Breaking change notification: Most Code Access Security APIs are obsolete

[GrabYourPitchforks]

Most Code Access Security APIs are obsolete

Most Code Access Security (CAS)-related types in .NET are now obsolete as warning. This includes CAS attributes (e.g., SecurityPermissionAttribute), CAS permission objects (e.g., SocketPermission), most EvidenceBase-derived types, and other supporting APIs.

Version introduced

.NET 5.0 RC1

Old behavior

In .NET Framework 2.x - 4.x, CAS attributes and APIs can influence the course of code execution, including ensuring that CAS demand stack walks succeed or fail.

/* .NET Framework only */

// The attribute below causes CAS stack walks to terminate successfully when this permission is demanded.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
    // open a socket to contoso.com:443
}

In .NET Core 2.x - 3.x, the runtime does not honor CAS attributes or CAS APIs. The runtime ignores attributes on method entry, and most programmatic APIs have no effect.

/* .NET Core only */

// The .NET Core runtime ignores the below attribute.
[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")]
public void DoSomething()
{
    // open a socket to contoso.com:443
}

Additionally, programmatic calls to expansive APIs (Assert) always succeed, while programmatic calls to restrictive APIs (Deny, PermitOnly) always throw an exception at runtime.

PrincipalPermission is an exception to this rule. See the section Recommended action below.

/* .NET Core only */

public void DoAssert()
{
    // The line below has no effect at runtime.
    new SocketPermision(PermissionState.Unrestricted).Assert();
}

public void DoDeny()
{
    // The line below throws PlatformNotSupportedException at runtime.
    new SocketPermision(PermissionState.Unrestricted).Deny();
}

New behavior

Beginning with .NET 5.0, most CAS-related APIs are obsolete as warning. Using them will result in compile-time warnings.

/* .NET 5.0+ only */

[SocketPermission(SecurityAction.Assert, Host = "contoso.com", Port = "443")] // warning SYSLIB0003
public void DoSomething()
{
    new SocketPermision(PermissionState.Unrestricted).Assert(); // warning SYSLIB0003
    new SocketPermision(PermissionState.Unrestricted).Deny(); // warning SYSLIB0003
}

This is a compile-time only change. There is no runtime change from previous versions of .NET Core. Method that performed no operation in .NET Core 2.x - 3.x will continue to perform no operation at runtime; methods that threw PlatformNotSupportedException in .NET Core 2.x - 3.x will continue to throw PlatformNotSupportedException at runtime.

Reason for change

Code Access Security (CAS) is an unsupported legacy technology. The infrastructure to enable CAS exists only in .NET Framework 2.x - 4.x, but the infrastructure is deprecated and is not receiving servicing or security fixes.

Due to CAS's deprecation, the runtime supporting infrastructure was not brought forward to .NET Core or .NET 5.0. See the document .NET Framework technologies unavailable on .NET Core for more information. However, the APIs were brought forward so that applications could cross-compile against .NET Framework and .NET Core.

This led to "fail open" scenarios, where some CAS-related APIs exist and are callable but perform no action at runtime. This can lead to security issues for components which expect the runtime to honor CAS-related attributes or programmatic API calls. To better communicate that the runtime does not respect these attributes or APIs, we have obsoleted the majority of them in .NET 5.0.

Recommended action

If you are asserting any security permission, remove the attribute or call which asserts the permission.

// REMOVE the attribute below
[SecurityPermission(SecurityAction.Assert, ControlThread = true)]
public void DoSomething()
{
}

public void DoAssert()
{
    // REMOVE the line below
    new SecurityPermission(SecurityPermissionFlag.ControlThread).Assert();
}

If you are denying or restricting (via PermitOnly) any permission, contact your security advisor. Because CAS attributes are not honored by the .NET 5.0+ runtime, your application could have a security hole if it incorrectly relies on the CAS infrastructure restricting access to these methods.

// REVIEW the attribute below; could indicate security vulnerability
[SecurityPermission(SecurityAction.Deny, ControlThread = true)]
public void DoSomething()
{
}

public void DoPermitOnly()
{
    // REVIEW the line below; could indicate security vulnerability
    new SecurityPermission(SecurityPermissionFlag.ControlThread).PermitOnly();
}

If you are demanding any permission (except PrincipalPermision), remove the demand. All demands will succeed at runtime.

// REMOVE the attribute below; it will always succeed
[SecurityPermission(SecurityAction.Demand, ControlThread = true)]
public void DoSomething()
{
}

public void DoDemand()
{
    // REMOVE the line below; it will always succeed
    new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand();
}

If you are demanding PrincipalPermission, consult the guidance in the Recommended action section at https://aka.ms/dotnet-warnings/SYSLIB0002. That guidance applies both for PrincipalPermission and for PrincipalPermissionAttribute.

