Control Code Privileges

A quick refresher about the security policies of the .NET Framework:

  1. Security Policy Levels
  2. A Hierarchy of Code Groups
  3. Named Permission Sets associated with Code Groups
  4. Evidence of an assembly
  5. Application domain hosts that provide evidence to the CLR

Don't worry if you can't recall all of these; check out the MSDN link at the bottom, called Security Policy Management. This post is about the namespace System.Security.Policy. It contains the code groups, the membership conditions and the evidence classes, and these three kinds of types are what the CLR uses to build and evaluate the rules of a policy. Evidence objects are the inputs of a security policy, and membership conditions are its switches: each one tests one kind of evidence and answers yes or no. Policy levels and code groups give the policy its hierarchical structure: a code group encapsulates one rule (a membership condition plus the permission set it grants) and is a member of a policy level.

First let’s take a look at the classes working with the membership conditions:

AllMembershipCondition Matches all code; used in the root code group of a policy level.
ApplicationDirectoryMembershipCondition Determines whether an assembly belongs to a code group by testing whether its URL lies in the application directory. Code that lacks ApplicationDirectory or Url evidence always fails this condition.
GacMembershipCondition Determines whether an assembly belongs to a code group by testing whether it is installed in the global assembly cache (GacInstalled evidence).
HashMembershipCondition Determines whether an assembly belongs to a code group by checking its hash value.
PublisherMembershipCondition Checks the publisher's Authenticode digital signature.
SiteMembershipCondition Checks the site from which the code originated.
StrongNameMembershipCondition Checks the strong name (public key, and optionally name and version) of the assembly.
UrlMembershipCondition Checks the URL from which the assembly originates; a trailing * acts as a wildcard.
ZoneMembershipCondition Checks the zone (MyComputer, Intranet, Trusted, Internet or Untrusted) of the assembly's origin.


A quick check of a zone membership condition against hand-built host evidence:

using System.Security;
using System.Security.Policy;
// Host evidence: the zone the URL security manager maps a local file URL to.
Zone z = Zone.CreateFromUrl(@"file:///C:/");
Object[] hostEvidence = new Object[] { z };
Evidence theEvidence = new Evidence(hostEvidence, null); // no assembly evidence
ZoneMembershipCondition zmc = new ZoneMembershipCondition(SecurityZone.MyComputer);
bool isLocal = zmc.Check(theEvidence);

Because file:///C:/ points at the local disk, the host maps it to the MyComputer security zone, so the condition's Check method returns true for this evidence. Note that the condition is only evaluated when Check is called; creating the Evidence and the condition does nothing by itself.

The evidence classes in System.Security.Policy are the following:

ApplicationDirectory, GacInstalled, Hash, Publisher, Site, StrongName, Url, Zone. To use them, create an instance, put it into an object array, wrap that array in an Evidence object, and pass the Evidence to the Check method of a membership condition, as in the example above.

An Evidence object holds two kinds of evidence: host evidence and assembly evidence. Assembly evidence is embedded in the assembly itself, so it is under the control of whoever built the assembly; the membership conditions ignore it by default and look only at the host evidence. Host evidence is supplied by the host that loads the assembly (the CLR or a custom application domain host); typical examples are Url, Site and Zone.
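To show how these pieces fit together, here is an added example that is not code from the original post or from MSDN. It targets the .NET Framework, where System.Security.Policy is implemented (these types are not available in .NET Core and later). It builds host evidence for an assembly from a made-up intranet URL, runs several membership conditions over it, shows that a Zone placed in the assembly half of the Evidence is ignored, and resolves a small UnionCodeGroup tree to the permission set the policy would grant. The host name buildserver, the URLs and the contents of the permission sets are constructed sample values.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example, not from the original post. Targets the .NET Framework CAS
// object model. The host name "buildserver", the URLs and the permission sets
// are constructed sample values.
class PolicyDemo
{
    // Host evidence as a host (the CLR or a custom AppDomain host) would supply
    // it for an assembly loaded from the given URL: Zone, Url and Site.
    static Evidence HostEvidenceFor(string url, SecurityZone zone)
    {
        object[] host = { new Zone(zone), new Url(url), Site.CreateFromUrl(url) };
        return new Evidence(host, null);   // second half: assembly evidence (none here)
    }

    // A small code group hierarchy. The root matches all code and grants nothing;
    // each child is one rule (membership condition + permission set), and
    // UnionCodeGroup unions the permission sets of every matching branch.
    static UnionCodeGroup BuildCodeGroups()
    {
        var root = new UnionCodeGroup(new AllMembershipCondition(),
            new PolicyStatement(new PermissionSet(PermissionState.None)));
        root.Name = "All_Code";

        // Zone rule: intranet code gets a small named set (UI and file dialogs only).
        var intranetSet = new NamedPermissionSet("Intranet_Like", PermissionState.None);
        intranetSet.AddPermission(new UIPermission(PermissionState.Unrestricted));
        intranetSet.AddPermission(new FileDialogPermission(PermissionState.Unrestricted));
        var intranet = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Intranet),
            new PolicyStatement(intranetSet));
        intranet.Name = "Intranet_Zone";

        // URL rule: one directory on the build server is fully trusted; the trailing
        // asterisk is the UrlMembershipCondition wildcard.
        var apps = new UnionCodeGroup(new UrlMembershipCondition("http://buildserver/apps/*"),
            new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
        apps.Name = "BuildServer_Apps";

        root.AddChild(intranet);
        root.AddChild(apps);
        return root;
    }

    static void Main()
    {
        Evidence tool  = HostEvidenceFor("http://buildserver/apps/tool.dll", SecurityZone.Intranet);
        Evidence other = HostEvidenceFor("http://buildserver/other/x.dll", SecurityZone.Intranet);

        // 1. Membership conditions are the switches: each inspects one evidence type.
        IMembershipCondition[] conditions =
        {
            new ZoneMembershipCondition(SecurityZone.Intranet),
            new SiteMembershipCondition("buildserver"),
            new UrlMembershipCondition("http://buildserver/apps/*"),
            new UrlMembershipCondition("http://buildserver/other/*")
        };
        foreach (IMembershipCondition c in conditions)
            Console.WriteLine("{0,-45} tool.dll={1}  x.dll={2}", c, c.Check(tool), c.Check(other));

        // 2. Assembly evidence is not consulted: a Zone placed in the assembly half
        //    of the Evidence does not satisfy ZoneMembershipCondition.
        var selfDeclared = new Evidence(new object[0], new object[] { new Zone(SecurityZone.MyComputer) });
        Console.WriteLine("MyComputer claimed via assembly evidence: {0}",
            new ZoneMembershipCondition(SecurityZone.MyComputer).Check(selfDeclared));

        // 3. Code groups encapsulate the rules; Resolve walks the tree with the evidence
        //    and returns the union of the permission sets of all matching groups.
        UnionCodeGroup root = BuildCodeGroups();
        PolicyStatement toolGrant  = root.Resolve(tool);
        PolicyStatement otherGrant = root.Resolve(other);
        Console.WriteLine("tool.dll unrestricted: {0}", toolGrant.PermissionSet.IsUnrestricted());
        Console.WriteLine("x.dll    unrestricted: {0}", otherGrant.PermissionSet.IsUnrestricted());
        Console.WriteLine("x.dll grant:{0}{1}", Environment.NewLine, otherGrant.PermissionSet);
    }
}
```

tool.dll satisfies both the Intranet_Zone and the BuildServer_Apps groups, so the union of their permission sets is unrestricted; x.dll satisfies only the zone group and receives just the Intranet_Like set. The Zone declared in assembly evidence never satisfies the MyComputer condition, which is the reason code cannot promote itself to a more trusted zone by shipping its own evidence: only what the host asserts counts.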

There is much more on this topic, but I haven't found a damn word about it in the Training Kit, so I suggest you read through MSDN. I've done it, but there's so much there, with so many repeats, that I wouldn't even try to reproduce it.

Further Readings:

Security Policy Management
