Security-Transparent Code, Level 2

Note

Code Access Security (CAS) and Partially Trusted Code

The .NET Framework provides a mechanism for the enforcement of varying levels of trust on different code running in the same application called Code Access Security (CAS).

CAS is not supported in .NET Core, .NET 5, or later versions. CAS is not supported by versions of C# later than 7.0.

CAS in .NET Framework should not be used as a mechanism for enforcing security boundaries based on code origination or other identity aspects. CAS and Security-Transparent Code are not supported as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

This policy applies to all versions of .NET Framework, but does not apply to the .NET Framework included in Silverlight.

Level 2 transparency was introduced in the .NET Framework 4. The three tenets of this model are transparent code, security-safe-critical code, and security-critical code.

  • Transparent code, including code that is running as full trust, can call other transparent code or security-safe-critical code only. It can only perform actions allowed by the domain's partial trust permission set (if one exists). Transparent code cannot do the following:

    In addition, transparent methods cannot override critical virtual methods or implement critical interface methods.

  • Safe-critical code is fully trusted but is callable by transparent code. It exposes a limited surface area of full-trust code; correctness and security verifications happen in safe-critical code.

  • Security-critical code can call any code and is fully trusted, but it cannot be called by transparent code.

Usage Examples and Behaviors

To specify .NET Framework 4 rules (level 2 transparency), use the following annotation for an assembly:

[assembly: SecurityRules(SecurityRuleSet.Level2)]

To lock into the .NET Framework 2.0 rules (level 1 transparency), use the following annotation:

[assembly: SecurityRules(SecurityRuleSet.Level1)]

If you do not annotate an assembly, the .NET Framework 4 rules are used by default. However, the recommended best practice is to apply the SecurityRulesAttribute explicitly instead of depending on the default.

Assembly-wide Annotation

The following rules apply to the use of attributes at the assembly level:

  • No attributes: If you do not specify any attributes, the runtime interprets all code as security-critical, except where being security-critical violates an inheritance rule (for example, when overriding or implementing a transparent virtual or interface method). In those cases, the methods are safe-critical. Specifying no attribute causes the common language runtime to determine the transparency rules for you.

  • SecurityTransparent: All code is transparent; the entire assembly will not do anything privileged or unsafe.

  • SecurityCritical: All code that is introduced by types in this assembly is critical; all other code is transparent. This scenario is similar to not specifying any attributes; however, the common language runtime does not automatically determine the transparency rules. For example, if you override a virtual or abstract method or implement an interface method, by default, that method is transparent. You must explicitly annotate the method as SecurityCritical or SecuritySafeCritical; otherwise, a TypeLoadException will be thrown at load time. This rule also applies when both the base class and the derived class are in the same assembly.

  • AllowPartiallyTrustedCallers (level 2 only): All code defaults to transparent. However, individual types and members can have other attributes.

The following table compares the assembly-level behavior for Level 2 with Level 1.

| Assembly attribute | Level 2 | Level 1 |
| --- | --- | --- |
| No attribute on a partially trusted assembly | Types and members are by default transparent, but can be security-critical or security-safe-critical. | All types and members are transparent. |
| No attribute | Specifying no attribute causes the common language runtime to determine the transparency rules for you. All types and members are security-critical, except where being security-critical violates an inheritance rule. | On a fully trusted assembly (in the global assembly cache or identified as full trust in the AppDomain) all types are transparent and all members are security-safe-critical. |
| SecurityTransparent | All types and members are transparent. | All types and members are transparent. |
| SecurityCritical(SecurityCriticalScope.Everything) | Not applicable. | All types and members are security-critical. |
| SecurityCritical | All code that is introduced by types in this assembly is critical; all other code is transparent. If you override a virtual or abstract method or implement an interface method, you must explicitly annotate the method as SecurityCritical or SecuritySafeCritical. | All code defaults to transparent. However, individual types and members can have other attributes. |

Type and Member Annotation

The security attributes that are applied to a type also apply to the members that are introduced by the type. However, they do not apply to virtual or abstract overrides of the base class or interface implementations. The following rules apply to the use of attributes at the type and member level:

  • SecurityCritical: The type or member is critical and can be called only by full-trust code. Methods that are introduced in a security-critical type are critical.

    Important

    Virtual and abstract methods that are introduced in base classes or interfaces, and overridden or implemented in a security-critical class, are transparent by default. They must be identified as either SecuritySafeCritical or SecurityCritical.

  • SecuritySafeCritical: The type or member is safe-critical. However, the type or member can be called from transparent (partially trusted) code and is as capable as any other critical code. The code must be audited for security.
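As an added example (not code from the page or from Microsoft's documentation), the following level 2 assembly puts the assembly-wide and member-level annotations above together: a security-critical P/Invoke declaration, a security-safe-critical wrapper that validates what crosses the boundary, and a transparent caller. The type names NativeMethods, Uptime, Report and Program are illustrative.

```csharp
// Added example, not from the page: a level 2 assembly split across the three
// transparency layers. Type and member names are illustrative.
using System;
using System.Runtime.InteropServices;
using System.Security;

[assembly: SecurityRules(SecurityRuleSet.Level2)]
// No assembly-wide transparency attribute, so unannotated code in this assembly
// is treated as security-critical (see "Assembly-wide Annotation").

namespace TransparencyDemo
{
    // Security-critical: fully trusted and allowed to call native code, but not
    // callable from transparent code. Keep this surface internal and small.
    [SecurityCritical]
    internal static class NativeMethods
    {
        [DllImport("kernel32.dll")]
        internal static extern ulong GetTickCount64();
    }

    // Security-safe-critical: the audited bridge. It is as capable as critical
    // code, and because transparent code may call it, the result is checked
    // here before it is handed out.
    public static class Uptime
    {
        [SecuritySafeCritical]
        public static TimeSpan SinceBoot()
        {
            ulong ms = NativeMethods.GetTickCount64();
            // Reject anything TimeSpan cannot represent instead of letting the
            // conversion misbehave in the transparent caller.
            if (ms > (ulong)TimeSpan.MaxValue.TotalMilliseconds)
                throw new OverflowException("tick count out of range");
            return TimeSpan.FromMilliseconds(ms);
        }
    }

    // Transparent: no privileged operations. It may call the safe-critical
    // wrapper; a direct call to NativeMethods.GetTickCount64() here would fail
    // with MethodAccessException when the runtime compiles this method.
    [SecurityTransparent]
    public static class Report
    {
        public static string Describe()
        {
            TimeSpan up = Uptime.SinceBoot();
            return "machine up for " + up.TotalMinutes.ToString("F0") + " minutes";
        }
    }

    // Unannotated in this assembly, so critical; critical code can call anything.
    internal static class Program
    {
        private static void Main()
        {
            Console.WriteLine(Report.Describe());
        }
    }
}
```

Compile this against .NET Framework 4.x; on .NET Core and .NET 5 or later the transparency attributes compile but have no effect, since CAS is not supported there. The point of the layout is that the only place where critical capability meets untrusted input is the safe-critical method, which is therefore the one to audit.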

Override Patterns

The following table shows the method overrides allowed for level 2 transparency.

| Base virtual/interface member | Override/interface |
| --- | --- |
| Transparent | Transparent |
| Transparent | SafeCritical |
| SafeCritical | Transparent |
| SafeCritical | SafeCritical |
| Critical | Critical |

Inheritance Rules

In this section, the following order is assigned to Transparent, Critical, and SafeCritical code based on access and capabilities:

Transparent < SafeCritical < Critical

  • Rules for types: Going from left to right, access becomes more restrictive. Derived types must be at least as restrictive as the base type.

  • Rules for methods: Derived methods cannot change accessibility from the base method. For default behavior, all derived methods that are not annotated are Transparent. Derivatives of critical types cause an exception to be thrown if the overridden method is not explicitly annotated as SecurityCritical.

The following table shows the allowed type inheritance patterns.

| Base class | Derived class can be |
| --- | --- |
| Transparent | Transparent |
| Transparent | SafeCritical |
| Transparent | Critical |
| SafeCritical | SafeCritical |
| SafeCritical | Critical |
| Critical | Critical |

The following table shows the disallowed type inheritance patterns.

| Base class | Derived class cannot be |
| --- | --- |
| SafeCritical | Transparent |
| Critical | Transparent |
| Critical | SafeCritical |

The following table shows the allowed method inheritance patterns.

| Base method | Derived method can be |
| --- | --- |
| Transparent | Transparent |
| Transparent | SafeCritical |
| SafeCritical | Transparent |
| SafeCritical | SafeCritical |
| Critical | Critical |

The following table shows the disallowed method inheritance patterns.

| Base method | Derived method cannot be |
| --- | --- |
| Transparent | Critical |
| SafeCritical | Critical |
| Critical | Transparent |
| Critical | SafeCritical |

Note

These inheritance rules apply to level 2 types and members. Types in level 1 assemblies can inherit from level 2 security-critical types and members. Therefore, level 2 types and members must have separate inheritance demands for level 1 inheritors.
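An added example (not from the page) of the type and method inheritance patterns in the tables above, with the disallowed cases shown as comments. The names Sink, ConsoleSink, AuditSink and Program are illustrative.

```csharp
// Added example, not from the page: allowed and disallowed inheritance under
// level 2 transparency. Names are illustrative.
using System;
using System.Security;

[assembly: SecurityRules(SecurityRuleSet.Level2)]
[assembly: AllowPartiallyTrustedCallers]   // level 2: everything defaults to transparent

namespace InheritanceDemo
{
    // Transparent base type with a transparent virtual method.
    public abstract class Sink
    {
        public abstract void Write(string line);
    }

    // Transparent derived type, SafeCritical override: allowed
    // (type: Transparent -> Transparent; method: Transparent -> SafeCritical).
    public sealed class ConsoleSink : Sink
    {
        [SecuritySafeCritical]
        public override void Write(string line)
        {
            Console.WriteLine(line);
        }
    }

    // Critical derived type of a transparent base: allowed, since going down the
    // hierarchy access may only become more restrictive (Transparent -> Critical).
    [SecurityCritical]
    public sealed class AuditSink : Sink
    {
        // Members introduced by AuditSink take the class's critical status; this
        // override does not. Left unannotated it would default to transparent,
        // which the "Important" note above says must not be left as is; marking
        // it SafeCritical also matches the override table (Transparent -> SafeCritical).
        [SecuritySafeCritical]
        public override void Write(string line)
        {
            Console.WriteLine("[audit] " + line);
        }

        // Introduced here, so critical without an annotation of its own.
        internal void Rotate() { }
    }

    // Disallowed patterns from the tables above. They are commented out because
    // the runtime rejects them when the type loads, not at compile time.
    //
    //   [SecurityCritical] public class Base { public virtual void M() { } }
    //   public class Derived : Base { public override void M() { } }
    //     -> Derived defaults to transparent: a Critical base with a Transparent
    //        derived type is disallowed, and so is a Critical -> Transparent override.
    //
    //   [SecuritySafeCritical] public class Base2 { }
    //   public class Derived2 : Base2 { }
    //     -> SafeCritical base with a Transparent derived type is disallowed.
    //
    //   public class Base3 { public virtual void M() { } }
    //   public class Derived3 : Base3 { [SecurityCritical] public override void M() { } }
    //     -> Transparent base method with a Critical override is disallowed.

    internal static class Program
    {
        private static void Main()
        {
            // Main is transparent under AllowPartiallyTrustedCallers.
            Sink sink = new ConsoleSink();
            sink.Write("transparent caller, safe-critical override");
            // new AuditSink() here would fail: its constructor is introduced by a
            // critical type, so it is critical and not callable from transparent code.
        }
    }
}
```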

Additional Information and Rules

LinkDemand Support

The level 2 transparency model replaces the LinkDemand with the SecurityCriticalAttribute attribute. In legacy (level 1) code, a LinkDemand is automatically treated as a Demand.

Reflection

Invoking a critical method or reading a critical field triggers a demand for full trust (just as if you were invoking a private method or field). Therefore, full-trust code can invoke a critical method, whereas partial-trust code cannot.

The following properties have been added to the System.Reflection namespace to determine whether the type, method, or field is SecurityCritical, SecuritySafeCritical, or SecurityTransparent: IsSecurityCritical, IsSecuritySafeCritical, and IsSecurityTransparent. Use these properties to determine transparency by using reflection instead of checking for the presence of the attribute. The transparency rules are complex, and checking for the attribute may not be sufficient.

Note

A SafeCritical method returns true for both IsSecurityCritical and IsSecuritySafeCritical, because SafeCritical is indeed critical (it has the same capabilities as critical code, but it can be called from transparent code).

Dynamic methods inherit the transparency of the modules they are attached to; they do not inherit the transparency of the type (if they are attached to a type).
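An added example (not from the page) that classifies types and methods with the System.Reflection properties named above, testing IsSecuritySafeCritical first because of the note that safe-critical members report true for both properties. The types Worker, TransparencyInspector and Program are illustrative.

```csharp
// Added example, not from the page: classify types and methods by the
// System.Reflection transparency properties rather than by attribute presence.
// Type names are illustrative.
using System;
using System.Reflection;
using System.Security;

[assembly: SecurityRules(SecurityRuleSet.Level2)]
[assembly: AllowPartiallyTrustedCallers]   // unannotated code is transparent

namespace ReflectionDemo
{
    public static class Worker
    {
        public static void Plain() { }          // transparent by default

        [SecurityCritical]
        public static void Privileged() { }

        [SecuritySafeCritical]
        public static void Bridge() { Privileged(); }
    }

    public static class TransparencyInspector
    {
        // SafeCritical reports true for BOTH IsSecurityCritical and
        // IsSecuritySafeCritical (see the note above), so it is tested first.
        public static string Classify(MethodBase method)
        {
            if (method.IsSecuritySafeCritical) return "SafeCritical";
            if (method.IsSecurityCritical) return "Critical";
            if (method.IsSecurityTransparent) return "Transparent";
            return "Unknown";
        }

        public static string Classify(Type type)
        {
            if (type.IsSecuritySafeCritical) return "SafeCritical";
            if (type.IsSecurityCritical) return "Critical";
            if (type.IsSecurityTransparent) return "Transparent";
            return "Unknown";
        }

        // For comparison only: attribute presence is not the same as effective
        // transparency (defaults, assembly-wide attributes and inheritance all
        // change the result without a member-level attribute).
        public static bool HasAttribute<TAttribute>(MemberInfo member)
            where TAttribute : Attribute
        {
            return member.GetCustomAttributes(typeof(TAttribute), false).Length > 0;
        }
    }

    internal static class Program
    {
        private static void Main()
        {
            Type worker = typeof(Worker);
            Console.WriteLine("{0}: {1}", worker.Name, TransparencyInspector.Classify(worker));

            BindingFlags declared = BindingFlags.Public | BindingFlags.Static | BindingFlags.DeclaredOnly;
            foreach (MethodInfo m in worker.GetMethods(declared))
            {
                Console.WriteLine("  {0,-10} {1,-12} has [SecurityCritical] attribute: {2}",
                    m.Name,
                    TransparencyInspector.Classify(m),
                    TransparencyInspector.HasAttribute<SecurityCriticalAttribute>(m));
            }

            // Main is transparent (AllowPartiallyTrustedCallers). Calling
            // Worker.Privileged() directly here would throw MethodAccessException;
            // the safe-critical Bridge is the supported path.
            Worker.Bridge();
        }
    }
}
```

The same Classify helpers apply to FieldInfo, which exposes the same three properties; the comparison column exists only to make the page's point visible, that a member can be critical or transparent without carrying any attribute itself.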

Skip Verification in Full Trust

You can skip verification for fully trusted transparent assemblies by setting the SkipVerificationInFullTrust property to true in the SecurityRulesAttribute attribute:

[assembly: SecurityRules(SecurityRuleSet.Level2, SkipVerificationInFullTrust = true)]

The SkipVerificationInFullTrust property is false by default, so the property must be set to true to skip verification. This should be done for optimization purposes only. You should ensure that the transparent code in the assembly is verifiable by using the transparent option (/transparent) of the PEVerify tool (peverify.exe).

See also