The .Net Framework provides a number of security features that enables in secure applications, and one of the features is evidence based that works on the top of operating system security. The evidence based security gathers evidences regarding the assembly and determine whether the code has permissions to execute. Any assembly that gets installed in Global Assembly Cache (GAC) is considered by .Net Framework to have Full Trust i.e. the code has unrestricted access to all protected resources and these assemblies can only be called by other Full Trust assemblies. However the partial trust assemblies cannot call the Full Trust assemblies therefore .NET Framework 1.1 introduced an assembly-level custom attribute AllowPartiallyTrustedCallers. The Full Trust assemblies marked with AllowPartiallyTrustedCallersAttribute can be called by partially trusted assemblies and the implicit demand is not called. The improper usage of this attribute can introduce vulnerabilities that can lead to luring attack. The solution presented in this document discusses the proper usage of AllowPartiallyTrustedCallersAttribute.
Any assembly that has been strong named and installed in GAC is Full Trust Assembly, unless someone has lock down the security policy by changing the grant set of local machine to something less than full trust. This permission set gives code unrestricted access to all protected resources. This can be a very dangerous permission set; it allows full access to your computer’s resources such as the file system or network access, potentially operating outside the control of the security system. If you are modifying security policy, be sure to set policy such that only assemblies you fully trust could possibly get this permission set.
APTCA only removes the implicit Link demands; any demands explicitly placed in your assembly will still be enforced. This means that even once an assembly has been marked with APTCA, it could still have some types in it that are not usable from partial trust by use of Explicit Demands.
Introduction to Code Access Security – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconintroductiontocodeaccesssecurity.asp
Code Access Security Basics – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecuritybasics.asp
Using Libraries from Partially Trusted Code – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconUsingLibrariesFromPartiallyTrustedCode.asp
APTCA methods should only call APTCA methods – http://msdn2.microsoft.com/en-us/library/ms182297.aspx