If you absolutely must disable these warnings (not recommended), you can suppress the SYSLIB0003 warning in code, as shown below.

#pragma warning disable SYSLIB0003 // disable the warning
[SecurityPermission(SecurityAction.Demand, ControlThread = true)]
#pragma warning restore SYSLIB0003 // re-enable the warning
public void DoSomething()
{
}

public void DoDemand()
{
#pragma warning disable SYSLIB0003 // disable the warning
    new SecurityPermission(SecurityPermissionFlag.ControlThread).Demand();
#pragma warning restore SYSLIB0003 // re-enable the warning
}

The warning can also be suppressed within the .csproj. Doing so will disable the warning for all source files within the project.

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
   <TargetFramework>net5.0</TargetFramework>
   <!-- NoWarn below will suppress SYSLIB0003 project-wide -->
   <NoWarn>$(NoWarn);SYSLIB0003</NoWarn>
  </PropertyGroup>
</Project>

Suppressing SYSLIB0003 disables only the CAS-related obsoletion warnings. It does not disable any other warnings. It does not change the behavior of the .NET 5.0+ runtime.

Category

• Core .NET libraries

Affected APIs

• System.AppDomain.PermissionSet
• System.Configuration.ConfigurationPermission
• System.Configuration.ConfigurationPermissionAttribute
• System.Data.Common.DBDataPermission
• System.Data.Common.DBDataPermissionAttribute
• System.Data.Odbc.OdbcPermission
• System.Data.Odbc.OdbcPermissionAttribute
• System.Data.OleDb.OleDbPermission
• System.Data.OleDb.OleDbPermissionAttribute
• System.Data.OracleClient.OraclePermission
• System.Data.OracleClient.OraclePermissionAttribute
• System.Data.SqlClient.SqlClientPermission
• System.Data.SqlClient.SqlClientPermissionAttribute
• System.Diagnostics.EventLogPermission
• System.Diagnostics.EventLogPermissionAttribute
• System.Diagnostics.PerformanceCounterPermission
• System.Diagnostics.PerformanceCounterPermissionAttribute
• System.DirectoryServices.DirectoryServicesPermission
• System.DirectoryServices.DirectoryServicesPermissionAttribute
• System.Drawing.Printing.PrintingPermission
• System.Drawing.Printing.PrintingPermissionAttribute
• System.Net.DnsPermission
• System.Net.DnsPermissionAttribute
• System.Net.Mail.SmtpPermission
• System.Net.Mail.SmtpPermissionAttribute
• System.Net.NetworkInformation.NetworkInformationPermission
• System.Net.NetworkInformation.NetworkInformationPermissionAttribute
• System.Net.PeerToPeer.Collaboration.PeerCollaborationPermission
• System.Net.PeerToPeer.Collaboration.PeerCollaborationPermissionAttribute
• System.Net.PeerToPeer.PnrpPermission
• System.Net.PeerToPeer.PnrpPermissionAttribute
• System.Net.SocketPermission
• System.Net.SocketPermissionAttribute
• System.Net.WebPermission
• System.Net.WebPermissionAttribute
• System.Runtime.InteropServices.AllowReversePInvokeCallsAttribute
• System.Security.CodeAccessPermission
• System.Security.HostProtectionException
• System.Security.IPermission
• System.Security.IStackWalk
• System.Security.NamedPermissionSet
• System.Security.PermissionSet
• System.Security.Permissions.CodeAccessSecurityAttribute
• System.Security.Permissions.DataProtectionPermission
• System.Security.Permissions.DataProtectionPermissionAttribute
• System.Security.Permissions.DataProtectionPermissionFlags
• System.Security.Permissions.EnvironmentPermission
• System.Security.Permissions.EnvironmentPermissionAccess
• System.Security.Permissions.EnvironmentPermissionAttribute
• System.Security.Permissions.FileDialogPermission
• System.Security.Permissions.FileDialogPermissionAccess
• System.Security.Permissions.FileDialogPermissionAttribute
• System.Security.Permissions.FileIOPermission
• System.Security.Permissions.FileIOPermissionAccess
• System.Security.Permissions.FileIOPermissionAttribute
• System.Security.Permissions.GacIdentityPermission
• System.Security.Permissions.GacIdentityPermissionAttribute
• System.Security.Permissions.HostProtectionAttribute
• System.Security.Permissions.HostProtectionResource
• System.Security.Permissions.IUnrestrictedPermission
• System.Security.Permissions.IsolatedStorageContainment
• System.Security.Permissions.IsolatedStorageFilePermission
• System.Security.Permissions.IsolatedStorageFilePermissionAttribute
• System.Security.Permissions.IsolatedStoragePermission
