511 Chương 13: Bảo mật >2Microsoft .NET Framework.6%C> ME!&<.IO).&( )( ` D< nNI*g&t.Microsoft Windowsh#$ &.6)=z>z z)egUser-Based Securityh8X&*. '>.. )e';I7'>8)=.* .'28!&Ã((8=&.6IJ)=i) )e> Dw9<.I&.68.S4>=6.:6' .:6'.&*Si *'.S' " .NET FrameworkI$.4%&.6&s3g=> 9I&.6 )e.Sh\ • CAS gCode Access SecurityEL.6';.Sh • RBS gRole-Based SecurityEL.6)=z>zzkh CASRBS4'I'*M&.6)5.) PGMI68>.v&.6<2 &.6s$z9zB CASO)4tD.(.&'S$6G=E<' ::gevidencehE;i;(..SF'; '>E<'9'gpermissionhP2&.6.NET FrameworkE.6 $<9'/%EiqX;*K::9'7 .NET Framework O)'>N9'gpermissiondemand'permission requesth&:v90F4&i';X" '>N& &=&.5\I.D0.M:$z&z%.S F.9'FCAS&.5\v=.Se' .:6'&*D *.StDF8:4 .:6'D )e*'.SP.>9ICAS M'6\  P  X  .S    Fzzz6'z.zN  gpartially trusted codeh  '  ;   (.&'>.*&*g.Z^Zh  u4CASg.Z^]h!J4.9'=g. Z^^h  m>N9'';.S;i;(.&=S 9'.S&*g.Z^_8Z^`8Z^a8Z^[h  w.=QIX1>&5CASg.Z^bh  {(.;X;OB::(.&'g.Z^cZ^Zdh  {OB&.6&= &5.:)g.Z^ZZZ^Z]h RBSX&*=9'IiG=gruntime decisionh)=>i) gidentityhkgroleh )e‘” ‘:)*'>)q  )e'7>Windows8<'2=9'Ii)=>>  )e WindowsF. Windows . )eF7'>8 RBS `  "&()(N..$'9.D.*F$=>D & 512 Chương 13: Bảo mật .MI&.645.)8X&* 2$&…D )eP.M'6 <'.NET RBS\  72$RBS )eWindows ;i;(.. )e F>.F.Windows F'4g.Z^Z^h  w.';I:v:))=> )e k. )e'.>g.Z^Z_h  p6. )eWindows=>) q )eFg.Z^Z`h P.>9I RBS  CAS M'%&'.D44  .&*@N=:)8GJ.4.NV v&.6.NET Frameworkl}M8&*S'.. 9''>&.6.NET Framework 1. 1. Cho phép mã l nh có-đ -tin-c y-m t-ph nệ ộ ậ ộ ầ Cho phép mã l nh có-đ -tin-c y-m t-ph nệ ộ ậ ộ ầ s d ng assembly tên m nh c a b nử ụ ạ ủ ạ s d ng assembly tên m nh c a b nử ụ ạ ủ ạ   #eAJwAD@jQOIQcff†OFY]J>@cf’fcXJ>XA^Y\s>RQHZ]vZPQLK@DE@O}YqA> J^6LI6Q@A6JN]6OIQ6d>wAiQ>†XO_JLMA>FIQ>nJQ>@s>TABJ>Xd>•dO}YqA>J^6 LI6Q@A6JN]6OIQ6d>wA  QHZ]  vZPQ  JSJ  s@tZ  D\  JSJ Q>\A>  D@CA A`O  QHXAB  OIQ cff†OFY]QCAOeA>k(   dhUABL_JQaA>  System.Security.AllowPartiallyTrustedCallersAttribute  J>X cff†OFY]J>@cf’JbcFeA( l.'M&.6).S'.&'8&=4X (.&'Fzzz6'z.zN';I(.&'>.*n*I'. .'M.S'.4D&*8D.I 6IINF 2 7(9'/8(.&'>.*$!Global Assembly CachegGACh ::v90$)eK:)l' G(.&'NET FrameworkP(.&'>.* Qx.$z<z&szzS?@5.GAC';D :)$z9zBwv)GAC 82';)r)8 N.90D:)I(.&'>.*. >FvD&:*.S'.$z 9zB 74 8.SFv'..S$*QM;EÃ((E CF&*F2g'4Fh=.u2&.6.!i8.S *'Q.'&F6'Ngfull trusth8.S$* QM;JF6'.Ngpartial trusthHv.SFzzz6'z.zN ';I(.&'>.*Tq.SFzzz6'z.zN4FM 513 Chương 13: Bảo mật O)2v(.&'.2'.84 (.&'%.#sF$Uq>8B'I'i5&* 9B2&.6.e$HI&*.SF6' N84J&…(.&'?F';(.&'>.