Before digging into a pretty clever optimization that the SSCLI makes for certain special permission demands, I want to point out that everything I’m about to cover is an implementation detail. Although this optimization does occur today, we can and will change it for future versions of the CLR (and...

My previous post is begging the question "so what is the SSCLI's zone mapping policy?" It's actually quite simple, the source for SecurityPolicy::QuickGetZone in clr\src\vm\securitypolicy.cpp shows that SSCLI maps a URL to: NoZone if the URL is NULL MyComputer if the URL is a file URL ...

On the topic of zones and the CLR ... Windows lets you define custom zones outside of the standard ones that the CLR knows about (see MSDN's topic on Security Zones for more information). However, because the CLR doesn't know about them, generally any assembly loaded from one of those zones will not...

When an assembly is test signed , the public key used to verify its signature is different from the public key that makes up part of the assembly identity. So what happens when you take an assembly which is registered as a test signed assembly on your machine and fully sign it? The key here (aren...

As Jason announces , v2.0 of the SSCLI is now available for download: http://msdn.microsoft.com/net/sscli . In addition to general CLR features like generics that are available in this download, some interesting security points to look at are: Transparency (sscli20\clr\src\vm\securitytransparentassembly...

It's been a while since I've last seen a comparison of Java and .NET security . Nathaneal Paul and David Evans from the University of Virginia Computer Science Department recently finished their comparison, Comparing Java and .NET Security: Lessons Learned and Missed. In their paper, Nathaneal and...

Reflection and its interaction with security can sometimes be a bit of a confusing matter. The easiest portion to figure out is the permissions needed to use Reflection.Emit. In order to do anything with the reflection emit feature, you'll need to have ReflectionPermission with the ReflectionEmit flag...

There's a subtle difference between comparing floating point values with the Equals method and comparing them with the == operator. (In all the code I show in this post, I use the Double class, however everything I say also applies to the Single class). When the following code is run, it compiles...

The libraries laid out in the ECMA spec are all signed with a public key that looks pretty strange. If you ildasm mscorlib.dll, System.dll, or any of the other framework libraries that are defined in the ECMA specs (see partition IV: Library if you're interested in which libraries these are), you'll...

Fairly frequently, people will want to know how to get same site socket permissions, in the same way that they can get same site web permission today. Unfortunately, the answer is that with the security objects shipped with the framework, there is no way to accomplish this. In order to figure out...

Yesterday I posted about detecting which CSP provided algorithms were available on your copy of Windows, and upgrading IE to get a newer CSP that supported more algorithms. Sebastien Pouliot provied some nice followup information on using pure managed classes instead of the *CryptoServiceProvider implementations...

Joel Pobar has a nice post with Jan Kotas' explanation of how exceptions work in Rotor (and by extension, the CLR).

The GotDotNet blogs are being frozen, so I'll be moving my blog over to the ASP.Net site.  You can find the new location at http://blogs.msdn.com/shawnfa

Currently, there are no samples on MSDN for creating custom security objects.  However, the SSCLI ships with implementations for all of the built in security objects that shipped with the .Net framework 1.0.  This source can be used as a sample to help along with custom security object...