Jump to navigation

Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...


First CAS sample in Mono

I've been working on Mono's Code Access Security (CAS) since being back from vacations. This is, like cryptography, not a very visual-friendly task - but there's still some progress to be shown ;-)

If you compile the following source file...

using System; using System.Security; using System.Security.Permissions; using System.Security.Policy; public class Program { static void Demand (SecurityZone zone) { try { new ZoneIdentityPermission (zone).Demand (); Console.WriteLine ("Zone {0}: GRANTED", zone); } catch (Exception e) { Console.WriteLine ("Zone {0}: {1}", zone, e.GetType ()); } } static public void Main (string[] args) { Demand (SecurityZone.Internet); Demand (SecurityZone.Intranet); Demand (SecurityZone.MyComputer); Demand (SecurityZone.NoZone); Demand (SecurityZone.Trusted); Demand (SecurityZone.Untrusted); Demand ((SecurityZone)128); } }

... you will get the following output using either Microsoft's runtime or Mono (CVS):

Zone Internet: System.Security.SecurityException Zone Intranet: System.Security.SecurityException Zone MyComputer: GRANTED Zone NoZone: GRANTED Zone Trusted: System.Security.SecurityException Zone Untrusted: System.Security.SecurityException Zone 128: System.ArgumentException

Now while we're still a very long way from complete CAS support but this little subset is an important milestone because:

  • it shows that (a least a subset) of the security policy can be resolved;
  • it use the host provided evidences to get the current zone (MyComputer) from which the code is being executed;
  • it works using a partial (assembly-based) stack walk.

Best of all it allows to tests many security classes, like permissions, using different policies - something not easily achievable using NUnit. It also open up the doors for more people to start experimenting with CAS, albeit in a very limited form right now, with the next Mono release (1.1.1).

Still missing...

  • full stack walk - required to support modifiers like Assert, Deny and PermitOnly;
  • support for declarative security (attributes);
  • tests;
  • tools like caspol.exe and permview.exe;
  • more tests;
  • the class librairies audit - to ensure correct security attributes are applied;
  • and even more tests.

8/17/2004 09:32:28 | Comments

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.