.NET Security Blog
Elliptic Curve DSA
Yesterday I gave a quick rundown of all the new cryptographic algorithms available in the Orcas...
Author: Shawn Farkas - MS Date: 01/18/2007
New Crypto Algorithms in Orcas
The January CTP of Orcas is now available, and with it comes a total of 12 new cryptography...
Author: Shawn Farkas - MS Date: 01/17/2007
Combining Strong Names with Authenticode
If you want to use both a strong name and Authenticode signature on your assembly (for instance if...
Author: Shawn Farkas - MS Date: 01/10/2007
Happy Holidays!
In an effort to escape Seattle's ... interesting ... weather patterns of the last few months, I've...
Author: Shawn Farkas - MS Date: 12/22/2006
Evidence Must Be Serializable
The Evidence object acts as a collection for any sort of object that you want to add as evidence for...
Author: Shawn Farkas - MS Date: 12/20/2006
new NamedPermissionSet
Every once in a while I find some code doing something similar to this: new...
Author: Shawn Farkas - MS Date: 11/14/2006
Relative URL Membership Conditions
Caspol will allow you to setup a URL membership condition with a relative URL by using a command...
Author: Shawn Farkas - MS Date: 11/03/2006
SecureString Redux
A few times over the last couple of days discussion about a tool on the Internet which can attach to...
Author: Shawn Farkas - MS Date: 11/01/2006
Quickly Testing Code Under Different Cultures
Earlier this week, a situation came up where we needed to make sure a new feature worked when it was...
Author: Shawn Farkas - MS Date: 10/20/2006
XML Digital Signature Verification with Unknown URI Schemes
A few years back, there was a discussion thread on one of my XML digital signature posts about...
Author: Shawn Farkas - MS Date: 10/12/2006
Kenny Kerr Explores UAC
Kenny Kerr, one of our Security MVPs, has updated his Windows Vista for Developers series with Part4...
Author: Shawn Farkas - MS Date: 10/10/2006
The Differences Between Rijndael and AES
When you need to write managed code that encrypts or decrypts data according to the AES standard,...
Author: Shawn Farkas - MS Date: 10/09/2006
Using Lightweight CodeGen from Partial Trust
Last time I talked about the new Orcas feature allowing you to use reflection from partial trust....
Author: Shawn Farkas - MS Date: 10/05/2006
RestrictedMemberAccess
The September CTP of Orcas went live last night, including lots of features that other MSDN blogs...
Author: Shawn Farkas - MS Date: 09/29/2006
RSACryptoServiceProvider, Impersonation, and Ephemeral Keys
If you construct an RSACryptoServiceProvider class without specifying a name for the key, the CLR...
Author: Shawn Farkas - MS Date: 09/21/2006
[WeddingPermission(SecurityAction.Demand, Unrestricted=true)]
Having just checked in my last few bug fixes and the Orcas feature I've been working on, it's time...
Author: Shawn Farkas - MS Date: 08/04/2006
What Evidence does Internet Explorer Give an Assembly
One of the reasons I started this blog was to have a permanent record of a question I used to see on...
Author: Shawn Farkas - MS Date: 07/26/2006
$20 on Double Zero, $20 on LUA please
I spent last weekend in Vegas, and on Saturday night / Sunday morning decided to recreate those...
Author: Shawn Farkas - MS Date: 07/17/2006
ClickOnce Same Site Permissions
ClickOnce applications can request that they be granted permission to contact their site of origin....
Author: Shawn Farkas - MS Date: 07/15/2006
Sandboxed Applications Can’t Elevate Their Own Permissions
Every once in a while someone will ask how they can do something similar to these caspol commands...
Author: Shawn Farkas - MS Date: 07/13/2006
Every CLR has Independent CAS Policy
It’s relatively easy to find a set of instructions for using caspol or Admin UI to provide a CAS...
Author: Shawn Farkas - MS Date: 07/11/2006
Column Guides in Visual Studio
A lot of coding guidelines specify the maximum length for a line of code. For instance in the CLR,...
Author: Shawn Farkas - MS Date: 07/07/2006
Reducing Startup Time Due To Strong Name Verification
Occasionally we run into a scenario where someone asks about shipping a strong name skip...
Author: Shawn Farkas - MS Date: 06/23/2006
APTCA and SQL Server 2005
Last year, I explored the ins and outs of the AllowPartiallyTrustedCallersAttribute. Today, the...
Author: Shawn Farkas - MS Date: 06/23/2006
CLR Inside Out: Using Strong Name Signatures
Mike Downen, our CLR security PM, wrote the CLR Inside Out column this month in MSDN Magazine on...
