If I provide Evidence to the .net framework on which code group my assembly belongs to, couldn't I provide false evidence stating that I belong in the Trusted Zone code group?
I know what security policies are, permission sets but I don't understand how the framework checks the Evidence and then based on that evidence, determines the code group.
Any explanation would be appreciated.
Thanks 🙂
Best Answer
The evidence can be assembly strong name, code base and other stuff. It certainly can verify those stuff. You manually trust assemblies based on the evidence. Basically, you tell the framework if an assembly has the following properties, grant it that permission set. I don't see a way you could provide false evidence. Can you provide an example?
PS. Yes, you could, for example steal someone's key pair and sign your assembly with that. Like any other security system, it relies on a trust chain. If you break a part of the chain, you've screwed up. There's no real way you could circumvent these stuff in a security system. After all, you could compromise the system with a buffer overflow or something and add your assembly to the full trust list.