• .NET Security Blog

    What can an ApplicationTrust tell us about an AppDomain

    • 0 Comments
    In v2.0, there is a new ApplicationTrust property on the AppDomain class. This property will be non-null in two conditions: your application is a ClickOnce application, or your code is running in a simple sandbox domain. In the ClickOnce case,...
  • .NET Security Blog

    Comments in the blog

    • 0 Comments
    Eric just pointed out to me that no comments appear to be showing up in my blog recently. I had switched on moderation for anonymous users, and for some reason the notification email stopped being sent to me. I've gone through the backlog of comments...
  • .NET Security Blog

    Adding SignatureProperties to SignedXml

    • 3 Comments
    One of the optional portions of the W3C XML digital signature specification allows for a set of SignatureProperties to be assigned to a signature. SignatureProperties allow the signer to place some metadata into the signature itself, such as the time...
  • .NET Security Blog

    Debugging Lightweight CodeGen in VS

    • 0 Comments
    Haibo just posted about his debugger visualizer for dynamic methods. This is a pretty sweet piece of code for anyone who uses lightweight code generation and needs to debug the code they've emitted. Basically it adds a visualizer to DynamicMethod objects...
  • .NET Security Blog

    Test Key Signing

    • 10 Comments
    One feature that will start to show up on the latest CTP of Whidbey is test key signing -- basically delay signing++. Let's do a quick review of what delay signing is, and then see where test key signing takes over. Recall a delay signed assembly is one...
  • .NET Security Blog

    Using Host Protection

    • 4 Comments
    Yesterday we looked at what host protection is and what it does. Today let's modify the ADMHost sample code so that it disables access to self-affecting and external threading operations. We'll then attempt to run a bit of code that launches 10 threads...
  • .NET Security Blog

    Host Protection

    • 5 Comments
    One of our new Whidbey hosting features is called Host Protection -- basically it allows an application hosting the CLR to declare some types of operations off limits for use by hosted code. This is orthogonal to CAS in that CAS allows an administrator...
  • .NET Security Blog

    MSDN Security Issue

    • 0 Comments
    The annual MSDN Security Issue is now out. In addition to containing my article on hosting untrusted code, it also has one by Mike on What's New With Code Access Security in the .NET Framework 2.0. We worked to make these two articles fit nicely together...
  • .NET Security Blog

    Exploring the ADMHost Sample

    • 0 Comments
    When I first talked about AppDomainManagers, I mentioned that there were three ways to set them up. You can either set up an environment block, use some registry keys, or use the unmanaged hosting API. In most of my samples so far I've used the environment...
  • .NET Security Blog

    New Security Features in Visual Studio 2005

    • 0 Comments
    Brian Johnson has a new article on MSDN about New Security Features in Visual Studio 2005. Definitely worth a read -- he covers a lot of area, from Application Verifier, to ClickOnce, to PermCalc, right on down to unit testing.
  • .NET Security Blog

    Tour the CLR Security Team

    • 0 Comments
    Mike and I have been spending time this week meeting with the Visual Developer Security MVPs -- having plenty of discussion about what we can do in future releases of the framework and how CAS relates to some of the rest of Microsoft's products. It's...
  • .NET Security Blog

    Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0

    • 12 Comments
    The MSDN Magazine site just put up my article, Do You Trust It? Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0, as a preview of their November security issue. In the article I cover various techniques for safely...
  • .NET Security Blog

    Transparency and Member Visibility

    • 0 Comments
    Before PDC we were talking a bit about security transparency, namely what it is and how to use it. We learned the restrictions placed on transparent code which prevent it from elevating the permissions of the call stack, namely: Transparent code...
  • .NET Security Blog

    Using Add-Ins with a ClickOnce Deployed Application

    • 7 Comments
    One of the attendees at the PDC had an interesting question combining ClickOnce and Add-Ins. Basically, his application was being deployed with ClickOnce, and was running without elevating its privileges beyond the Internet zone [fan-tastic :-)]. The...
  • .NET Security Blog

    RequestOptional Removes Permissions

    • 1 Comments
    Another interesting question arose today. An assembly was granted FullTrust by policy, which was confirmed by CasPol. Yet it was being prevented from calling code in non-APTCA assemblies. Turns out that the code in question had an assembly level RequestOptional...
  • .NET Security Blog

    Creating Partial Trust Directories

    • 2 Comments
    Last night at the Writing Partial Trust Code BoF, someone was wondering if they could create a sort of download sandbox on their machine. The problem that we're trying to solve is to be able to save code to the local machine from the browser instead of...
  • .NET Security Blog

    PDC '05: Quote of the Day

    • 1 Comments
    The day's winding down now, and I'm getting ready to head to Keith's BoF's Writing Secure Code and Writing Partially Trusted Code. Before taking off, here's the quote of the day from PDC: "The two things that are helping .NET really take off are the...
  • .NET Security Blog

    PDC '05: Lunch with Apple

    • 1 Comments
    Just got back from lunch with a group from Apple. After checking the rule book, it turns out that no physical laws would be violated by having Apple and Microsoft so close together, and thankfully there was no matter-antimatter reaction :-). They were...
  • .NET Security Blog

    PDC '05: Let There Be Light

    • 0 Comments
    After spending the beginning of the morning in the Fundamentals Lounge, I went up to see Keith during the intermission of his Art of Secure Coding and to let him know that Mike and I would swing by his BOF's tomorrow. Afterwards, we grabbed some lunch...
  • .NET Security Blog

    PDC '05: Developer Powered

    • 0 Comments
    I'll be heading down to Los Angeles this Sunday to take part in my first PDC. I'm going to spend most of my time in the Fundamentals Track Lounge. I'll also be celebrating my birthday at the Ask the Experts on Thursday from 6:30-9:00 (and hopefully celebrating...
  • .NET Security Blog

    Marking Your Code Transparent

    • 8 Comments
    Last week I discussed the concepts of security transparency and security critical code. Now it's time to get into the how-to's. Marking an Entire Assembly Critical: This is by far the easiest of the operations ... just do nothing [:D]. By default...
  • .NET Security Blog

    IronPython + MDbg = good times

    • 3 Comments
    Mike Stall recently completed a project to embed IronPython into the MDbg debugger as an MDbg extension. IronPython's hosting interface is pretty slick, in fact it took Mike only 10 steps to get IronPython running inside MDbg and expose the debugger functionality...
  • .NET Security Blog

    When the Opposite of Transparent isn't Opaque

    • 5 Comments
    When you provide an assembly that will be called by partially trusted callers, you need to make sure that you do a thorough security audit of that assembly -- especially if it’s an APTCA assembly. One of the primary reasons this security review is required...
  • .NET Security Blog

    Getting Help with your .NET Questions

    • 6 Comments
    Recently I've been getting a lot of email from this blog asking for help with various problems. Although I'd love to help out, I don't have the time to address each mail directly. In fact, most of the problems I (and other members of the CLR team I've...
  • .NET Security Blog

    What's New in Security for v2.0

    • 10 Comments
    There's a ton of new and enhanced security features coming with the v2.0 release of the CLR. However, finding a definitive list of them all can be a somewhat challenging task. Dominick Baier has an excellent slide deck detailing some of the changes and...