Published by Jessie Reeves. Modified over 9 years ago.
1
System.Security.Policy Namespace
By: Marepalli Gayathri
2
System.Security.Policy Namespace
Security policy provides the mapping between evidence and permissions. The runtime uses security policy to determine which code-access permissions to grant to an assembly or application domain.
The System.Security.Policy namespace contains 3 kinds of classes: code groups, membership conditions, and evidence. These classes are used to create the rules applied by the common language runtime (CLR) security policy system.
3
System.Security.Policy Namespace
Security policy levels: .NET divides security policy into 4 levels:
1. Enterprise Policy Level
2. Machine Policy Level
3. User Policy Level
4. Application Domain Policy Level
4
System.Security.Policy Namespace
A policy level contains 3 key elements:
1. Code groups
2. Named permission sets
3. Fully trusted assemblies
Code group: organized in a tree structure.
5
System.Security.Policy Namespace
A code group contains a name, a description, and a few elements:
1. Membership condition
2. Permission set
3. Child code groups
4. Attributes
   a. Exclusive
   b. LevelFinal
6
System.Security.Policy Namespace
Policy Resolution:
7
System.Security.Policy.CodeGroup class:
8
System.Security.Policy Namespace
Structure of the code group class:
Membership Condition: an object that implements the System.Security.Policy.IMembershipCondition interface.
Policy Statement: contains the System.Security.Policy.PolicyStatement class:
    System.Security.Policy.PolicyStatementAttribute (the code group's attributes)
    System.Security.PermissionSet
Children: uses System.Collections.IList
9
System.Security.Policy Namespace
Programming membership conditions: these are the classes that implement the IMembershipCondition interface.
Ex:
    bool Check(Evidence evidence);
The .NET Framework includes 8 membership condition classes that are members of the System.Security.Policy namespace.
10
System.Security.Policy Namespace
Membership Class: Membership Condition
AllMembershipCondition: All code irrespective of evidence.
ApplicationDirectoryMembershipCondition: Evidence collection contains both ApplicationDirectory and Url evidence.
HashMembershipCondition: Evidence collection contains a Hash class with the specified hash value.
PublisherMembershipCondition: Evidence collection contains a Publisher class with the specified publisher certificate.
SiteMembershipCondition: Evidence collection contains a Site class with the specified site name.
StrongNameMembershipCondition: Evidence collection contains a StrongName class with the specified hash name.
UrlMembershipCondition: Evidence collection contains a Url class with the specified URL location.
ZoneMembershipCondition: Evidence collection contains a Zone class with the specified security zone.
11
System.Security.Policy Namespace
Examples to create membership conditions:
    using System.Security;                                 // SecurityZone
    using System.Security.Policy;                          // membership condition classes
    using System.Security.Cryptography.X509Certificates;   // X509Certificate

    // Create a membership condition to match all code.
    IMembershipCondition m1 = new AllMembershipCondition();
    // Create a membership condition to match all code with Internet Zone evidence.
    IMembershipCondition m2 = new ZoneMembershipCondition(SecurityZone.Internet);
    // Create a membership condition to match all code from all "google.com" sites.
    IMembershipCondition m3 = new SiteMembershipCondition("*.google.com");
    // Create a membership condition to match all code with the same publisher
    // certificate used to sign the csFile.exe assembly.
    IMembershipCondition m4 = new PublisherMembershipCondition(
        X509Certificate.CreateFromSignedFile("csFile.exe"));
12
System.Security.Policy Namespace
Programming policy statements: contains 2 enumerations
1. System.Security.PermissionSet
2. System.Security.Policy.PolicyStatementAttribute
Example to create PolicyStatement and PermissionSet objects:
    // Create a PolicyStatement that grants unrestricted access to everything.
    PolicyStatement p1 = new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));
    // Create a PolicyStatement that grants read access to the file "C:\g.txt"
    // and specifies the LevelFinal attribute.
    PermissionSet pset = new PermissionSet(PermissionState.None);
    pset.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\g.txt"));
    PolicyStatement p2 = new PolicyStatement(pset, PolicyStatementAttribute.LevelFinal);
13
System.Security.Policy Namespace
Creating code groups:
    // Create the permission set and add unrestricted file access.
    PermissionSet pset = new PermissionSet(PermissionState.None);
    pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
    // Create the policy statement and set the Exclusive attribute.
    PolicyStatement pstate = new PolicyStatement(pset, PolicyStatementAttribute.Exclusive);
    // Create a membership condition to match all "*.google.com" sites.
    IMembershipCondition mc = new SiteMembershipCondition("*.google.com");
    // Create the UnionCodeGroup.
    UnionCodeGroup cg = new UnionCodeGroup(mc, pstate);
14
System.Security.Policy Namespace
Programming policy levels: contains the System.Security.Policy.PolicyLevel class, which contains fully trusted assemblies and named permission sets.
Managing a fully trusted assembly:
Ex: creates a StrongNameMembershipCondition object to add an entry to the fully trusted assembly list.
    // Create a byte array containing the strong name public key data.
    byte[] publickey={0,36,0,0,4,128,0,0,148,0,0,0,169,206,36,4,82,66,,36,0,0,223,231,138,171,62,192…… ……………………………………………………………………};
    // Create a StrongNamePublicKeyBlob object from the public key byte array.
    StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publickey);
    // Create a Version object based on the assembly version number.
    Version version = new Version("1.230.1.1");
15
System.Security.Policy Namespace
    // Create the new StrongNameMembershipCondition.
    StrongNameMembershipCondition mc = new StrongNameMembershipCondition(blob, "HelloWorld", version);
    // Create a new application domain policy level.
    PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
    // Add the StrongNameMembershipCondition to the fully trusted assembly list.
    p.AddFullTrustAssembly(mc);
16
System.Security.Policy Namespace
Managing named permission sets:
GetNamedPermissionSet method: returns a NamedPermissionSet with the specified name.
NamedPermissionSets: gets an IList containing the set of NamedPermissionSet objects.
Ex:
    // Create a new application domain policy level.
    PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
    // Get a copy of the default permission set named "Internet" and call it "NewPermissionSet".
    NamedPermissionSet ps = p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet");
    // Add the new permission set.
    p.AddNamedPermissionSet(ps);
17
System.Security.Policy Namespace
    // Modify the permission set "NewPermissionSet" to grant unrestricted access.
    p.ChangeNamedPermissionSet("NewPermissionSet", new PermissionSet(PermissionState.Unrestricted));
    // Remove the NewPermissionSet permission set.
    p.RemoveNamedPermissionSet("NewPermissionSet");
Managing the CodeGroup tree:
Ex:
    // Create a new application domain policy level.
    PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
    // Create the xyz named permission set as a copy of the default LocalIntranet named permission set.
    p.AddNamedPermissionSet(p.GetNamedPermissionSet("LocalIntranet").Copy("xyz"));
18
System.Security.Policy Namespace
    // Create the My_Site code group that matches all code run from the
    // "www.mysite.com" Site and grants it FullTrust.
    UnionCodeGroup MySite = new UnionCodeGroup(
        new SiteMembershipCondition("www.mysite.com"),
        new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
    MySite.Name = "My_Site";
    // Create the Work_Site code group that matches all code run from the
    // "www.company.com" Site and grants it the xyz permission set added to
    // the policy level above (the name must match a set that exists in the level).
    UnionCodeGroup WorkSite = new UnionCodeGroup(
        new SiteMembershipCondition("www.company.com"),
        new PolicyStatement(p.GetNamedPermissionSet("xyz")));
    WorkSite.Name = "Work_Site";
19
System.Security.Policy Namespace
    // Create the Internet_Code code group that matches all code run from the
    // Internet Zone and grants it Internet permissions.
    UnionCodeGroup Internet = new UnionCodeGroup(
        new ZoneMembershipCondition(SecurityZone.Internet),
        new PolicyStatement(p.GetNamedPermissionSet("Internet")));
    Internet.Name = "Internet_Code";
    // Add the My_Site and Work_Site code groups as children of the Internet code group.
    Internet.AddChild(MySite);
    Internet.AddChild(WorkSite);
20
System.Security.Policy Namespace
    // Create the My_Code code group that matches all code run from the
    // My_Computer Zone and grants it FullTrust.
    UnionCodeGroup MyCode = new UnionCodeGroup(
        new ZoneMembershipCondition(SecurityZone.MyComputer),
        new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
    MyCode.Name = "My_Code";
    // Create the root UnionCodeGroup that matches all code, but grants no permissions.
    UnionCodeGroup Root = new UnionCodeGroup(
        new AllMembershipCondition(),
        new PolicyStatement(p.GetNamedPermissionSet("Nothing")));
    Root.Name = "All_Code";
    // Add the My_Code and Internet_Code groups as children of the root code group.
    Root.AddChild(MyCode);
    Root.AddChild(Internet);
    // Assign the code group tree to the PolicyLevel.
    p.RootCodeGroup = Root;
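Added example, not part of the original presentation: a UnionCodeGroup grants the union of its own permission set and those of every matching child, so it is worth resolving sample evidence against a tree like the one above to see what code actually receives before the policy is deployed. The class name PolicyResolutionDemo, the helper names and the site www.example.org are hypothetical; the code assumes a .NET Framework runtime where CAS policy is in effect (2.0 to 3.5, or 4.x with legacy CAS policy enabled), and Work_Site is omitted for brevity.

```csharp
using System;
using System.Security;
using System.Security.Policy;

// Added example (not from the presentation); all names below are hypothetical.
static class PolicyResolutionDemo
{
    static UnionCodeGroup Group(string name, IMembershipCondition mc, PermissionSet ps)
    {
        UnionCodeGroup g = new UnionCodeGroup(mc, new PolicyStatement(ps));
        g.Name = name;
        return g;
    }

    // Same shape as the tree in the slides: All_Code -> { My_Code, Internet_Code -> { My_Site } }.
    static PolicyLevel BuildLevel()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        UnionCodeGroup internet = Group("Internet_Code",
            new ZoneMembershipCondition(SecurityZone.Internet), p.GetNamedPermissionSet("Internet"));
        internet.AddChild(Group("My_Site",
            new SiteMembershipCondition("www.mysite.com"), p.GetNamedPermissionSet("FullTrust")));
        UnionCodeGroup root = Group("All_Code",
            new AllMembershipCondition(), p.GetNamedPermissionSet("Nothing"));
        root.AddChild(Group("My_Code",
            new ZoneMembershipCondition(SecurityZone.MyComputer), p.GetNamedPermissionSet("FullTrust")));
        root.AddChild(internet);
        p.RootCodeGroup = root;
        return p;
    }

    // Constructed sample evidence: code downloaded from the Internet zone and the given site.
    static Evidence InternetEvidence(string site)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(SecurityZone.Internet));
        ev.AddHost(new Site(site));
        return ev;
    }

    // Print the pruned tree of code groups whose membership conditions matched.
    static void PrintMatches(CodeGroup g, int depth)
    {
        if (g == null) return;
        Console.WriteLine("{0}{1}", new string(' ', depth * 2), g.Name);
        foreach (CodeGroup child in g.Children) PrintMatches(child, depth + 1);
    }

    static void Main()
    {
        PolicyLevel p = BuildLevel();
        foreach (string site in new[] { "www.mysite.com", "www.example.org" })
        {
            Evidence ev = InternetEvidence(site);
            PolicyStatement grant = p.Resolve(ev);   // union of all matching groups at this level
            Console.WriteLine("{0}: unrestricted={1}", site, grant.PermissionSet.IsUnrestricted());
            PrintMatches(p.ResolveMatchingCodeGroups(ev), 1);
        }
    }
}
```

Comparing the two reports shows whether a site-specific child group widens the grant that Internet-zone code would otherwise get, which is the first thing to review in any code group tree.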
21
Thank You