Managed Code

Previous page
Table of content
Next page

Managed assemblies are still susceptible to many of the security vulnerabilities, including buffer overflows, SQL injection, and cross-site scripting, so don t exclude managed assemblies from your security testing. In addition, managed code introduces specific types of attacks. Refer to Chapter 15.

Sample Test Cases

Test Case

Description

Look for APTCA assemblies

Any assembly that is marked with the AllowPartiallyTrustedCallers attribute (APTCA) can be called by partially trusted code, which can lead to luring attacks.

Look for unsafe code blocks, PInvokes of Win32 APIs, and marshaling of data

Managed code can call into unmanaged (native) code, which could lead to certain security problems. Search the code for unsafe or check whether the assembly was compiled using the /unsafe compiler option.

Look for asserts

If the code does an assert, especially if the assembly can be called from partially trusted code, make sure untrusted callers cannot call into the method.

Look for link demands

Look for all places that do a link demand and make sure they cannot be bypassed, such as by casting to an interface.

Look for sensitive data in the assembly

Microsoft .NET Framework assemblies can easily be decompiled, so be sure the source doesn t contain any secrets or backdoors.


Previous page
Table of content
Next page
Hunting Security Bugs
Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156
Authors: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
BUY ON AMAZON
Agile Project Management: Creating Innovative Products (2nd Edition)
Oracle Developer Forms Techniques
Developing Tablet PC Applications (Charles River Media Programming)
SQL Hacks
The Complete Cisco VPN Configuration Guide
101 Microsoft Visual Basic .NET Applications
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy