• .NET Security Blog

    Visual Studio Tip: Editing Project Files

    • 11 Comments
    Earlier I mentioned tweaking project files -- something that a lot of people do just by opening the project file up in Notepad and tweaking it. Although it's a bit hard to discover, you can actually do this right within Visual Studio 2005, saving you...

    Customizing the AppDomain Creation Process

    • 8 Comments
    Last week, I posted about AppDomainManagers. Today, I'm going to look a little more closely at how the AppDomainManager allows you to customize the domain creation process. Specifically there are two methods that, when overridden, allow you to modify...

    RSACryptoServiceProvider, Impersonation, and Ephemeral Keys

    • 2 Comments
    If you construct an RSACryptoServiceProvider class without specifying a name for the key, the CLR will create a random ephemeral key for you. However, ephemeral keys are not supported by the underlying CAPI APIs on all of the platforms that the CLR was...

    Whidbey's Security Off Model

    • 17 Comments
    Although the v1.0 and v1.1 versions of CasPol provided a switch to disable the CLR's security system, running without CAS enforcement on was never a scenario that we encouraged for obvious reasons. The choice to disable security was a system wide switch...

    IronPython + MDbg = good times

    • 3 Comments
    Mike Stall recently completed a project to embed IronPython into the MDbg debugger as an MDbg extension. IronPython's hosting interface is pretty slick, in fact it took Mike only 10 steps to get IronPython running inside MDbg and expose the debugger functionality...

    Return of the Mailbag

    • 1 Comments
    Over the last week or so I've seen a few questions pop up multiple times. In no particular order: Q: Is calling a virtual method with a non-virtual call verifiable? A: It depends :-) In v1.x of the CLR this was verifiable. We made a change in v2...

    Coding with Security Policy in .NET 4.0 – Implicit uses of CAS policy

    • 4 Comments
    Last week we looked at sandboxing and the v4 CLR – with the key change being that the CLR now defers exclusively to the host application when setting up sandboxed domains by moving away from the old CAS policy model, and moving instead to simple sandboxed...

    Test Signing in Action: IronPython Beta 7

    • 1 Comments
    The IronPython team just announced their v1.0 beta 7 release, which is especially interesting to me because they’ve enabled IronPython to be signed with a test key signature. Beta 7 has four configurations, the standard Release and Debug along with...

    Sandboxing in .NET 4.0

    • 7 Comments
    Yesterday I talked about the changes in security policy for managed applications, namely that managed applications will run with full trust - the same as native applications - when you execute them directly. That change doesn’t mean that managed code...

    Creating Partial Trust Directories

    • 2 Comments
    Last night at the Writing Partial Trust Code BoF, someone was wondering if they could create a sort of download sandbox on their machine. The problem that we're trying to solve is to be able to save code to the local machine from the browser instead of...

    Comparing Java and .NET Security

    • 12 Comments
    It's been a while since I've last seen a comparison of Java and .NET security. Nathanael Paul and David Evans from the University of Virginia Computer Science Department recently finished their comparison, Comparing Java and .NET Security: Lessons Learned...

    Using the Hashing Transforms (or How Do I Compute a Hash Block by Block)

    • 5 Comments
    Occasionally I get asked how to use the hashing algorithms that ship with .NET to get the hash of some data when there is only access to pieces of the input at a time. This comes up for various reasons, sometimes the input data is too big to fit entirely...

    More on the FullTrust GAC

    • 19 Comments
    Last week I mentioned that although currently assemblies in the GAC receive FullTrust as a side effect of the GAC being on the local machine, from Whidbey beta 2 and beyond, being in the GAC will imply FullTrust on its own. A lot of the feedback wondered...

    Viewing IL at Debug Time

    • 5 Comments
    Last week, I mentioned Yiru’s post on using SOS to see the IL of a dynamically generated method. Yiru’s post is about lightweight code gen, but the technique she shows is useful for more general purpose managed debugging. Let’s work...

    Getting Information about an X509Certificate's Key Container

    • 8 Comments
    One of the more common things a lot of people want to do with their X509Certificate2 is figure out what key container its keys are stored in. You can access this information relatively trivially via the PublicKey property of the X509Certificate2 object...

    What to do when CasPol throws SecurityExceptions

    • 5 Comments
    CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code. Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy...

    Finding the Raw Strong Name Signature

    • 5 Comments
    Wow ... there's been lots of interest in signatures lately :-) In response to my last post about reserving a larger section of the PE file for the signature when you create a signature with a larger key, William wants to know if you can extract the actual...

    Signing Specific XML With References

    • 6 Comments
    I've previously blogged about creating XML digital signatures using the .NET framework, but today I'd like to write about a more advanced technique using these signatures. My previous post signed an entire XML document, however, this is not always necessary...

    Public Key Tokens

    • 1 Comments
    Time for another visit to the managed strong name API; this time let's take a look at public key tokens. If we want to calculate a token, the strong name API provides two functions that we can use. We've already covered the first, StrongNameTokenFromAssemblyEx...

    3 Years, 3 Pounds

    • 3 Comments
    Today marks my 3 year anniversary on the CLR security team (not counting my internship, which I suppose would bring me to 3 years 3 months). We have a tradition on the CLR team where on the anniversary of your hire, you bring in an equivalent number of...

    Happy Birthday Channel 9

    • 2 Comments
    Channel 9 turns one year old today, and to celebrate they've been releasing quite a few interesting interviews. One in particular that really stands out is the four parter with Windows Kernel Architect Dave Probert. Dave gives an overview of Windows...

    Why == and the Equals Method Return Different Results for Floating Point Values

    • 3 Comments
    There's a subtle difference between comparing floating point values with the Equals method and comparing them with the == operator. (In all the code I show in this post, I use the Double class, however everything I say also applies to the Single class...

    Getting the Current Permissions in a Named Permission Set

    • 5 Comments
    There are several named permission sets defined by default in the CLR security policy: FullTrust, SkipVerification, Execution, Nothing, LocalIntranet, Internet, Everything. These sets are used to create the default policy, however there's nothing stopping any...

    Elliptic Curve DSA

    • 3 Comments
    Yesterday I gave a quick rundown of all the new cryptographic algorithms available in the Orcas January CTP. Today, let's dive in a little deeper to the first of the elliptic curve algorithms, ECDSA. (ECDSA, along with the rest of the CNG classes in...

    Easily Creating a StrongNameMembershipCondition for an Assembly

    • 3 Comments
    Taking a break from sandboxing in an AppDomain for a minute, let's take a look at another aspect of policy. One situation that comes up very frequently when trying to execute code in a limited-trust sandbox is that there are some assemblies that you do...