Security Attribute Declaration

Security Attribute Declaration

ILAsm syntax offers two forms of security attribute declaration: as separate permissions and as permission sets. The owner of the security attribute is the item whose scope contains the security attribute declaration. The syntax for the permission declaration is as follows:

.permission  <sec_action>  <class_ref>  [(<name_value_pairs>)]

where <sec_action> is one of the security action keywords listed in the preceding section, <class_ref> is a class reference to the attribute class associated with the permission class, and optional <name_value_pairs> define the values of the attribute class’s properties, as shown here:

<name_value_pairs>  ::=  <nv_pair>[,<nv_pair>*] <nv_pair>  ::=  <prop_name>  =  <prop_value>

<prop_name> is the property name of the attribute class, specified as a quoted string. The form of <prop_value> depends on the type of property:

<prop_value>  ::=  true     false  //  For  Boolean  properties          <int32>     int32(<int32>)  //  For  integer  properties       <class_ref>  (<int32>)  //  For  enumerated  properties,                    //  <class_ref> specifies  the  enumerator       <class_ref>(<int_type>  :  <int32>)  //  <int_type>::=int8                                              //     int16     int32       <quoted_string>  //  For  string  properties

For example:

.method  private  void  WriteToSystemDrive(string  Str2BWritten) {       .permission  demand         [mscorlib]System.Security.Permissions.FileIOPermissionAttribute               =  ("Write"="C:\\")      }

The ILAsm compiler combines separate .permission declarations into permission sets before emitting the DeclSecurity metadata. However, a permission set can be declared explicitly using

.permissionset  <sec_action>  =  (  <hexbytes>  )

where <hexbytes> is a byte array representing the PermissionSet blob. This byte array is usually fairly long—a “live” example would take a couple of pages. To see such an example, you can simply disassemble any .NET Framework assembly (Mscorlib.dll or System.dll, for instance) and have a look.

Given that the PermissionSet blob is in fact a Unicode-encoded XML representation of the permission set, use of <hexbytes> in the permission set declaration is another obvious shortcoming of ILAsm, which should be corrected in future releases.

The IL Disassembler always uses the .permissionset directive to reflect the DeclSecurity metadata records.