Security-Transparent Code

Note

Code Access Security (CAS) and Partially Trusted Code

The .NET Framework provides a mechanism for the enforcement of varying levels of trust on different code running in the same application called Code Access Security (CAS).

CAS is not supported in .NET Core, .NET 5, or later versions. CAS is not supported by versions of C# later than 7.0.

CAS in .NET Framework should not be used as a mechanism for enforcing security boundaries based on code origination or other identity aspects. CAS and Security-Transparent Code are not supported as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place. .NET Framework will not issue security patches for any elevation-of-privilege exploits that might be discovered against the CAS sandbox.

This policy applies to all versions of .NET Framework, but does not apply to the .NET Framework included in Silverlight.

Security involves three interacting pieces: sandboxing, permissions, and enforcement. Sandboxing refers to the practice of creating isolated domains where some code is treated as fully trusted and other code is restricted to the permissions in the grant set for the sandbox. The application code that runs within the grant set of the sandbox is considered to be transparent; that is, it cannot perform any operations that can affect security. The grant set for the sandbox is determined by evidence (the Evidence class). Evidence identifies what specific permissions are required by sandboxes, and what kinds of sandboxes can be created. Enforcement refers to allowing transparent code to execute only within its grant set.

Important

Security policy was a key element in previous versions of the .NET Framework. Starting with the .NET Framework 4, security policy is obsolete. The elimination of security policy is separate from security transparency. For information about the effects of this change, see Code Access Security Policy Compatibility and Migration.

Purpose of the Transparency Model

Transparency is an enforcement mechanism that separates code that runs as part of the application from code that runs as part of the infrastructure. Transparency draws a barrier between code that can do privileged things (critical code), such as calling native code, and code that cannot (transparent code). Transparent code can execute commands within the bounds of the permission set it is operating in, but cannot execute, derive from, or contain critical code.

The primary goal of transparency enforcement is to provide a simple, effective mechanism for isolating different groups of code based on privilege. Within the context of the sandboxing model, these privilege groups are either fully trusted (that is, not restricted) or partially trusted (that is, restricted to the permission set granted to the sandbox).

Important

The transparency model transcends code access security. Transparency is enforced by the just-in-time compiler and remains in effect regardless of the grant set for an assembly, including full trust.

Transparency was introduced in the .NET Framework version 2.0 to simplify the security model, and to make it easier to write and deploy secure libraries and applications. Transparent code is also used in Microsoft Silverlight, to simplify the development of partially trusted applications.

Note

When you develop a partially trusted application, you have to be aware of the permission requirements for your target hosts. You can develop an application that uses resources that are not allowed by some hosts. This application will compile without error, but will fail when it is loaded into the hosted environment. If you have developed your application using Visual Studio, you can enable debugging in partial trust or in a restricted permission set from the development environment. For more information, see How to: Debug a ClickOnce Application with Restricted Permissions. The Calculate Permissions feature provided for ClickOnce applications is also available for any partially trusted application.

Specifying the Transparency Level

The assembly-level SecurityRulesAttribute attribute explicitly selects the SecurityRuleSet rules that the assembly will follow. The rules are organized under a numeric level system, where higher levels mean tighter enforcement of security rules.

The levels are as follows:

  • Level 2 (Level2) – the .NET Framework 4 transparency rules.

  • Level 1 (Level1) – the .NET Framework 2.0 transparency rules.

The primary difference between the two transparency levels is that level 1 does not enforce transparency rules for calls from outside the assembly and is intended only for compatibility.

Important

You should specify level 1 transparency for compatibility only; that is, specify level 1 only for code that was developed with the .NET Framework 3.5 or earlier that uses the AllowPartiallyTrustedCallersAttribute attribute or does not use the transparency model. For example, use level 1 transparency for .NET Framework 2.0 assemblies that allow calls from partially trusted callers (APTCA). For code that is developed for the .NET Framework 4, always use level 2 transparency.

Level 2 Transparency

Level 2 transparency was introduced in the .NET Framework 4. The three tenets of this model are transparent code, security-safe-critical code, and security-critical code.

  • Transparent code, regardless of the permissions it is granted (including full trust), can call only other transparent code or security-safe-critical code. If the code is partially trusted, it can only perform actions that are allowed by the domain's permission set. Transparent code cannot do the following:

    • Perform an Assert operation or elevation of privilege.

    • Contain unsafe or unverifiable code.

    • Directly call critical code.

    • Call native code or code that has the SuppressUnmanagedCodeSecurityAttribute attribute.

    • Call a member that is protected by a LinkDemand.

    • Inherit from critical types.

      In addition, transparent methods cannot override critical virtual methods or implement critical interface methods.

  • Security-safe-critical code is fully trusted but is callable by transparent code. It exposes a limited surface area of full-trust code. Correctness and security verifications happen in safe-critical code.

  • Security-critical code can call any code and is fully trusted, but it cannot be called by transparent code.
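The following C# example, added here and not taken from the original page, ties the level selection above to the three level 2 tenets: a critical P/Invoke, a safe-critical gateway that validates input, and transparent application code. The namespace, class and method names are assumed for illustration; kernel32 Beep is a real Win32 function.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Opt the whole assembly into the .NET Framework 4 (level 2) rules.
[assembly: SecurityRules(SecurityRuleSet.Level2)]
// Under level 2, code in an APTCA assembly is transparent unless annotated;
// without APTCA a fully trusted assembly is critical throughout.
[assembly: AllowPartiallyTrustedCallers]

namespace TransparencyDemo
{
    // Security-critical: P/Invoke into native code, which transparent code may never do or call directly.
    internal static class NativeMethods
    {
        [SecurityCritical]
        [DllImport("kernel32.dll", SetLastError = true)]
        internal static extern bool Beep(uint frequency, uint duration);
    }

    // Security-safe-critical: the audited gateway exposed to transparent
    // callers. Validation happens here, before crossing into critical code.
    public static class Sounds
    {
        [SecuritySafeCritical]
        public static bool PlayTone(uint frequencyHz, uint durationMs)
        {
            // Beep accepts 37..32767 Hz; cap the duration so a caller cannot
            // hold the device for long.
            if (frequencyHz < 37 || frequencyHz > 32767)
                throw new ArgumentOutOfRangeException(nameof(frequencyHz));
            if (durationMs > 5000)
                throw new ArgumentOutOfRangeException(nameof(durationMs));
            return NativeMethods.Beep(frequencyHz, durationMs);
        }
    }

    // No attribute: transparent by default under level 2.
    public static class Program
    {
        public static void Main()
        {
            Sounds.PlayTone(440, 200);   // transparent -> safe-critical: allowed

            // Transparent -> critical is a transparency violation; the runtime
            // rejects the call once transparency is calculated for this method.
            // NativeMethods.Beep(440, 200);
        }
    }
}
```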

Level 1 Transparency

The level 1 transparency model was introduced in the .NET Framework version 2.0 to enable developers to reduce the amount of code that is subject to a security audit. Although level 1 transparency was publicly available in version 2.0, it was primarily used only within Microsoft for security auditing purposes. Through annotations, developers are able to declare which types and members can perform security elevations and other trusted actions (security-critical) and which cannot (security-transparent). Code that is identified as transparent does not require a high degree of security auditing. Level 1 transparency states that the transparency enforcement is limited to within the assembly. In other words, any public types or members that are identified as security-critical are security-critical only within the assembly. If you want to enforce security for those types and members when they are called from outside the assembly, you must use link demands for full trust. If you do not, publicly visible security-critical types and members are treated as security-safe-critical and can be called by partially trusted code outside the assembly.

The level 1 transparency model has the following limitations:

  • Security-critical types and members that are public are accessible from security-transparent code.

  • The transparency annotations are enforced only within an assembly.

  • Security-critical types and members must use link demands to enforce security for calls from outside the assembly.

  • Inheritance rules are not enforced.

  • The potential exists for transparent code to do harmful things when run in full trust.
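The following C# example, added here and not part of the original page, shows the link demand that a level 1 assembly needs on a public security-critical member so that partially trusted callers in other assemblies cannot bind to it. The namespace, class and method names and the config path are assumptions; the attributes and permission types are the real .NET Framework ones.

```csharp
using System.IO;
using System.Security;
using System.Security.Permissions;

// Level 1: transparency annotations are enforced only inside this assembly.
[assembly: SecurityRules(SecurityRuleSet.Level1)]
[assembly: AllowPartiallyTrustedCallers]

namespace LegacyLibrary
{
    public static class ConfigReader
    {
        // Inside the assembly, [SecurityCritical] already keeps transparent
        // code from calling this. For callers in OTHER assemblies, level 1
        // would treat this public member as safe-critical, so the link demand
        // for full trust is what actually blocks partially trusted callers.
        [SecurityCritical]
        [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
        public static string ReadConfig(string path)
        {
            // Asserting a permission is an elevation that only critical code
            // may perform; transparent code cannot do this at any level.
            new FileIOPermission(FileIOPermissionAccess.Read, path).Assert();
            try
            {
                return File.ReadAllText(path);
            }
            finally
            {
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Under level 2 the same member needs no link demand, because the critical annotation is enforced for callers from any assembly.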

Transparency Enforcement

Transparency rules are not enforced until transparency is calculated. At that time, an InvalidOperationException is thrown if a transparency rule is violated. The time that transparency is calculated depends on multiple factors and cannot be predicted. It is calculated as late as possible. In the .NET Framework 4, assembly-level transparency calculation occurs sooner than it does in the .NET Framework 2.0. The only guarantee is that transparency calculation will occur by the time it is needed. This is similar to how the just-in-time (JIT) compiler can change the point when a method is compiled and any errors in that method are detected. Transparency calculation is invisible if your code does not have any transparency errors.
