• .NET Security Blog

    Browsing the SSCLI in Visual Studio

    • 9 Comments
    I've attached a simple Visual Studio 2005 project that I use for browsing the SSCLI v2 source tree. (Once you've downloaded it, rename the file to remove the .txt extension). The project is good for browsing; however, it will not build or debug the SSCLI...

    Special Permissions in the SSCLI

    • 2 Comments
    Before digging into a pretty clever optimization that the SSCLI makes for certain special permission demands, I want to point out that everything I’m about to cover is an implementation detail. Although this optimization does occur today, we can and will...

    Test Signing in Action: IronPython Beta 7

    • 1 Comments
    The IronPython team just announced their v1.0 beta 7 release, which is especially interesting to me because they’ve enabled IronPython to be signed with a test key signature. Beta 7 has four configurations, the standard Release and Debug along with...

    Why the Simple Sandboxing API Requires an ApplicationBase

    • 0 Comments
    One trap that catches a lot of people new to the simple sandboxing API is that the API will throw an InvalidOperationException if the AppDomainSetup parameter does not contain an ApplicationBase, saying "This API requires the ApplicationBase to be specified...

    Handling Custom Zones with the HostSecurityManager

    • 3 Comments
    We've looked at how the CLR supports mapping a custom zone to the Internet zone and how you can modify the SSCLI to handle whatever zone mapping policy you want, but if you want richer mapping than is built in and don't want to run on a custom SSCLI...

    SSCLI Zone Mappings

    • 1 Comments
    My previous post is begging the question "so what is the SSCLI's zone mapping policy?" It's actually quite simple: the source for SecurityPolicy::QuickGetZone in clr\src\vm\securitypolicy.cpp shows that SSCLI maps a URL to: NoZone if the URL...

    Custom Zones and the CLR

    • 4 Comments
    On the topic of zones and the CLR ... Windows lets you define custom zones outside of the standard ones that the CLR knows about (see MSDN's topic on Security Zones for more information). However, because the CLR doesn't know about them, generally...

    How does the CLR figure out Zone evidence?

    • 4 Comments
    This week, I've had three separate cases where people have wondered why the CLR was assigning seemingly incorrect zone evidence to their assembly, causing their permission sets to be less than what was expected. The quick and dirty answer is that the...

    Simple Sandboxing and the LoadFrom Demand

    • 1 Comments
    One of the common problems that people run into when setting up simple sandbox domains in their application is that any call through to Assembly.LoadFrom results in a FileIOPermission demand for read access to the assembly in question. Generally, the...

    Category Cleanup

    • 0 Comments
    My Ship-It sticker for Whidbey shows that we officially shipped on October 27th -- hard to believe it's been 6 months already! In celebration of the anniversary, I'm going to remove the Whidbey category from this blog, and future posts will assume...

    Visual Studio Tip: Editing Project Files

    • 11 Comments
    Earlier I mentioned tweaking project files -- something that a lot of people do just by opening the project file up in Notepad and tweaking it. Although it's a bit hard to discover, you can actually do this right within Visual Studio 2005, saving you...

    Sharing a Strong Name Key File Across Projects

    • 34 Comments
    v2.0 of the .NET Framework deprecated the use of the AssemblyKeyFileAttribute and AssemblyKeyContainerAttribute. Oftentimes, these attributes were used to share a common key file across several projects. If you try to share key files using the Visual...

    5 Reasons to Choose Simple Sandboxing

    • 17 Comments
    When it comes time to host some partially trusted code in your application, perhaps as a part of an Add-In model, you’ve got a few options to choose from. How do you decide which is the best way to go? Thankfully the answer to this one is relatively...

    Adding a UAC Manifest to Managed Code

    • 12 Comments
    The UAC feature of Vista is one of my favorite new features -- it really makes running as a non-admin much less painful than it has been in the past. One of the requirements that UAC puts on developers is that we must mark our applications with manifests...

    FxCop Transparency Rules

    • 1 Comments
    The FxCop team has just announced the availability of RC 1 of FxCop 1.35. Notable in this release is the introduction of the first three rules around security transparency. Namely, you'll see: SecurityTransparentAssembliesShouldNotContainSecurityCriticalCode...

    What Happens When You Fully Sign a Test Signed Assembly

    • 3 Comments
    When an assembly is test signed, the public key used to verify its signature is different from the public key that makes up part of the assembly identity. So what happens when you take an assembly which is registered as a test signed assembly on your...

    Getting Information about an X509Certificate's Key Container

    • 8 Comments
    One of the more common things a lot of people want to do with their X509Certificate2 is figure out what key container its keys are stored in. You can access this information relatively trivially via the PublicKey property of the X509Certificate2 object...

    Debugging a Partial Trust ClickOnce Application

    • 3 Comments
    Although the theory is that by the time we deploy a finished application it's already fully debugged, we all know that in practice things rarely go that smoothly. So what happens if you deploy a partial trust ClickOnce application that starts to crash...

    SSCLI v2

    • 5 Comments
    As Jason announces, v2.0 of the SSCLI is now available for download: http://msdn.microsoft.com/net/sscli. In addition to general CLR features like generics that are available in this download, some interesting security points to look at are: ...

    Why Can't I See Extended SecurityException Information?

    • 1 Comments
    The v2.0 SecurityException is chock full of debugging goodness -- for trusted code that is. In some cases you might not see all the extended error information. The reason is that before writing extra security information into the output of ToString()...

    Return of the Mailbag

    • 1 Comments
    Over the last week or so I've seen a few questions pop up multiple times. In no particular order: Q: Is calling a virtual method with a non-virtual call verifiable? A: It depends :-) In v1.x of the CLR this was verifiable. We made a change in v2...

    Impersonation and Exception Filters in v2.0

    • 8 Comments
    A while back, I wrote about a potential security hole when malicious code can set up an exception filter before calling your code which does impersonation. In the final release of v2.0, we've added a feature to help mitigate this problem. The CLR...

    Enveloped PKCS #7 Signatures

    • 16 Comments
    One of the new cryptography features in the v2.0 framework is the ability to work with PKCS #7 formatted messages. The PKCS features live in the new System.Security.Cryptography.Pkcs namespace in System.Security.dll, and are thin wrappers around the...

    APTCA and Custom Attributes

    • 2 Comments
    Haibo just posted an excellent article about what happens when you use reflection to get a custom attribute across trust boundaries. The specific situation he talks about is when you have: A fully trusted assembly defining a custom attribute ...

    The best part about today ...

    • 3 Comments
    ... the availability of peanut butter cups 6 2/3 times bigger than normal. The best part about tomorrow? They'll probably be available for less than a dollar at Safeway. I can feel the waistline growing already :-)