The .Net Security Model

1
The .NetSecurity Model
(c) Allan C. Milne School of Computing Creative
Technologies University of Abertay Dundee
Last updated 26th July 2006
2
Agenda

• The security system
• Role-based security
• Evidence-based security
• Evidence permissions
• Policy management

3
Introduction

• In addition to type verification the CLR also
  implements a security model.
• In this presentation we provide an overview of
  the security model adopted by the .Net Framework.
• The technical details of the operation of the
  model is outwith the scope of this presentation.

4
The Security Model

• The security system uses two models.
• Role-based security based on roles and
  identities.
• Evidence-based security based on the code, not
  the user executing the code.
• Most aspects of the security system can be set by
  an administrator.

5
Role-Based Security

• Similar to users and groups in the o/s.
• Uses two abstractions
• Identity represents the logical user.
• Principal representation of the roles belonging
  to the user.
• Each thread has only one principal and each
  principal has one identity.

6
Evidence-Based Security

• Assigns permissions to an assembly based on
  evidence.
• The source location of the assembly is used as a
  primary factor in determining evidence.
• Evidence determines the assembly's permission to
  use resources.

7
Outline Process

• The CLR of the hosting environment attaches
  evidence to an assembly when it is loaded (either
  from the GAC, download cache or storage).
• This evidence is then mapped onto a set of
  permissions.
• These permissions determine access to specific
  resources.

8
Evidence

• presented to the security system by the hosting
  environment includes
• zone (similar to that of IE)
• URL
• site
• source directory
• is matched against CLR policies to ascertain
  permissions for the assembly.

9
Permissions

• represent authority to perform operations on
  resources.
• can be
• granted when loading an assembly, or
• demanded to check if permission has been granted
  for a resource.
• are collected into sets that can be combined in
  various ways.

10
Policy Management

• The creation of permission sets from evidence is
  performed by the policy manager.
• This CLR component creates the permissions set
  for the program by looking at policies set for
  different levels of the environment.
• Policies can be set by an administrator or
  inspected and set programmatically.

11
Policy Levels

• There are four policy levels
• Enterprise
• Machine
• User
• Application domain
• Each level produces a permission set and these
  are intersected to produce the permission set for
  the program.
• A higher level can override the requirement for
  intersection of a lower level.

12
Policy Manager The CLR
Common Language Runtime
Assembly
Permission Sets
13
Stack Walks

• This is an essential but expensive part of the
  security system.
• When certain system resources are accessed a
  stack walk may be demanded.
• This verifies that all calls in the call chain
  have appropriate permissions.

14
Activation Records

• A new activation record is put on the stack every
  time a method is called.
• An activation record contains parameters, return
  address, and local variables.
• In a stack walk each activation record in the
  call chain is checked for appropriate permissions.