*&*8. .S'kF';:vNETFrameworkl'@ .0&.6æ  jZFeAQ>@jQsj>@qAQ>nJD\Q>gAB>@qOcff†OFY]J>@cf’JbcFeAOIQJSJ> d>r>WdF`AB CAS LtB@E@>eAD@qJQHZ]vZPQLjAJSJQ>\A>D@CA‚ZcAQH•ABFeA s>TABJwASdL_QOIQ>eAJ>jFcXQHrOLtAB‡AO}YqA>J^6LI6Q@A6JN]6OIQ6 d>wAfghUABcff†OFY]JbcFeA(Z]A>@CALK@DE@OIQcff†OFY]FPQs•s>TAB Q>tJ>~ABO@A>H`ABs>TABJ^Yx>‘ABFRXONQA\XLtO}ABZ]>@tOJ^Q>tYW@ hUAB(XL^FeAACAv†Ov•QJ«AQ>NAA>ZJwZJ>Xd>•dO}YqA>J^6LI6Q@A6JN]6 OIQ6d>wA  QHZ]  vZPQ  cff†OFY]  QCA  OeA>  QHVEJ  s>@  Sd  hUAB  L_J  QaA> AllowPartiallyTrustedCallersAttribute ( L=v.SFzzz6'z.zN';(.&'>.*&5 ! LinkDemand 69' FullTrust >.0>4zgpublich$z&z gprotectedh.#z'z;z4z$iq(.&'l ' F q  J K (.&' $   9' M  M   6 9' FullTrust %.F';>(.&'>.*u ) AllowPartiallyTrustedCallersAttribute (.&'>.*&&= 4& LinkDemand F=>>&>  #IQ>nJQ>@J>MZQHSJ>A>@qOFZIJJSJ>XeQLIABFRXONQABwO LinkDemand J^ >@qZYnJLtFRXDqJSJcff†OFY] QCAOeA>‹ C# assembler s>TABf@A>HcJSJYqA> s>c@FSX LinkDemand Y•JF@CAhMJ>( l*  .S  )  <'  %  &'  .  :  )  F  O  )  !  2 AllowPartiallyTrustedCallersAttribute PGB58&*O)D assembly:  &%&>)i52!2'(.&'gk$0!2 Eglobal attributehH84N>.N Attribute >!2E.! )e&*F>.I.Du%&*/.I(.&'>!2'$!  using .:>8&4> using System.Security; [assembly:AllowPartiallyTrustedCallers] public class AllowPartiallyTrustedCallersExample { § }  >nJQjQPQJRJSJL_JQaA>QX\AJUJLGZA`OQHXABOIQ…@Y†LIJYNdDE@d>wAO} YqA>JyAYe@Jbc~ABhUAB( Microsoft Visual Studio .NET fghUABJSJ>Q@jdJNA A\]zQeXOIQ…@Y†J^QCAY\ AssemblyInfo.cs LtJ>~cQPQJRJSJL_JQaA>QX\AJUJ( 514 Chương 13: Bảo mật HI) AllowPartiallyTrustedCallersAttribute (.&'8&*.D.S Fzzz6'z.zN J0 $. D  >  F8 &* N&s  LinkDemand 69' FullTrust >>NI8$%&' *.S)<'\ [System.Security.Permissions.PermissionSetAttribute (System.Security.Permissions.SecurityAction.LinkDemand, Name="FullTrust")] public void SomeMethod() { § } 2. 2. Vô hi u b o m t truy xu t mã l nhệ ả ậ ấ ệ Vô hi u b o m t truy xu t mã l nhệ ả ậ ấ ệ   #eAJwADT>@qZ CAS (   >@jQYNdQ>ZIJQaA> SecurityEnabled JbcYEd System.Security.SecurityManager Y\ false D\YVZYe@F`ABd>V[ABQ>~J SecurityManager.SavePolicy (#eAJ“ABJ^Q>t fghUABJTABJU Code Access Security Policy i Caspol.exe kD\Q>nJQ>@YqA> caspol –s off ( CASN(D.4%&.6&= NET8?N! NET.4F"!)eCAS$;<')=>2 .&v=S$O).x0 NET83F.2.#'>N&.6gsecurity demandhŠ gI9h.&== l4G8&.6.:z.SzF4&*&6<.8!NvF $9NCAS7 $'8&*F4CAS *&V2.&.6.:z.Szu4CASF).S v=&….NET Framework#$gMM 69' FullTrust h8&t.v*.S80'>8 O)V=I';&  #eAJ>ˆACADT>@qZ CAS DlJSJYŠhX>@qZA‡ABfcZs>@L}Q@CZ>jQQPQJRJSJ J>ƒABOnJJ^Q>ts>SJLtLeQLVWJJSJL_JL@tO>@qZA‡ABO\~ABhUABJbc FeALy@>Ž@(@qJYNddHX…@Y†J>XO}YqA>Q>VoABfmA>NAF@jQA>?ABDrABO\ FeAJ^Q>tJR@Q>@qALSABst>@qZA‡ABA>VABs>TABd>R@DT>@qZ CAS (BX\@Hc FeAJwAFRXLROJSJQ\@ABZ]CA>qQ>KABL}LVWJFRXDqF`ABJSJJ[J>jFRX ONQJbc>qL@GZ>\A>iA>V Windows ACLs kQHVEJs>@DT>@qZ CAS ( Caspol.exe.2$eNET Framework8X&*%2 &.6';.SQ)kw&*6 caspol –s off ! caspol –s on 82'@ ;6 2  SecurityEnabled    SecurityManager y SecurityManager 6M:q';)K:v& 515 Chương 13: Bảo mật .690l*.S)<'%&'O)2 SecurityEnabled 4 2*CAS\ // Vô hiệu CAS. System.Security.SecurityManager.SecurityEnabled = false; // Lưu cấu hình. System.Security.SecurityManager.SavePolicy(); // Kích hoạt CAS. System.Security.SecurityManager.SecurityEnabled = true; // Lưu cấu hình. System.Security.SecurityManager.SavePolicy(); l  4   CAS8  .S      &*    F  N  O  ControlPolicy   System.Security.Permissions.SecurityPermission l2*CAS8&*4N F9' 7's SecurityEnabled @4CI*CASI% F8?4CII%.I&*0M: SavePolicy * SecurityEnabled WindowsRegistrylI8.NET Framework4&.K's SecurityEnabled @GI* CASI%UF8&*'s SecurityEnabled t.C .I%.F$*G..D Hình 13.1 Registry Editor (CAS đã bị vô hiệu)  HeAB  Q>S@  >@qA  >\A>  Jbc  CAS  i on - off k  LVWJ  YVZ  QHXAB  s>^c  HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy Jbc Windows Registry (jZs>^cA\]s>TABQ€AQe@O_JLMA> CAS Y\ on ( 516 Chương 13: Bảo mật 3. 3. Vô hi u vi c ki m tra quy n th c thiệ ệ ể ề ự Vô hi u vi c ki m tra quy n th c thiệ ệ ể ề ự   #eAJwAAB‡AFIQ>nJQ>@s@tOQHcOx@cff†OFY]LVWJAedD\XJ^‚Z]GAQ>nJQ>@ i execution permission k>c]s>TAB(   >@jQ  YNd  Q>ZIJ  QaA>  CheckExecutionRights  Jbc  YEd  System.Security. SecurityManager  Y\  false  H€@  YVZ  Ye@  F`AB  d>V[AB  Q>~J  SecurityManager. SavePolicy (  #eA  J“AB  J^  Q>t fg hUAB JTAB  JU  Code Access Security Policy i Caspol.exe kD\Q>nJQ>@YqA> caspol –e off ( "#*(.&'8&= &.z((.&' ' F:NO Execution  SecurityPermission L==.9%<2 + -glazy policy resolution processh8qz( .(.&' 4$2 IF.'>N&.6gsecurity demandh$=>(.&'' u.9'=4J&&=..#(.&'F9'= '48.kI*<2D.#(.&'$ *86$2<2+ -P'ID'F<'=% S(.&'$*8!&&=*(.&'e .G 7 $8X.S**'4.'M .r*'>90S$&&5CAS &5MI&.6L=.NETX&*4= .9'='&>.S8'&54Caspol.exe w&*6  caspol –e off  !  caspol –e on 8 Caspol.exe @ ;6 2 CheckExecutionRights    SecurityManager L*F=4'&> .S\ // Vô hiệu việc kiểm tra quyền thực thi. System.Security.SecurityManager.CheckExecutionRights = false; // Lưu cấu hình. System.Security.SecurityManager.SavePolicy(); // Kích hoạt việc kiểm tra quyền thực thi. System.Security.SecurityManager.CheckExecutionRights = true; // Lưu cấu hình. System.Security.SecurityManager.SavePolicy(); l  '  s    i   CheckExecutionRights  %  .S     &*    F  N  O ControlPolicy  SecurityPermission 7's'@F)I% ':%8X&**(.&'G=.&=4 517 Chương 13: Bảo mật .GF9'='47'>8's'@4CI I%FU6'8&*'sWindows Registryg&5M: SavePolicy hFF)I%. 4. 