Chapter 4. User- and Code-Identity–Based Security: Two Complementary Security Paradigms

By Sebastian Lange

IN THIS CHAPTER

Security is a core component of the .NET Framework infrastructure. All managed code run on the .NET Framework Common Language Runtime (CLR) is subject to the scrutiny and restrictions that the Code Access Security (CAS) system imposes. However, this security system differs in its fundamental design from many other security systems, such as the Windows Security system. Code Access Security is based on code identity, whereas most security systems you have encountered are probably based on user identity. This chapter explains this paradigmatic difference in more detail. In particular, the following key points are covered:

  • A survey of common features of computer security systems

  • An explanation of what constitutes a user-identity–based security system

  • A look at Windows Access protection and authorization as an example of user-identity–based security

  • A definition of code-identity–based security systems

  • An explanation of the scenarios that only code-identity, not user-identity, security systems could cover

  • An explanation of how the .NET Framework's Code Access Security system constitutes a code-identity–based security system

  • Some thoughts on how code- and user-identity–based security can complement each other

Before delving right into the differences between user and code identity security, it will be helpful to look at some general characteristics that define computer security systems. That conceptual apparatus will make it easier to compare the specific approaches to computer security.
