CLI Security

From no name for this wiki
Jump to: navigation, search

Security in .net

Code access permissions

Security Actions

Security Actions mit Methodengranularität:

[FileIOPermission(SecurityAction.Assert, All = @"C:\myfile.txt")]
public void sampleMethod()
{
 StreamWriter TextStream = new StreamWriter(@"C:\myfile.txt");
 TextStream.WriteLine("Hello world");
 TextStream.Close();       
}

Imperative:

FileIOPermission FilePermission = new FileIOPermission(FileIOPermissionAccess.AllAccess,@"C:\myfile.txt"); 
FilePermission.Assert();

Assert

The calling code can access the resource identified by the current permission object, even if callers higher in the stack have not been granted permission to access the resource. Use assertions carefully because they can open security holes and undermine the runtime's mechanism for enforcing security restrictions.

Demand

All callers higher in the call stack are required to have been granted the permission specified by the current permission object. Schlägt der Test fehl, dann wird eine SecurityException geworfen.

Deny

The ability to access the resource specified by the current permission object is denied to callers, even if they have been granted permission to access it.

Inheritance demand

The derived class inheriting the class or overriding a method is required to have been granted the specified permission.

Link demand

The immediate caller is required to have been granted the specified permission. The only demands that do not result in a stack walk are link demands, which check only the immediate caller.

Permit only

Only the resources specified by this permission object can be accessed, even if the code has been granted permission to access other resources.

Request minimum

The request for the minimum permissions required for code to run. This action can only be used within the scope of the assembly.

Request optional

The request for additional permissions that are optional (not required to run). This request implicitly refuses all other permissions not specifically requested. This action can only be used within the scope of the assembly.

Request refuse

The request that permissions that might be misused will not be granted to the calling code. This action can only be used within the scope of the assembly.

Identity persmissions

Identity Permissions sind immer im Zusammenhang mit einem Assembly und dem Loader, welcher das Assembly geladen hat. Identity Persmissions erben auch von CodeAccessPermission.

  • PublisherIdentityPermission
  • SiteIdenityPermission
  • StrongNameIdentityPermission
  • URLIdentityPermission
  • ZoneIdentityPermission

Role based security

private void button1_Click(object sender, EventArgs e)
{
            AppDomain myDomain = Thread.GetDomain();
 
            myDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
            IPrincipal myPrincipal = Thread.CurrentPrincipal;
            WindowsPrincipal wp = myPrincipal as WindowsPrincipal;
 
            bool result = myPrincipal.IsInRole("My Role");
            result = wp.IsInRole(WindowsBuiltInRole.Administrator);
 
 
}

SecurityManager, ApplicationSecurityManager

SecurityManager

bool isgranted =    SecurityManager.IsGranted(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\"));

ApplicationSecurityManager

Enhtält Informationen über eine manifest-based Applikation.

[SecurityPermission(SecurityAction.LinkDemand, ControlDomainPolicy=true)]
private void button1_Click(object sender, EventArgs e)
{
    ActivationContext ac = AppDomain.CurrentDomain.ActivationContext;
    ApplicationIdentity ai = ac.Identity;
    Console.WriteLine("Full name = " + ai.FullName);
    Console.WriteLine("Code base = " + ai.CodeBase);  
    bool result = ApplicationSecurityManager.DetermineApplicationTrust(ac, new TrustManagerContext());  
    Conole.WriteLine("Trust = " + result);    
}

ACLs

private void button1_Click(object sender, EventArgs e)
{
    FileSecurity fSecurity = File.GetAccessControl(@"C:\");
    Type ntAccount = typeof(System.Security.Principal.NTAccount);
    AuthorizationRuleCollection rules = fSecurity.GetAccessRules(true, true, ntAccount);
    foreach (AuthorizationRule ar in rules)
    {
      FileSystemAccessRule far = ar as FileSystemAccessRule;
      NTAccount user = far.IdentityReference.Translate(ntAccount) as System.Security.Principal.NTAccount;
    }            
}

Encryption, Decryption

        private void button1_Click(object sender, EventArgs e)
        {
            //Write
            this.encrypt();
 
            //Read
            this.decrypt();
 
        }
 
        public void encrypt()
        {
            RijndaelManaged cryptor = new RijndaelManaged();
            byte[] Key = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
            byte[] IV = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
 
            ICryptoTransform transform = cryptor.CreateEncryptor(Key, IV);
            FileStream fileStream = File.Create(@"C:\test.txt");
 
            CryptoStream cryptoStream = new CryptoStream(fileStream, transform, CryptoStreamMode.Write);
            StreamWriter writer = new StreamWriter(cryptoStream);
 
            writer.WriteLine("Hello World");
 
            writer.Close();                      
        }
 
        public void decrypt(){
            RijndaelManaged cryptor = new RijndaelManaged();
            byte[] Key = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
            byte[] IV = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
 
            ICryptoTransform transform = cryptor.CreateDecryptor(Key, IV);
            FileStream fileStream = File.OpenRead(@"C:\test.txt");
            CryptoStream cryptoStream = new CryptoStream(fileStream, transform, CryptoStreamMode.Read);
            StreamReader reader = new StreamReader(cryptoStream);
            string line = reader.ReadLine();
        }