System.Security.policy Namespace - PowerPoint PPT Presentation

About This Presentation
Title:

System.Security.policy Namespace

Description:

The runtime uses security policy to determine which code ... Evidence collection contains a Site class with the specified site name. SiteMembershipCondition ... – PowerPoint PPT presentation

Slides: 22
Provided by: olddominio
Learn more at: https://www.cs.odu.edu

1
System.Security.policy Namespace
  • By
  • Marepalli Gayathri

2
System.Security.policy Namespace
  • Security policy provides the mapping between evidence
    and permissions.
  • The runtime uses security policy to determine
    which code-access permissions to grant an
    assembly or application domain.
  • The System.Security.Policy namespace contains three
    kinds of classes: code groups, membership conditions,
    and evidence.
  • These classes are used to create the rules
    applied by the common language runtime (CLR)
    security policy system.

3
System.Security.policy Namespace
  • Security policy Levels
  • .NET divides security policy into 4 levels
  • Enterprise Policy Level
  • Machine Policy Level
  • User Policy Level
  • Application Domain Policy Level

4
System.Security.policy Namespace
  • A policy level contains three key elements:
  • 1. Code groups
  • 2. Named permission sets
  • 3. Fully trusted assemblies
  • Code groups are organized in a tree structure.

5
System.Security.policy Namespace
  • A code group has a name, a description, and
    the following elements:
  • 1. Membership condition
  • 2. Permission set
  • 3. Child code groups
  • 4. Attributes
  • a. Exclusive
  • b. LevelFinal


6
System.Security.policy Namespace
  • Policy Resolution

7
System.Security.policy Namespace
  • System.Security.Policy.CodeGroup class

8
System.Security.policy Namespace
  • Structure of the code group class
  • Membership condition: an object that implements
    the System.Security.Policy.IMembershipCondition
    interface.
  • Policy statement: contains
  • System.Security.Policy.PolicyStatement class
  • System.Security.Policy.PolicyStatementAttribute
    (code group attributes)
  • System.Security.PermissionSet

9
System.Security.policy Namespace
  • Programming membership conditions
  • These are the classes that implement the
    IMembershipCondition interface.
  • Ex: bool Check(Evidence evidence)
  • The .NET Framework includes 8 membership
    condition classes that are members of the
    System.Security.Policy namespace

10
System.Security.policy Namespace
Membership condition class               Matches when
AllMembershipCondition                   All code, irrespective of evidence.
ApplicationDirectoryMembershipCondition  Evidence collection contains both ApplicationDirectory and Url evidence.
HashMembershipCondition                  Evidence collection contains a Hash class with the specified hash value.
PublisherMembershipCondition             Evidence collection contains a Publisher class with the specified publisher certificate.
SiteMembershipCondition                  Evidence collection contains a Site class with the specified site name.
StrongNameMembershipCondition            Evidence collection contains a StrongName class with the specified strong name.
UrlMembershipCondition                   Evidence collection contains a Url class with the specified URL location.
ZoneMembershipCondition                  Evidence collection contains a Zone class with the specified security zone.
11
System.Security.policy Namespace
  • Examples to create membership conditions
  • // Create a membership condition to match all
    code.
  • IMembershipCondition m1 = new AllMembershipCondition();
  • // Create a membership condition to match all
    code with Internet Zone evidence.
  • IMembershipCondition m2 = new ZoneMembershipCondition(SecurityZone.Internet);
  • // Create a membership condition to match all code
    from all google.com sites.
  • IMembershipCondition m3 = new SiteMembershipCondition("*.google.com");
  • // Create a membership condition to match all code
    with the same publisher certificate used to sign
    the csFile.exe assembly.
  • IMembershipCondition m4 = new PublisherMembershipCondition(X509Certificate.CreateFromSignedFile("csFile.exe"));

12
System.Security.policy Namespace
  • Programming policy statements
  • A policy statement is built from two types:
  • 1. System.Security.PermissionSet
  • 2. System.Security.Policy.PolicyStatementAttribute
  • Example to create PolicyStatement and
    PermissionSet objects
  • // Create a PolicyStatement that grants
    unrestricted access to everything.
  • PolicyStatement p1 = new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));
  • // Create a PolicyStatement that grants read access
    to the file C:\g.txt and specifies the
    LevelFinal attribute. PermissionSet has no constructor
    that takes a single permission, so the permission is
    added to an empty set.
  • PermissionSet pset = new PermissionSet(PermissionState.None);
  • pset.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\g.txt"));
  • PolicyStatement p2 = new PolicyStatement(pset, PolicyStatementAttribute.LevelFinal);

13
System.Security.policy Namespace
  • Creating code groups
  • // Create the permission set and add
    unrestricted file access.
  • PermissionSet pset = new PermissionSet(PermissionState.None);
  • pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
  • // Create the policy statement and set the
    Exclusive attribute.
  • PolicyStatement pstate = new PolicyStatement(pset, PolicyStatementAttribute.Exclusive);
  • // Create a membership condition to match all
    .google.com sites.
  • IMembershipCondition mc = new SiteMembershipCondition("*.google.com");
  • // Create the UnionCodeGroup.
  • UnionCodeGroup cg = new UnionCodeGroup(mc, pstate);

14
System.Security.policy Namespace
  • Programming policy levels
  • The namespace contains the System.Security.Policy.PolicyLevel
    class, which holds the fully trusted assemblies and the
    named permission sets.
  • Managing a fully trusted assembly
  • Ex: create a StrongNameMembershipCondition
    object to add an entry to the fully trusted assembly list
  • // Create a byte array containing the strong name
    public key data (the key bytes are abbreviated here).
  • byte[] publickey = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 169, 206, 36, 4, 82, 66, /* ... */ 36, 0, 0, 223, 231, 138, 171, 62, 192 };
  • // Create a StrongNamePublicKeyBlob object from
    the public key byte array.
  • StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publickey);
  • // Create a Version object based on the assembly
    version number.
  • Version version = new Version("1.230.1.1");

15
System.Security.policy Namespace
  • // Create the new StrongNameMembershipCondition.
  • StrongNameMembershipCondition mc = new StrongNameMembershipCondition(blob, "HelloWorld", version);
  • // Create a new application domain policy level.
  • PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
  • // Add the StrongNameMembershipCondition to the fully
    trusted assembly list.
  • p.AddFullTrustAssembly(mc);

16
System.Security.policy Namespace
  • Managing named permission sets
  • The GetNamedPermissionSet method returns the
    NamedPermissionSet with the specified name
  • NamedPermissionSets gets an IList containing the
    set of NamedPermissionSet objects
  • Ex: // Create a new application domain policy
    level.
  • PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
  • // Get a copy of the default permission set named
    Internet and call it NewPermissionSet.
  • NamedPermissionSet ps = p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet");
  • // Add the new permission set.
  • p.AddNamedPermissionSet(ps);

17
System.Security.policy Namespace
  • // Modify the permission set NewPermissionSet to
    grant unrestricted access.
  • p.ChangeNamedPermissionSet("NewPermissionSet", new PermissionSet(PermissionState.Unrestricted));
  • // Remove the NewPermissionSet permission set.
  • p.RemoveNamedPermissionSet("NewPermissionSet");
  • Managing the code group tree
  • Ex: // Create a new application domain policy
    level.
  • PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
  • // Create the xyz named permission set as a copy
    of the default LocalIntranet named permission set.
  • p.AddNamedPermissionSet(p.GetNamedPermissionSet("LocalIntranet").Copy("xyz"));

18
System.Security.policy Namespace
  • // Create the My_Site code group that matches
    all code run from the "www.mysite.com" site and
    grants it FullTrust.
  • UnionCodeGroup MySite = new UnionCodeGroup(
  •     new SiteMembershipCondition("www.mysite.com"),
  •     new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
  • MySite.Name = "My_Site";
  • // Create the Work_Site code group that matches
    all code run from the "www.company.com" site and
    grants it the MyCompany permission set.
  • UnionCodeGroup WorkSite = new UnionCodeGroup(
  •     new SiteMembershipCondition("www.company.com"),
  •     new PolicyStatement(p.GetNamedPermissionSet("MyCompany")));
  • WorkSite.Name = "Work_Site";

19
System.Security.policy Namespace
  • // Create the Internet_Code code group that
    matches all code run from the Internet zone and
    grants it Internet permissions.
  • UnionCodeGroup Internet = new UnionCodeGroup(
  •     new ZoneMembershipCondition(SecurityZone.Internet),
  •     new PolicyStatement(p.GetNamedPermissionSet("Internet")));
  • Internet.Name = "Internet_Code";
  • // Add the My_Site and Work_Site code groups as
    children of the Internet code group.
  • Internet.AddChild(MySite);
  • Internet.AddChild(WorkSite);

20
System.Security.policy Namespace
  • // Create the My_Code code group that matches all
    code run from the MyComputer zone and grants it
    FullTrust.
  • UnionCodeGroup MyCode = new UnionCodeGroup(
  •     new ZoneMembershipCondition(SecurityZone.MyComputer),
  •     new PolicyStatement(p.GetNamedPermissionSet("FullTrust")));
  • MyCode.Name = "My_Code";
  • // Create the root UnionCodeGroup that matches
    all code, but grants no permissions.
  • UnionCodeGroup Root = new UnionCodeGroup(
  •     new AllMembershipCondition(),
  •     new PolicyStatement(p.GetNamedPermissionSet("Nothing")));
  • Root.Name = "All_Code";
  • // Add the My_Code and Internet_Code groups as
    children of the root code group.
  • Root.AddChild(MyCode);
  • Root.AddChild(Internet);
  • // Assign the code group tree to the PolicyLevel.
  • p.RootCodeGroup = Root;
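Added example, not from the slides: the code group tree of slides 17 to 20 (only its Internet branch) built into an application domain PolicyLevel and then resolved against constructed evidence, which shows how UnionCodeGroup policy resolution widens the grant as more evidence matches. It assumes a .NET Framework runtime with legacy CAS policy enabled (2.0/3.5, or 4.x with NetFx40_LegacySecurityPolicy); the MyCompany named set and the evidence values are constructed for the demo.

```csharp
using System;
using System.Security;
using System.Security.Policy;

class PolicyResolutionDemo
{
    // Build the slides' tree: All_Code -> { Internet_Code -> { Work_Site } }.
    public static PolicyLevel BuildLevel()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        // "MyCompany" is not a default named set; create it as a copy of LocalIntranet
        // (constructed for this demo, as the slides do with "xyz").
        p.AddNamedPermissionSet(p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany"));
        UnionCodeGroup root = new UnionCodeGroup(new AllMembershipCondition(),
            new PolicyStatement(p.GetNamedPermissionSet("Nothing")));
        root.Name = "All_Code";
        UnionCodeGroup internet = new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.Internet),
            new PolicyStatement(p.GetNamedPermissionSet("Internet")));
        internet.Name = "Internet_Code";
        UnionCodeGroup workSite = new UnionCodeGroup(
            new SiteMembershipCondition("www.company.com"),
            new PolicyStatement(p.GetNamedPermissionSet("MyCompany")));
        workSite.Name = "Work_Site";
        internet.AddChild(workSite);
        root.AddChild(internet);
        p.RootCodeGroup = root;
        return p;
    }
    // Resolve the level against constructed host evidence. A UnionCodeGroup grants
    // its own set plus the sets of every matching child, so extra evidence can
    // only widen the grant, never narrow it.
    public static PermissionSet Resolve(PolicyLevel p, params object[] hostEvidence)
    {
        Evidence ev = new Evidence();
        foreach (object e in hostEvidence) ev.AddHost(e);
        return p.Resolve(ev).PermissionSet;
    }
    static void Main()
    {
        PolicyLevel p = BuildLevel();
        // Internet zone, no site evidence: only All_Code and Internet_Code match.
        PermissionSet a = Resolve(p, new Zone(SecurityZone.Internet));
        // Internet zone plus site www.company.com: Work_Site matches as well, so the
        // grant is the union of the Internet and MyCompany (LocalIntranet) sets.
        PermissionSet b = Resolve(p, new Zone(SecurityZone.Internet), new Site("www.company.com"));
        Console.WriteLine("zone only: {0}, zone+site: {1}, zone-only grant is subset: {2}",
            a.Count, b.Count, a.IsSubsetOf(b));
    }
}
```

Because every matching child of a UnionCodeGroup adds to the grant, a defender reviewing a policy tree should check that site or URL children under a broad zone group do not hand out more than intended; the Exclusive and LevelFinal attributes from slide 5 are the tools for stopping that accumulation.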

21
  • Thank You