Code Access Security


Code Access Security and Partially Trusted Code

The .NET Framework provides a mechanism for the enforcement of varying levels of trust on different code running in the same application called Code Access Security (CAS). Code Access Security in .NET Framework should not be used as a mechanism for enforcing security boundaries based on code origination or other identity aspects. We are updating our guidance to reflect that Code Access Security and Security-Transparent Code will not be supported as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

This policy applies to all versions of .NET Framework, but does not apply to the .NET Framework included in Silverlight.

Today's highly connected computer systems are frequently exposed to code originating from various, possibly unknown sources. Code can be attached to email, contained in documents, or downloaded over the Internet. Unfortunately, many computer users have experienced firsthand the effects of malicious mobile code, including viruses and worms, which can damage or destroy data and cost time and money.

Most common security mechanisms give rights to users based on their logon credentials (usually a password) and restrict resources (often directories and files) that the user is allowed to access. However, this approach fails to address several issues: users obtain code from many sources, some of which might be unreliable; code can contain bugs or vulnerabilities that enable it to be exploited by malicious code; and code sometimes does things that the user does not know it will do. As a result, computer systems can be damaged and private data can be leaked when cautious and trustworthy users run malicious or error-filled software. Most operating system security mechanisms require that every piece of code must be completely trusted in order to run, except perhaps for scripts on a Web page. Therefore, there is still a need for a widely applicable security mechanism that allows code originating from one computer system to execute with protection on another system, even when there is no trust relationship between the systems.

The .NET Framework provides a security mechanism called code access security to help protect computer systems from malicious mobile code, to allow code from unknown origins to run with protection, and to help prevent trusted code from intentionally or accidentally compromising security. Code access security enables code to be trusted to varying degrees depending on where the code originates and on other aspects of the code's identity. Code access security also enforces the varying levels of trust on code, which minimizes the amount of code that must be fully trusted in order to run. Using code access security can reduce the likelihood that your code will be misused by malicious or error-filled code. It can reduce your liability, because you can specify the set of operations your code should be allowed to perform. Code access security can also help minimize the damage that can result from security vulnerabilities in your code.


Major changes have been made to code access security in the .NET Framework 4. The most notable change has been security transparency, but there are also other significant changes that affect code access security. For information about these changes, see Security Changes.

Code access security primarily affects library code and partially trusted applications. Library developers must protect their code from unauthorized access from partially trusted applications. Partially trusted applications are applications that are loaded from external sources such as the Internet. Applications that are installed on your desktop or on the local intranet run in full trust. Full-trust applications are not affected by code access security unless they are marked as security-transparent, because they are fully trusted. The only limitation for full-trust applications is that applications that are marked with the SecurityTransparentAttribute attribute cannot call code that is marked with the SecurityCriticalAttribute attribute. Partially trusted applications must be run in a sandbox (for example, in Internet Explorer) so that code access security can be applied. If you download an application from the Internet and try to run it from your desktop, you will get a NotSupportedException with the message: "An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous." If you are sure that the application can be trusted, you can enable it to be run as full trust by using the <loadFromRemoteSources> element. For information about running an application in a sandbox, see How to: Run Partially Trusted Code in a Sandbox.
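The transparency rule stated above (a security-transparent application cannot call SecurityCritical code) is easiest to see with a library and a consumer compiled separately. The following two constructed files are an added example, not code from the documentation or from the .NET Framework itself; the names PrivilegedLib, ReadMachineName, MachineNameLength and App are assumptions chosen for the illustration. The library opts in to partially trusted callers with AllowPartiallyTrustedCallers, keeps its privileged entry point SecurityCritical, and exposes a SecuritySafeCritical gate that is the place to validate inputs before doing privileged work.

```csharp
// ---- File 1: PrivilegedLib.cs  (csc /target:library PrivilegedLib.cs) ----
using System;
using System.Security;

// APTCA makes this library callable from transparent (partially trusted) code.
// Without it, every public member of the library is implicitly SecurityCritical.
[assembly: AllowPartiallyTrustedCallers]

public static class PrivilegedLib
{
    // Privileged entry point: only critical or safe-critical code may call it.
    // Environment.MachineName stands in here for a P/Invoke or other privileged operation.
    [SecurityCritical]
    public static string ReadMachineName()
    {
        return Environment.MachineName;
    }

    // Safe-critical gate: transparent callers may call this. Validate inputs and
    // decide what to expose here before invoking critical code.
    [SecuritySafeCritical]
    public static int MachineNameLength()
    {
        return ReadMachineName().Length; // exposes only a non-sensitive fact
    }
}

// ---- File 2: App.cs  (csc /r:PrivilegedLib.dll App.cs) ----
using System;
using System.Security;

// The whole application is security-transparent, as the text describes.
[assembly: SecurityTransparent]

class App
{
    // The illegal call lives in its own method so the MethodAccessException the
    // runtime raises for the transparent -> critical call can be caught in Main.
    static string CallCritical()
    {
        return PrivilegedLib.ReadMachineName();
    }

    static void Main()
    {
        // Allowed: transparent -> safe-critical.
        Console.WriteLine("Name length: " + PrivilegedLib.MachineNameLength());

        // Rejected: transparent -> critical.
        try
        {
            Console.WriteLine(CallCritical());
        }
        catch (MethodAccessException e)
        {
            Console.WriteLine("Blocked by transparency: " + e.Message);
        }
    }
}
```

Both assemblies run in full trust on the desktop; the second call is blocked purely by the transparency annotations, which is the "only limitation" the paragraph refers to.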

All managed code that targets the common language runtime receives the benefits of code access security, even if that code does not make a single code access security call. For more information, see Code Access Security Basics.

Key Functions of Code Access Security

Code access security helps limit the access that code has to protected resources and operations. In the .NET Framework, code access security performs the following functions:

  • Defines permissions and permission sets that represent the right to access various system resources.

  • Enables code to demand that its callers have specific permissions.

  • Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organization or site to call the protected code.

  • Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have.

Walking the Call Stack

To determine whether code is authorized to access a resource or perform an operation, the runtime's security system walks the call stack, comparing the granted permissions of each caller to the permission being demanded. If any caller in the call stack does not have the demanded permission, a security exception is thrown and access is refused. The stack walk is designed to help prevent luring attacks, in which less-trusted code calls highly trusted code and uses it to perform unauthorized actions. Demanding permissions of all callers at run time affects performance, but it is essential to help protect code from luring attacks by less-trusted code. To optimize performance, you can have your code perform fewer stack walks; however, you must be sure that you do not expose a security weakness whenever you do this.

The following illustration shows the stack walk that results when a method in Assembly A4 demands that its callers have permission P.

[Illustration: Security stack walk]
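The stack walk described above, and the sandbox that the earlier paragraph says partially trusted code must run in, can be exercised in one program. This is an added example, not code from the documentation page or the .NET Framework; the class name ProtectedLibrary, the method CanReadPath and the domain name "Sandbox" are assumptions for the illustration. The library method demands FileIOPermission for a path before doing anything with the file system; called from full trust the demand passes, called from an AppDomain granted only the Execution permission the walk reaches a caller without the permission and the demand throws SecurityException.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Constructed library type. MarshalByRefObject lets it be created inside another
// AppDomain and called across the boundary.
public class ProtectedLibrary : MarshalByRefObject
{
    // Demand read access to the path; every caller on the stack must hold it.
    public bool CanReadPath(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
            return true;
        }
        catch (SecurityException)
        {
            // A caller in the walk lacks FileIOPermission: access refused.
            return false;
        }
    }
}

class Program
{
    static void Main()
    {
        string path = Path.GetTempPath();

        // Full trust (the default for a desktop application): the demand succeeds.
        Console.WriteLine("Full trust:    " + new ProtectedLibrary().CanReadPath(path));   // True

        // Build a sandbox grant set: nothing but the right to execute.
        var grantSet = new PermissionSet(PermissionState.None);
        grantSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grantSet);

        // Load this assembly into the sandbox; there it receives only grantSet.
        var lib = (ProtectedLibrary)sandbox.CreateInstanceAndUnwrap(
            typeof(ProtectedLibrary).Assembly.FullName,
            typeof(ProtectedLibrary).FullName);

        // Partial trust: the sandboxed frames hold no FileIOPermission, so the
        // stack walk fails and the demand throws inside CanReadPath.
        Console.WriteLine("Partial trust: " + lib.CanReadPath(path));   // False

        AppDomain.Unload(sandbox);
    }
}
```

Running an untrusted assembly this way is the supported alternative to the NotSupportedException mentioned earlier; setting the <loadFromRemoteSources> element instead simply grants the remote code full trust, which removes the protection the stack walk provides.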

Title                                        Description
Code Access Security Basics                  Describes code access security and its most common uses.
Security-Transparent Code, Level 2           Describes the security transparency model in the .NET Framework 4.
Using Libraries from Partially Trusted Code  Describes how to enable libraries for use with unmanaged code and how to use libraries from unmanaged code.
Key Security Concepts                        Provides an overview of many of the key terms and concepts used in the .NET Framework security system.
Role-Based Security                          Describes how to incorporate security based on roles.
Cryptographic Services                       Describes how to incorporate cryptography into your applications.