Code group contains name and a description and few elements:

    1.Membership Condition:

    2. permission set

    3.Child code groups

    4. Attributes

    a. Exclusive

    b. Level Final

System security policy namespace5

System.Security.policy Namespace

Policy Resolution:

System security policy namespace6

System.Security.policy Namespace

  • System.Security.Policy.CodeGroup class:

System security policy namespace7

System.Security.policy Namespace

  • Structure of code group class:

  • Membership Condition: An object implements from

    System.Security.Policy.IMembershipCondition interface.

  • Policy Statement: Contains

    System.Security.Policy.PolicyStatement class

    System.Security.Policy.PolicyStatementAttribute (codegroup’s attributes)


    Children: uses System.Collections.IList

System security policy namespace8

System.Security.policy Namespace

Programming Membership conditions:

These are the classes thatcontains IMembershipCondition interface

Ex: bool Check (Evidence evidence);

.NET framework includes 8 membership condition classes that are members of namespace

System security policy namespace9

System.Security.policy Namespace

System security policy namespace10

System.Security.policy Namespace

Examples to create membership conditions:

// Create a membership condition to match all code.

IMembershipCondition m1 = new AllMembershipCondition( );

// Create a membership condition to match all code with Internet Zone evidence.

IMembershipCondition m2 =new ZoneMembershipCondition(SecurityZone.Internet);

//create a membership condition to match all code from all “” sites

IMembershipCondition m3= new SiteMembershipCondition(“*”);

//create a membership condition to match all code with the same publisher certificate used to sign csFile.exe assembly

IMembershipCondition m4= new PublisherMembershipCondition(X509Certificate.CreateFromSignedFile(“csFile.exe”));

System security policy namespace11

System.Security.policy Namespace

  • Programming Policy statements:

    contains 2 enumerations



    Example to create PolicyStatement and PermissionSet objects:

    //create a policystatement that grants unrestricted access to everything

    PolicyStatement p1=new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));

    //create a policyStatement that grant read access to the file “C:\g.txt” and specifies the LevelFinal attribute.

    PermissionSet pset=new PermissionSet(new FileIOPermission (FileIOPermissionAccess.Read,@”C:\g.txt”));

    PolicyStatement p2=new PolicyStatement(pset,PolicyStatementAttribute.LevelFinal);

System security policy namespace12

System.Security.policy Namespace

Creating code groups:

// create the permission set and adding unrestricted file access.

PermissionSet pset=new PermissionSet(PermissionState.None);

pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted));

// create the policy statement and set the exclusive attribute.

PolicyStatement pstate= new Policystatement(pset,PolicyStatementAttribute.Exclusive);

// Create membershipCondition to match all “*” sites.

IMembershipCondition mc=new SiteMembershipCondition(“*”);

//create the UnionCodeGroup and

UnionCodeGroup cg=new unionCodeGroup(mc,pstate);

System security policy namespace13

System.Security.policy Namespace

  • Programming Policy Levels:

    contains System.Security.Policy.PolicyLevel class which contains Fully Trusted assemblies, named permission sets.

    Managing a fully trusted assembly:

    Ex: creates a StrongNameMembershipCondition object to add an entry to fully trusted assembly

    // create a byte array containing the strong name public key data

    byte[] publickey={0,36,0,0,4,128,0,0,148,0,0,0,169,206,36,4,82,66,,36,0,0,223,231,138,171,62,192…………………………………………………………………………};

    //create a strongname publickeyBlob object from the public key byte array.

    StrongNamePublicKeyBlob blob=new StrongNamePublicKeyBlob(publickey);

    //create a version object based on the assembly version number

    Version version=new Version(“”);

System security policy namespace14

System.Security.policy Namespace

//create the new StrongNameMembershipCondition

StrongNameMembershipCondition mc=new StrongNameMembershipCondition (blob,”HelloWorld”,version);

//create a new application domain policy level

PolicyLevel p=PolicyLevel.CreateAppDomianLevel();

// add the strongnamemembershipcondition to fully trusted assembly list


System security policy namespace15

System.Security.policy Namespace

Managing named permission sets:

GetNamedPermissionSet method returns a NamedPermissionSet with specified name

NamedPermissionSetsGets an IList containing set of namedPermission Objects

Ex: //create a new application domain policy level

PolicyLevel p=PolicyLevel.CreateAppDomainLevel();

//get a copy of default permission set named “Internet” and call it “NewPermissionSet”

NamedPermissionSet ps=p.GetNamedPermissionSet(“Internet”).Copy(“NewPermissionSet”);

//add the new permission set


System security policy namespace16

System.Security.policy Namespace

//Modify the permission set “NewPermissionSet” to grant unrestricted access

p.ChangeNamedPermissionSet(“NewPermissionset”,new Permissionset(PermissionState.Unrestricted));

//Remove the NewPermissionSet permission set


Managing CodeGroup tree:

Ex: // create a new application domain policy level.

PolicyLevel p=PolicyLevel.CreateAppDomainLevel();

//create the xyz named permission set as a copy of default LocalIntranet namedpermission set

p.AddNamedPermissionSet(p.GetNamedPermissionSet (“LocalIntranet”).Copy(“xyz”));

System security policy namespace17

System.Security.policy Namespace

// Create the My_Site code group that matches all code run from the" Site and grants it FullTrust.

UnionCodeGroup MySite = new UnionCodeGroup(

new SiteMembershipCondition (""),

new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));

MySite.Name = "My_Site";

// Create the Work_Site code group that matches all code run from the" Site and grants it the MyCompany, permission set.

UnionCodeGroup WorkSite = new UnionCodeGroup(

new SiteMembershipCondition(""),

new PolicyStatement(p.GetNamedPermissionSet("MyCompany")));

WorkSite.Name = "Work_Site";

System security policy namespace18

System.Security.policy Namespace

// Create the Internet_Code code group that matches all code run from the Internet Zone and grants it Internet permissions.

UnionCodeGroup Internet = new UnionCodeGroup(

new ZoneMembershipCondition(SecurityZone.Internet),

new PolicyStatement(p.GetNamedPermissionSet("Internet")));


// Add the My_Site and Work_Site code groups as children of the Internet code group



System security policy namespace19

System.Security.policy Namespace

// Create the My_Code code group that matches all code run from the My_Computer Zone and grants it FullTrust.

UnionCodeGroup MyCode = new UnionCodeGroup(

new ZoneMembershipCondition(SecurityZone.MyComputer),

new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));

MyCode.Name = "My_Code";

// Create the root UnionCodeGroup that matches all code, but grants no permissions.

UnionCodeGroup Root = new UnionCodeGroup(

new AllMembershipCondition( ),

new PolicyStatement(p.GetNamedPermissionSet("Nothing")));

Root.Name = "All_Code";

// Add the My_Code and Internet_Code groups as children of the root code group



// Assign the code group tree to the PolicyLevel

p.RootCodeGroup = Root;

System security policy namespace

Thank You

  • Login