• .NET Security Blog

    Detecting that You're Running in a ClickOnce Application

    • 15 Comments
    In my last post, I mentioned that application scoped isolated storage only works if you're running in a ClickOnce application. That begs the question -- how do I tell if I'm currently running in the context of a ClickOnce application? You can see...

    Managed DPAPI Part II: ProtectedMemory

    • 14 Comments
    Last week (ok, really two weeks ago...), I wrote about using DPAPI with Whidbey. (You can find that post here: Managed DPAPI Part I: ProtectedData). In addition to the ProtectedData class, Whidbey will also expose DPAPI through the ProtectedMemory...

    Running Processes as a Different User

    • 14 Comments
    Before Whidbey, if you wanted to run code as a different user, you needed to use impersonation. There was no easy solution for starting a new process and having it run with a different user's credentials. Probably the best solution in v1.0 and 1.1 of...

    Whidbey's New SecurityException

    • 14 Comments
    One of the more difficult things to debug with .NET 1.0 and 1.1 is the security exception. With these frameworks generally the only information that you got was the state of the failed permission. Due to the complexity of debugging security problems,...

    An Enhanced Version of the Sandboxed AppDomain

    • 14 Comments
    Last week I showed how to create an AppDomain with a limited set of permissions. I also presented an easy way to create a StrongNameMembershipCondition. Now I'll put the two together to make an enhanced version of the sandboxed AppDomain. Why create...

    Silverlight Security II: What Makes a Method Critical

    • 14 Comments
    Yesterday we talked about the CoreCLR security model, and how it is built upon the transparency model introduced in the v2.0 .NET Framework. The quick summary was that all Silverlight application code is transparent, and transparent code may only call...

    Security Policy in the v4 CLR

    • 13 Comments
    One of the first changes that you might see to security in the v4 CLR is that we’ve overhauled the security policy system. In previous releases of the .NET Framework, CAS policy applied to all assemblies loaded into an application (except for in...

    Authenticode and Assemblies

    • 13 Comments
    The general concepts of Authenticode signing an assembly are well understood -- they mostly correlate directly to the standard Win32 concept of a signed catalog. However, there are a few places where managed code plays differently, and sometimes these...

    Managed DPAPI Part I: ProtectedData

    • 13 Comments
    Overview of DPAPI: Although APIs such as CAPI and the .NET System.Security.Cryptography classes make using cryptography relatively easy, one of the hardest things to do when implementing a secure cryptographic system is key management. In order to help...

    Using XPath to Sign Specific XML

    • 13 Comments
    In my last posting, I promised to write about a more general purpose way of selecting specific XML to sign. Although the technique I presented in the last post will work, it requires a custom class derived from SignedXml, and will not work unless both...

    Which Package are the Security Tools In?

    • 13 Comments
    When installing the v2.0 .NET redist package, you'll find that the .Net Configuration MMC snap-in is missing. As of v2.0, we've moved this tool to the SDK package, which you can download here: [x86] [x64] [IA64]. The split of security tools between...

    Isolated Storage and ClickOnce

    • 13 Comments
    Isolated storage introduced a new scope in v2.0 of the CLR to work with ClickOnce applications. Application scoped Isolated storage is backed by the application's data directory. This enables scenarios where your isolated storage data will flow forward...

    Generating Larger Keys with SN

    • 13 Comments
    A while back, I wrote about using the StrongNameKeyGenEx API to generate keys to sign assemblies with. That API lets you pass in a dwKeySize parameter to specify the number of bits to generate in the key. If you're calling the API from your own code,...

    Adding a UAC Manifest to Managed Code

    • 12 Comments
    The UAC feature of Vista is one of my favorite new features -- it really makes running as a non-admin much less painful than it has been in the past. One of the requirements that UAC puts on developers is that we must mark our applications with manifests...

    Comparing Java and .NET Security

    • 12 Comments
    It's been a while since I've last seen a comparison of Java and .NET security. Nathanael Paul and David Evans from the University of Virginia Computer Science Department recently finished their comparison, Comparing Java and .NET Security: Lessons Learned...

    Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

    • 12 Comments
    The MSDN Magazine site just put up my article, Do You Trust It? Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0, as a preview of their November security issue. In the article I cover various techniques for safely...

    XML Digital Signatures in .Net

    • 12 Comments
    Creating and Verifying Enveloped Signatures...

    SafeHandle

    • 12 Comments
    Prior to Whidbey, interop with Win32 handles was done by passing IntPtrs back and forth through P/Invoke. This had several drawbacks including: Lack of type safety. Nothing is preventing me from taking an IntPtr containing a HWND and passing it to a method...

    The Managed Hosting API

    • 12 Comments
    With v1.0 and v1.1 of the CLR, if you wanted to have much control over how the CLR was working under the covers, you needed to write an unmanaged host. The unmanaged hosting API still exists with Whidbey (in fact, it's gotten quite a few improvements of...

    Why Can't I Change the KeySize of Asymmetric Algorithms or: The Joys of Backwards Compatibility

    • 12 Comments
    Here's a little quirk that can definitely cause a lot of confusion. When I run the following code snippet, what do you suppose the output will be: RSA rsa = new RSACryptoServiceProvider(); Console.WriteLine(rsa.KeySize); rsa.KeySize = 4096;...

    The Silverlight Security Model

    • 12 Comments
    You may have heard a thing or two last week about a little project we like to call Silverlight, including a small version of the CLR that will run in the browser on both Windows and the Mac. (If you haven't grabbed the Silverlight v1.1 alpha bits yet...

    Using RSACryptoServiceProvider for RSA-SHA256 signatures

    • 12 Comments
    Earlier this month, we released .NET 3.5 SP 1. One of the new features available in this update is that RSACryptoServiceProvider has gained the ability to create and verify RSA-SHA256 signatures. Since RSACryptoServiceProvider relies on the underlying...

    .NET 4.0 Security

    • 11 Comments
    The first beta of the v4.0 .NET Framework is now available, and with it comes a lot of changes to the CLR's security system. We've updated both the policy and enforcement portions of the runtime in a lot of ways that I'm pretty excited to finally see...

    Replacing Calc with Calculator Plus

    • 11 Comments
    On my home machine, and one of my office machines I log in as a normal user, and only elevate to an account with admin status when installing software, or doing other maintenance. Needless to say, doing that creates problems with various programs that...

    All About Assert Part I: What Assert Actually Does

    • 11 Comments
    There are several common misconceptions about the Assert stack modifier, not the least of which are: Assert changes an assembly's permission grant; Assert is just a perf optimization; You don't need the permissions that you're Asserting in order to effectively...