Evidence and the Base Class Library


There are several evidence classes that the .NET Framework uses by default. They are listed and described in Table 5.2. All of the classes listed in Table 5.2 are contained in the System.Security.Policy namespace.

Table 5.2. Full List of Default Evidence Classes Used by the .NET Framework

ApplicationDirectory
    This is the directory that contains the primary executing code. The .NET Framework will use this evidence along with URL evidence to determine if some assembly is in the application directory. It is very useful for ASP.NET, which sets this to the directory containing the base Web page for a Web application.

Hash
    This is a generic class that represents a hash value for an assembly. For multifile assemblies, this value will be the hash of the manifest file. Hashes using the MD5 and SHA1 algorithms are provided by default through this class, but it can easily accommodate other hash algorithms. Chapter 30 covers hash algorithms in the System.Security.Cryptography namespace and how to extend the default cryptography classes.

PermissionRequestEvidence
    This evidence is a representation of assembly permission requests. Assembly permission requests can state what permissions an assembly must have in order to run, what permissions it can be granted optionally, and what permissions it should never be granted. For more information on assembly permission requests, see Chapter 6. Note that this evidence is only visible on an assembly during policy resolution. You cannot examine this evidence after an assembly has finished loading. Policy resolution is explained in Chapter 8 and Chapter 12, "Security Through the Lifetime of a Managed Process: Fitting It All Together."

Publisher
    Publisher evidence gives information regarding Authenticode signatures on assemblies. The .NET Framework SDK ships with tools such as signcode.exe and chktrust.exe that can be used to sign and verify files with Authenticode signatures. For more information on Authenticode, see http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/intro_authenticode.asp.

Site
    Site information gives the Web site of origin for an executing assembly. Note that this can only be determined when an assembly is directly loaded from a site. If you download an assembly from some Web site and run it from your local machine at a later time, the .NET Framework will not record the original site of origin.

StrongName
    Basically, a strong name is a cryptographically strong binding of a name, version, and culture for some assembly. For more detailed information on strong names, see Chapter 9, "Understanding the Concepts of Strong Naming Assemblies."

Url
    This gives the URL of origin for an assembly. Similar to Site evidence, Url evidence is only useful when you directly run an assembly from a network location. If you download an assembly and run it at a later time, the .NET Framework will not know the URL of origin. URLs provided as evidence should be encoded. For example, a space (" ") would be represented as %20. The System.Web.HttpUtility.HtmlEncode() method can be used to encode a raw URL.

Zone
    Security zone evidence is based on Internet Explorer security zones. As mentioned earlier, this is one possible way two different users might observe different evidence for the same assembly. This is because two users may have assigned the same site to different security zones. Given the users from Figure 5.1, if Alice has the site www.microsoft.com in her trusted sites while Bob does not, an assembly loaded from the URL http://www.microsoft.com/SomeAssembly.dll will be in the Trusted Sites zone for Alice and the Internet zone for Bob.

I have one additional note about PermissionRequestEvidence. There is another way to view permission requests on an assembly rather than looking for PermissionRequestEvidence. The unmanaged DLL mscoree.dll exports the GetPermissionRequests function. The byte blobs returned from this API are Unicode strings containing the permission requests. Consequently, you could simply call this API to get the same information that the .NET Framework uses to create PermissionRequestEvidence. The .NET Framework SDK tool permview.exe simply calls this API to display the permission requests on a given assembly.
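As an added example (not code from the book), the following C# program enumerates the host evidence attached to the running assembly and prints one line for each Table 5.2 class it finds, then performs the Zone lookup for the URL used in the Alice/Bob discussion. It assumes the .NET Framework 1.x/2.0 APIs (Assembly.Evidence, Evidence.GetHostEnumerator, Zone.CreateFromUrl) and that it is compiled as a console application.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security.Policy;

// Added example, not from the book: dump the host-provided evidence of the
// running assembly, one line per Table 5.2 evidence class.
// Assumes .NET Framework 1.x/2.0 (Assembly.Evidence, Zone.CreateFromUrl).
class EvidenceDump
{
    static void Main()
    {
        Evidence ev = Assembly.GetExecutingAssembly().Evidence;
        IEnumerator hosts = ev.GetHostEnumerator(); // host (loader) evidence only
        while (hosts.MoveNext())
            Describe(hosts.Current);

        // Zone evidence comes from the current user's IE zone settings, so two
        // users can see different zones for the same URL (the Alice/Bob case).
        Zone z = Zone.CreateFromUrl("http://www.microsoft.com/SomeAssembly.dll");
        Console.WriteLine("Zone for that URL for this user: " + z.SecurityZone);
    }

    static void Describe(object e)
    {
        if (e is Url)
            Console.WriteLine("Url: " + ((Url)e).Value);
        else if (e is Site)
            Console.WriteLine("Site: " + ((Site)e).Name);
        else if (e is Zone)
            Console.WriteLine("Zone: " + ((Zone)e).SecurityZone);
        else if (e is ApplicationDirectory)
            Console.WriteLine("ApplicationDirectory: " + ((ApplicationDirectory)e).Directory);
        else if (e is StrongName)
        {
            StrongName sn = (StrongName)e;
            Console.WriteLine("StrongName: " + sn.Name + " " + sn.Version);
        }
        else if (e is Hash) // hash of the manifest file; SHA1 is computed on demand
            Console.WriteLine("Hash (SHA1): " + BitConverter.ToString(((Hash)e).SHA1));
        else if (e is Publisher) // Authenticode signer certificate
            Console.WriteLine("Publisher: " + ((Publisher)e).Certificate.GetName());
        else // PermissionRequestEvidence never appears here: it exists only
            // during policy resolution, before the assembly finishes loading.
            Console.WriteLine("Other evidence: " + e.GetType().FullName);
    }
}
```

Running the same binary from a local directory and from a network share shows the Url and Zone lines change while the Hash and StrongName lines stay the same, which is why the latter two are the evidence a policy should prefer when it must survive relocation.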



.NET Framework Security
ISBN: 067232184X
Year: 2000
Pages: 235