Code Access Security

Code Access Security (CAS) is the foundation of security in the .NET Framework. It is a key part of this book, but the following description will only cover CAS at a high level.

CAS is based on the assumption that different code should have different levels of trust. For instance, code loaded from some random place on the Internet should probably be less trusted than an application you install on your computer. Code with more trust should be allowed to do more on your computer. For instance, perhaps you want the installed application to be able to read your personal data. However, you almost certainly don't want all code from the Internet to be able to do that.

One problem with a scheme of differing trust levels is its susceptibility to luring attacks. A luring attack occurs when less trusted code gets code with greater trust to do something on its behalf . For example, code from the Internet may not be able to read your personal data, but perhaps it can get your installed application to do it and return the information. To prevent this problem, CAS uses a stack walk to ensure that everyone in the call chain is trusted. See Chapter 7, "Walking the Stack," for more on stack walks.

Even though CAS has a scheme for protecting against luring attacks, it is still vulnerable to type safety problems. For example, if untrusted code can read and write to arbitrary points in memory, it can simply call in to unmanaged code and bypass the security stack walk. To protect against this kind of attack, the .NET Framework verifies MSIL and its metadata against numerous rules before execution. Code that doesn't have complete trust must meet all the rules or the .NET Framework will refuse to execute it.

It is impossible for the .NET Framework creators to know what code people or organizations will want to trust. One organization may choose to distrust all code that doesn't reside in its internal network, while another organization may want to completely trust code from certain Internet sites. To accommodate this difference, CAS has a completely configurable policy system. Organizations can tailor CAS policy to their wishes and deploy that policy through the organization. However, the default policy is meant to be a generally secure and useful place to start.