Difference between revisions of "Microsoft's Comments on the Full Trust Type Safety issues"

From OWASP
(Reverting to last version not containing links to s1.shard.jp)

Revision as of 11:00, 27 May 2009

From: "Microsoft Security Response Center" <secure@microsoft.com>
Sent: Monday, December 26, 2005 7:26 PM
To: dinis@ddplus.co.uk
Subject: RE: Possible Type Confusion issue in .Net 1.1 (only works in Full Trust)

Hi Dinis,

I trust you had or are having a great holiday season.

Thanks for heads up on your blog posting, I've received the following feedback from the product team, seems this topic has come up before.

Some people have argued that Microsoft should always enforce type safety at runtime (i.e. run the verifier) even if code is "Fully Trusted". We've chosen not to do this for a number of reasons (e.g. historical, perf, etc). There are at least two important things to consider about this scenario:

1) Even if we tried to enforce type safety using the verifier for Fully Trusted code, it wouldn't prevent Fully Trusted from accomplishing the same thing in 100 other different ways. In other words, your example accessed an object as if it were a different incompatible type - The verifier could have caught this particular technique that allowed him to violate type safety. However, he could have accomplished the same result using private reflection, direct memory access with unsafe code, or indirectly doing stuff like using PInvoke/native code to disable verification by modifying the CLR's verification code either on disk or in memory. There would be a marginal benefit to insuring people wrote "cleaner" more "type safe" code by enforcing verification at runtime for Full Trust, but you wouldn't get any additional security benefits because you can perform unverifiable actions in dozens of ways the verifier won't prevent if you are Fully Trusted.

2) As mentioned at the end of #1 above, one argument is that it's good for programmers (even fully trusted ones) to follow type safety rules, and doing runtime verification would keep people writing cleaner code. However, we don't need to do the verification at "runtime" in order to encourage good type safety hygiene. Instead, we can rely on our languages to do this for us. For example, C# and VB by default ensure that you produce verifiable code. If you've written your code in a language like C#, you're not going to run into cases where you've accidentally created unverifiable code (This can be seen in the example posted on the blog since you needed to use the low level assembler to hack up a program initially compiled in C#). Given that you can't prevent Fully Trusted code from doing unverifiable things at runtime, there's only a marginal difference between encouraging type safety at compile time vs at runtime for the Fully Trusted code developer.

I hope that helps to convey the message on where Microsoft stands with this issue.

Kind Regards
Scott D.
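
The "private reflection" route named in point 1 of the message above, as an added example that is not part of the original email or of any Microsoft code: fully verifiable C# that breaks a class's private invariant without touching IL. The `Account` class and its `balance` field are hypothetical names chosen for illustration.

```csharp
using System;
using System.Reflection;

// Hypothetical class (assumption for this example): the balance
// invariant is enforced only by the type's own public methods.
public sealed class Account
{
    private decimal balance = 100m;

    public decimal Balance { get { return balance; } }

    public void Withdraw(decimal amount)
    {
        if (amount <= 0 || amount > balance)
            throw new InvalidOperationException("invalid withdrawal");
        balance -= amount;
    }
}

public static class Program
{
    public static void Main()
    {
        var account = new Account();

        // The public API rejects an overdraft, as the class author intended.
        try { account.Withdraw(500m); }
        catch (InvalidOperationException) { Console.WriteLine("Withdraw(500) rejected"); }

        // No 'unsafe' block and no IL editing: this code passes the verifier.
        // Private reflection writes the field directly. Under Full Trust the
        // ReflectionPermission check succeeds; a partial-trust caller without
        // that permission fails the check at this point instead.
        FieldInfo field = typeof(Account).GetField(
            "balance", BindingFlags.Instance | BindingFlags.NonPublic);
        field.SetValue(account, -400m);

        Console.WriteLine("Balance is now " + account.Balance);
    }
}
```

The control that stops this is the permission grant, not the verifier, which is why code that must not reach another component's internals has to run with a restricted grant set rather than Full Trust.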