Tech moves fast! Stay ahead of the curve with Techopedia!
Join nearly 200,000 subscribers who receive actionable tech insights from Techopedia.
Code access security (CAS) is a security mechanism by which the common language runtime (CLR) of the .NET framework can restrict the managed code to execute operations with a limited set of permissions.
CAS enforces security policies in the .NET framework by preventing unauthorized access to protected resources and operations. Unlike traditional security methods, where user credentials are obtained from the user, CAS is designed to address the issues faced when obtaining code from external sources, which contain bugs and vulnerabilities. These bugs and vulnerabilities may make a user's system vulnerable to malicious code, which may be performing tasks without the user knowing it. CAS actually knows and allows only those operations a given user's code can and cannot perform. This feature is applicable to all managed code targeting the CLR.
CAS provides evidence-based security built on a layer above the security provided by the Windows operating system. While Windows is based on the permissions of the user, CAS is based on the evidence for the assembly. The assembly contains the permissions defined in the security policy and forms the basis for allowing code to execute necessary actions.
CAS is built on the following elements, among others:
The code-executing privileged operation demands the CLR for one or more permissions. The actual permission is calculated using the union of permission set in the code groups and then an intersection at the policy level. The CLR ensures the demanded permissions are in the granted permissions of the method of that assembly. If permission is not granted, a security exception will be thrown.
CAS provides two security modes to define permissions for code:
CAS has limitations, including the malfunctioning of an application moved to another system when the security policy is different. In addition, there is no control on unmanaged code and no control of the development of applications to cater to the needs of different scenarios of security settings on user systems.
To effectively use the fine-grained security technology of CAS, developers should write type-safe code, use declarative or imperative syntax based on context, request permissions from run time for code to run, and use secure libraries.