• .NET Security Blog

    FullTrust on the LocalIntranet

    • 18 Comments
    We released the first beta of .NET 3.5 SP 1 this morning, and it includes a change to the default grant set for applications launched from the LocalIntranet zone. The quick summary is that as of .NET 3.5 SP1, applications run from a network share will...
  • .NET Security Blog

    More Implicit Uses of CAS Policy: loadFromRemoteSources

    • 6 Comments
    In my last post about changes to the CLR v4 security policy model, I looked at APIs which implicitly use CAS policy in their operation (such as Assembly.Load overloads that take an Evidence parameter), and how to migrate code that was using those APIs...
  • .NET Security Blog

    Handling Entry Assemblies that Won't Load: Method 1

    • 8 Comments
    Last week, when I posted about failing to run in partial trust gracefully, the method I showed only worked if your main assembly could be loaded. However, if it has a minimum permission request that cannot be satisfied, your main method won't ever be...
  • .NET Security Blog

    Assembly Level Declarative Security

    • 20 Comments
    Assembly level declarative security comes in three forms, RequestMinimum, RequestOptional, and RequestRefuse. The three can be briefly defined as: RequestMinimum -- the set of permissions that are absolutely required for this assembly to run; RequestOptional...
  • .NET Security Blog

    Fun with the Visual Studio Find Combo Box

    • 6 Comments
    It's interesting to note all the power of the find combo box in the Visual Studio command bar. It's easily one of the more useful controls I've ever used, yet it just sits there all quiet and unassuming. I've run into a lot of people who know one of two...
  • .NET Security Blog

    Checking For A Valid Strong Name Signature

    • 9 Comments
    Recently a question came up from someone who was trying to have a plugin architecture for their application, but wanted to do some checks before loading a plugin. Specifically, they wanted to ensure that the plugin was signed with a specific public key...
  • .NET Security Blog

    X509CertificateEx is now X509Certificate2

    • 4 Comments
    Last fall, in the article Mike Downen and I wrote for MSDN magazine, we mentioned the expanded support for X.509 certificates, and specifically pointed out how to use them with XML digital signatures. For those of you picking up the February CTP (and...
  • .NET Security Blog

    When the Opposite of Transparent isn't Opaque

    • 5 Comments
    When you provide an assembly that will be called by partially trusted callers, you need to make sure that you do a thorough security audit of that assembly -- especially if it’s an APTCA assembly. One of the primary reasons this security review is required...
  • .NET Security Blog

    What Happens When My Application Throws An Unhandled Exception

    • 6 Comments
    There are several different behaviors that can occur when a managed application throws an unhandled exception. The two most common are to bring up an error dialog box, or to pop up the Visual Studio Just In Time Debugger dialog box. The first behavior...
  • .NET Security Blog

    Authenticode and Assemblies

    • 13 Comments
    The general concepts of Authenticode signing an assembly are well understood -- they mostly correlate directly to the standard Win32 concept of a signed catalog. However, there are a few places where managed code plays differently, and sometimes these...
  • .NET Security Blog

    Getting Help with your .NET Questions

    • 6 Comments
    Recently I've been getting a lot of email from this blog asking for help with various problems. Although I'd love to help out, I don't have the time to address each mail directly. In fact, most of the problems I (and other members of the CLR team I've...
  • .NET Security Blog

    Delay Signing

    • 28 Comments
    Most people know about the delay signing feature of the CLR. (For those who don't, check out MSDN's Delay Signing an Assembly for more details). Basically, delay signing allows a developer to add the public key token to an assembly, without having access...
  • .NET Security Blog

    SN v2.0 Works With PFX Files

    • 10 Comments
    One enhancement to the v2.0 SN tool that may not get noticed right away is that it now has the ability to work with PKCS #12 PFX files in addition to SNK files. The logic here is that a self signed certificate stored in a PFX file is the moral equivalent...
  • .NET Security Blog

    Strong Name Bypass

    • 5 Comments
    Many managed applications start up slower than they really need to because of time spent verifying their strong name signatures. For most of these applications, the strong name verification isn't buying the application anything - especially fully trusted...
  • .NET Security Blog

    Using RSACryptoServiceProvider for RSA-SHA256 signatures

    • 12 Comments
    Earlier this month, we released .NET 3.5 SP 1. One of the new features available in this update is that RSACryptoServiceProvider has gained the ability to create and verify RSA-SHA256 signatures. Since RSACryptoServiceProvider relies on the underlying...
  • .NET Security Blog

    XML Encryption in .Net

    • 11 Comments
    Using XML encryption to encrypt payment information...
  • .NET Security Blog

    Marking Your Code Transparent

    • 8 Comments
    Last week I discussed the concepts of security transparency and security critical code. Now it's time to get into the how-to's. Marking an Entire Assembly Critical: This is by far the easiest of the operations ... just do nothing. By default...
  • .NET Security Blog

    XML Digital Signatures in .Net

    • 12 Comments
    Creating and Verifying Enveloped Signatures...
  • .NET Security Blog

    The Difference Between the Strong Name Hash and Hash Evidence

    • 7 Comments
    The System.Security.Policy.Hash class allows you to make security decisions based upon the hash of an assembly using the HashMembershipCondition. That sounds awfully similar to how strong names are calculated ... According to ECMA partition II section...
  • .NET Security Blog

    Safe Impersonation With Whidbey

    • 7 Comments
    Over the last couple of days we've talked about how to impersonate another user, and some security issues to keep in mind while impersonating. Now I'd like to take a look at some new features available in Whidbey which can make the whole process much...
  • .NET Security Blog

    Running Processes as a Different User

    • 14 Comments
    Before Whidbey, if you wanted to run code as a different user, you needed to use impersonation. There was no easy solution for starting a new process and having it run with a different user's credentials. Probably the best solution in v1.0 and 1.1 of...
  • .NET Security Blog

    All About Assert Part I: What Assert Actually Does

    • 11 Comments
    There are several common misconceptions about the Assert stack modifier, not the least of which are: Assert changes an assembly's permission grant; Assert is just a perf optimization; You don't need the permissions that you're Asserting in order to effectively...
  • .NET Security Blog

    Console Applications require UIPermission

    • 1 Comments
    Starting with beta 2, we’ve made a change around what permissions are required to launch a console application. When I talk about console applications here, I’m talking about applications that specify they should run with the WINDOWS_CUI subsystem (.subsystem...
  • .NET Security Blog

    Security Policy in the v4 CLR

    • 13 Comments
    One of the first changes that you might see to security in the v4 CLR is that we’ve overhauled the security policy system. In previous releases of the .NET Framework, CAS policy applied to all assemblies loaded into an application (except for in...
  • .NET Security Blog

    P/Invoke Wiki

    • 2 Comments
    Adam Nathan, who you may recognize as being the author of .NET and COM: The Complete Interoperability Guide, has started up a Wiki on P/Invoke. You'll find lots of P/Invoke definitions, along with recommended managed alternatives and gotchas there....