Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/26

Click to flip

26 Cards in this Set

  • Front
  • Back
How to determine which code groups grant permissions to an assembly?
- Configuration tool
- Runtime Security Policy
- Evaluate Assembly
- Select File, Type of evaluation, policy level to evaluate
What is "Walking-the-call-stack" check?
It ensures that an assembly that does not have a required permission cannot use one that does to illegaly perform an operation
What exception is thrown if an assembly is trying to peform an action which is not allowed?
System.Security.SecurityException
What is a Permission Set?
Name them
Is a set of permission which can be created and applied programmatically by creating and adding individual permission objects to a PermissionSet. Nothing, Execution, Internet, LocalIntranet, Eveything, FullTrust
What is a Security Policy?
Defines how assembly evidence is evaluated to determine the permissions that are granted to the assembly
What is an evidence?
Evidence is a collection class that holds two sets. Host evidence and assembly evidence. The host evidence describes the origin can include URL, Hash, Publisher, Site etc. Assembly evidence is custom user- or developer provided evidence. It is used by the runtime to determine which code groups the assembly belongs
What is a CAS permission?
A permission is a CAS access control entry. Like FileDialog, Isolated Storage File etc. Every permission can have different attributes, like Read or Write etc. It is used in sets lik the PermissionSet LocalIntranet
Can CAS controll fully trusted and unmanaged code?
No, only partly trusted managed code.
What is a permission set? List some of the default permission sets. What is the nothing permission set?
A permission set is a collection of permissions.
- Full Trust, Internet etc.
Nothing - No permission to an assembly. The assembly is not even allowed to run. Permission sets are assigned to Code groups
What are code groups?
Its a logical grouping of code that has a specified condition for membership. Any code that meets the membership condition (Evidence types, URL, Site, Publisher...) is included in the group. The code group has a permission set
Explain the logic behing Permission, PermissionSet, Code Group, Evidence, Security Policy and an Assembly.
The Code group groups code logically which match a special condition. This condition is the Evidence type provided by the assembly. Can be by origin or signature. The code group then gets a permission set which consists of 0 or more permissions. The Security Policy groups those groups for User, Machine, Enterprise, Application Domain.
How to add a new code group and assign a NEW permission set
Open mscorcfg.msc and go to
"Runtime Security Policy" choose a Securit Policy and right click on ALL_CODE and a new code group. Choose a condition to logically group the code and click next and create a new permission set
What is caspol.exe?
Code Access Security Policy command line tool.
What are the 3 reasons to use CAS declarations?
1. Least Priviledge
2. Application doesn't run application if not enough rights are assigned
3. To verify that the application can run with the limited CAS permissions and can therefore run in partially trusted environment
What CAS declarations has to be made to debug an assembly
[assembly:UIPermission(SecurityAction.RequestMinimum, Unrestricted = true]
What a the CAS declaration classes and what is the base class? What is the namespace?
CAS declaration classes are declared before the namespace declaration/class in a source code file. Each class has unique members but they all have Action and Unrestricted members as they derive from the CodeAccessSecurityAttribute class. System.Security.Permission
What are the 3 types for Assembly security actions?
SecurityAction.RequestMinimum - Requires a permission, if not it throws a SecurityException
SecurityAction.RequestOptional -
"Refuse except" - does not throw an exception before the actual action.
SecuritAction.RequestRefuse - Refuses the permission assigned to the application. No excpetion before action
WHat is the best practise for security declarations in assemblies?
Use SecurityAction.RequestOPtional and SecurityAction.RequestMinimum. So an exception is thrown before the assembly is loaded when it doesn't have enough rights and it refuses all other right and hence it can't be missused by other assemblies
What are the 6 Types of Permission Requests? What is the base class?
Assert - The calling code can access the resource identified by the current permission object, even if callers higher in the stack have not been granted permission to access the resource
Demand - Throws exception if caller and all callers higher in the stack lack the specified permission.
Deny - Causes the runtime to reduce the method's access by removing the specified permission
InheritanceDemand - Instructs the runtime to throw an exception if the assembly inheriting from the class lacks the specified permission
LinkDemand - Causes the runtime to throw an exception if the immediate caller but no callers higher in the stack, lack the specified permission
PermitOnly - Instructs the runtime to reduce the method's access by removing all permissions except for the specified permissions

CodeAccessPermission
What is the difference between declarative and imperative Security for classes and methods?
Declarative security performs security checks prior to running the code but imperative security the code checks itselfs the permissions and handles the results/exception
How to analyse granted permissions with imperative security?
use the static method System.Security.SecurityManager.
IsGranted(myPermission)
Avoid redundant demands?
Most classes in .NET use demands to ensure the callers have the permissions. Like StreamWriter
Can declarative security creteria be dynamic?
No, it must be static. Use imperative declarations instead
How to imperatvely limit a permission? deny access to c:\windows
FileIOPermission myPermission = new FileIOPermission(FileIOPermissionAccess.AllAccess,
@"c:\Windows");
myPermission.Deny();
What must the assembly have to use the SecurityAction.Assert action and how often can you use assert in a method?
1. SecurityPermissionFlag.Assertion as well as being the privilege being asserted.
2. Only once, use Permission sets instead
How to use permission sets for imperative security?
PermissionSet mySet = new PermissionSet(PermissionState.None);
mySet.Add(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Windows"));
mySet.Demand();