"Novice" <6tc1@qlinkDOTqueensuDOTca> wrote in message
news:8B8270FF-E63A-4EBB-BA26-(E-Mail Removed)...
> Hi all, I'm afraid this is the second posting of this information as I
> didn't get a response on the previous post. I will try to shorten my
> message (i.e. be more concise) in the hopes that it will make it easier for
> someone (i.e. a Microsoft person) to digest the information and respond to
> it. I am a C++ and Java developer with over 3 years of industry experience.
> I've written low level C++ code, in addition to web clients that use web
> services. I've just recently installed the Visual Studio .net Professional
> trial version 2003. I have been reading up various documents that discuss -
> "What is Microsoft .Net" and have found some enlightening information.
>
> I'm trying to write a paper on security and software development using
> Microsoft .Net. So far the most difficult aspect has been determining -
> what is Microsoft .NET?
>
> --Questions--
>
> 1. What is included in the "set of software technologies" that are part
> of Microsoft .NET beyond the Microsoft .NET Framework. Specifically, I'm
> wondering if I speak to someone about Microsoft .NET does that include
> Microsoft Visual Studio .NET and other supportive technologies?
>
This is a tough question, mostly due to mistakes by MS marketing. I do not
believe any (major) products outside of Visual Studio still use the .NET
moniker.
> 2. If I write unmanaged C++ code in Microsoft Visual Studio .NET is it
> transformed/compiled into MSIL (intermediate language) and then Just-In-Time
> compiled using CLR into native code? If so, is the best way to look at the
> MSIL form of this code by using ildasm.exe? I notice when I compile C# code
> that there is a tempPE directory. Is this where the MSIL form of the C#
> program is stored temporarily? If so, can I force Visual Studio .NET to
> leave the file there after compilation?
>
Unmanaged C++ is not compiled to MSIL, it's compiled to native code. As for
the tempPE directory, I don't know offhand what that does, except that it's
part of Visual Studio, not the compiler. I do not believe the C# compiler
generates an assembly file in any form. To examine MSIL, ildasm is your best
choice though.
> 3. If I can find a security issue (i.e. one of the functions like printf
> in iostream provided by Visual Studio .NET
> has a security flaw) in a C++ program (compiled using Visual Studio .net)
> then does that mean that I have found a security flaw in .NET or is it just
> a security flaw in Microsoft's implementation of the printf function? I.E.
> are they one and the same?
>
That would be a bug in MS's printf function. .NET, as far as security goes,
would mostly be the framework classes. Unmanaged C and STL\ATL classes are
not a portion of the framework (although bugs in them are important if you
are using managed C++).
> 4. When I read this one .NET security document "Security in the Microsoft
> .NET Environment" it indicated the framework had a variety of security
> mechanisms:
> Evidence-Based Security, Code Access Security, Role-Based Security, etc.
> Are these just features of using the libraries available in all of the
> languages that are compiled into MSIL (like C#, C++, ASP.NET, etc)? The
> document even went on to show a line of code (from I assume ASP.NET):
> if (HTTPContext.IsCallerInRole("Admin")) {...}
Code access and evidence-based security are enforced by the runtime, if
memory serves. So any app that runs in the system is restricted by them.
>
> 5. (a) If I compile a C++ program (that uses only managed code) using
> Visual Studio .NET will that executable require the .NET framework to be
> installed? I.E. if I send it to my friend on a different computer (same
> OS), will he require the .NET framework to execute it.
>
Yes
> (b) If I compile a C++ program (that uses only UNmanaged code) using
> Visual Studio .NET will that executable require the .NET framework to be
> installed? I.E. if I send it to my friend on a different computer (same
> OS), will he require the .NET framework to execute it.
>
No.
> (c) Also, has the executable in (b) been generated using the JIT
> compiler in CLR?
>
No, it would be generated by the MS C++ compiler.
> In summary, I want to clearly understand where .NET begins and ends. I
> want to know if I find a security related problem in some of the supporting
> libraries (i.e. iostream) of C++ that are found within Visual Studio .net
> have I found a .NET security flaw or is it just a security flaw in
> Microsoft's implementation of the iostream library for C++? Is the security
> framework I mentioned earlier available to all of the previously mentioned
> languages like C#, J#, ASP.NET, etc in
> some form or another (due to their compilation to MSIL and subsequent JIT
> compile to native code)?
>
Most of the compilation to native code shouldn't be reliant on the C library
or the STL, however the JIT does use these and *may* be vulnerable, however
proving that may not be easy.
> Thanks for any advice in this regard,
> Novice