• System.Security.Permissions.IsolatedStoragePermissionAttribute
• System.Security.Permissions.KeyContainerPermission
• System.Security.Permissions.KeyContainerPermissionAccessEntry
• System.Security.Permissions.KeyContainerPermissionAccessEntryCollection
• System.Security.Permissions.KeyContainerPermissionAccessEntryEnumerator
• System.Security.Permissions.KeyContainerPermissionAttribute
• System.Security.Permissions.KeyContainerPermissionFlags
• System.Security.Permissions.MediaPermission
• System.Security.Permissions.MediaPermissionAttribute
• System.Security.Permissions.MediaPermissionAudio
• System.Security.Permissions.MediaPermissionImage
• System.Security.Permissions.MediaPermissionVideo
• System.Security.Permissions.PermissionSetAttribute
• System.Security.Permissions.PermissionState
• System.Security.Permissions.PrincipalPermission
• System.Security.Permissions.PrincipalPermissionAttribute
• System.Security.Permissions.PublisherIdentityPermission
• System.Security.Permissions.PublisherIdentityPermissionAttribute
• System.Security.Permissions.ReflectionPermission
• System.Security.Permissions.ReflectionPermissionAttribute
• System.Security.Permissions.ReflectionPermissionFlag
• System.Security.Permissions.RegistryPermission
• System.Security.Permissions.RegistryPermissionAccess
• System.Security.Permissions.RegistryPermissionAttribute
• System.Security.Permissions.ResourcePermissionBase
• System.Security.Permissions.ResourcePermissionBaseEntry
• System.Security.Permissions.SecurityAction
• System.Security.Permissions.SecurityAttribute
• System.Security.Permissions.SecurityPermission
• System.Security.Permissions.SecurityPermissionAttribute
• System.Security.Permissions.SecurityPermissionFlag
• System.Security.Permissions.SiteIdentityPermission
• System.Security.Permissions.SiteIdentityPermissionAttribute
• System.Security.Permissions.StorePermission
• System.Security.Permissions.StorePermissionAttribute
• System.Security.Permissions.StorePermissionFlags
• System.Security.Permissions.StrongNameIdentityPermission
• System.Security.Permissions.StrongNameIdentityPermissionAttribute
• System.Security.Permissions.StrongNamePublicKeyBlob
• System.Security.Permissions.TypeDescriptorPermission
• System.Security.Permissions.TypeDescriptorPermissionAttribute
• System.Security.Permissions.TypeDescriptorPermissionFlags
• System.Security.Permissions.UIPermission
• System.Security.Permissions.UIPermissionAttribute
• System.Security.Permissions.UIPermissionClipboard
• System.Security.Permissions.UIPermissionWindow
• System.Security.Permissions.UrlIdentityPermission
• System.Security.Permissions.UrlIdentityPermissionAttribute
• System.Security.Permissions.WebBrowserPermission
• System.Security.Permissions.WebBrowserPermissionAttribute
• System.Security.Permissions.WebBrowserPermissionLevel
• System.Security.Permissions.ZoneIdentityPermission
• System.Security.Permissions.ZoneIdentityPermissionAttribute
• System.Security.Policy.ApplicationTrust.ApplicationTrust(PermissionSet, IEnumerable<StrongName>)
• System.Security.Policy.ApplicationTrust.FullTrustAssemblies
• System.Security.Policy.FileCodeGroup
• System.Security.Policy.GacInstalled
• System.Security.Policy.IIdentityPermissionFactory
• System.Security.Policy.PolicyLevel.AddNamedPermissionSet
• System.Security.Policy.PolicyLevel.ChangeNamedPermissionSet
• System.Security.Policy.PolicyLevel.GetNamedPermissionSet
• System.Security.Policy.PolicyLevel.RemoveNamedPermissionSet
• System.Security.Policy.PolicyStatement.PermissionSet
• System.Security.Policy.PolicyStatement.PolicyStatement(...)
• System.Security.Policy.Publisher
• System.Security.Policy.Site
• System.Security.Policy.StrongName
• System.Security.Policy.StrongNameMembershipCondition
• System.Security.Policy.Url
• System.Security.Policy.Zone
• System.Security.SecurityManager
• System.ServiceProcess.ServiceControllerPermission
• System.ServiceProcess.ServiceControllerPermissionAttribute
• System.Transactions.DistributedTransactionPermission
• System.Transactions.DistributedTransactionPermissionAttribute
• System.Web.AspNetHostingPermission
• System.Web.AspNetHostingPermissionAttribute
• System.Xaml.Permissions.XamlLoadPermission

---

Issue metadata

• Issue type: breaking-change