Code Access Security In ASP.Net

Lokesh
May 21, 2020

Prior to the .NET Framework, any application would have access to all the resources of our system. Imagine how dangerous that is. The .NET Framework has an important feature called CAS (Code Access Security). For example, we may download code or an exe from a website that contains malware; if it is executed on our system, it may cause harm. CAS exists in the .NET Framework to avoid this. Whenever anything is downloaded or set up, CAS identifies the source it was downloaded from and, based on that, grants permissions to our system resources. Code access security also enforces varying levels of trust on code, which minimizes the amount of code that must be fully trusted in order to run. It is a security model that grants or denies permissions based on evidence, source, strong names, etc. To understand CAS, we should be familiar with terms like evidence, permission, permission set and code group.

Evidence

When you want to execute any program, you would like to know where the code came from and who the publisher is, and you grant access based on that. For example, code developed on your local machine will have more access than code downloaded from the internet. To learn these details, we examine the assembly/dll/exe and assign permissions accordingly.

Permission

Once the evidence is gathered, you assign permissions to the code. For example, a permission can be to open a dialog box, to write to the registry, etc.

Code Group

Code groups are nothing but categories of code. These categories are defined by permissions and evidence values. When .NET code runs, it is assigned to a code group based on the evidence collected at runtime. For instance, the default code groups include the My Computer zone, Intranet zone, Internet zone, etc.

Working of CAS

When any assembly runs, the following steps take place:

  • Evidence is gathered.
  • Based on the evidence, the assembly is assigned to a code group.
  • Based on the code group, rights are given that determine which resources the assembly can access.
  • The assembly can access only those system resources for which access is granted in the code group.
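
The steps above, sketched in C# as an added example (not code from the original post): evidence is built by hand for three zones, and SecurityManager.GetStandardSandbox stands in for the machine policy's code groups to map each zone to a permission set. It assumes .NET Framework 4.0 or later; the class name, helper name and registry path are made up for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example. Assumption: compiled against .NET Framework 4.0 or later.
static class CasZoneDemo
{
    static void Main()
    {
        // The two permissions the article names: open a dialog box, write to the registry.
        // The registry path is a constructed sample value.
        IPermission openDialog = new FileDialogPermission(FileDialogPermissionAccess.Open);
        IPermission writeRegistry = new RegistryPermission(
            RegistryPermissionAccess.Write, @"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp");

        SecurityZone[] zones =
            { SecurityZone.MyComputer, SecurityZone.Intranet, SecurityZone.Internet };

        foreach (SecurityZone zone in zones)
        {
            // Step 1: evidence. Built by hand here; the runtime normally derives it
            // from where the assembly was loaded.
            Evidence evidence = new Evidence();
            evidence.AddHostEvidence(new Zone(zone));

            // Steps 2 and 3: map the evidence to a permission set. GetStandardSandbox
            // replaces the code-group lookup of the machine policy in this sketch.
            PermissionSet grant = SecurityManager.GetStandardSandbox(evidence);

            // Step 4: only permissions contained in the grant are available.
            Console.WriteLine(
                "{0,-10} full trust: {1,-5} open dialog: {2,-5} write registry: {3}",
                zone, grant.IsUnrestricted(),
                IsGranted(openDialog, grant), IsGranted(writeRegistry, grant));
        }
    }

    // True when the single permission is covered by the granted permission set.
    static bool IsGranted(IPermission permission, PermissionSet grant)
    {
        PermissionSet requested = new PermissionSet(PermissionState.None);
        requested.AddPermission(permission);
        return requested.IsSubsetOf(grant);
    }
}
```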

CASPOL

Caspol.exe is a tool that can be used to assign permissions to an assembly or exe. It is CLI-based, so writing the commands can be irritating; to ease this, there is the .NET Configuration tool, which sits on top of caspol.
