Is CAS dead in .NET 4?

re: Is CAS dead in .NET 4?

Sviver — Mon, 26 Sep 2011 10:12:13 GMT

Hello Shawn,

Though there has recently been no activity on the blog, I hope you are still getting a notification about my new post and will read it.

I have read a lot about CAS now, your blog was one of the most understandable ones. However, there are a few things I still don't get - or actually I fear I get it, and what I want to achieve is not possible...

Currently we have a .NET 2.0 solution which looks like this:

- A signed ActiveX component written in .NET which needs permission to access local files

- ActiveX is embedded in intranet site

- Assembly is not installed to the GAC but downloaded directly from the server so we can easily roll out updates

- An MSI package setting .NET runtime security polcies so that the assembly has local file access permission based on the certificate it is signed with. This package only needs to be installed once of course.

All is running fine.

Now if I change to .NET 4.0, including the new security model, the permissions granted to the assembly are decided by the host, in this case Internet Explorer. Any policies defined with caspol.exe will not be taken into account. My ActiveX will be run in a sandbox without any file local access permission.

I have not yet found any way to let Internet Explorer know, that my partical assembly shall be executed in a "privileged sandbox".

Is there any way to achieve this? Can SRP be parametrized in a way that it will not restrict software, but instead allow extra permissions? Does it work within Internet Explorer also?

Or do I have to stay with the <NetFx40_LegacySecurityPolicy> forever? Will that be supported in future, or will it be obsolete and run out with time?

Thanks,

Oliver

re: Is CAS dead in .NET 4?

Sviver — Mon, 26 Sep 2011 10:11:51 GMT

Hello Shawn,

Though there has recently been no activity on the blog, I hope you are still getting a notification about my new post and will read it.

Currently we have a .NET 2.0 solution which looks like this:

- A signed ActiveX component written in .NET which needs permission to access local files

- ActiveX is embedded in intranet site

- Assembly is not installed to the GAC but downloaded directly from the server so we can easily roll out updates

All is running fine.

I have not yet found any way to let Internet Explorer know, that my partical assembly shall be executed in a "privileged sandbox".

Is there any way to achieve this? Can SRP be parametrized in a way that it will not restrict software, but instead allow extra permissions? Does it work within Internet Explorer also?

Or do I have to stay with the <NetFx40_LegacySecurityPolicy> forever? Will that be supported in future, or will it be obsolete and run out with time?

Thanks,

Oliver

re: Is CAS dead in .NET 4?

Jim — Thu, 01 Apr 2010 16:41:34 GMT

Thanks Shawn, so it was OK pre-v4 because only the VS designer (full trust) would use our designer code.

But now, even though asp.net doesn't use the designer code, that inheritance check is still performed.

Sounds like will have to separate out the designer stuff into a different assembly.

Thanks

Jim

re: Is CAS dead in .NET 4?

shawnfa — Wed, 31 Mar 2010 22:58:34 GMT

Hi Jim,

If your control assembly is partially trusted (for instance, it loads into the partial trust web app but is not loaded from the GAC), then it can never contain security critical or safe critical code. In fact, the CLR will ignore all transparency attributes it finds in the code itself and treat the assembly as if it were marked [assembly: SecurityTransparent].

Therefore, if you mark your type wtih [SecurityCritical] it's really having no effect at all - although if you were a fully trusted APTCA library that would be exactly the correct solution.

The reason that the legacy level 1 rule makes this error go away is that level 1 transparency did not enforce any sort of inheritance rules at all - since level 1 is ther to be compatible with the v2 transparency model, it also cannot enforce inheritance rules.

-Shawn

re: Is CAS dead in .NET 4?

Jim — Wed, 31 Mar 2010 18:21:57 GMT

Shawn, a question if you don't mind.

Let's say you build an ASP.NET control library, for use in less than full trust level web apps.

Your only exposure to SecurityCritical code is through your inheritance of the framework's ControlDesigner class.

When running the app. you'll see the exception

"Inheritance security rules violated by type: 'ABC'. Derived types must either match the security accessibility of the base type or be less accessible"

This means you should add SecurityCritical to your type ABC - however it doesn't resolve the problem.

If however you mark the assembly with "level 1" transparency, it will work (regardless of marking SecurityCritical on the type 'ABC'.

APTCA is also set.

If Level 1 is legacy, then what would be the correct way to do this for v4?

Initially I thought that this situation was the same as bridging between transparent and securitycritical, using securitysafecritical, but making that doesn't seem to apply to subclasses.

It seems like the runtime is saying "your subclass needs to be securitycritical", but, when we set the assembly to level 2, that's when the check kicks in and it decides "if the app. is partially trusted, it cannot use this assembly".

Am I understanding it correctly?

If I just leave the assembly as level 1, then it all seems to be OK - but what's the drawback? Level 1 might be dropped in next ver?

Thanks

Jim

re: Is CAS dead in .NET 4?

shawnfa — Thu, 25 Feb 2010 22:05:06 GMT

The security model is a pretty large topic ... I'd recommend this blog as a starting point, it's got a lot of information about how things used to be and I've been writing recently about what we're changing in v4. You could also check out MSDN (for instnace http://msdn.microsoft.com/en-us/library/dd233103(VS.100).aspx) for some other details.

-Shawn

re: Is CAS dead in .NET 4?

Ben — Thu, 25 Feb 2010 01:16:17 GMT

Reading this interesting blog post, I realized there is a lot of things I didn't know. Could you point me to some resources explaining how the security model in .NET 2.0 (and 3.5 I guess) works and how it works in .NET 4.0. I would greatly appreciate!