.NET Security Blog

Declarative Security and Reflection

If you’re using the CustomAttributeData APIs to examine declarative security permission, you might...

Author: Shawn Farkas - MS Date: 04/21/2010

Is CAS dead in .NET 4?

With all the changes in the security system of .NET 4, the question frequently arises “so, is CAS...

Author: Shawn Farkas - MS Date: 02/24/2010

Using SecAnnotate to Analyze Your Assemblies for Transparency Violations – An Example

SecAnnotate (available in the final .NET 4 SDK, and in beta form here) can be used to analyze your...

Author: Shawn Farkas - MS Date: 11/18/2009

SecAnnotate Beta

One of the design goals of the security transparency system in the CLR is that it should be as...

Author: Shawn Farkas - MS Date: 11/18/2009

Differences Between the Security Rule Sets

In my last post I talked about the two different security rule sets supported by the v4 CLR. ...

Author: Shawn Farkas - MS Date: 11/12/2009

Transparency Models: A Tale of Two Levels

Earlier this week, we looked at how the v4 CLR continued the evolution of the security transparency...

Author: Shawn Farkas - MS Date: 11/11/2009

Transparency as Enforcement in CLR v4

Now that we know the basics of security transparency, let's look at how it evolved over time. In...

Author: Shawn Farkas - MS Date: 11/09/2009

Bridging the Gap Between Transparent and Critical Code

Last time we looked at the set of operations that can only be performed by security critical code....

Author: Shawn Farkas - MS Date: 11/05/2009

Transparency 101: Basic Transparency Rules

One of the biggest changes in the .NET 4 security model is a move toward security transparency as a...

Author: Shawn Farkas - MS Date: 11/03/2009

CLR v4 Security Policy Roundup

Over the last few weeks we’ve been taking a look at the updates to the CLR security policy system in...

Author: Shawn Farkas - MS Date: 06/12/2009

Temporarily re-enabling CAS policy during migration

Over the last few weeks we’ve been looking at the changes to security policy in .NET 4, namely that...

Author: Shawn Farkas - MS Date: 06/12/2009

Coding with Security Policy in .NET 4 part 2 – Explicit uses of CAS policy

Over the last few posts, I’ve been looking at how the update to the CLR v4 security policy interacts...

Author: Shawn Farkas - MS Date: 06/09/2009

More Implicit Uses of CAS Policy: loadFromRemoteSources

In my last post about changes to the CLR v4 security policy model, I looked at APIs which implicitly...

Author: Shawn Farkas - MS Date: 06/08/2009

CLR 4 Security on Channel 9

A while back I did an interview with Charles Torre  about the changes to security in CLR v4,...

Author: Shawn Farkas - MS Date: 05/28/2009

Visual Studio 10 Security Tab Changes

Kris Makey, who works on the Visual Studio team, has written up a good blog post about the changes...

Author: Shawn Farkas - MS Date: 05/28/2009

Coding with Security Policy in .NET 4.0 – Implicit uses of CAS policy

Last week we looked at sandboxing and the v4 CLR – with the key change being that the CLR now defers...

Author: Shawn Farkas - MS Date: 05/27/2009

Sandboxing in .NET 4.0

Yesterday I talked about the changes in security policy for managed applications, namely that...

Author: Shawn Farkas - MS Date: 05/22/2009

Security Policy in the v4 CLR

One of the first changes that you might see to security in the v4 CLR is that we’ve overhauled the...

Author: Shawn Farkas - MS Date: 05/21/2009

.NET 4.0 Security

The first beta of the v4.0 .NET Framework is now available, and with it comes a lot of changes to...

Author: Shawn Farkas - MS Date: 05/20/2009

Authenticated Symmetric Encryption in .NET

Over the last week, we've made a couple of updates to our Codeplex projects to add authenticated...

Author: Shawn Farkas - MS Date: 03/17/2009

MD5 on Silverlight

Reid Borsuk, an SDE/T on the CLR security team, has released a fully transparent implementation of...

Author: Shawn Farkas - MS Date: 12/09/2008

CryptoConfig

The crypto config schema has been a bit of a hot topic around here lately, specifically around how...

Author: Shawn Farkas - MS Date: 12/02/2008

Using RSACryptoServiceProvider for RSA-SHA256 signatures

Earlier this month, we released .NET 3.5 SP 1.  One of the new features available in this...

Author: Shawn Farkas - MS Date: 08/25/2008

CLR Security Team CodePlex Site

The CLR Security Team just launched our CodePlex site: https://www.codeplex.com/clrsecurity. ...

Author: Shawn Farkas - MS Date: 07/10/2008

Dr. Dobbs Looks at Silverlight Security

Dino Esposito has an article in the March Dr. Dobb's Journal taking a look at the Silverlight...

