What are the Changes in .NET 4.0 Security Model & What is Sandboxing?

CAS is completely deprecated in .NET 4.0 and there are 2 big changes done in .NET 4.0:

1. Granting of permission is dependent on the host and not the CAS Model.
2. Introduction of Security Transparent Model. In this .NET code is divided in 3 kinds of code:

I. Security Critical Code

A full trusted code is known as Security Critical Code and it has full access to my system. We need to ensure that this code is not called by unsafe code (Security Transparent Code).To create a code as Security Critical, we have to put “[assembly: SecurityCritical()]” attribute in Properties->Assemblyinfo.cs.

II. Security Transparent Code

A code which you feel unsafe is known as Security Transparent Code. To create a code as Security Critical, we have to put “[assembly: SecurityTransparent()]” attribute in Properties->Assemblyinfo.cs.

III Security Safe Critical Code

A Bridge between Security Transparent Code and Security Critical Code to access Security Critical Code via Security Transparent Code.

Security Transparent model is good if the code control is in our hands.

Sandboxing

If you want to execute an untrusted third party DLL, you can create your own “Appdomain” and assign permission set so that your third party DLL runs under a control environment. This process is called sandboxing.

To implement Sandboxing, first we have to create the object of “PermissionSet” and assign Permissions as per our requirement, then we have to create “AppDomain” object with the permissionset object we created and in this “AppDomain” object, we will put that class in which we want to implement Sandboxing. (See the video for a practical implementation.)