• .NET Security Blog

    New Crypto Algorithms in Orcas
    The January CTP of Orcas is now available, and with it comes a total of 12 new cryptography algorithm implementation classes, which include 2.5 new algorithms. (I'll count AES as 0.5 since we did already have Rijndael :-) ). These classes also are the...

    Combining Strong Names with Authenticode
    If you want to use both a strong name and Authenticode signature on your assembly (for instance if you need a strong name for strong assembly identity, and your company has a rule requiring Authenticode signatures on all shipped products), then you need...

    Happy Holidays!
    In an effort to escape Seattle's ... interesting ... weather patterns of the last few months, I've taken off to New York for the holidays. (And unlike last year's 19 degree temperature drop, this year it's actually going to be warmer in the Northeast...

    Evidence Must Be Serializable
    The Evidence object acts as a collection for any sort of object that you want to add as evidence for an assembly or AppDomain. (It can get confusing because there is both an Evidence class and objects used as evidence. I'll capitalize the first one to...

    new NamedPermissionSet
    Every once in a while I find some code doing something similar to this: new NamedPermissionSet("LocalIntranet").Assert(); // ... call some API that requires Intranet permissions here CodeAccessPermission.RevertAssert(); At best this...
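The snippet above is worth seeing side by side with what it actually constructs. The following is an added example (not code from the post) for the .NET Framework 2.0/3.5 CAS model; it prints whether the one-argument NamedPermissionSet constructor gives you an unrestricted set rather than the policy's "LocalIntranet" set, shows how to fetch the real named set from the policy hierarchy, and ends with the narrower alternative of asserting only the single permission the callee demands. The file path in the last part is a placeholder.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example, not from the original post. Targets .NET Framework 2.0-3.5;
// PolicyHierarchy/PolicyLevel are obsolete in .NET 4 and absent from .NET Core.
class NamedPermissionSetDemo
{
    // What the anti-pattern constructs: a set that merely *carries* the name
    // "LocalIntranet". The constructor never consults security policy, so the
    // contents have nothing to do with the LocalIntranet zone's grant set.
    static NamedPermissionSet AntiPatternSet()
    {
        return new NamedPermissionSet("LocalIntranet");
    }

    // The policy-defined set: walk the Enterprise/Machine/User levels and take the
    // first one that defines a named set with this name.
    static NamedPermissionSet LookupFromPolicy(string name)
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            NamedPermissionSet ps = level.GetNamedPermissionSet(name);
            if (ps != null) return ps;
        }
        return null;
    }

    static void Main()
    {
        NamedPermissionSet wrong = AntiPatternSet();
        Console.WriteLine("new NamedPermissionSet(\"LocalIntranet\") is unrestricted: "
                          + wrong.IsUnrestricted());

        NamedPermissionSet real = LookupFromPolicy("LocalIntranet");
        if (real != null)
        {
            Console.WriteLine("policy's LocalIntranet is unrestricted: " + real.IsUnrestricted());
            Console.WriteLine(real.ToXml());
        }

        // Preferred shape: assert exactly the permission the callee demands, for the
        // shortest possible window, and always revert in a finally block.
        // (Placeholder path; assumes the calling assembly itself holds this permission.)
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Public\data.txt").Assert();
        try
        {
            // ... call the API that demands read access to that path ...
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }
}
```

Run it from a full-trust context (a locally built console app) so the policy lookup and the assert are both permitted; the interesting output is the first line, which tells you what the anti-pattern is really asserting on your runtime.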

    Relative URL Membership Conditions
    Caspol will allow you to setup a URL membership condition with a relative URL by using a command such as: caspol -ag 1. -url Foo.dll Internet -exclusive on This command probably doesn't do exactly what you would expect though. Namely, it does...

    SecureString Redux
    A few times over the last couple of days discussion about a tool on the Internet which can attach to your process and dump out the contents of your SecureStrings has come up. If this tool can exist, then what benefit does SecureString really provide?...
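The protection SecureString offers is bounded: it keeps the secret encrypted while at rest in the process and lets you control the single window in which plaintext exists, but it cannot stop something that already has debug rights over your process, which is what a dump-the-SecureStrings tool relies on. The following added example (not code from the post) shows the usage pattern that actually realises that bounded benefit: build the value without ever holding it in a System.String, decrypt it only into an unmanaged buffer you own, and zero that buffer in a finally block. The sample secret is constructed inline for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not from the original post. Requires .NET Framework 3.5+ (Func<>).
static class SecureStringUsage
{
    // Build the secret one character at a time so a plain, immutable, GC-managed
    // System.String never holds the whole value.
    public static SecureString FromChars(char[] chars)
    {
        SecureString s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        s.MakeReadOnly();                      // later mutation requires an explicit Copy()
        Array.Clear(chars, 0, chars.Length);   // wipe the mutable source buffer
        return s;
    }

    // The only point at which plaintext exists: an unmanaged buffer that this method
    // allocates, hands to the caller's delegate, and then zeroes and frees.
    public static T UsePlaintext<T>(SecureString secret, Func<IntPtr, T> work)
    {
        IntPtr ptr = IntPtr.Zero;
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            return work(ptr);
        }
        finally
        {
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed sample secret. Real code would fill the char[] from a key-by-key
        // prompt or a native API so the value never appears as a string literal.
        SecureString pw = FromChars(new char[] { 'h', 'u', 'n', 't', 'e', 'r', '2' });

        int length = UsePlaintext(pw, p =>
        {
            // Pass the buffer to a native API here (LogonUser, CryptProtectData, ...).
            // Do NOT call Marshal.PtrToStringUni on it: that copies the plaintext back
            // onto the managed heap, undoing the point of SecureString.
            int n = 0;
            while (Marshal.ReadInt16(p, n * 2) != 0) n++;
            return n;
        });
        Console.WriteLine("secret length: " + length);

        pw.Dispose(); // zeroes and frees the encrypted buffer
    }
}
```

If a consumer insists on a System.String (most managed APIs do), the protection ends the moment you produce one; at that point SecureString only bought you a shorter lifetime for the plaintext, not confidentiality against an attached debugger.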

    Quickly Testing Code Under Different Cultures
    Earlier this week, a situation came up where we needed to make sure a new feature worked when it was used with a non-English culture. Normally we'd run some tests on a Japanese machine, but one wasn't readily available at the time. Instead, I put together...

    XML Digital Signature Verification with Unknown URI Schemes
    A few years back, there was a discussion thread on one of my XML digital signature posts about verifying an XML digital signature which had references to a URI prefixed with cid:. Recently Mattias Lindberg ran into this problem as well, and devised a...

    Kenny Kerr Explores UAC
    Kenny Kerr, one of our Security MVPs, has updated his Windows Vista for Developers series with Part 4 - User Account Control. Kenny takes an in-depth look at what UAC means for developers and covers areas that a lot of other sources don't touch on, such...

    The Differences Between Rijndael and AES
    When you need to write managed code that encrypts or decrypts data according to the AES standard, most people just plug the RijndaelManaged class in and go on their way. After all, Rijndael was the winner of the NIST competition to select the algorithm...
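The concrete difference is block size: AES (FIPS 197) is Rijndael fixed to a 128-bit block with 128-, 192- or 256-bit keys, whereas RijndaelManaged also accepts 160-, 192-, 224- and 256-bit blocks, none of which are AES. The following added example (not code from the post) makes that visible on .NET Framework 3.5 or later: it encrypts the same constructed key and plaintext with the CAPI-backed AesCryptoServiceProvider, with RijndaelManaged at a 128-bit block, and with RijndaelManaged at a 256-bit block, and compares the results. ECB without padding is used only so that the block size is the sole variable; it is not a mode to use for real data.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post. .NET Framework 3.5+ (RijndaelManaged
// on .NET Core/5+ no longer accepts non-128-bit blocks, so the 256-bit case throws there).
static class RijndaelVsAes
{
    // An instance is AES-compliant only at a 128-bit block with an AES key length.
    public static bool IsAesCompatible(SymmetricAlgorithm alg)
    {
        bool keyOk = alg.KeySize == 128 || alg.KeySize == 192 || alg.KeySize == 256;
        return alg.BlockSize == 128 && keyOk;
    }

    // ECB/no padding: no IV, so block size is the only thing that differs between runs.
    // For comparison purposes only; never use ECB for real data.
    static byte[] EncryptEcbNoPad(SymmetricAlgorithm alg, byte[] key, byte[] plaintext)
    {
        alg.Key = key;
        alg.Mode = CipherMode.ECB;
        alg.Padding = PaddingMode.None;
        using (ICryptoTransform enc = alg.CreateEncryptor())
            return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    static void Main()
    {
        // Constructed inputs: an all-zero 128-bit key and 32 bytes of plaintext, which is
        // two 128-bit blocks for AES or exactly one 256-bit Rijndael block.
        byte[] key = new byte[16];
        byte[] plaintext = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef");

        var capiAes = new AesCryptoServiceProvider();
        var rijndael128 = new RijndaelManaged { BlockSize = 128 };
        var rijndael256 = new RijndaelManaged { BlockSize = 256 };

        string aes = BitConverter.ToString(EncryptEcbNoPad(capiAes, key, plaintext));
        string r128 = BitConverter.ToString(EncryptEcbNoPad(rijndael128, key, plaintext));
        string r256 = BitConverter.ToString(EncryptEcbNoPad(rijndael256, key, plaintext));

        Console.WriteLine("Rijndael, 128-bit block, AES-compatible: " + IsAesCompatible(rijndael128));
        Console.WriteLine("Rijndael, 256-bit block, AES-compatible: " + IsAesCompatible(rijndael256));
        Console.WriteLine("CAPI AES == Rijndael(128-bit block):     " + (aes == r128));
        Console.WriteLine("CAPI AES == Rijndael(256-bit block):     " + (aes == r256));
    }
}
```

The practical rule: if interoperability with anything that says "AES" matters, either use an Aes-named class or set BlockSize = 128 explicitly on RijndaelManaged and leave it there; the default block size is 128, but a single stray BlockSize = 256 silently produces ciphertext no AES implementation can decrypt.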

    Using Lightweight CodeGen from Partial Trust
    Last time I talked about the new Orcas feature allowing you to use reflection from partial trust. Specifically we talked about standard reflection and Reflection.Emit, putting off Lightweight CodeGen until today. Before we start, if you're new to...

    RestrictedMemberAccess
    The September CTP of Orcas went live last night, including lots of features that other MSDN blogs are buzzing about such as LINQ to Objects, partial C# 3.0 support, and partial VB 9.0 support. (And prompting me to create the new Orcas category to replace...

    RSACryptoServiceProvider, Impersonation, and Ephemeral Keys
    If you construct an RSACryptoServiceProvider class without specifying a name for the key, the CLR will create a random ephemeral key for you. However, ephemeral keys are not supported by the underlying CAPI APIs on all of the platforms that the CLR was...

    [WeddingPermission(SecurityAction.Demand, Unrestricted=true)]
    Having just checked in my last few bug fixes and the Orcas feature I've been working on, it's time to take off on a vacation. But not just any vacation ... Tomorrow I head back to New York for my wedding on August 12th. (Here's hoping that it cools...

    What Evidence does Internet Explorer Give an Assembly
    One of the reasons I started this blog was to have a permanent record of a question I used to see on the old microsoft.public.dotnet.security newsgroup about providing extra trust for an Internet Explorer hosted assembly. In that post I mentioned that...

    $20 on Double Zero, $20 on LUA please
    I spent last weekend in Vegas, and on Saturday night / Sunday morning decided to recreate those college bar crawls with a bit of a casino crawl. Starting at Caesar's we bounced up the strip hitting every casino on the way with one rule: start with $40...

    ClickOnce Same Site Permissions
    ClickOnce applications can request that they be granted permission to contact their site of origin. In Visual Studio this is done by clicking on the Advanced button in the Security tab of the project properties and checking "Grant the application access...

    Sandboxed Applications Can’t Elevate Their Own Permissions
    Every once in a while someone will ask how they can do something similar to these caspol commands from within their application. Generally, they want their application to be deployed from the Internet or a file share and don’t want users to have to deal...

    Every CLR has Independent CAS Policy
    It’s relatively easy to find a set of instructions for using caspol or Admin UI to provide a CAS elevation for some managed code that’s hitting security exceptions. However, using the directions correctly gets complicated when multiple runtimes are on...

    Column Guides in Visual Studio
    A lot of coding guidelines specify the maximum length for a line of code. For instance in the CLR, we like to keep lines of code under 110 characters long. Visual Studio has a feature which lets you display a vertical line at the column of your choosing...

    Reducing Startup Time Due To Strong Name Verification
    Occasionally we run into a scenario where someone asks about shipping a strong name skip verification entry for their assembly with their product. Generally, their reasoning is that the performance hit of strong name verification is too great for their...

    APTCA and SQL Server 2005
    Last year, I explored the ins and outs of the AllowPartiallyTrustedCallersAttribute. Today, the SQL-CLR blog takes a look at how APTCA affects assemblies hosted in SQL Server 2005 databases -- recommended reading for those dealing with strong names and...

    CLR Inside Out: Using Strong Name Signatures
    Mike Downen, our CLR security PM, wrote the CLR Inside Out column this month in MSDN Magazine on strong name signatures. He covers what strong name signatures are, what they're good for, what they're not good for, delay signing, and test signing. I just...

    Avoiding Deny and Permit Only: Take 2
    Last week when I dug into the details of the special permission optimization, we saw in the code that before the CLR can use this optimized form of a demand, it needs to check to ensure there are no Deny or PermitOnly modifiers on the call stack. I noted...