11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity

188 Part III: Building Secure Web Applications

Figure 8.2 shows how the intersection operation means that the resulting permission grant is determined by all levels of policy in the policy hierarchy.

[Figure 8.2: Policy intersection across policy levels. Policy levels and the permissions each grants: Enterprise: P1 P2 P3 P4 P5; Machine: P1 P2 P3; User: P1 P2 P3 P4 P5; App Domain (ASP.NET): P1 P3 P4. Intersection: Resulting Policy Grant = P1 + P3]

In Figure 8.2, you can see that the intersection operation ensures that only those permissions granted by each level form part of the final permission grant.

How Do Permission Requests Affect the Policy Grant?

You can add security attributes to your assembly to specify its permission requirements. You can specify the minimal set of permissions that your assembly must be granted in order to run. These do not affect the permission grant. You can also specify the optional permissions your assembly could make use of but does not absolutely require, and what permissions you want to refuse. Refused permissions are those permissions you want to ensure your assembly never has, even if they are granted by security policy.

If you request optional permissions, the combined optional and minimal permissions are intersected with the policy grant, to further reduce it. Then, any specifically refused permissions are taken away from the policy grant. This is summarized by the following formula, where PG is the policy grant from administrator-defined security policy and P_min, P_opt, and P_refused are permission requests added to the assembly by the developer.

$\text{Resulting Permission Grant} = (PG \cap (P_{min} \cup P_{opt})) - P_{refused}$

For more information about how to use permission requests, their implications, and when to use them, see the "Requesting Permissions" section later in this chapter.
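The following is an added worked example, not code from the book or from the .NET Framework: it models the two rules above as set algebra so the numbers in Figure 8.2 and the permission-request formula can be checked by hand. The four policy levels and the permission names P1..P5 are constructed sample data mirroring the figure, not real .NET permission classes, and `policy_grant`, `resulting_grant` and `denied_by` are hypothetical helpers. It also covers the case the text implies but the figure does not show: a minimal request that policy does not grant means the assembly cannot run at all.

```python
# Constructed sample data mirroring Figure 8.2 (policy level -> permissions it grants).
# P1..P5 are placeholder permission names, not real .NET permission classes.
POLICY_LEVELS = {
    "Enterprise": {"P1", "P2", "P3", "P4", "P5"},
    "Machine": {"P1", "P2", "P3"},
    "User": {"P1", "P2", "P3", "P4", "P5"},
    "AppDomain (ASP.NET)": {"P1", "P3", "P4"},
}


class MinimumNotSatisfied(Exception):
    """Raised when a minimal permission request is not covered by the policy grant.

    The text states that minimal permissions must be granted for the assembly
    to run; they narrow nothing, but if missing the assembly does not load.
    """


def policy_grant(levels):
    """Intersect every policy level: a permission survives only if each level grants it."""
    grant = None
    for perms in levels.values():
        grant = set(perms) if grant is None else grant & set(perms)
    return grant if grant is not None else set()


def denied_by(levels, permission):
    """Return the policy levels that do NOT grant `permission`.

    Useful when diagnosing why a permission is absent from the final grant:
    a single level withholding it is enough to drop it (hypothetical helper).
    """
    return sorted(name for name, perms in levels.items() if permission not in perms)


def resulting_grant(pg, p_min=frozenset(), p_opt=frozenset(), p_refused=frozenset()):
    """Apply (PG ∩ (P_min ∪ P_opt)) − P_refused from the text.

    - Minimal requests must all be inside PG, otherwise the assembly cannot run.
    - Only when optional permissions are requested is PG narrowed to P_min ∪ P_opt;
      with no optional request the policy grant stands as-is (the text says
      minimal requests alone do not affect the grant).
    - Refused permissions are removed last, even if policy granted them.
    """
    missing = set(p_min) - set(pg)
    if missing:
        raise MinimumNotSatisfied(f"policy does not grant required {sorted(missing)}")
    grant = set(pg)
    if p_opt:
        grant &= set(p_min) | set(p_opt)
    return grant - set(p_refused)


if __name__ == "__main__":
    pg = policy_grant(POLICY_LEVELS)
    print("policy grant:", sorted(pg))                      # P1, P3 as in Figure 8.2
    print("P2 withheld by:", denied_by(POLICY_LEVELS, "P2"))
    print("opt P5 only  :", sorted(resulting_grant(pg, p_min={"P1"}, p_opt={"P5"})))
    print("refuse P3    :", sorted(resulting_grant(pg, p_refused={"P3"})))
    try:
        resulting_grant(pg, p_min={"P2"})
    except MinimumNotSatisfied as exc:
        print("cannot run   :", exc)
```

Running the script reproduces the figure (P1 + P3), shows that requesting only P5 as optional shrinks the grant to P1 even though P3 was available, and that a refused permission is stripped regardless of policy. The `denied_by` lookup is the practical part for an operator: when an ASP.NET application loses a permission, it tells you which level's policy to inspect.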
