Code Access Security - Evidence

On 8 Sep 2006 07:19:54 -0700, YangXiao***@gmail.com wrote:

I am reading a book "Programming Dot Net Security" and have a general
question -

Runtime uses Assembly evidence to get Permissions through Policy
resolution, then why does it allow assigning Evidence while loading an
assembly? I think assigning Evidence is a way of presenting false
evidence.

Any help? Thanks in advance.

----

Mary wrote:

Another way to think of it is that yes, you can present evidence, but
evidence alone can't circumvent policy. So if "false" evidence prevails,
then the policy wasn't restrictive enough and needs to be tightened.

--Mary

On 8 Sep 2006 07:19:54 -0700, YangXiao***@gmail.com wrote:
> I am reading a book "Programming Dot Net Security" and have a general
> question -
>
> Runtime uses Assembly evidence to get Permissions through Policy
> resolution, then why does it allow assigning Evidence while loading an
> assembly? I think assigning Evidence is a way of presenting false
> evidence.
>
> Any help? Thanks in advance.

----

Sept. 13, 2006

Joseph Bittman wrote:

Hey Yang... yes, an assembly could present "false" evidence about itself
to get more permissions. This is why it is IMPERATIVE that you have a
very strong CAS policy for which assemblies get the CAS permission to
modify assembly evidence. (Because basically... if they have that
permission, you are stating you completely trust that assembly 100% to
do the right thing, and if it presents false evidence to get more
permissions... then it isn't going to use those permissions to do
wrong.)

As Mary almost but didn't say fully... if you are worried about
assemblies presenting false evidence (which means you don't trust that
assembly for presenting the correct evidence), then your CAS policy isn't
tight enough, because your CAS policy is probably giving that permission
to non-trusted assemblies. So carefully review your policy to see the
various ways an assembly could get that permission, and if your policy
isn't specific enough in picking out only the assemblies which you have
100% trust in, then you need to tighten it up.

Hope this helps!

--
Joseph Bittman
Microsoft Certified Solution Developer
Microsoft Most Valuable Professional -- DPM
Blog/Web Site: http://CactiDevelopers.ResDev.Net/

<YangXiao***@gmail.com> wrote in message
news:1157725194.579255.314850@i3g2000cwc.googlegroups.com...
> I am reading a book "Programming Dot Net Security" and have a general
> question -
>
> Runtime uses Assembly evidence to get Permissions through Policy
> resolution, then why does it allow assigning Evidence while loading an
> assembly? I think assigning Evidence is a way of presenting false
> evidence.
>
> Any help? Thanks in advance.
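The following C# program is an added illustration of the two points made in the replies above; it is not code from the thread or from the book being discussed. It targets the .NET Framework 2.0-era CAS API (Evidence, SecurityManager.ResolvePolicy, Assembly.LoadFrom with an Evidence argument; these members are marked obsolete from .NET Framework 4.0 on). The first part is the policy review Joseph recommends: for each security zone it resolves the configured policy and reports whether the resulting grant set includes SecurityPermission with the ControlEvidence flag, which is the permission a caller needs before it may supply evidence for another assembly. The second part shows the legitimate reason the loader accepts evidence at all: running a local plugin under the Internet zone's grant set rather than the FullTrust it would otherwise receive from the local disk. The plugin path is a hypothetical placeholder, and using a Zone object as the only host evidence is a simplification (the runtime's own evidence also carries Url, Site, Hash and StrongName items).

```csharp
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example (not from the thread). .NET Framework 2.0-style CAS API.
class EvidenceReview
{
    // Hypothetical plugin location; no such file is part of the discussion.
    const string PluginPath = @"C:\plugins\Plugin.dll";

    // Build host evidence consisting of a single Zone item.
    static Evidence EvidenceForZone(SecurityZone zone)
    {
        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(zone));
        return evidence;
    }

    // Policy review: does the configured policy grant this evidence the right
    // to assign evidence to other assemblies? That right is SecurityPermission
    // with the ControlEvidence flag, or an unrestricted (FullTrust) grant set.
    static bool GrantsControlEvidence(Evidence evidence)
    {
        PermissionSet grant = SecurityManager.ResolvePolicy(evidence);
        if (grant.IsUnrestricted())
            return true;
        SecurityPermission sp =
            (SecurityPermission)grant.GetPermission(typeof(SecurityPermission));
        return sp != null
            && (sp.Flags & SecurityPermissionFlag.ControlEvidence) != 0;
    }

    static void Main()
    {
        // 1. Walk every zone and report which ones the policy trusts to supply
        //    evidence. Under the default policy only MyComputer (FullTrust) is
        //    expected to say True; any other True is a code group to look at.
        foreach (SecurityZone zone in Enum.GetValues(typeof(SecurityZone)))
        {
            if (zone == SecurityZone.NoZone)
                continue;
            Console.WriteLine("{0,-12} grants ControlEvidence: {1}",
                zone, GrantsControlEvidence(EvidenceForZone(zone)));
        }

        // 2. Sandboxing use of supplied evidence: load a local plugin as if it
        //    had come from the Internet zone. The calling assembly must itself
        //    hold ControlEvidence; the Demand throws SecurityException otherwise,
        //    which is exactly the gate the policy review above is checking.
        new SecurityPermission(SecurityPermissionFlag.ControlEvidence).Demand();
        Evidence restricted = EvidenceForZone(SecurityZone.Internet);
        Assembly plugin = Assembly.LoadFrom(PluginPath, restricted);
        Console.WriteLine("Loaded {0} under the Internet zone grant set",
            plugin.FullName);
    }
}
```

The same LoadFrom call with more generous evidence would widen the grant set instead of narrowing it, which is why the review in step 1 matters: every code group that resolves to a grant set containing ControlEvidence is a place where the policy, not the evidence, decides who gets to speak for other assemblies. Run the program under the policy you actually deploy (machine and enterprise levels both participate in ResolvePolicy), not only on a developer box.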