• .NET Security Blog

    Strong Name Bypass

    • 5 Comments
    Many managed applications start up slower than they really need to because of time spent verifying their strong name signatures. For most of these applications, the strong name verification isn't buying the application anything - especially fully trusted...
  • .NET Security Blog

    FullTrust on the LocalIntranet

    • 18 Comments
    We released the first beta of .NET 3.5 SP 1 this morning, and it includes a change to the default grant set for applications launched from the LocalIntranet zone. The quick summary is that as of .NET 3.5 SP1, applications run from a network share will...
  • .NET Security Blog

    Disabling the FIPS Algorithm Check

    • 4 Comments
    .NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was configured to require them. This resulted in algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throwing an InvalidOperationException...
  • .NET Security Blog

    CAS and Native Code

    • 2 Comments
    CAS is complicated enough to understand when all of the moving parts are written in managed code (and therefore have all the associated managed meta-information like grant sets, etc). However, once native code comes into play things can get even more...
  • .NET Security Blog

    Which Groups Does WindowsIdentity.Groups Return?

    • 1 Comments
    WindowsIdentity exposes a Groups property which returns a collection of IdentityReferences for the groups that a particular user is a member of. However, if you look closely, you'll find that these returned groups won't necessarily include all of the...
  • .NET Security Blog

    Manifested Controls Redux

    • 1 Comments
    Last year, I made a series of posts about a new feature available in the betas of .NET 3.5 which enabled you to specify declaratively the set of permissions that IE hosted managed controls should run with. Since the betas there have been a couple of tweaks...
  • .NET Security Blog

    Transparency as Least Privilege

    • 0 Comments
In my last post I mentioned that there is a better alternative to RequestRefuse for achieving least privilege. The tool I like to use for least privilege is actually the security transparency model available in v2.0+ of the CLR (and which became the...
  • .NET Security Blog

    Avoiding Assembly Level Declarative Security

    • 0 Comments
I've written in the past about the three assembly level declarative security actions: RequestMinimum, RequestOptional, and RequestRefuse. Although the CLR has supported these since v1.0, I tend to stay away from using them as much as I possibly can,...
  • .NET Security Blog

    CLR Inside Out: Digging into IDisposable

    • 0 Comments
My third MSDN magazine article, Digging into IDisposable, appeared in this month's issue in the CLR Inside Out column. It's a bit of a departure from my usual security fare; this time looking at how to best handle writing class libraries that must manage...
  • .NET Security Blog

    Silverlight Security Cheat Sheet

    • 5 Comments
    Over the last week we took a look at the new Silverlight security model. When you're writing a Silverlight application though, there's a lot of information there that you may not want to wade through to get yourself unblocked. Here's a quick cheat sheet...
  • .NET Security Blog

    Silverlight Security III: Inheritance

    • 2 Comments
Over the last few days we've looked at the basics of the CoreCLR security model in Silverlight, and how to tell which platform APIs are available for applications to call. Let's wrap up this mini-series on CoreCLR security by looking at how the CoreCLR...
  • .NET Security Blog

    Silverlight Security II: What Makes a Method Critical

    • 14 Comments
Yesterday we talked about the CoreCLR security model, and how it is built upon the transparency model introduced in the v2.0 .NET Framework. The quick summary was that all Silverlight application code is transparent, and transparent code may only call...
  • .NET Security Blog

    The Silverlight Security Model

    • 12 Comments
You may have heard a thing or two last week about a little project we like to call Silverlight, including a small version of the CLR that will run in the browser on both Windows and the Mac. (If you haven't grabbed the Silverlight v1.1 alpha bits yet...
  • .NET Security Blog

    Bypassing the Authenticode Signature Check on Startup

    • 3 Comments
A while back I wrote about the performance penalty of loading an assembly with an Authenticode signature. The CLR will attempt to verify the signature at load time to generate Publisher evidence for the assembly. However, by default most applications...
  • .NET Security Blog

    Loading an Assembly as a Byte Array

    • 1 Comments
    One of the various ways that you can load an assembly is by supplying the raw bytes of an assembly as a byte array. The security identity of an assembly loaded this way turns out to be different than if you were to load the same assembly by name or by...
  • .NET Security Blog

    Using the MMC Snap-In to Configure 64 Bit CAS Policy

    • 1 Comments
The .NET Framework SDK ships with an MMC Snap-In which enables you to, among other things, avoid using caspol to modify your local security policy. Since each runtime installed on your machine has independent security policy, the MMC Snap-In will only...
  • .NET Security Blog

    Tying your IE Hosted Control to a Manifest

    • 1 Comments
Last week, I talked about the Orcas feature which allows you to provide a manifest to elevate your control's permissions declaratively. We also saw how to generate manifests that would state what permissions your control needs (and the rules associated...
  • .NET Security Blog

    Manifests for IE Hosted Controls

    • 8 Comments
Earlier this week, I talked about the Orcas feature where controls can declaratively request permissions in a similar way to ClickOnce applications. In fact, the manifests used for this request are the same manifests used for ClickOnce applications, with...
  • .NET Security Blog

    Specifying Permissions for IE Controls in Orcas

    • 1 Comments
    One of my most read blog posts (and one of the reasons I created this blog in the first place -- to answer what was one of the most asked questions on the old .NET Security newsgroup), is my post about granting managed controls hosted in IE extra permissions...
  • .NET Security Blog

    Enumerating Evidence

    • 1 Comments
The Evidence class supports being enumerated in three different ways: GetAssemblyEnumerator, GetHostEnumerator, and GetEnumerator. The first two are pretty self explanatory, enumerating over the evidence that the assembly supplied itself, or over the evidence...
  • .NET Security Blog

    Assembly Provided Evidence

    • 6 Comments
    We all know that the CLR provides many types of evidence to assemblies and AppDomains by default, but one feature of the runtime that's much less known is that assemblies can actually provide evidence of their own. This seems to be one of the best kept...
  • .NET Security Blog

    Introduction to the Orcas Add-In Model

    • 2 Comments
    One of the features the CLR team is adding in Orcas is that we're providing a new model to help enable your application to host Add-Ins. I've got a special interest in this set of features, as I always try to make my hobby applications pluggable for some...
  • .NET Security Blog

    Please do not use the .NET 2.0 HMACSHA512 and HMACSHA384 Classes

    • 19 Comments
    We’ve recently discovered a bug in the HMACSHA512 and HMACSHA384 classes which shipped in the .NET Framework 2.0. This bug will cause these algorithms to produce incorrect results which are not consistent with other implementations of HMAC-SHA-512 and...
  • .NET Security Blog

    Elliptic Curve Diffie-Hellman

    • 8 Comments
The second elliptic curve algorithm added to Orcas is elliptic curve Diffie-Hellman, as the ECDiffieHellmanCng class. This is the first time Diffie-Hellman is available as part of the .NET Framework, so let's take a quick look at what it is and what it...
  • .NET Security Blog

    Elliptic Curve DSA

    • 3 Comments
Yesterday I gave a quick rundown of all the new cryptographic algorithms available in the Orcas January CTP. Today, let's dive in a little deeper to the first of the elliptic curve algorithms, ECDSA. (ECDSA, along with the rest of the CNG classes in...