• .NET Security Blog

    Isolated Storage and ClickOnce

    • 13 Comments
    Isolated storage introduced a new scope in v2.0 of the CLR to work with ClickOnce applications. Application-scoped isolated storage is backed by the application's data directory. This enables scenarios where your isolated storage data will flow forward...
  • .NET Security Blog

    Temporarily re-enabling CAS policy during migration

    • 4 Comments
    Over the last few weeks we’ve been looking at the changes to security policy in .NET 4, namely that security policy is now in the hands of the host and the operating system. While we’ve looked at how to update code that implicitly uses CAS policy, loads...
  • .NET Security Blog

    Silverlight Security Cheat Sheet

    • 5 Comments
    Over the last week we took a look at the new Silverlight security model. When you're writing a Silverlight application though, there's a lot of information there that you may not want to wade through to get yourself unblocked. Here's a quick cheat sheet...
  • .NET Security Blog

    Silverlight Security II: What Makes a Method Critical

    • 14 Comments
    Yesterday we talked about the CoreCLR security model, and how it is built upon the transparency model introduced in the v2.0 .NET Framework. The quick summary was that all Silverlight application code is transparent, and transparent code may only call...
  • .NET Security Blog

    All About Assert Part III: Dispelling the Myths

    • 7 Comments
    So far we've seen What Assert Actually Does, and What Assert Is Good For; now it's time to examine some popular misconceptions about the Assert stack modifier. Myth #1: Assert changes an assembly's permission grant. Assert is a stack walk modifier. It...
  • .NET Security Blog

    Why Is CasPol Prompting Me For Confirmation?

    • 2 Comments
    Every once in a while I get asked a question along the lines of: "I used to run CasPol in a script to modify security settings. Now my script never returns, and when I debug CasPol has started asking me to confirm its operations. What happened?...
  • .NET Security Blog

    CryptEncrypt and RSACryptoServiceProvider::Encrypt

    • 10 Comments
    The RSACryptoServiceProvider class provides two methods, Encrypt and Decrypt, which seem to be the managed counterparts to CAPI's CryptEncrypt and CryptDecrypt functions. However, if you try to encrypt using CAPI and decrypt using managed code, you'll...
  • .NET Security Blog

    FormatMessage Shortcut for Win32 Error Codes

    • 5 Comments
    If you ever need to P/Invoke to an API that returns extended error information via the GetLastError function, then you've also probably been through the pain of converting the error code into a usable error message via the FormatMessage API ... not exactly...
  • .NET Security Blog

    Disabling the FIPS Algorithm Check

    • 4 Comments
    .NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was configured to require them. This resulted in algorithms which are not FIPS compliant (or implementations which were not FIPS certified) throwing an InvalidOperationException...
  • .NET Security Blog

    Generating Larger Keys with SN

    • 13 Comments
    A while back, I wrote about using the StrongNameKeyGenEx API to generate keys to sign assemblies with. That API lets you pass in a dwKeySize parameter to specify the number of bits to generate in the key. If you're calling the API from your own code,...
  • .NET Security Blog

    Managed DPAPI Part II: ProtectedMemory

    • 14 Comments
    Last week (ok, really two weeks ago...), I wrote about using DPAPI with Whidbey. (You can find that post here: Managed DPAPI Part I: ProtectedData.) In addition to the ProtectedData class, Whidbey will also expose DPAPI through the ProtectedMemory...
  • .NET Security Blog

    Which Cryptographic Operations are Available?

    • 7 Comments
    One of the more common problems to creep up when people start using the various cryptographic algorithms in the System.Security.Cryptography namespace is that their app, which works fine on their WinXP dev box, suddenly starts throwing CryptographicExceptions...
  • .NET Security Blog

    Replacing Calc with Calculator Plus

    • 11 Comments
    On my home machine, and one of my office machines, I log in as a normal user, and only elevate to an account with admin status when installing software, or doing other maintenance. Needless to say, doing that creates problems with various programs that...
  • .NET Security Blog

    Post Build Assembly Modification Or: Why Won't SN -Vr Work on Tampered Assemblies

    • 1 Comment
    A while back I wrote about delay signing an assembly, and using SN -Vr to register that assembly to have its signature verification skipped. However, some people have noticed that SN -Vr doesn't work if you fully sign an assembly and then tamper with...
  • .NET Security Blog

    SafeHandle

    • 12 Comments
    Prior to Whidbey, interop with Win32 handles was done by passing IntPtrs back and forth through P/Invoke. This had several drawbacks including: Lack of type safety. Nothing is preventing me from taking an IntPtr containing a HWND and passing it to a method...
  • .NET Security Blog

    Does Being in the GAC Grant FullTrust?

    • 20 Comments
    What does being in the GAC imply about the permission set that will be assigned to an assembly? Well, it depends ... In v1.0 and 1.1, the fact that assemblies in the GAC seem to always get a FullTrust grant is actually a side effect of the fact that the...
  • .NET Security Blog

    Test Key Signing

    • 10 Comments
    One feature that will start to show up on the latest CTP of Whidbey is test key signing -- basically delay signing++. Let's do a quick review of what delay signing is, and then see where test key signing takes over. Recall a delay signed assembly is one...
  • .NET Security Blog

    Creating an AppDomain with limited permissions

    • 10 Comments
    Oftentimes in an application, it's necessary to run untrusted code. The CLR lets you do this safely by placing the code in its own AppDomain and sandboxing the AppDomain to have a limited set of permissions. Usually setting up the AppDomain with the Internet...
  • .NET Security Blog

    Bootstrapping your Application's AppDomainManager

    • 7 Comments
    Last time I mentioned that when using pure managed code to set up an AppDomainManager, you should prefer to use the environment variables rather than the registry keys. Once you've decided to use the environment variables, you need to determine a strategy...
  • .NET Security Blog

    When is ReflectionPermission Needed?

    • 11 Comments
    Reflection and its interaction with security can sometimes be a bit of a confusing matter. The easiest portion to figure out is the permissions needed to use Reflection.Emit. In order to do anything with the reflection emit feature, you'll need to have...
  • .NET Security Blog

    All About RSAParameters

    • 3 Comments
    The RSA class exposes an ExportParameters method which allows you to get at the raw RSA key in the form of an RSAParameters structure. What that structure contains isn't very obvious to people not familiar with how RSA works. With fields named P, Q, D...
  • .NET Security Blog

    An Enhanced Version of the Sandboxed AppDomain

    • 14 Comments
    Last week I showed how to create an AppDomain with a limited set of permissions. I also presented an easy way to create a StrongNameMembershipCondition. Now I'll put the two together to make an enhanced version of the sandboxed AppDomain. Why create...
  • .NET Security Blog

    Elliptic Curve Diffie-Hellman

    • 8 Comments
    The second elliptic curve algorithm added to Orcas is elliptic curve Diffie-Hellman, as the ECDiffieHellmanCng class. This is the first time Diffie-Hellman is available as part of the .NET Framework, so let's take a quick look at what it is and what it...
  • .NET Security Blog

    Spot the Defect: Modifying the Security Policy in Code

    • 2 Comments
    Modifying the CLR's security policy can be done in your code by interacting with the SecurityManager object. Specifically, you can access the PolicyHierarchy method which will expose an enumerator over the policy levels, and the SavePolicy method, which...
  • .NET Security Blog

    Using XPath to Sign Specific XML

    • 13 Comments
    In my last posting, I promised to write about a more general purpose way of selecting specific XML to sign. Although the technique I presented in the last post will work, it requires a custom class derived from SignedXml, and will not work unless both...