Author: Shawn Farkas - MS Date: 06/16/2006
Avoiding Deny and Permit Only: Take 2
Last week when I dug into the details of the special permission optimization, we saw in the code...
Author: Shawn Farkas - MS Date: 06/14/2006
Browsing the SSCLI in Visual Studio
I've attached a simple Visual Studio 2005 project that I use for browsing the SSCLI v2 source tree....
Author: Shawn Farkas - MS Date: 06/07/2006
Special Permissions in the SSCLI
Before digging into a pretty clever optimization that the SSCLI makes for certain special permission...
Author: Shawn Farkas - MS Date: 06/06/2006
Test Signing in Action: IronPython Beta 7
The IronPython team just announced their v1.0 beta 7 release, which is especially interesting to me...
Author: Shawn Farkas - MS Date: 05/24/2006
Why the Simple Sandboxing API Requires an ApplicationBase
One trap that catches a lot of people new to the simple sandboxing API is that the API will throw an...
Author: Shawn Farkas - MS Date: 05/24/2006
Handling Custom Zones with the HostSecurityManager
We've looked at how the CLR supports mapping a custom zone to the Internet zone and how you can...
Author: Shawn Farkas - MS Date: 05/18/2006
SSCLI Zone Mappings
My previous post is begging the question "so what is the SSCLI's zone mapping policy?" It's actually...
Author: Shawn Farkas - MS Date: 05/16/2006
Custom Zones and the CLR
On the topic of zones and the CLR ... Windows lets you define custom zones outside of the standard...
Author: Shawn Farkas - MS Date: 05/15/2006
How does the CLR figure out Zone evidence?
This week, I've had three separate cases where people have wondered why the CLR was assigning...
Author: Shawn Farkas - MS Date: 05/12/2006
Simple Sandboxing and the LoadFrom Demand
One of the common problems that people run into when setting up simple sandbox domains in their...
Author: Shawn Farkas - MS Date: 05/01/2006
Category Cleanup
My Ship-It sticker for Whidbey shows that we officially shipped on October 27th -- hard to believe...
Author: Shawn Farkas - MS Date: 04/27/2006
Visual Studio Tip: Editing Project Files
Earlier I mentioned tweaking project files -- something that a lot of people do just by opening the...
Author: Shawn Farkas - MS Date: 04/26/2006
Sharing a Strong Name Key File Across Projects
v2.0 of the .NET Framework deprecated the use of the AssemblyKeyFileAttribute and...
Author: Shawn Farkas - MS Date: 04/24/2006
5 Reasons to Choose Simple Sandboxing
When it comes time to host some partially trusted code in your application, perhaps as a part of an...
Author: Shawn Farkas - MS Date: 04/19/2006
Adding a UAC Manifest to Managed Code
The UAC feature of Vista is one of my favorite new features -- it really makes running as a...
Author: Shawn Farkas - MS Date: 04/06/2006
FxCop Transparency Rules
The FxCop team has just announced the availability of RC 1 of FxCop 1.35. Notable in this release is...
Author: Shawn Farkas - MS Date: 04/04/2006
What Happens When You Fully Sign a Test Signed Assembly
When an assembly is test signed, the public key used to verify its signature is different from the...
Author: Shawn Farkas - MS Date: 04/03/2006
Getting Information about an X509Certificate's Key Container
One of the more common things a lot of people want to do with their X509Certificate2 is figure out...
Author: Shawn Farkas - MS Date: 03/30/2006
Debugging a Partial Trust ClickOnce Application
Although the theory is that by the time we deploy a finished application it's already fully debugged...
Author: Shawn Farkas - MS Date: 03/28/2006
SSCLI v2
As Jason announces, v2.0 of the SSCLI is now available for download:...
Author: Shawn Farkas - MS Date: 03/24/2006
Why Can't I See Extended SecurityException Information?
The v2.0 SecurityException is chock full of debugging goodness -- for trusted code that is. In some...
Author: Shawn Farkas - MS Date: 03/23/2006
Return of the Mailbag
Over the last week or so I've seen a few questions pop up multiple times. In no particular order: Q:...
Author: Shawn Farkas - MS Date: 03/21/2006
Impersonation and Exception Filters in v2.0
A while back, I wrote about a potential security hole when malicious code can set up an exception...
Author: Shawn Farkas - MS Date: 03/03/2006
Enveloped PKCS #7 Signatures
One of the new cryptography features in the v2.0 framework is the ability to work with PKCS #7...
Author: Shawn Farkas - MS Date: 02/27/2006
APTCA and Custom Attributes
Haibo just posted an excellent article about what happens when you use reflection to get a custom...
Author: Shawn Farkas - MS Date: 02/22/2006