• .NET Security Blog

    SN v2.0 Works With PFX Files

    • 10 Comments
    One enhancement to the v2.0 SN tool that may not get noticed right away is that it now has the ability to work with PKCS #12 PFX files in addition to SNK files. The logic here is that a self-signed certificate stored in a PFX file is the moral equivalent...
  • .NET Security Blog

    What Happens If Security Policy Files Are Missing?

    • 0 Comments
    We've previously discussed where the security policy files are located on your disk. Depending on how you install the CLR, you may find that the actual security .config files are missing -- what does the CLR do if it can't find them? Even if there...
  • .NET Security Blog

    Which Package are the Security Tools In?

    • 13 Comments
    When installing the v2.0 .NET redist package, you'll find that the .NET Configuration MMC snap-in is missing. As of v2.0, we've moved this tool to the SDK package, which you can download here: [x86] [x64] [IA64]. The split of security tools between...
  • .NET Security Blog

    Deny and PermitOnly Are Not For Sandboxing

    • 0 Comments
    Deny and PermitOnly cannot be used to create an effective sandbox because, like Assert, they function as stack walk modifiers -- meaning they modify the current call stack and not the grant set of an assembly. We talked about this previously in Assert...
  • .NET Security Blog

    UAC Policy Settings

    • 0 Comments
    The new UAC blog (formerly LUA, formerly UAP) has up a good post on the six security policy settings that have been introduced to control how UAC works. As the Vista betas start coming out and people can start to play with UAC, knowing that some of these...
  • .NET Security Blog

    Detecting that You're Running in a ClickOnce Application

    • 15 Comments
    In my last post, I mentioned that application scoped isolated storage only works if you're running in a ClickOnce application. That begs the question -- how do I tell if I'm currently running in the context of a ClickOnce application? You can see...
  • .NET Security Blog

    Isolated Storage and ClickOnce

    • 13 Comments
    Isolated storage introduced a new scope in v2.0 of the CLR to work with ClickOnce applications. Application scoped Isolated storage is backed by the application's data directory. This enables scenarios where your isolated storage data will flow forward...
  • .NET Security Blog

    How Do You Customize Your Policy?

    • 8 Comments
    As part of planning for our next release, we're interested in collecting some data on how you customize your security policy. We're interested in as much information as you have to offer. For instance, do you mainly add code groups to the machine level...
  • .NET Security Blog

    LinkDemands and InheritanceDemands Occur at JIT Time

    • 5 Comments
    We previously saw that the SkipVerification demand for calling a method with unverifiable code occurs at JIT time rather than at runtime. Two other types of demands also occur at JIT time, LinkDemands and InheritanceDemands. An InheritanceDemand will...
  • .NET Security Blog

    PrincipalPermission and Finalizers

    • 3 Comments
    Nicole Calinoiu, one of our developer security MVPs, has just posted a good description of the problems that occur when using PrincipalPermission with impersonation and finalizers. The key thing to take away from this is that impersonation occurs on...
  • .NET Security Blog

    Mike Rousos on Registry Security

    • 2 Comments
    Over the weekend, Mike Rousos (a BCL tester who's been temporarily drafted onto the security team) posted an interesting piece about the new BCL registry security support on the BCL blog. While the title mentions RegistryPermission, the post is actually...
  • .NET Security Blog

    RSACryptoServiceProvider::Encrypt Does Not Provide Deterministic Output

    • 2 Comments
    On one of our internal mailing lists, someone was recently surprised that calling RSACryptoServiceProvider::Encrypt on the same bytes with the same instance of the RSA object resulted in two completely different output byte arrays. The reason is that...
  • .NET Security Blog

    Debugging ADMHost

    • 0 Comments
    A few people have noticed that the ADMHost sample is not set up to do mixed mode debugging by default. If you're working with this sample and you'd like to debug through both halves of the host, you'll need to enable this mode. Right click on the...
  • .NET Security Blog

    Happy Holidays

    • 2 Comments
    It's that time of year again when most of the offices around Microsoft start going dark, and I'll be adding 42/2221 to that list for the next couple of weeks as I head off to New York for Christmas. My traditional weather.com check shows that I should...
  • .NET Security Blog

    What Do You Want to See in Crypto / ClickOnce?

    • 7 Comments
    Now that Whidbey's out the door, it's time to look at what we want to do in future releases. If you've run into any issues with the crypto classes or with ClickOnce let me know! You can leave comments here or file requests in the MSDN Product Feedback...
  • .NET Security Blog

    New and Improved Security in the .NET Framework 2.0

    • 3 Comments
    To add to our other lists of "What's New in Whidbey Security", Rudolph Araujo and Shanit Gupta have a nice roundup of new security features posted on the Microsoft .NET Framework Developer Center. They've got them categorized, summarized, and provide...
  • .NET Security Blog

    Process Requires FullTrust

    • 6 Comments
    The Process class has a LinkDemand and an InheritanceDemand for FullTrust on it. This means that if your assembly is not fully trusted, it will be unable to kick off new Processes or get information about running processes. One implication is that assemblies...
  • .NET Security Blog

    Authenticode and Assemblies

    • 13 Comments
    The general concepts of Authenticode signing an assembly are well understood -- they mostly correlate directly to the standard Win32 concept of a signed catalog. However, there are a few places where managed code plays differently, and sometimes these...
  • .NET Security Blog

    A Look at the Xbox 360 CPU Design

    • 2 Comments
    Jeffery Brown has posted his paper on the Xbox 360 CPU Design from the Fall Processor Forum over on IBM's DeveloperWorks. Since I have my degree in hardware design, I always find these types of things interesting. While this paper is at a relatively...
  • .NET Security Blog

    CryptEncrypt and RSACryptoServiceProvider::Encrypt

    • 10 Comments
    The RSACryptoServiceProvider class provides two methods, Encrypt and Decrypt, which seem to be the managed counterparts to CAPI's CryptEncrypt and CryptDecrypt functions. However, if you try to encrypt using CAPI and decrypt using managed code, you'll...
  • .NET Security Blog

    Why Can't I See My Partially Trusted ClickOnce Applications in Task Manager?

    • 0 Comments
    If you're developing a partial trust ClickOnce application and are looking for its process in Task Manager or Process Explorer, you might be surprised that you can't find it listed anywhere. What you will see however is a process named AppLaunch.exe....
  • .NET Security Blog

    Where Does the Stack Walk Start or: Why Do Demands from Main Always Succeed?

    • 3 Comments
    When starting to play with CAS a lot of people come up with toy programs that simply do a Demand for some permission or another, then copy that program to various locations that will cause it to be granted different permission sets. It's generally a surprise...
  • .NET Security Blog

    Finding the Source Code for an Assembly

    • 2 Comments
    Sometimes, especially when working on large projects (such as, I don't know, say ... the CLR), you find yourself debugging a problem where you don't know where a component is built from. Depending on the problem, it might be useful to get to the sources...
  • .NET Security Blog

    All About RSAParameters

    • 3 Comments
    The RSA class exposes an ExportParameters method which allows you to get at the raw RSA key in the form of an RSAParameters structure. What that structure contains isn't very obvious to people not familiar with how RSA works. With fields named P, Q, D...
  • .NET Security Blog

    Don't Roundtrip Ciphertext Via a String Encoding

    • 37 Comments
    One common mistake that people make when using managed encryption classes is that they attempt to store the result of an encryption operation in a string by using one of the Encoding classes. That seems to make sense right? After all, Encoding.ToString...