The security system which is built into the CLR defines a
permission set which could apply to a particular resource. To access a resource,
the code needs to undergo authentication and authorization process. This is
done by traversing through the code and tracking the identity beneath which is
usually termed as stack walk.
In managed code, any permission demanded is verified by the
CLR security manager. The CLR security manager walks through the call stack by
mapping the permissions demanded and the permissions granted. A
SecurityException is thrown if the permission demanded is not found in the call
stack. So the actual permissions are checked depending on the evidences. So
evidences provide information on where the code was actually executed. Below is
the diagram (figure taken from MSDN Article) which depicts the mechanism based
on which the identity is traced across all the referenced assemblies by
performing a call stack.
(Adapted from an article at MSDN)