Code-Access Security in the Real World


As you might have experienced firsthand, e-mail–borne viruses such as the infamous “I Love You” virus flourish because the technical security measures in place to stop such attacks are insufficient. In response to such attacks, Web browsers and e-mail applications such as Microsoft Internet Explorer and Microsoft Exchange have stepped up security measures by offering warnings when you open an attachment or navigate to a Web page that attempts to run code. For example, if you open an e-mail attachment, you might be presented with a message such as the one shown in Figure 3-3.

click to expand
Figure 3-3: The Opening Mail Attachment warning dialog box

However, such notifications are ineffective because human restraint is required for them to be successful—and who can restrain themselves from opening an e-mail attachment from your mom titled “I love you”? E-mail threads that degenerate to a never-ending stream of replies, which plead “Please stop responding to this message,” are further evidence that a security system should not be designed to depend on human restraint or sound judgment.

Code-access security is a technology that allows us as humans to interact with applications in a natural manner without having to make security decisions on behalf of the applications we are running. We should be free to open e-mail attachments and browse to Web sites without fear that all the personal information on our computer will be sent back to an attacker, or that our computer will spontaneously send an embarrassing e-mail message to all our friends. If an e-mail attachment or Web page attempts to misbehave, code-access security should be there to deny the attachment or Web-page access to the resources it needs to inflict harm. However, until code-access security is made a part of e-mail applications, plan on seeing the warning dialog box shown in Figure 3-3 quite frequently.

Code-access security represents the security model in which all .NET applications run. When the next generation of applications and operating systems—such as Microsoft Office (based on Microsoft .NET) and Microsoft Windows Server 2003 based on Microsoft .NET—become commonplace, you’ll no longer need to deal with annoying dialog boxes that ask your permission to open an attachment or use a Web site you know little or nothing about. You can rest assured that any code that can be executed as a result of opening an attachment will be restricted to performing innocuous tasks.

In the case of your own applications, you should immediately start developing new Visual Basic .NET applications or porting your existing Microsoft Visual Basic applications to Visual Basic .NET. Target your application to the security zone—such as the Intranet zone or Internet zone—in which you want it to run. Once you have your Visual Basic .NET application up and running, your users will automatically benefit because code-access security is there to prevent your application from doing harm or being used to do harm.




Security for Microsoft Visual Basic  .NET
Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net