4. B o đ m b th c thi c p cho assembly m t s quy n nào đóả ả ộ ự ấ ộ ố ề B o đ m b th c thi c p cho assembly m t s quy n nào đóả ả ộ ự ấ ộ ố ề   #eAJwAFRXLROFIQ>nJQ>@JPdJ>Xcff†OFY]JbcFeAJSJ‚Z]GAQHZ]vZPQO} YqA>i code access permission kO\JSJ‚Z]GAA\]‚Z]jQLMA>fnQ>\A>JTABQHXAB >XeQLIABJbc~ABhUAB(   ghUABJSJ]CZJwZ‚Z]GAi permission request kLtJ>ˆLMA>JSJ‚Z]GAQHZ]vZPQ O}YqA>O\cff†OFY]JwAd>R@J^(#eAs>c@FSXJSJ]CZJwZ‚Z]GAF`ABJSJL_J QaA>‚Z]GAQHZ]vZPQO}YqA>‰O~Jcff†OFY]( P'>N9'&I9'..SF%.F*'$u2)8 I&*I.%;(.. )eFO)F;(..Q .((86*I2&.6 )e4XM% '.C.ID.*I((PM%&*@**'8  )e  I  D  I  ((    ;(.  .8  M  %  @      *   System.Security.SecurityException p(.&''>N9'NI   F    .C  .  I  D  .*  I  ((  g System.Net.WebPermission  ' System.Net.SocketPermission 8e'ID&*N.Ch L=='>N9''>/\*.S8'DM *.S&*=..F4F9'u%6'8 I 9% <2&.68 &=;i$z( (.&'4:'>N9'(.&'8F@4*(.&' X.* System.Security.Policy.PolicyException  l&.'>N9'8&*O)&!2gattribute counterparth 9'';.S&*N79'';.SF.&! 2 .  &*F O  )*&.6  & gdeclarative security statementhE&t.'>N9'u2)8&!2 SocketPermission  SocketPermissionAttribute 8    &    !  2    WebPermission   WebPermissionAttribute E79'&!2Ge(9' !>>e4> ‚  )  PermissionRequestExample  )  <'  F    '>  N  9'\  .   SocketPermission . SecurityPermission L*N\ • L*&'>N9'&… using .:>& …&'4> • l!2/.I(.&'>&*>.D assembly: >!2 • w4N>.N Attribute >!2E.!)e&*F>.I .D • L*Ji SecurityAction.RequestMinimum DDN>!2E i'&I<'.'>N9' 518 Chương 13: Bảo mật • L*%!2.49'';.S.&*N&5 2!2L*S'.NET Framework SDK&I>. I2).#!2&.6';.S= • P'>N9'4$IG&5).x'gTh • l*'>N9'8JN>.'>N9'$%&' 2))<'\ using System.Net; using System.Security.Permissions; // Yêu cầu SocketPermission (cho phép mở một kết nối // TCP đến host và port được chỉ định). [assembly:SocketPermission(SecurityAction.RequestMinimum, Access = "Connect", Host = "www.fabrikam.com", Port = "3538", Transport = "Tcp")] // Yêu cầu phần tử UnmanagedCode của SecurityPermission, // (kiểm soát khả năng thực thi mã lệnh không-được-quản-lý). [assembly:SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)] public class PermissionRequestExample { public static void Main() { // Làm gì đó } } HI&*=:) PermissionRequestExample 2&.64 (.&''9'$'>N8&*@6$* PolicyException ) <':)@4=wO)2&.6.!i8'@;' I&**'(.&'Q..* )e %(.&'$*QÃ( 4$ SocketPermission  Unhandled Exception: System.Security.Policy.PolicyException: Required permission cannot be acquired. w&**.(.&'Q&>.Sg='&5'h8(.&''F :'>N9'.2&.64:%M:.&*O )*(.&'@X.* PolicyException 8)F&*Be $ 519 Chng 13: Bo mt 5. 