• .NET Security Blog

    Securing AppDomain Data

    • 0 Comments
    While we're on the topic of AppDomains ... One feature of AppDomains that many people don't know about is that they expose a property dictionary of string/object pairs. This dictionary is exposed through the GetData / SetData pair of methods. In the...
  • .NET Security Blog

    Comparing Java and .NET Security

    • 12 Comments
    It's been a while since I've last seen a comparison of Java and .NET security . Nathaneal Paul and David Evans from the University of Virginia Computer Science Department recently finished their comparison, Comparing Java and .NET Security: Lessons Learned...
  • .NET Security Blog

    A Closer Look at the Simple Sandboxed AppDomain

    • 3 Comments
    Yesterday we took a look at Whidbey's new Simple Sandboxing API . At first glance this API does seem relatively simple, however when you start to look closer at the AppDomain that is created for your sandboxed code, there are a few surprising properties...
  • .NET Security Blog

    The Simple Sandboxing API

    • 10 Comments
    A while back I gave some sample code to show how to setup a sandboxed AppDomain . This technique has worked since v1.0, and will continue to work with Whidbey. However, Whidbey also introduces a simple sandboxing API which eliminates the need for this...
  • .NET Security Blog

    3 Years, 3 Pounds

    • 3 Comments
    Today marks my 3 year anniversary on the CLR security team (not counting my internship, which I suppose would bring me to 3 years 3 months). We have a tradition on the CLR team where on the anniversary of your hire, you bring in an equivalent number of...
  • .NET Security Blog

    Why Is CasPol Prompting Me For Confirmation?

    • 2 Comments
    Every once in a while I get asked a question along the lines of: "I used to run CasPol in a script to modify security settings. Now my script never returns, and when I debug CasPol has started asking me to confirm its operations. What happened?...
  • .NET Security Blog

    Profiling Signed Assemblies

    • 0 Comments
    Ian Huff has an entry today about the problems you'll run into when using Visual Studio Team System to profile assemblies that have a strong name signature . He walks through the steps necessary to cause Visual Studio to resign your assemblies after they...
  • .NET Security Blog

    Bootstrapping your Application's AppDomainManager

    • 7 Comments
    Last time I mentioned that when using pure managed code to setup an AppDomainManager, you should prefer to use the environment variables rather than the registry keys. Once you've decided to use the environment variables, you need to determine a strategy...
  • .NET Security Blog

    Setting up an AppDomainManager

    • 5 Comments
    When I first talked about AppDomainManagers , I mentioned that there were three ways to tell the CLR that you'd like to use the managed hosting infrastructure: The unmanaged hosting API Environment variables APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE...
  • .NET Security Blog

    Loading the Same Assembly with Different Evidence

    • 5 Comments
    Assembly.Load provides overloads that take an Evidence object in addition to the name of the assembly to load. This leads to the question -- what happens if you were to load the same assembly multiple times with different Evidence. It's easy enough...
  • .NET Security Blog

    Don't Sign C++/CLI Assemblies with Attributes

    • 4 Comments
    We've already talked about using the /keyfile or /keycontainer switches to sign C# and VB assemblies instead of using the AssemblyKeyFile attribute. When dealing with C++/CLI assemblies, using these switches becomes even more important. The reasoning...
  • .NET Security Blog

    Heading to New York

    • 0 Comments
    Now that I've resolved the broken computer problem , and am all set up to blog again, I'm off to New York until July 11th. (Well, actually I've been in New York since June 29th, but things were pretty hectic getting ready to leave, so I wasn't able to...
  • .NET Security Blog

    Configuring the TrustManager

    • 1 Comments
    I've been working on the CLR side of ClickOnce pretty much from the beginning. In fact, since I started working with it, I can count at least 3 major design revisions and countless minor tweaks. I believe that of all the people on the CLR team, I've been...
  • .NET Security Blog

    A New Machine

    • 1 Comments
    About 2 weeks ago my main office machine died, taking with it all of my current work, and my blog post information. Getting the replacement to my office, setup, and running has been, well, a somewhat interesting saga involving lost emails, delayed deliveries...
  • .NET Security Blog

    Viewing IL at Debug Time

    • 5 Comments
    Last week, I mentioned Yiru’s post on using SOS to see the IL of a dynamically generated method. Yiru’s post is about lightweight code gen, but the technique she shows is useful for more general purpose managed debugging . Let’s work...
  • .NET Security Blog

    Console Applications requre UIPermission

    • 1 Comments
    Starting with beta 2, we’ve made a change around what permissions are required to launch a console application. When I talk about console applications here, I’m talking about applications that specify they should run with the WINDOWS_CUI subsystem (.subsystem...
  • .NET Security Blog

    Dynamic Assemblies and Declarative Security

    • 2 Comments
    Speaking of dynamic IL generation ... Before Whidbey, the framework supplied two ways of creating code on the fly, CodeDOM and Reflection.Emit. The two vary greatly in their approaches. With CodeDOM you basically emit C# (or VB, or any other language...
  • .NET Security Blog

    Yiru on Debugging LCG

    • 2 Comments
    Yiru's got a great piece up on using SOS to debug code that was emitted using Whidbey's new Lightweight CodeGen feature. Debugging any code written at the IL level can be tricky for anyone who doesn't have Partition III of ECMA committed to mind. LCG...
  • .NET Security Blog

    Mike Downen Starts Blogging

    • 0 Comments
    After months of telling me that he's just about to start blogging, Mike Downen , the guy who's in charge of designing CLR security features, finally got his blog setup today . His first post is about obfuscation, and future posts will go into some of...
  • .NET Security Blog

    Receiving Session Lock and Unlock Notifications

    • 16 Comments
    Some programs, such as MSN Messenger, change their behavior when the current session is locked and unlocked. Messenger, for instance, will change your status to Away while your machine is locked, and then back to Online when your machine is unlocked....
  • .NET Security Blog

    FullTrust Means FullTrust

    • 9 Comments
    One of the items on my long list of blog todo's has been a change that the security team has been calling "FullTrust Means FullTrust" internally. Basically, this change means that demands for identity permissions will now always succeed in FullTrust,...
  • .NET Security Blog

    Enforcing FIPS Certified Cryptography

    • 35 Comments
    Certain types of software, such as code written for a government contract, require adhering to a strict set of guidelines, especially when it comes to security. To better enable this type of software, v2.0 of the CLR provides the ability for you to enforce...
  • .NET Security Blog

    Security Off Wrap Up

    • 4 Comments
    I've got just a few loose ends to tie up about our new security off behavior , and then we'll move on to other topics. System.Security.SecurityManager.SecurityEnabled As part of the work to move to the new security off model, we've removed the ability...
  • .NET Security Blog

    Forcing Security to Stay On

    • 1 Comments
    Last time we looked at how the Whidbey version of CasPol uses a mutex to indicate the state of the security system. One of the more interesting fallouts from this model is that is that we can actually use this information to prevent security from being...
  • .NET Security Blog

    Whidbey's Security Off Model

    • 17 Comments
    Although the v1.0 and v1.1 versions of CasPol provided a switch to disable the CLR's security system, running without CAS enforcement on was never a scenario that we encouraged for obvious reasons. The choice to disable security was a system wide switch...
Page 7 of 15 (368 items) «56789»