Hacking the Code: ASP.NET Web Application Security

The .NET Framework is based on the concept of distributed applications, in which an application does not necessarily have a single owner. To circumvent the problem of which parts of the application (being assemblies) to trust, code access security is introduced. This is a very powerful way to protect the system from code that may be malicious or just unstable. Remember that it is always active, even if you do not use it in your own code. CAS helps you with the following tasks:
Limiting access permissions of assemblies by applying security policies
Protecting the code from obtaining more permissions than the security policy initially permits
Managing and configuring permission sets within security policies to reflect the specific security needs
Granting assemblies specific permissions that they request
Enabling assemblies in demanding specific permissions from the caller
Using the caller s identity and credentials to access protected resources and code
The .NET Code Access Security (CAS) model is based on a number of features:
Stack walking
Code identity
Code groups
Declarative and imperative security
Requesting permissions
Demanding permissions
Overriding security checks
Custom permissions
The following discussion will give you a better understanding of how CAS works in general and how it can work for you as you design and implement .NET applications.
Perhaps stack walking is the most important mechanism within CAS to ensure that assemblies cannot gain access to protected resources and code during the course of the execution. As we...