CLI Security
Security in .net
Contents
Code access permissions
Security Actions
Security Actions mit Methodengranularität:
[FileIOPermission(SecurityAction.Assert, All = @"C:\myfile.txt")]
public void sampleMethod()
{
StreamWriter TextStream = new StreamWriter(@"C:\myfile.txt");
TextStream.WriteLine("Hello world");
TextStream.Close();
}
Imperative:
FileIOPermission FilePermission = new FileIOPermission(FileIOPermissionAccess.AllAccess,@"C:\myfile.txt");
FilePermission.Assert();
Assert
The calling code can access the resource identified by the current permission object, even if callers higher in the stack have not been granted permission to access the resource. Use assertions carefully because they can open security holes and undermine the runtime's mechanism for enforcing security restrictions.
Demand
All callers higher in the call stack are required to have been granted the permission specified by the current permission object. Schlägt der Test fehl, dann wird eine SecurityException geworfen.
Deny
The ability to access the resource specified by the current permission object is denied to callers, even if they have been granted permission to access it.
Inheritance demand
The derived class inheriting the class or overriding a method is required to have been granted the specified permission.
Link demand
The immediate caller is required to have been granted the specified permission. The only demands that do not result in a stack walk are link demands, which check only the immediate caller.
Permit only
Only the resources specified by this permission object can be accessed, even if the code has been granted permission to access other resources.
Request minimum
The request for the minimum permissions required for code to run. This action can only be used within the scope of the assembly.
Request optional
The request for additional permissions that are optional (not required to run). This request implicitly refuses all other permissions not specifically requested. This action can only be used within the scope of the assembly.
Request refuse
The request that permissions that might be misused will not be granted to the calling code. This action can only be used within the scope of the assembly.
Identity persmissions
Identity Permissions sind immer im Zusammenhang mit einem Assembly und dem Loader, welcher das Assembly geladen hat. Identity Persmissions erben auch von CodeAccessPermission.
- PublisherIdentityPermission
- SiteIdenityPermission
- StrongNameIdentityPermission
- URLIdentityPermission
- ZoneIdentityPermission
Role based security
private void button1_Click(object sender, EventArgs e)
{
AppDomain myDomain = Thread.GetDomain();
myDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
IPrincipal myPrincipal = Thread.CurrentPrincipal;
WindowsPrincipal wp = myPrincipal as WindowsPrincipal;
bool result = myPrincipal.IsInRole("My Role");
result = wp.IsInRole(WindowsBuiltInRole.Administrator);
}
SecurityManager, ApplicationSecurityManager
SecurityManager
bool isgranted = SecurityManager.IsGranted(new FileIOPermission(FileIOPermissionAccess.Read, @"C:\"));
ApplicationSecurityManager
Enhtält Informationen über eine manifest-based Applikation.
[SecurityPermission(SecurityAction.LinkDemand, ControlDomainPolicy=true)]
private void button1_Click(object sender, EventArgs e)
{
ActivationContext ac = AppDomain.CurrentDomain.ActivationContext;
ApplicationIdentity ai = ac.Identity;
Console.WriteLine("Full name = " + ai.FullName);
Console.WriteLine("Code base = " + ai.CodeBase);
bool result = ApplicationSecurityManager.DetermineApplicationTrust(ac, new TrustManagerContext());
Conole.WriteLine("Trust = " + result);
}
ACLs
private void button1_Click(object sender, EventArgs e)
{
FileSecurity fSecurity = File.GetAccessControl(@"C:\");
Type ntAccount = typeof(System.Security.Principal.NTAccount);
AuthorizationRuleCollection rules = fSecurity.GetAccessRules(true, true, ntAccount);
foreach (AuthorizationRule ar in rules)
{
FileSystemAccessRule far = ar as FileSystemAccessRule;
NTAccount user = far.IdentityReference.Translate(ntAccount) as System.Security.Principal.NTAccount;
}
}
Encryption, Decryption
private void button1_Click(object sender, EventArgs e)
{
//Write
this.encrypt();
//Read
this.decrypt();
}
public void encrypt()
{
RijndaelManaged cryptor = new RijndaelManaged();
byte[] Key = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
byte[] IV = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
ICryptoTransform transform = cryptor.CreateEncryptor(Key, IV);
FileStream fileStream = File.Create(@"C:\test.txt");
CryptoStream cryptoStream = new CryptoStream(fileStream, transform, CryptoStreamMode.Write);
StreamWriter writer = new StreamWriter(cryptoStream);
writer.WriteLine("Hello World");
writer.Close();
}
public void decrypt(){
RijndaelManaged cryptor = new RijndaelManaged();
byte[] Key = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
byte[] IV = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 };
ICryptoTransform transform = cryptor.CreateDecryptor(Key, IV);
FileStream fileStream = File.OpenRead(@"C:\test.txt");
CryptoStream cryptoStream = new CryptoStream(fileStream, transform, CryptoStreamMode.Read);
StreamReader reader = new StreamReader(cryptoStream);
string line = reader.ReadLine();
}
