• .NET Security Blog

    Creating an AppDomain with limited permissions

    • 10 Comments
    Oftentimes in an application, it's necessary to run untrusted code. The CLR lets you do this safely by placing the code in its own AppDomain and sandboxing the AppDomain to have a limited set of permissions. Usually setting up the AppDomain with the Internet...
  • .NET Security Blog

    Getting the Current Permissions in a Named Permission Set

    • 5 Comments
    There are several named permission sets defined by default in the CLR security policy: FullTrust, SkipVerification, Execution, Nothing, LocalIntranet, Internet, and Everything. These sets are used to create the default policy, however there's nothing stopping any...
  • .NET Security Blog

    The Locations of the Other Policy Levels

    • 0 Comments
    On Monday I wrote about how to recover CasPol to a usable state, if you've modified the security policy to disallow CasPol permission to run. My instructions included deleting %WINDIR%\Microsoft.Net\Framework\vx.y.zzzz\config\Security.config and Security...
  • .NET Security Blog

    I'm Published!

    • 4 Comments
    The November 2004 issue of MSDN magazine is available online now, and it includes the first article I've ever had published. I co-authored this month's Trustworthy Code article, Exchange Data More Securely with XML Digital Signatures and Encryption with...
  • .NET Security Blog

    What to do when CasPol throws SecurityExceptions

    • 5 Comments
    CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code. Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy...
  • .NET Security Blog

    Grunk Posts on File Canonicalization for FileIOPermission

    • 1 Comments
    Brian Grunkemeyer recently posted a good piece on how FileIOPermission deals with file and path canonicalization. Brian wrote a large chunk of the base class library, and contributed to the SLAR. It's a good read if you want to know how FileIOPermission...
  • .NET Security Blog

    Does StrongNameSignatureVerificationEx Cache Registry Lookup Results?

    • 2 Comments
    I received a question recently about my post on Checking for a Valid Strong Name Signature. The person was using the code I presented there to run some tests under NUnit. The format of the tests was to use the Microsoft.Win32.Registry classes to...
  • .NET Security Blog

    Replacing Calc with Calculator Plus

    • 11 Comments
    On my home machine, and one of my office machines, I log in as a normal user, and only elevate to an account with admin status when installing software, or doing other maintenance. Needless to say, doing that creates problems with various programs that...
  • .NET Security Blog

    Mike Stall's (Relatively) New Debugger Blog

    • 1 Comments
    Mike Stall is one of the devs on our base services team, and his focus is on managed debugging. I played football with Mike 4 flag football seasons back, but generally don't need to work directly with him since the debugger and security don't have very...
  • .NET Security Blog

    The Return of ManagedStrongName: Key Containers

    • 1 Comments
    (updated 12/3/04, pointed to the newly refactored source) It's been nearly two months since the last update to my managed sn.exe port, so it's long past overdue for some new features. This update implements the various key container features that are...
  • .NET Security Blog

    Why Can't I Change the KeySize of Asymmetric Algorithms or: The Joys of Backwards Compatibility

    • 12 Comments
    Here's a little quirk that can definitely cause a lot of confusion. When I run the following code snippet, what do you suppose the output will be: RSA rsa = new RSACryptoServiceProvider(); Console.WriteLine(rsa.KeySize); rsa.KeySize = 4096;...
  • .NET Security Blog

    How To Tell if Two PermissionSets Are The Same

    • 0 Comments
    Determining if two PermissionSet objects are logically the same is a relatively common thing for an application that deals with security to attempt to do, however the v1.0 and v1.1 PermissionSet classes did not override the Equals method to allow this...
  • .NET Security Blog

    Finding Out The Current User in the Debugger

    • 2 Comments
    Every once in a while, while debugging multi-threaded applications that do impersonation, it becomes useful to figure out the context that the current thread is running under. This is especially useful when debugging server scenarios where connections...
  • .NET Security Blog

    How do you use MigPol?

    • 5 Comments
    In preparing for Whidbey, we'd like to collect some information about how you use the MigPol tool. Specifically, the CLR Security team is interested in: How do you use MigPol? How often do you use it? Common usage scenarios. Did you even know MigPol existed...
  • .NET Security Blog

    FormatMessage Shortcut for Win32 Error Codes

    • 5 Comments
    If you ever need to P/Invoke to an API that returns extended error information via the GetLastError function, then you've also probably been through the pain of converting the error code into a usable error message via the FormatMessage API ... not exactly...
  • .NET Security Blog

    Spot the Defect: Modifying the Security Policy in Code

    • 2 Comments
    Modifying the CLR's security policy can be done in your code by interacting with the SecurityManager object. Specifically, you can access the PolicyHierarchy method which will expose an enumerator over the policy levels, and the SavePolicy method, which...
  • .NET Security Blog

    How I Learned to Stop Worrying and Love the GC

    • 0 Comments
    Chris Lyon, the CLR's GC tester, has just started up a new MSDN blog. Working on the GC, Chris has a lot of knowledge about how the CLR works internally, and he'll be able to shed some light on one of the most misunderstood components of the runtime...
  • .NET Security Blog

    Deploying Policy on v1.0 and 1.1 of the CLR

    • 9 Comments
    A lot of the time, someone has written an application that won't run under the CLR's default security settings and needs to provide a mechanism for their users to modify the policy easily in order to allow their application to run. For Whidbey, ClickOnce...
  • .NET Security Blog

    Labor Day Links

    • 0 Comments
    Here are a few quick security links to check out over the barbecue this Labor Day Weekend. Nothing says party like a good discussion about impersonation leaks in managed code and how SIDs work, that's what I always say :-) Eric Lippert grabbed another...
  • .NET Security Blog

    .NET 1.0 SP 3 and .NET 1.1 SP 1 Released

    • 23 Comments
    Today we pushed .NET 1.0 SP3 and .NET 1.1 SP1 onto Windows Update as a Critical Update. You can also download the service packs from the MSDN download center. Here's a brief review of what's new for security in each service pack: .NET 1.0 SP3 (v1.0.3705...
  • .NET Security Blog

    New ILAsm Support For Assembly-Level Security

    • 1 Comments
    Before Whidbey shipped, using assembly level declarative security was always a bit of a pain. Previous versions of the CLR required you to provide security attributes in the form of XML, which meant that you would have to figure out the exact XML represented...
  • .NET Security Blog

    Assembly Level Declarative Security

    • 20 Comments
    Assembly level declarative security comes in three forms, RequestMinimum, RequestOptional, and RequestRefuse. The three can be briefly defined as: RequestMinimum -- the set of permissions that are absolutely required for this assembly to run. RequestOptional...
  • .NET Security Blog

    All About Assert Part IV: When Assert Won't Help

    • 1 Comments
    In Assert Myth #7, I mention three ways for a demand for a permission to fail even though that permission was asserted. The first three are: Myth #3: You don't need the permissions that you're asserting in order to effectively assert them. Myth #4: Assert...
  • .NET Security Blog

    All About Assert Part III: Dispelling the Myths

    • 7 Comments
    So far we've seen What Assert Actually Does, and What Assert Is Good For, now it's time to examine some popular misconceptions about the Assert stack modifier. Myth #1: Assert changes an assembly's permission grant. Assert is a stack walk modifier. It...
  • .NET Security Blog

    All About Assert Part II: What Assert Is Good For

    • 1 Comments
    Now that we know what Assert does, let's figure out what it's good for. The two most common uses of Assert are: Perform high-privilege operations on behalf of untrusted code. Convert one permission demand to another. Yesterday's example demonstrating what...