Code Identity


The characteristics by which a particular assembly can be identified are its identity permissions. An example would be an assembly's strong name or the Web site that generated the code. Based on the evidence provided by the loader or trusted host, identity permissions are granted by the CLR.

Identity Permission Classes

To identify running code, there are several identity permission classes.

  • PublisherIdentityPermission models the software publisher's digital signature.

  • SiteIdentityPermission models the Web site where code originated.

  • StrongNameIdentityPermission models the strong name of an assembly.

  • ZoneIdentityPermission models the zone where the code originated.

  • URLIdentityPermission models the URL and the protocol where the code originated.

These permissions represent evidence that can be used to determine security policy. Identity permissions are not code access permissions.

Evidence

Security policy is based on a set of rules that administrators can set. The .NET security system can use those rules to enforce the policy. The evidence, represented by the identity permissions, is used to determine which policy to apply.

The AppDomain class has an ExecuteAssembly method which causes an assembly to run. One of its arguments is an Evidence instance. The Evidence class is a collection of objects that represent the identity of the assembly, that is, its evidence.

The Evidence example illustrates this. This example gets the collection of evidence associated with a strongly named assembly and prints out the associated values.

    using System;
    using System.Collections;
    using System.Security.Policy;

    class EvidenceExample
    {
      static void Main()
      {
        // Enumerate the evidence the loader attached to the running assembly.
        Evidence ev = AppDomain.CurrentDomain.Evidence;
        IEnumerator iEnum = ev.GetEnumerator();
        bool bNext;
        Console.WriteLine("Evidence Enumerator has {0} members", ev.Count);
        bNext = iEnum.MoveNext();
        while (bNext == true)
        {
          object x = iEnum.Current;
          Type t = x.GetType();
          Console.WriteLine(t.ToString());
          if (t == typeof(System.Security.Policy.Zone))
          {
            Zone zone = x as Zone;
            Console.WriteLine("   " + zone.SecurityZone.ToString());
          }
          else if (t == typeof(System.Security.Policy.Url))
          {
            Url url = x as Url;
            Console.WriteLine("   " + url.Value.ToString());
          }
          else if (t == typeof(System.Security.Policy.Hash))
          {
            Hash hash = x as Hash;
            byte[] md5Hash = hash.MD5;
            byte[] sha1Hash = hash.SHA1;
            // Each byte is written as a decimal number with no separator,
            // which is why the hash values in the sample output run together.
            Console.WriteLine("    MD5 Hash of Assembly:");
            Console.Write("      ");
            for (int i = 0; i < md5Hash.Length; i++)
              Console.Write(md5Hash[i]);
            Console.WriteLine();
            Console.WriteLine("    SHA1 Hash of Assembly:");
            Console.Write("      ");
            for (int i = 0; i < sha1Hash.Length; i++)
              Console.Write(sha1Hash[i]);
            Console.WriteLine();
          }
          else if (t == typeof(System.Security.Policy.StrongName))
          {
            StrongName sn = x as StrongName;
            // A regular C# string literal cannot span lines, so the format
            // string is kept on a single line.
            Console.WriteLine("    StrongName of Assembly is: {0} version: {1}",
                              sn.Name, sn.Version);
            Console.WriteLine("    Assembly public key:");
            Console.Write("        ");
            Console.WriteLine(sn.PublicKey.ToString());
          }
          bNext = iEnum.MoveNext();
        }
      }
    }

The example's output would look something like this:

    Evidence Enumerator has 3 members
    System.Security.Policy.Zone
       MyComputer
    System.Security.Policy.Url
       file:///F:/Book/Chap12/Evidence/bin/Debug/Evidence.exe
    System.Security.Policy.StrongName
        StrongName of Assembly is: Evidence version: 1.0.0.0
        Assembly public key:
            0024000004800000940...
            ...D4E1C67A3509E6C9B385EA897BA
    System.Security.Policy.Hash
        MD5 Hash of Assembly:
          14332230461041081341241322151846823019516744
        SHA1 Hash of Assembly:
          821331711844749119991571111431431822382322311431771
          39171

The evidence associated with the Zone for this assembly is MyComputer. The Url evidence is the location on disk of the assembly. The Hash evidence can give us the MD5 and SHA1 hashes of the assembly. The StrongName evidence tells us information about the unique assembly name.

Some of this evidence is convertible to the associated identity permissions. For example, the Zone class has a CreateIdentityPermission method which returns an IPermission interface that represents the ZoneIdentityPermission instance associated with this piece of evidence. The Url and StrongName classes have similar methods.

Another way of looking at the identity permissions is that they answer a series of questions:

  • Who published (signed) it?

  • What is the name of the assembly?

  • What Web site or URL did it come from?

  • What zone did the code originate from?

The creator of the application domain (host) can also provide evidence by passing in an Evidence collection when the ExecuteAssembly method is called. Of course, that code must have the ControlEvidence permission. The CLR is also trusted to add evidence, since after all, it enforces the security policy. Evidence is extensible; you can define your own evidence types and use them in security policy.
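As an added example (not code from the book), the following shows how a host might assemble the Evidence collection it passes to ExecuteAssembly and how each piece of evidence is converted into its identity permission through the IIdentityPermissionFactory interface that Zone, Url, Site, StrongName and Publisher implement. The intranet zone and the URL are constructed values for illustration.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Policy;
using System.Security.Permissions;

class HostEvidenceDemo
{
    // Build the Evidence a host would hand to AppDomain.ExecuteAssembly.
    // The zone and URL are constructed for this example.
    static Evidence BuildHostEvidence()
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(SecurityZone.Intranet));
        ev.AddHost(new Url("http://intranet.example.invalid/apps/Tool.exe"));
        return ev;
    }

    // Convert every piece of evidence that can express itself as an
    // identity permission (Zone, Url, Site, StrongName, Publisher) into one.
    static PermissionSet IdentityPermissionsFrom(Evidence ev)
    {
        PermissionSet ps = new PermissionSet(PermissionState.None);
        IEnumerator e = ev.GetHostEnumerator();
        while (e.MoveNext())
        {
            IIdentityPermissionFactory factory = e.Current as IIdentityPermissionFactory;
            if (factory != null)
                ps.AddPermission(factory.CreateIdentityPermission(ev));
        }
        return ps;
    }

    static void Main()
    {
        Evidence ev = BuildHostEvidence();
        PermissionSet idPerms = IdentityPermissionsFrom(ev);
        foreach (IPermission p in idPerms)
            Console.WriteLine(p.GetType().Name);

        // Identity permissions answer "where did the code come from?", so a
        // MyComputer identity is not a subset of an Intranet identity, while
        // an Intranet identity is a subset of itself.
        IPermission intranet = new ZoneIdentityPermission(SecurityZone.Intranet);
        IPermission local = new ZoneIdentityPermission(SecurityZone.MyComputer);
        Console.WriteLine("MyComputer within Intranet identity: {0}", local.IsSubsetOf(intranet));
        Console.WriteLine("Intranet within Intranet identity:   {0}", intranet.IsSubsetOf(intranet));
    }
}
```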



Application Development Using C# and .NET
ISBN: 013093383X
Year: 2001
Pages: 158
