• .NET Security Blog

    Process Requires FullTrust

    • 6 Comments
    The Process class has a LinkDemand and an InheritanceDemand for FullTrust on it. This means that if your assembly is not fully trusted, it will be unable to kick off new Processes or get information about running processes. One implication is that assemblies...
  • .NET Security Blog

    Using Host Protection

    • 4 Comments
    Yesterday we looked at what host protection is and what it does. Today let's modify the ADMHost sample code so that it disables access to self-affecting and external threading operations. We'll then attempt to run a bit of code that launches 10 threads...
  • .NET Security Blog

    Is CAS dead in .NET 4?

    • 7 Comments
    With all the changes in the security system of .NET 4, the question frequently arises “so, is CAS dead now?”. One of the reasons that this question comes up so frequently is that the term CAS in the .NET 1 security model was overloaded to refer to many...
  • .NET Security Blog

    New Crypto Algorithms in Orcas

    • 6 Comments
    The January CTP of Orcas is now available, and with it comes a total of 12 new cryptography algorithm implementation classes, which include 2.5 new algorithms. (I'll count AES as 0.5 since we did already have Rijndael :-) ). These classes also are the...
  • .NET Security Blog

    How to link to an ActiveX Control from a Strongly Named Assembly

    • 3 Comments
    Windows Forms has a feature that allows you to use an ActiveX control on your managed form. All you have to do is add the control to your toolbox, and VS takes care of the rest behind the scenes. But this feature has a bit of a problem when it comes to...
  • .NET Security Blog

    Column Guides in Visual Studio

    • 8 Comments
    A lot of coding guidelines specify the maximum length for a line of code. For instance in the CLR, we like to keep lines of code under 110 characters long. Visual Studio has a feature which lets you display a vertical line at the column of your choosing...
  • .NET Security Blog

    Impersonation and Exception Filters in v2.0

    • 8 Comments
    A while back, I wrote about a potential security hole when malicious code can set up an exception filter before calling your code which does impersonation. In the final release of v2.0, we've added a feature to help mitigate this problem. The CLR...
  • .NET Security Blog

    Whidbey's Secure CRT

    • 8 Comments
    One of the features that the Whidbey release of Visual C++ is going to bring is the new Secure CRT. The C++ library team has put a lot of work into creating safe alternatives to the old C runtime library functions that seem to always be behind security...
  • .NET Security Blog

    Adding SignatureProperties to SignedXml

    • 3 Comments
    One of the optional portions of the W3C XML digital signature specification allows for a set of SignatureProperties to be assigned to a signature. SignatureProperties allow the signer to place some metadata into the signature itself, such as the time...
  • .NET Security Blog

    Using Add-Ins with a ClickOnce Deployed Application

    • 7 Comments
    One of the attendees at the PDC had an interesting question combining ClickOnce and Add-Ins. Basically, his application was being deployed with ClickOnce, and was running without elevating its privileges beyond the Internet zone [fan-tastic :-)]. The...
  • .NET Security Blog

    Deploying Policy on v1.0 and 1.1 of the CLR

    • 9 Comments
    A lot of the time, someone has written an application that won't run under the CLR's default security settings and needs to provide a mechanism for their users to modify the policy easily in order to allow their application to run. For Whidbey, ClickOnce...
  • .NET Security Blog

    Detecting that You're Running in a ClickOnce Application

    • 15 Comments
    In my last post, I mentioned that application scoped isolated storage only works if you're running in a ClickOnce application. That begs the question -- how do I tell if I'm currently running in the context of a ClickOnce application? You can see...
  • .NET Security Blog

    Bypassing the Authenticode Signature Check on Startup

    • 3 Comments
    A while back I wrote about the performance penalty of loading an assembly with an Authenticode signature. The CLR will attempt to verify the signature at load time to generate Publisher evidence for the assembly. However, by default most applications...
  • .NET Security Blog

    Reducing Startup Time Due To Strong Name Verification

    • 6 Comments
    Occasionally we run into a scenario where someone asks about shipping a strong name skip verification entry for their assembly with their product. Generally, their reasoning is that the performance hit of strong name verification is too great for their...
  • .NET Security Blog

    Please do not use the .NET 2.0 HMACSHA512 and HMACSHA384 Classes

    • 19 Comments
    We’ve recently discovered a bug in the HMACSHA512 and HMACSHA384 classes which shipped in the .NET Framework 2.0. This bug will cause these algorithms to produce incorrect results which are not consistent with other implementations of HMAC-SHA-512 and...
  • .NET Security Blog

    Extracting Public Key Blobs

    • 2 Comments
    (Updated 12/3/04 for code refactoring) Before letting another two months pass, it's time to once again update the managed sn.exe port. Today's update adds three modes, each of which allows extraction of a public key blob from various sources: Flag Description...
  • .NET Security Blog

    The Managed Hosting API

    • 12 Comments
    With v1.0 and v1.1 of the CLR, if you wanted to have much control over how the CLR was working under the covers, you needed to write an unmanaged host. The unmanaged hosting API still exists with Whidbey (in fact, it's gotten quite a few improvements of...
  • .NET Security Blog

    ClickOnce Same Site Permissions

    • 4 Comments
    ClickOnce applications can request that they be granted permission to contact their site of origin. In Visual Studio this is done by clicking on the Advanced button in the Security tab of the project properties and checking "Grant the application access...
  • .NET Security Blog

    Silverlight Security III: Inheritance

    • 2 Comments
    Over the last few days we've looked at the basics of the CoreCLR security model in Silverlight, and how to tell which platform APIs are available for applications to call. Let's wrap up this mini-series on CoreCLR security by looking at how the CoreCLR...
  • .NET Security Blog

    Which Package are the Security Tools In?

    • 13 Comments
    When installing the v2.0 .NET redist package, you'll find that the .NET Configuration MMC snap-in is missing. As of v2.0, we've moved this tool to the SDK package, which you can download here: [x86] [x64] [IA64]. The split of security tools between...
  • .NET Security Blog

    Combining Strong Names with Authenticode

    • 6 Comments
    If you want to use both a strong name and Authenticode signature on your assembly (for instance if you need a strong name for strong assembly identity, and your company has a rule requiring Authenticode signatures on all shipped products), then you need...
  • .NET Security Blog

    Searching for Custom ID Tags With Signed XML

    • 16 Comments
    Last week, I blogged about using references to sign only specific parts of an XML document. The biggest limitation with doing this is that you must refer to the nodes that are being signed by ID, which for v1.1 and 1.0 of the framework was given by an...
  • .NET Security Blog

    Authenticated Symmetric Encryption in .NET

    • 5 Comments
    Over the last week, we've made a couple of updates to our Codeplex projects to add authenticated symmetric encryption to the managed cryptography surface area for the first time. Since we've never supported authenticated symmetric algorithms in managed...
  • .NET Security Blog

    I'm Published!

    • 4 Comments
    The November 2004 issue of MSDN magazine is available online now, and it includes the first article I've ever had published. I co-authored this month's Trustworthy Code article, Exchange Data More Securely with XML Digital Signatures and Encryption with...
  • .NET Security Blog

    Which Groups Does WindowsIdentity.Groups Return?

    • 1 Comment
    WindowsIdentity exposes a Groups property which returns a collection of IdentityReferences for the groups that a particular user is a member of. However, if you look closely, you'll find that these returned groups won't necessarily include all of the...
Page 4 of 15 (368 items)