Re: .NET and buffer overruns

From: Eugene V. Bobukh [MS] (eugenebo_at_online.microsoft.com)
Date: 07/29/03


Date: Mon, 28 Jul 2003 17:40:19 -0700


Ron,

1. Chances to have a buffer overrun in .NET are not zero, but much, much lower than with traditional C++. Basically, there could be only two sources for them: a) if you write so-called "unsafe" code that uses pointers [yes, this is allowed in .NET] and make mistakes; b) bugs in .NET libraries, chances for that are hopefully very slim.

2. No, this does not prevent hackers from running your application. However, .NET Security gives you a number of opportunities to restrict types and origin of your code callers, thus reducing the possibility of code being "hacked". This is a huge topic though. If you are interested, you might consider getting acquainted with it through some reading like this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecurity.asp

-- 
Eugene V. Bobukh
This message is provided "AS IS" with no warranties, and confers no rights. Any opinions or policies stated within it are my own and do not necessarily constitute those of my employer.
----
"spider" <spider@web.com> wrote in message news:eDn%23ISUVDHA.3376@tk2msftngp13.phx.gbl...
> Hi,
> 
> I've been reading "Writing Secure Code" from Microsoft Press and it seems
> that buffer overruns apply to C and C++ programmers. Are .NET C# developers
> protected from buffer overruns by the CLR? If not could you point me to
> coding practices to prevent them in .NET.
> 
> Also, does strong naming the assembly and modifying the security policy to
> trust this strong name prevent hackers from executing code in the assembly?
> 
> Thanks...Ron
> 
> 
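
Added example, not part of the original thread or written by either poster: the difference between verifiable C# code, where the CLR bounds-checks every array index, and "unsafe" pointer code, where the length check has to be written by hand. The class and method names (OverrunDemo, SafeCopy, UnsafeCopy) and the buffer sizes are hypothetical.

```csharp
// Added illustration; names and sizes are assumptions. Compile with: csc /unsafe Overrun.cs
using System;

static class OverrunDemo
{
    // Verifiable (safe) code: the CLR checks every array index at run time.
    static bool SafeCopy(byte[] src, byte[] dst)
    {
        try
        {
            for (int i = 0; i < src.Length; i++)
                dst[i] = src[i];          // throws once i >= dst.Length
            return true;
        }
        catch (IndexOutOfRangeException)
        {
            return false;                 // stopped before any out-of-bounds write
        }
    }

    // "Unsafe" code: raw pointers carry no length, so nothing is checked for us.
    // The caller passes the destination capacity and the method enforces it.
    static unsafe bool UnsafeCopy(byte[] src, byte* dst, int dstCapacity)
    {
        if (src.Length > dstCapacity)
            return false;                 // without this check the loop writes past dst
        fixed (byte* p = src)             // pin the managed array while using a pointer
        {
            for (int i = 0; i < src.Length; i++)
                dst[i] = p[i];
        }
        return true;
    }

    static unsafe void Main()
    {
        byte[] input = new byte[32];      // constructed sample input, larger than both buffers
        byte[] managed = new byte[16];
        Console.WriteLine("safe copy succeeded: " + SafeCopy(input, managed));

        byte* stack = stackalloc byte[16];
        Console.WriteLine("unsafe copy succeeded: " + UnsafeCopy(input, stack, 16));
    }
}
```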

