Re: .Net scurity drives me nuts

From: Shawn Farkas [MS] (shawnfa_at_online.microsoft.com)
Date: 07/30/03


Date: Tue, 29 Jul 2003 22:55:59 GMT


Hi Ron,

When you code in C# (and the other managed languages), as long as you don't use unsafe code, such as COM Interop, P/Invoke, or unsafe code blocks, you will be protected from buffer overruns. This applies regardless of strong names or security policy settings.

-Shawn

-- 
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm 
Note:  For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.  
--------------------
>From: "spider" <spider@web.com>
>References: <#kO6z$hUDHA.2568@tk2msftngp13.phx.gbl> <oGWOoElUDHA.1996@cpmsftngxa06.phx.gbl>
>Subject: Re: .Net scurity drives me nuts
>Date: Fri, 25 Jul 2003 18:21:10 -0700
>Lines: 171
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.3790.0
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Message-ID: <#SY13QxUDHA.1280@tk2msftngp13.phx.gbl>
>Newsgroups: microsoft.public.dotnet.security
>NNTP-Posting-Host: cpe-66-27-215-45.socal.rr.com 66.27.215.45
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:2248
>X-Tomcat-NG: microsoft.public.dotnet.security
>
>Shawn,
>I read your security blog and I have an additional question.
>Does strong naming the assembly and modifying the security policy to trust
>this strong name prevent hackers from causing buffer overruns? Are .NET C#
>developers protected from buffer overruns by the CLR and if not could you
>point me to coding practices to prevent them in .NET. I've been reading
>"Writing Secure Code" from Microsoft Press and it seems that buffer overruns
>apply to C and C++ programmers. Today I just read that RPC has a buffer
>overrun problem. How can a .NET developer protect against something like
>that?
>Thanks...Ron Lemire
>
>
>"Shawn Farkas [MS]" <shawnfa@online.microsoft.com> wrote in message
>news:oGWOoElUDHA.1996@cpmsftngxa06.phx.gbl...
>> My guess is that you weren't running this code from your local computer, but were trying to run it over the network. Running code over the network results in a reduced set of permissions granted to your application. You can check my security blog for more information on how to trust code running from a remote location:
>>
>> http://blogs.gotdotnet.com/shawnfa/PermaLink.aspx/40884dc9-dbb7-48e7-a70f-5f1f4627410c
>>
>> -Shawn
>>
>> -- 
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
>>
>> Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
>> --------------------
>> >From: "Dudeus" <bogus.email@bogus-addr.com>
>> >Subject: .Net scurity drives me nuts
>> >Date: Thu, 24 Jul 2003 13:12:45 -0700
>> >Lines: 108
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <#kO6z$hUDHA.2568@tk2msftngp13.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.security
>> >NNTP-Posting-Host: pc138.egr.nau.edu 134.114.16.138
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>> >Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.security:2221
>> >X-Tomcat-NG: microsoft.public.dotnet.security
>> >
>> >
>> >Alright guys, I am new to .Net framework.
>> >I have tried to find a good documentation about .Net security but no luck so far.
>> >If anybody could give me some pointer where to read about .Net security in regards to coding, please let me know.
>> >
>> >The following code is so simple but gave error about .Net security.
>> >I hope that someone could help me out on this and how to setup the .Net security to make this simple code to work.
>> >Otherwise, I'll just ditch .Net and C# altogether and stay with good ol C++ and WIN32 API.
>> >
>> >using System;
>> >using System.Management;
>> >class MainClass
>> >{
>> >    public static void Main(string[] args)
>> >    {
>> >        ManagementObjectSearcher query1 = new ManagementObjectSearcher("SELECT * FROM Win32_OperatingSystem");
>> >    }
>> >}
>> >
>> >
>> >Here is the error that I've got when trying to run this program:
>> >
>> >
>> >
>> >Unhandled Exception: System.Security.SecurityException: Security error.
>> >   at MainClass.Main(String[] args)
>> >
>> >The granted set of the failing assembly was:
>> ><PermissionSet class="System.Security.PermissionSet"
>> >               version="1">
>> >   <IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Read="USERNAME"/>
>> >   <IPermission class="System.Security.Permissions.FileDialogPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Unrestricted="true"/>
>> >   <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Read="H:\SharpDevelop Projects\WMI\"
>> >                PathDiscovery="H:\SharpDevelop Projects\WMI\"/>
>> >   <IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Allowed="AssemblyIsolationByUser"
>> >                UserQuota="9223372036854775807"
>> >                Expiry="9223372036854775807"
>> >                Permanent="True"/>
>> >   <IPermission class="System.Security.Permissions.ReflectionPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Flags="ReflectionEmit"/>
>> >   <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Flags="Assertion, Execution, BindingRedirects"/>
>> >   <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Unrestricted="true"/>
>> >   <IPermission class="System.Net.DnsPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Unrestricted="true"/>
>> >   <IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
>> >                version="1"
>> >                Level="DefaultPrinting"/>
>> >   <IPermission class="System.Diagnostics.EventLogPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1">
>> >      <Machine name="."
>> >               access="Instrument"/>
>> >   </IPermission>
>> >   <IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Url="file://H:/Test Projects/WMI/WMI.exe"/>
>> >   <IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
>> >                version="1"
>> >                Zone="Intranet"/>
>> ></PermissionSet>
>> >
>> >Press any key to continue . . .
>> >
>> >
>> >
>>
>>
>
>
>
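
Added example, not part of the original thread or of any poster's code: a C# sketch of the distinction drawn in the reply at the top, showing an oversized copy stopped by the CLR in verifiable code and the explicit length check that has to take its place inside an `unsafe` block. The class and method names and the sample buffers are hypothetical.

```csharp
using System;

// Added example; BoundsDemo, SafeCopy and UnsafeCopy are hypothetical names.
// Compile with: csc /unsafe BoundsDemo.cs
static class BoundsDemo
{
    // Verifiable managed code: the CLR checks every array index, so an
    // oversized input raises an exception instead of writing past the array.
    static string SafeCopy(byte[] input, byte[] dest)
    {
        try
        {
            for (int i = 0; i < input.Length; i++)
                dest[i] = input[i];          // bounds-checked by the runtime
            return "copied";
        }
        catch (IndexOutOfRangeException)
        {
            // Elements before the failing index were already written,
            // but nothing outside dest was touched.
            return "rejected by CLR bounds check";
        }
    }

    // Unsafe block: pointer writes are not checked by the CLR. The length
    // test below is the only thing preventing an overrun, just as in C.
    static unsafe string UnsafeCopy(byte[] input, byte[] dest)
    {
        if (input.Length > dest.Length)
            return "rejected by explicit length check";
        fixed (byte* src = input, dst = dest)
        {
            for (int i = 0; i < input.Length; i++)
                dst[i] = src[i];
        }
        return "copied";
    }

    static void Main()
    {
        byte[] dest = new byte[8];
        byte[] oversized = new byte[32];     // constructed sample input
        Console.WriteLine(SafeCopy(oversized, dest));
        Console.WriteLine(UnsafeCopy(oversized, dest));
        Console.WriteLine(UnsafeCopy(new byte[4], dest));
    }
}
```

Code compiled with `/unsafe` is unverifiable and needs the `SkipVerification` security permission to run; the Intranet grant set quoted in the thread lists only `Assertion, Execution, BindingRedirects`, so this program would not run from that network location either.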

