To really get a better idea of .NET security we first have to talk a little about the CLR. The CLR plays a major role in security when deploying an application.

These are the steps of a deployment:

  • Retrieve the assembly's evidence (assembly's strong name, digital signature, sign code signature, and Internet zone where executed.
  • Referencing the security policy - Determines the actions the code is allowed to perform.
  • Executing the code - If it has permissions it has access to execute the code.

A digital signature or internet zone can both be used as evidence of an assembly. In simple words it is the assembly's information.

Evidence Based Security:

The security policy can use evidence from the host or assembly itself to evaluate whether an assembly must be granted permissions or not. It uses the host evidence by default, which consists of the URI from which the assembly originates (internet zone) or the assembly's digital signature. An assembly evidence is customized evidence you can attach to an assembly to extend its evidence set. The security policy only uses evidence it's explicitly configured to accept.

An application may use several methods to enable evidence-based security. A common way is to include a permission request that forces code to only have permission it expects.

Some methods of the Evidence class:

AddAssemblyEvidence: Take an evidence as a parameter and adds it to the Evidence.

Count: Counts the number of evidences in a Evidence object.

System.Security  - contains permission based classes and base signature of CLR security System.

System.Security.Policy  - Contains Evidence class

System.Reflection  - Contains classes that provide the loaded view of an assembly.

Code Sample:

1
2
3
Type type = Type.GetType("System.Object");
Assembly assembly = Assembly.GetAssembly(type);
Evidence evidence = assembly.Evidence;</pre>

This code snippet will get the assembly of System.Object and add it to you Evidence object.