Re: .Net security drives me nuts

From: spider (spider_at_web.com)
Date: 07/26/03


Date: Fri, 25 Jul 2003 18:21:10 -0700


Shawn,
I read your security blog and I have an additional question.
Does strong naming the assembly and modifying the security policy to trust
this strong name prevent hackers from causing buffer overruns? Are .NET C#
developers protected from buffer overruns by the CLR, and if not, could you
point me to coding practices to prevent them in .NET? I've been reading
"Writing Secure Code" from Microsoft Press and it seems that buffer overruns
apply to C and C++ programmers. Today I just read that RPC has a buffer
overrun problem. How can a .NET developer protect against something like
that?
Thanks...Ron Lemire

"Shawn Farkas [MS]" <shawnfa@online.microsoft.com> wrote in message
news:oGWOoElUDHA.1996@cpmsftngxa06.phx.gbl...
> My guess is that you weren't running this code from your local computer,
> but were trying to run it over the network. Running code over the network
> results in a reduced set of permissions granted to your application. You
> can check my security blog for more information on how to trust code
> running from a remote location:
>
> http://blogs.gotdotnet.com/shawnfa/PermaLink.aspx/40884dc9-dbb7-48e7-a70f-5f1f4627410c
>
> -Shawn
>
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> Note: For the benefit of the community-at-large, all responses to this
> message are best directed to the newsgroup/thread from which they
> originated.
> --------------------
> >From: "Dudeus" <bogus.email@bogus-addr.com>
> >Subject: .Net security drives me nuts
> >Date: Thu, 24 Jul 2003 13:12:45 -0700
> >Newsgroups: microsoft.public.dotnet.security
> >
> >
> >Alright guys, I am new to .Net framework.
> >I have tried to find a good documentation about .Net security but no luck
> >so far.
> >If anybody could give me some pointer where to read about .Net security
> >in regards to coding, please let me know.
> >
> >The following code is so simple but gave error about .Net security.
> >I hope that someone could help me out on this and how to setup the .Net
> >security to make this simple code to work.
> >Otherwise, I'll just ditch .Net and C# altogether and stay with good ol
> >C++ and WIN32 API.
> >
> >using System;
> >using System.Management;
> >class MainClass
> >{
> >    public static void Main(string[] args)
> >    {
> >        ManagementObjectSearcher query1 = new ManagementObjectSearcher("SELECT * FROM Win32_OperatingSystem");
> >    }
> >}
> >
> >
> >Here is the error that I've got when trying to run this program:
> >
> >
> >
> >Unhandled Exception: System.Security.SecurityException: Security error.
> > at MainClass.Main(String[] args)
> >
> >The granted set of the failing assembly was:
> ><PermissionSet class="System.Security.PermissionSet"
> >               version="1">
> >   <IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Read="USERNAME"/>
> >   <IPermission class="System.Security.Permissions.FileDialogPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Unrestricted="true"/>
> >   <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Read="H:\SharpDevelop Projects\WMI\"
> >                PathDiscovery="H:\SharpDevelop Projects\WMI\"/>
> >   <IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Allowed="AssemblyIsolationByUser"
> >                UserQuota="9223372036854775807"
> >                Expiry="9223372036854775807"
> >                Permanent="True"/>
> >   <IPermission class="System.Security.Permissions.ReflectionPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Flags="ReflectionEmit"/>
> >   <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Flags="Assertion, Execution, BindingRedirects"/>
> >   <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Unrestricted="true"/>
> >   <IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Unrestricted="true"/>
> >   <IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
> >                version="1"
> >                Level="DefaultPrinting"/>
> >   <IPermission class="System.Diagnostics.EventLogPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1">
> >      <Machine name="."
> >               access="Instrument"/>
> >   </IPermission>
> >   <IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Url="file://H:/Test Projects/WMI/WMI.exe"/>
> >   <IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
> >                version="1"
> >                Zone="Intranet"/>
> ></PermissionSet>
> >
> >Press any key to continue . . .
> >
> >
> >
>
>
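
The reduced grant described in the quoted reply (the dump shows Zone="Intranet") can be detected before the WMI call is made. The following is an added example for the .NET Framework of that era, not code from any poster in this thread; the class and method names are hypothetical, and it assumes System.Management requires a fully trusted caller, which is consistent with the failing run above.

```csharp
using System;
using System.Management;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class TrustProbe   // hypothetical name, not from the thread
{
    // True only if every caller on the stack holds an unrestricted grant.
    static bool IsFullyTrusted()
    {
        try
        {
            new PermissionSet(PermissionState.Unrestricted).Demand();
            return true;
        }
        catch (SecurityException) { return false; }
    }

    // The WMI query from the post, kept out of Main: in the failing run the
    // exception surfaced at MainClass.Main itself, so Main must not touch
    // System.Management directly if it is to report anything first.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void QueryOperatingSystem()
    {
        ManagementObjectSearcher query1 =
            new ManagementObjectSearcher("SELECT * FROM Win32_OperatingSystem");
        foreach (ManagementObject os in query1.Get())
            Console.WriteLine(os["Caption"]);
    }

    public static int Main(string[] args)
    {
        // Map the load location to a security zone (mapped drive -> Intranet).
        string codeBase = Assembly.GetExecutingAssembly().CodeBase;
        SecurityZone zone = Zone.CreateFromUrl(codeBase).SecurityZone;
        Console.WriteLine("Loaded from {0} (zone: {1})", codeBase, zone);

        if (!IsFullyTrusted())
        {
            // Assumption: System.Management needs a fully trusted caller.
            Console.Error.WriteLine("Partial trust: skipping the WMI query.");
            return 1;
        }
        QueryOperatingSystem();
        return 0;
    }
}
```

Run from a local drive, the probe reports the MyComputer zone and performs the query; run from a network share, it reports the zone and exits cleanly instead of ending in an unhandled SecurityException.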