5. Gi i h n cỏc quy n c c p cho assembly Gi i h n cỏc quy n c c p cho assembly #eAJwA>eAJ>jJSJZ]GAQHZ]vZPQO}YqA>LVWJJPdJ>XcffOFY] JbcFeA LROFRXABVo@s>SJD\d>wAOGOs>SJs>TABQ>tãáÂO}YqA>JbcFeAƯÔạÂÔ OIQJ[J>jO\Q>TABZcL^LtQ>nJ>@qAJSJ>\A>LIABABZ]>@tO>c]s>TAB OXABOZKA( ghUABJSJYqA>FRXONQs>c@FSXi declarative security statement kLtJ>LMA> JSJ]CZJwZZ]GAQr]J>Ai optional permission request kD\JSJ]CZJwZYXe@QH Z]GAi permission refusal request kQHXABcffOFY]JbcFeA(SJ]CZJwZZ]GA Qr]J>ALMA>AB>cQNdQK@LcJSJZ]GAO\FIQ>nJQ>@fmJPdJ>XcffOFY]( SJ]CZJwZYXe@QHZ]GAJ>LMA>JSJZ]GAJUQ>tO\FIQ>nJQ>@fms>TAB JPdJ>XcffOFY]( HI9<.I&.686BC.S&*JF9'';.S NƠĐ=:vFl'.'M .S O).S&*='.'4. .Du8&=<9'.(.&'&52&.6 g). )eF' 9i%hP2&.6F *.#M.:)*'8&*4.9'.2& .6i.S&* "!)e&*4.2&.6*M S*'8 .NET FrameworkMI.49F8&*F*&V9'$ (.&'&*\'>N*Qgrefuse requesth'>Ne'0goptional requesthm>N*QX&*J9'.&*4.D&= (.&'| 9%<28Iz(.(.&' :&9'S$Ji.'>N*Q8&=@*&V 9'Fm>Ne'0iq6D9'.&=F (.&'HIz(.(.&':&9'9'S$ Ji'>Ne'08&=@*&V9'Fw'>N9'D gS$6.Z^_h8&=@4QD*(.&'êă IF49'S$Ji'>Ne'0 L*F'>N*Q'>Ne'00=$eI 9T.&*O)e'D$9'&*.D*&VHI.D*&V ầ29'8&*S'0'>N*Q7'>8I.D*&V9'8&* S'0'>Ne'0ẵÔÊÊ Ôỗ.ầôÊÔăƯƠôÊÔố ăảãăắ L*>.'>Ne'0'>N*Q.S&5&.6 &GD'>N9'DS$6.Z^_ l.&)'i System.Security.Permissions.SecurityAction .&* ' M : C )= ! 2 9' |O ) SecurityAction.RequestOptional & . '> N e' 0 SecurityAction.RequestRefuse &.'>N*QP?D'> N9'D8&*&'>Ne'0'>N*Q!2 &5>.D assembly: >!2H8'>N 520 Chương 13: Bảo mật ;&… using .:>&…&'4 > u2))<'.0.'>N9'e'069' Internet l<'6 9'  $  i  q  &C  2    &  .6  .!  i  w  &  =    * OptionalRequestExample 8F@4(.&''&:9'45. 69' Internet g.NET Framework SDK&I>.I 9'69' Internet h using System.Security.Permissions; [assembly:PermissionSet(SecurityAction.RequestOptional, Name = "Internet")] public class OptionalRequestExample { public static void Main() { // Làm gì đó } } 7 OptionalRequestExample 82))<'O).'>N*Q*&V 9' System.Security.Permissions.FileIOPermission g.49'';Ds qCh\ using System.Security.Permissions; [assembly:FileIOPermission(SecurityAction.RequestRefuse, Write = @"C:\")] public class RefuseRequestExample { public static void Main() { // Làm gì đó } } 6. 6. Xem các yêu c u quy n đ c t o b i m t assemblyầ ề ượ ạ ở ộ Xem các yêu c u quy n đ c t o b i m t assemblyầ ề ượ ạ ở ộ   #eAJwAv†OJSJJSJYXe@QHƒD\JSJ]CZJwZ‚Z]GAs>c@FSXLVWJQeXFCAQHXAB OIQcff†OFY]LtJ^Q>tJPZ>lA>J>aA>fSJ>FRXONQOIQJSJ>d>r>Wd>X_J . RefuseRequestExample { public static void Main() { // Làm gì đó } } 6. 6. Xem các yêu c u quy n đ c t o b i m t assemblyầ ề ượ ạ ở ộ Xem các yêu c u quy n đ c t o b i m t assemblyầ ề ượ ạ ở ộ   #eAJwAv†OJSJJSJYXe@QHƒDJSJ]CZJwZ‚Z]GAs>c@FSXLVWJQeXFCAQHXAB OIQcff†OFY]LtJ^Q>tJPZ>lA>J>aA>fSJ>FRXONQOIQJSJ>d>r>Wd>X_J