26 Cards in this Set

  • Front
  • Back
How to determine which code groups grant permissions to an assembly?
- Configuration tool
- Runtime Security Policy
- Evaluate Assembly
- Select File, Type of evaluation, policy level to evaluate
What is "Walking-the-call-stack" check?
It ensures that an assembly that does not have a required permission cannot use one that does to illegally perform an operation
What exception is thrown if an assembly is trying to perform an action which is not allowed?
System.Security.SecurityException
What is a Permission Set?
Name them
A set of permissions which can be created and applied programmatically by creating and adding individual permission objects to a PermissionSet. Nothing, Execution, Internet, LocalIntranet, Everything, FullTrust
What is a Security Policy?
Defines how assembly evidence is evaluated to determine the permissions that are granted to the assembly
What is an evidence?
Evidence is a collection class that holds two sets: host evidence and assembly evidence. The host evidence describes the origin and can include URL, Hash, Publisher, Site etc. Assembly evidence is custom user- or developer-provided evidence. It is used by the runtime to determine which code groups the assembly belongs to
What is a CAS permission?
A permission is a CAS access control entry, like FileDialog, Isolated Storage File etc. Every permission can have different attributes, like Read or Write etc. It is used in sets like the PermissionSet LocalIntranet
Can CAS control fully trusted and unmanaged code?
No, only partly trusted managed code.
What is a permission set? List some of the default permission sets. What is the nothing permission set?
A permission set is a collection of permissions.
- Full Trust, Internet etc.
Nothing - No permission to an assembly. The assembly is not even allowed to run. Permission sets are assigned to Code groups
What are code groups?
It's a logical grouping of code that has a specified condition for membership. Any code that meets the membership condition (Evidence types, URL, Site, Publisher...) is included in the group. The code group has a permission set
Explain the logic behind Permission, PermissionSet, Code Group, Evidence, Security Policy and an Assembly.
The Code group logically groups code that matches a special condition. This condition is the Evidence type provided by the assembly. It can be by origin or signature. The code group then gets a permission set which consists of 0 or more permissions. The Security Policy groups those groups for User, Machine, Enterprise, Application Domain.
How to add a new code group and assign a NEW permission set?
Open mscorcfg.msc and go to "Runtime Security Policy", choose a Security Policy, right-click on ALL_CODE and add a new code group. Choose a condition to logically group the code, click next and create a new permission set
What is caspol.exe?
Code Access Security Policy command line tool.
What are the 3 reasons to use CAS declarations?
1. Least Privilege
2. The application doesn't run if not enough rights are assigned
3. To verify that the application can run with the limited CAS permissions and can therefore run in partially trusted environment
What CAS declaration has to be made to debug an assembly?
[assembly: UIPermission(SecurityAction.RequestMinimum, Unrestricted = true)]
What are the CAS declaration classes and what is the base class? What is the namespace?
CAS declaration classes are declared before the namespace declaration/class in a source code file. Each class has unique members but they all have Action and Unrestricted members as they derive from the CodeAccessSecurityAttribute class. System.Security.Permissions
What are the 3 types for Assembly security actions?
SecurityAction.RequestMinimum - Requires a permission, if not it throws a SecurityException
SecurityAction.RequestOptional - "Refuse except" - does not throw an exception before the actual action.
SecurityAction.RequestRefuse - Refuses the permission assigned to the application. No exception before action
What is the best practice for security declarations in assemblies?
Use SecurityAction.RequestOptional and SecurityAction.RequestMinimum. So an exception is thrown before the assembly is loaded when it doesn't have enough rights and it refuses all other rights and hence it can't be misused by other assemblies
What are the 6 Types of Permission Requests? What is the base class?
Assert - The calling code can access the resource identified by the current permission object, even if callers higher in the stack have not been granted permission to access the resource
Demand - Throws exception if caller and all callers higher in the stack lack the specified permission.
Deny - Causes the runtime to reduce the method's access by removing the specified permission
InheritanceDemand - Instructs the runtime to throw an exception if the assembly inheriting from the class lacks the specified permission
LinkDemand - Causes the runtime to throw an exception if the immediate caller, but no callers higher in the stack, lacks the specified permission
PermitOnly - Instructs the runtime to reduce the method's access by removing all permissions except for the specified permissions

CodeAccessPermission
What is the difference between declarative and imperative Security for classes and methods?
Declarative security performs security checks prior to running the code, but with imperative security the code itself checks the permissions and handles the results/exception
How to analyse granted permissions with imperative security?
Use the static method System.Security.SecurityManager.IsGranted(myPermission)
Avoid redundant demands?
Most classes in .NET use demands to ensure the callers have the permissions. Like StreamWriter
Can declarative security criteria be dynamic?
No, it must be static. Use imperative declarations instead
How to imperatively limit a permission? Deny access to c:\windows
FileIOPermission myPermission = new FileIOPermission(FileIOPermissionAccess.AllAccess,
@"c:\Windows");
myPermission.Deny();
What must the assembly have to use the SecurityAction.Assert action and how often can you use assert in a method?
1. SecurityPermissionFlag.Assertion as well as the privilege being asserted.
2. Only once, use Permission sets instead
How to use permission sets for imperative security?
PermissionSet mySet = new PermissionSet(PermissionState.None);
mySet.Add(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Windows"));
mySet.Demand();