CAS (Code access security) & .NET 4.0 Security model FAQ



Many developers understand the concept of CAS (Code access security), but very few know how to implement it. This article discusses and demonstrates, in practice, the aspects of CAS which you have so far read about only in theory.

This article starts with the basic concepts of CAS: evidence, permissions, code groups and caspol.exe. It then demonstrates how CAS can be implemented in the real world. Finally, it covers the ground-up changes made to CAS in .NET 4.0, namely the security transparent model and sandboxing.

Code access security is a security model that grants or denies permissions to your assembly depending on evidence such as where the code came from, who the publisher is, its strong name, and so on.

What is evidence in CAS?

When you want to execute any code in your environment, you first want to know where the code came from. Depending on where it came from, you then give it access rights. For instance, code compiled on your own computer would have greater rights than code downloaded from the internet.

To find this out, we need to probe the assembly / exe / dll and gather evidence such as who the publisher of the code is, which site the code came from, which zone it came from (internet, intranet etc.) and so on.

Once you have gathered the evidence about the code, you assign permissions to the code. There are various permissions which you can assign: can the code create a file, can it write to the registry, can it use reflection, can it open the file dialog box, etc.

These permissions are collected into permission sets, and those permission sets are allocated to the code.

What is code group?

Code groups are nothing but categories of code. These categories are defined by permissions and evidence values. When .NET code runs, it is assigned to a code group according to the evidence collected at runtime.

For instance, there are various default code groups such as the My Computer zone, the Internet zone, the Intranet zone etc.

The My Computer zone code group is allocated to code whose evidence says that it is an assembly installed on the computer, and it has the permission set ‘internet’, which contains various permissions like file dialog, execute, user interface, printing etc.

So how does CAS work at runtime?

When the assembly runs, the following steps take place:

• Evidence is gathered about the assembly. In other words, where did this assembly come from?
• Depending on the evidence, the assembly is assigned to a code group. In other words, what rights does the assembly get, depending on the evidence gathered?
• Depending on the code group, the assembly is allocated security rights.
• The assembly is then run within those security rights.
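
The first three runtime steps above, as an added C# example that is not part of the original article. It assumes .NET Framework 4.x; the policy tree, the permission sets and the class name `CasResolutionDemo` are constructed for illustration and are not the machine's default policy.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class CasResolutionDemo
{
    // Constructed policy tree for illustration; not the machine's installed policy.
    static CodeGroup BuildPolicy()
    {
        // Root group matches all code and grants nothing on its own.
        var root = new UnionCodeGroup(new AllMembershipCondition(),
            new PolicyStatement(new PermissionSet(PermissionState.None)));
        // Constructed set for local code: execute plus file system access.
        var local = new PermissionSet(PermissionState.None);
        local.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        local.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
        root.AddChild(new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.MyComputer), new PolicyStatement(local)));
        // Constructed set for internet code: execute plus the open-file dialog only.
        var internet = new PermissionSet(PermissionState.None);
        internet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        internet.AddPermission(new FileDialogPermission(FileDialogPermissionAccess.Open));
        root.AddChild(new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.Internet), new PolicyStatement(internet)));
        return root;
    }

    static PermissionSet Resolve(CodeGroup policy, SecurityZone zone)
    {
        // Step 1: evidence describing where the code came from.
        var evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(zone));
        // Steps 2 and 3: match the evidence against each code group's membership
        // condition and union the permission sets of every group that matches.
        PolicyStatement statement = policy.Resolve(evidence);
        return statement.PermissionSet;
    }

    static void Main()
    {
        CodeGroup policy = BuildPolicy();
        var zones = new[] { SecurityZone.MyComputer, SecurityZone.Internet, SecurityZone.Untrusted };
        foreach (SecurityZone zone in zones)
        {
            PermissionSet granted = Resolve(policy, zone);
            Console.WriteLine("{0,-10} FileIO={1} FileDialog={2}", zone,
                granted.GetPermission(typeof(FileIOPermission)) != null,
                granted.GetPermission(typeof(FileDialogPermission)) != null);
        }
    }
}
```

Evidence that matches no child group, such as the Untrusted zone here, resolves to the root group's empty permission set. The fourth step, actually running the assembly within the granted set, is enforced by the runtime and is not shown.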


If you want to allocate rights to an assembly, you need to install the .NET configuration tool and click on the Trust Assembly menu, as shown in the figure below.