Author: Shawn Farkas - MS Date: 07/09/2008

Strong Name Bypass

Many managed applications start up slower than they really need to because of time spent verifying...

Author: Shawn Farkas - MS Date: 05/14/2008

FullTrust on the LocalIntranet

We released the first beta of .NET 3.5 SP 1 this morning, and it includes a change to the default...

Author: Shawn Farkas - MS Date: 05/12/2008

Disabling the FIPS Algorithm Check

.NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was...

Author: Shawn Farkas - MS Date: 03/14/2008

CAS and Native Code

CAS is complicated enough to understand when all of the moving parts are written in managed code...

Author: Shawn Farkas - MS Date: 03/04/2008

Which Groups Does WindowsIdentity.Groups Return?

WindowsIdentity exposes a Groups property which returns a collection of IdentityReferences for the...

Author: Shawn Farkas - MS Date: 02/07/2008

Manifested Controls Redux

Last year, I made a series of posts about a new feature available in the betas of .NET 3.5 which...

Author: Shawn Farkas - MS Date: 01/24/2008

Transparency as Least Privilege

In my last post I mentioned that there is a better alternative to RequestRefuse for achieving least...

Author: Shawn Farkas - MS Date: 10/30/2007

Avoiding Assembly Level Declarative Security

I've written in the past about the three assembly level declarative security actions:...

Author: Shawn Farkas - MS Date: 10/02/2007

CLR Inside Out: Digging into IDisposable

My third MSDN magazine article, Digging into IDisposable, appeared in this month's issue in the CLR...

Author: Shawn Farkas - MS Date: 06/20/2007

Silverlight Security Cheat Sheet

Over the last week we took a look at the new Silverlight security model. When you're writing a...

Author: Shawn Farkas - MS Date: 05/14/2007

Silverlight Security III: Inheritance

Over the last few days we've looked at the basics of the CoreCLR security model in Silverlight, and...

Author: Shawn Farkas - MS Date: 05/11/2007

Silverlight Security II: What Makes a Method Critical

Yesterday we talked about the CoreCLR security model, and how it is built upon the transparency...

Author: Shawn Farkas - MS Date: 05/10/2007

The Silverlight Security Model

You may have heard a thing or two last week about a little project we like to call Silverlight,...

Author: Shawn Farkas - MS Date: 05/09/2007

Bypassing the Authenticode Signature Check on Startup

A while back I wrote about the performance penalty of loading an assembly with an Authenticode...

Author: Shawn Farkas - MS Date: 05/07/2007

Loading an Assembly as a Byte Array

One of the various ways that you can load an assembly is by supplying the raw bytes of an assembly...

Author: Shawn Farkas - MS Date: 04/18/2007

TemplateControl.control

Attached is the TemplateControl.control manifest. TemplateControl.control

Author: Shawn Farkas - MS Date: 03/29/2007

Using the MMC Snap-In to Configure 64 Bit CAS Policy

The .NET Framework SDK ships with a MMC Snap-In which enables you to, among other things, avoid...

Author: Shawn Farkas - MS Date: 03/15/2007

Tying your IE Hosted Control to a Manifest

Last week, I talked about the Orcas feature which allows you to provide a manifest to elevate your...

Author: Shawn Farkas - MS Date: 03/12/2007

Manifests for IE Hosted Controls

Earlier this week,I talked about the Orcas feature where controls can declaratively request...

Author: Shawn Farkas - MS Date: 03/09/2007

Specifying Permissions for IE Controls in Orcas

One of my most read blog posts (and one of the reasons I created this blog in the first place -- to...

Author: Shawn Farkas - MS Date: 03/07/2007

Enumerating Evidence

The Evidence class supports being enumerated in three different ways: GetAssemblyEnumerator...

Author: Shawn Farkas - MS Date: 02/23/2007

Assembly Provided Evidence

We all know that the CLR provides many types of evidence to assemblies and AppDomains by default,...

Author: Shawn Farkas - MS Date: 02/20/2007

Introduction to the Orcas Add-In Model

One of the features the CLR team is adding in Orcas is that we're providing a new model to help...

Author: Shawn Farkas - MS Date: 02/20/2007

Please do not use the .NET 2.0 HMACSHA512 and HMACSHA384 Classes

We’ve recently discovered a bug in the HMACSHA512 and HMACSHA384 classes which shipped in the .NET...

Author: Shawn Farkas - MS Date: 01/31/2007

Elliptic Curve Diffie-Hellman

The second elliptic curve algorithm added to Orcas is elliptic curve Diffie-Hellman, as the...

Author: Shawn Farkas - MS Date: 01/22/2007

Next>