• .NET Security Blog

    An Interesting Take On Two-Factor Authentication

    • 6 Comments
    (via Bruce Schneier) Two banks in New Zealand are introducing an interesting form of two-factor authentication. Looks like anyone who tries to transfer $2,500 or more to a third party bank account via the website will be required to use their new technology...
  • .NET Security Blog

    What to do when CasPol throws SecurityExceptions

    • 5 Comments
    CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code. Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy...
  • .NET Security Blog

    Getting the Current Permissions in a Named Permission Set

    • 5 Comments
    There are several named permission sets defined by default in the CLR security policy: FullTrust SkipVerification Execution Nothing LocalIntranet Internet Everything These sets are used to create the default policy, however there's nothing stopping any...
  • .NET Security Blog

    FormatMessage Shortcut for Win32 Error Codes

    • 5 Comments
    If you ever need to P/Invoke to an API that returns extended error information via the GetLastError function, then you've also probably been through the pain of converting the error code into a usable error message via the FormatMessage API ... not exactly...
  • .NET Security Blog

    How do you use MigPol?

    • 5 Comments
    In preparing for Whidbey, we'd like to collect some information about how you use the MigPol tool. Specifically, the CLR Security team is interested in: How do you use MigPol? How often do you use it? Common usage scenarios Did you even know MigPol existed...
  • .NET Security Blog

    Managed StrongName API

    • 5 Comments
    About a week ago, I wrote about verifying strong name signatures from managed code. There are also several other strong name APIs exposed to unmanaged code that don't have any managed equivalent, so I thought it might be a good idea to turn that post...
  • .NET Security Blog

    Using the XSLT Transform with XML Signatures

    • 5 Comments
    One of the transforms that ships with the .NET Framework is the XmlDsigXsltTransform, which implements the XSLT transform specified in the W3C recommendation. A few people have asked me to write a bit on how to use this transform, so here's a brief explanation...
  • .NET Security Blog

    Using the Hashing Transforms (or How Do I Compute a Hash Block by Block)

    • 5 Comments
    Occasionally I get asked how to use the hashing algorithms that ship with .NET to get the hash of some data when there is only access to pieces of the input at a time. This comes up for various reasons, sometimes the input data is too big to fit entirely...
  • .NET Security Blog

    Using XML Encryption With CipherReferences, Part 1 - Local Data

    • 5 Comments
    Most users of encrypted XML will encrypt their data and embed the resulting cipher value directly into the EncryptedData element, using a CipherValue tag. However, XML encryption also supports the use of CipherReferences, which allow you to place the...
  • .NET Security Blog

    Comparison of .NET and Java Security

    • 5 Comments
    Denis Piliptchouk has written a four part series comparing .NET and Java security on O'Reilly's OnJava site. Part 1 - Security Configuration and Code Containment Part 2 - Cryptography and Communication Part 3 - Code Protection and CAS Part...
  • .NET Security Blog

    Host Protection

    • 5 Comments
    One of our new Whidbey hosting features is called Host Protection -- basically it allows an application hosting the CLR to declare some types of operations off limits for use by hosted code. This is orthogonal to CAS in that CAS allows an administrator...
  • .NET Security Blog

    LinkDemands and InheritanceDemands Occur at JIT Time

    • 5 Comments
    We previously saw that the SkipVerification demand for calling a method with unverifiable code occurs at JIT time rather than at runtime. Two other types of demands also occur at JIT time, LinkDemands and InheritanceDemands. An InheritanceDemand will...
  • .NET Security Blog

    SSCLI v2

    • 5 Comments
    As Jason announces, v2.0 of the SSCLI is now available for download: http://msdn.microsoft.com/net/sscli . In addition to general CLR features like generics that are available in this download, some interesting security points to look at are: ...
  • .NET Security Blog

    Why Do I Still Get an Exception Accessing a File with Full FileIOPermission?

    • 5 Comments
    This issue (and its cousin: Why Do I Still Get an Exception Accessing the Registry with Full RegistryPermission?) comes up fairly frequently on the newsgroups. The reasoning is actually very simple. The exception being thrown in these cases arises from...
  • .NET Security Blog

    What Happens When You Sign With A Larger Key

    • 5 Comments
    In response to last Friday's post about creating a key that's longer than 1024 bits, Nicole wondered if anyone had tried doing this, and what the results might be. I just created a 16,384 bit key on beta 1 of the framework (confirming Eugene's time estimate...
  • .NET Security Blog

    Finding the Raw Strong Name Signature

    • 5 Comments
    Wow ... there's been lots of interest in signatures lately :-) In response to my last post about reserving a larger section of the PE file for the signature when you create a signature with a larger key, William wants to know if you can extract the actual...
  • .NET Security Blog

    Loading the Same Assembly with Different Evidence

    • 5 Comments
    Assembly.Load provides overloads that take an Evidence object in addition to the name of the assembly to load. This leads to the question -- what happens if you were to load the same assembly multiple times with different Evidence. It's easy enough...
  • .NET Security Blog

    Setting up an AppDomainManager

    • 5 Comments
    When I first talked about AppDomainManagers, I mentioned that there were three ways to tell the CLR that you'd like to use the managed hosting infrastructure: The unmanaged hosting API Environment variables APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE...
  • .NET Security Blog

    Viewing IL at Debug Time

    • 5 Comments
    Last week, I mentioned Yiru’s post on using SOS to see the IL of a dynamically generated method. Yiru’s post is about lightweight code gen, but the technique she shows is useful for more general purpose managed debugging. Let’s work...
  • .NET Security Blog

    More on First Pass Exception Issues

    • 5 Comments
    Keith Brown recently pointed out that the issues with first pass exception handling extend well beyond the instance I mention of correctly reverting your impersonation context. Basically, anywhere you rely on a finally block to keep your state consistent...
  • .NET Security Blog

    Authenticated Symmetric Encryption in .NET

    • 5 Comments
    Over the last week, we've made a couple of updates to our Codeplex projects to add authenticated symmetric encryption to the managed cryptography surface area for the first time. Since we've never supported authenticated symmetric algorithms in managed...
  • .NET Security Blog

    Every CLR has Independent CAS Policy

    • 5 Comments
    It’s relatively easy to find a set of instructions for using caspol or Admin UI to provide a CAS elevation for some managed code that’s hitting security exceptions. However, using the directions correctly gets complicated when multiple runtimes are on...
  • .NET Security Blog

    Silverlight Security Cheat Sheet

    • 5 Comments
    Over the last week we took a look at the new Silverlight security model. When you're writing a Silverlight application though, there's a lot of information there that you may not want to wade through to get yourself unblocked. Here's a quick cheat sheet...
  • .NET Security Blog

    Strong Name Bypass

    • 5 Comments
    Many managed applications start up slower than they really need to because of time spent verifying their strong name signatures. For most of these applications, the strong name verification isn't buying the application anything - especially fully trusted...
  • .NET Security Blog

    When the Opposite of Transparent isn't Opaque

    • 5 Comments
    When you provide an assembly that will be called by partially trusted callers, you need to make sure that you do a thorough security audit of that assembly -- especially if it’s an APTCA assembly. One of the primary reasons this security review is required...
Page 5 of 15 (368 items)