Permission Calculator Tool (Permcalc.exe)
The Minimum Grant Set Determination tool (Permcalc.exe) is used to estimate the permissions callers must be granted to access the public entry points of an assembly. This tool is new in the .NET Framework version 2.0. It is intended for use by advanced users.
PermCalc [options] assemblyName [assemblyDependencyName…]
Parameters
Option | Description |
---|---|
-CleanCache | Reconstructs all cache files. |
-HostProtection | Reports information about HostProtectionAttribute protected categories. |
-Internet | In cases where exact permission values cannot be determined, uses Internet zone permissions as an estimate. The default is to overestimate by using an unrestricted permission state where permission values cannot be determined. |
-Out fileName | Directs output to fileName. The default is assemblyName.PermCalc.xml, or sandbox.PermCalc.xml if the -Sandbox option is specified. |
-Sandbox | Reports the minimum permission sandbox in which an application can run instead of the permissions required by entry point callers. |
-Show | Displays the output file when done. |
-Stacks | Includes call stacks in the output to show the origin of permission demands. |
-Under | In cases where exact permission values cannot be determined, tries to underestimate the permissions. The default is to overestimate when permission values cannot be determined. |
-? | Displays usage information. |

Argument | Description |
---|---|
assemblyName | The assembly to calculate permissions for. |
assemblyDependencyName | An assembly that assemblyName depends on. |
Remarks
The Minimum Grant Set Determination tool calculates the minimum permission set required to run an application by examining all applicable code paths of all application assemblies and dependency assemblies. The tool returns a permission set per application assembly.
Starting from the entry point of the application, the tool traces all code paths through all application assemblies and the shared and system libraries called from the application. The tool maintains a simulated call stack that contains all the assemblies involved in the code path trace. On every code path trace, the tool checks for the presence of declarative demands, link demands, and declarative stack walk modifiers. Because all permission state used in declarative security actions must be known at compile time, the effects of all declarative security actions on application assemblies can be calculated exactly. For instance, if a declarative demand is used, the minimum grant permission set for every assembly on the call stack at that point is updated with the demanded permission set. If a declarative assert is found on the simulated call stack, then only the intersection between the asserted permission set and the demanded permission set is updated for all assemblies above the assert on the call stack. Similarly, if a link demand is found, only the caller on the simulated call stack above the point of the link demand is updated with the requested permission set.
Part of the code path trace is a trace through the Microsoft intermediate language (MSIL) of every method, starting with the primary entry-point method of the application. If imperative permission set actions are found in the method MSIL trace, then the following update algorithm is run for each assembly:
- If the permission state used in the imperative demand, link demand, assert, permit only, or deny can be determined statically, and it is certain not to depend on any state available only at run time, then the effect of that security action on application assemblies can be determined, and it is calculated in the same way as the effects of declarative security actions on the minimum grant permission set of all profiled assemblies.
- If the state of the permission set used in an imperative security action cannot be determined statically, then the unrestricted state of the permission is assumed (for example, unrestricted security permission or unrestricted file IO read permission). In some instances this can lead to an overestimation of the permissions required for an application to run. Use the -Under option to override this default behavior.
- If there are multiple code paths through a method and some have different security action annotations, then the union of the demands and the intersection of the asserts are used, because the tool might not be able to determine which of the possible code paths through a method the application will take at run time.
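The demand, link demand, and unknown-state rules above can be followed on a small model. The Python sketch below is an added example, not Permcalc's code or output format. The `mode` values, the contents of `INTERNET_ZONE`, the path event tuples, and the reading of -Under as "charge nothing" are assumptions, and asserts and the other stack walk modifiers are not modelled.

```python
# Added illustration: a simplified model of the trace described in Remarks.
# It is not Permcalc's code. Asserts, PermitOnly and Deny are not modelled.
# A permission is "Type:state"; a state of "?" means it cannot be
# determined statically.

# Constructed stand-in for Internet zone permissions (assumption).
INTERNET_ZONE = {"UIPermission:SafeTopLevelWindows", "SecurityPermission:Execution"}

def resolve(perm, mode):
    """Turn one demanded permission into the set charged to an assembly."""
    ptype, state = perm.split(":", 1)
    if state != "?":
        return {perm}                       # state known: exact value
    if mode == "under":                     # -Under (assumed: charge nothing)
        return set()
    if mode == "internet":                  # -Internet: zone's value for the type
        return {p for p in INTERNET_ZONE if p.startswith(ptype + ":")}
    return {ptype + ":Unrestricted"}        # default: overestimate

def min_grant_sets(paths, mode="over"):
    """Walk every code path; return {assembly: minimum grant set}."""
    grants = {}
    for path in paths:
        stack = []                          # simulated call stack, callee last
        for op, arg in path:
            if op == "call":
                stack.append(arg)
                grants.setdefault(arg, set())
            elif op == "ret":
                stack.pop()
            elif op == "demand":            # every assembly on the stack
                for asm in stack:
                    grants[asm] |= resolve(arg, mode)
            elif op == "linkdemand":        # only the immediate caller
                if len(stack) >= 2:
                    grants[stack[-2]] |= resolve(arg, mode)
    return grants                           # sets are the union over all paths

# Constructed sample: two code paths through the assemblies named in Examples.
PATHS = [
    [("call", "myapp.exe"), ("call", "mydep1.dll"),
     ("demand", r"FileIOPermission:Read:C:\data\cfg.xml"), ("ret", None), ("ret", None)],
    [("call", "myapp.exe"), ("call", "mydep2.dll"), ("call", "mydep1.dll"),
     ("linkdemand", "SecurityPermission:UnmanagedCode"), ("demand", "UIPermission:?")],
]

if __name__ == "__main__":
    for mode in ("over", "under", "internet"):
        print(mode, min_grant_sets(PATHS, mode))
```

In the default mode every assembly on the second path is charged `UIPermission:Unrestricted`, while the link demand lands only on mydep2.dll, the immediate caller.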
Depending on the size and complexity of the assemblies and their dependencies, the tool might take several minutes to perform a thorough analysis.
Examples
You can execute the following examples by typing the commands into the SDK Command Prompt window, substituting your file names for those in the examples.
The following command reconstructs all cache files and includes call stacks for the mylib.dll assembly. It displays the output in the default viewer for XML files.
Permcalc.exe -cleancache -stacks -show mylib.dll
The following command reports the minimum permission sandbox the myapp.exe application needs to run. It displays the output in the default viewer for XML files. The target file is myapp.exe, and the dependent files are mydep1.dll and mydep2.dll.
Permcalc.exe -sandbox -show myapp.exe mydep1.dll mydep2.dll