.NET Security Blog
Declarative Security and Reflection
If you’re using the CustomAttributeData APIs to examine declarative security permission, you might...
Date: 04/21/2010
Is CAS dead in .NET 4?
With all the changes in the security system of .NET 4, the question frequently arises “so, is CAS...
Date: 02/24/2010
Using SecAnnotate to Analyze Your Assemblies for Transparency Violations – An Example
SecAnnotate (available in the final .NET 4 SDK, and in beta form here) can be used to analyze your...
Date: 11/18/2009
SecAnnotate Beta
One of the design goals of the security transparency system in the CLR is that it should be as...
Date: 11/18/2009
Differences Between the Security Rule Sets
In my last post I talked about the two different security rule sets supported by the v4 CLR. ...
Date: 11/12/2009
Transparency Models: A Tale of Two Levels
Earlier this week, we looked at how the v4 CLR continued the evolution of the security transparency...
Date: 11/11/2009
Transparency as Enforcement in CLR v4
Now that we know the basics of security transparency, let's look at how it evolved over time. In...
Date: 11/09/2009
Bridging the Gap Between Transparent and Critical Code
Last time we looked at the set of operations that can only be performed by security critical code....
Date: 11/05/2009
Transparency 101: Basic Transparency Rules
One of the biggest changes in the .NET 4 security model is a move toward security transparency as a...
Date: 11/03/2009
CLR v4 Security Policy Roundup
Over the last few weeks we’ve been taking a look at the updates to the CLR security policy system in...
Date: 06/12/2009
Temporarily re-enabling CAS policy during migration
Over the last few weeks we’ve been looking at the changes to security policy in .NET 4, namely that...
Date: 06/12/2009
Coding with Security Policy in .NET 4 part 2 – Explicit uses of CAS policy
Over the last few posts, I’ve been looking at how the update to the CLR v4 security policy interacts...
Date: 06/09/2009
More Implicit Uses of CAS Policy: loadFromRemoteSources
In my last post about changes to the CLR v4 security policy model, I looked at APIs which implicitly...
Date: 06/08/2009
CLR 4 Security on Channel 9
A while back I did an interview with Charles Torre about the changes to security in CLR v4,...
Date: 05/28/2009
Visual Studio 10 Security Tab Changes
Kris Makey, who works on the Visual Studio team, has written up a good blog post about the changes...
Date: 05/28/2009
Coding with Security Policy in .NET 4.0 – Implicit uses of CAS policy
Last week we looked at sandboxing and the v4 CLR – with the key change being that the CLR now defers...
Date: 05/27/2009
Sandboxing in .NET 4.0
Yesterday I talked about the changes in security policy for managed applications, namely that...
Date: 05/22/2009
Security Policy in the v4 CLR
One of the first changes that you might see to security in the v4 CLR is that we’ve overhauled the...
Date: 05/21/2009
.NET 4.0 Security
The first beta of the v4.0 .NET Framework is now available, and with it comes a lot of changes to...
Date: 05/20/2009
Authenticated Symmetric Encryption in .NET
Over the last week, we've made a couple of updates to our Codeplex projects to add authenticated...
Date: 03/17/2009
MD5 on Silverlight
Reid Borsuk, an SDE/T on the CLR security team, has released a fully transparent implementation of...
Date: 12/09/2008
CryptoConfig
The crypto config schema has been a bit of a hot topic around here lately, specifically around how...
Date: 12/02/2008
Using RSACryptoServiceProvider for RSA-SHA256 signatures
Earlier this month, we released .NET 3.5 SP 1. One of the new features available in this...
Date: 08/25/2008
CLR Security Team CodePlex Site
The CLR Security Team just launched our CodePlex site: https://www.codeplex.com/clrsecurity. ...
Date: 07/10/2008
Dr. Dobbs Looks at Silverlight Security
Dino Esposito has an article in the March Dr. Dobb's Journal taking a look at the Silverlight...
Date: 07/09/2008
Strong Name Bypass
Many managed applications start up slower than they really need to because of time spent verifying...
Date: 05/14/2008
FullTrust on the LocalIntranet
We released the first beta of .NET 3.5 SP 1 this morning, and it includes a change to the default...
Date: 05/12/2008
Disabling the FIPS Algorithm Check
.NET 2.0 introduced a check for FIPS certified algorithms if your local security policy was...
Date: 03/14/2008
CAS and Native Code
CAS is complicated enough to understand when all of the moving parts are written in managed code...
Date: 03/04/2008
Which Groups Does WindowsIdentity.Groups Return?
WindowsIdentity exposes a Groups property which returns a collection of IdentityReferences for the...
Date: 02/07/2008
Manifested Controls Redux
Last year, I made a series of posts about a new feature available in the betas of .NET 3.5 which...
Date: 01/24/2008
Transparency as Least Privilege
In my last post I mentioned that there is a better alternative to RequestRefuse for achieving least...
Date: 10/30/2007
Avoiding Assembly Level Declarative Security
I've written in the past about the three assembly level declarative security actions:...
Date: 10/02/2007
CLR Inside Out: Digging into IDisposable
My third MSDN magazine article, Digging into IDisposable, appeared in this month's issue in the CLR...
Date: 06/20/2007
Silverlight Security Cheat Sheet
Over the last week we took a look at the new Silverlight security model. When you're writing a...
Date: 05/14/2007
Silverlight Security III: Inheritance
Over the last few days we've looked at the basics of the CoreCLR security model in Silverlight, and...
Date: 05/11/2007
Silverlight Security II: What Makes a Method Critical
Yesterday we talked about the CoreCLR security model, and how it is built upon the transparency...
Date: 05/10/2007
The Silverlight Security Model
You may have heard a thing or two last week about a little project we like to call Silverlight,...
Date: 05/09/2007
Bypassing the Authenticode Signature Check on Startup
A while back I wrote about the performance penalty of loading an assembly with an Authenticode...
Date: 05/07/2007
Loading an Assembly as a Byte Array
One of the various ways that you can load an assembly is by supplying the raw bytes of an assembly...
Date: 04/18/2007
TemplateControl.control
Attached is the TemplateControl.control manifest.
Date: 03/29/2007
Using the MMC Snap-In to Configure 64 Bit CAS Policy
The .NET Framework SDK ships with an MMC Snap-In which enables you to, among other things, avoid...
Date: 03/15/2007
Tying your IE Hosted Control to a Manifest
Last week, I talked about the Orcas feature which allows you to provide a manifest to elevate your...
Date: 03/12/2007
Manifests for IE Hosted Controls
Earlier this week, I talked about the Orcas feature where controls can declaratively request...
Date: 03/09/2007
Specifying Permissions for IE Controls in Orcas
One of my most read blog posts (and one of the reasons I created this blog in the first place -- to...
Date: 03/07/2007
Enumerating Evidence
The Evidence class supports being enumerated in three different ways: GetAssemblyEnumerator...
Date: 02/23/2007
Assembly Provided Evidence
We all know that the CLR provides many types of evidence to assemblies and AppDomains by default,...
Date: 02/20/2007
Introduction to the Orcas Add-In Model
One of the features the CLR team is adding in Orcas is that we're providing a new model to help...
Date: 02/20/2007
Please do not use the .NET 2.0 HMACSHA512 and HMACSHA384 Classes
We’ve recently discovered a bug in the HMACSHA512 and HMACSHA384 classes which shipped in the .NET...
Date: 01/31/2007
Elliptic Curve Diffie-Hellman
The second elliptic curve algorithm added to Orcas is elliptic curve Diffie-Hellman, as the...
Date: 01/22/2007