Compilation of Code in Microsoft Visual Studio .NET and a couple of other Microsoft .NET questions

Guest

Hi all, I'm afraid this is the second posting of this information as I didn't get a response on the previous post. I will try to shorten my message (i.e. be more concise) in the hopes that it will make it easier for someone (i.e. a Microsoft person) to digest the information and respond to it. I am a C++ and Java developer with over 3 years of industry experience. I've written low level C++ code, in addition to web clients that use web services. I've just recently installed the Visual Studio .net Professional trial version 2003. I have been reading up various documents that discuss - "What is Microsoft .Net" and have found some enlightening information.

I'm trying to write a paper on security and software development using Microsoft .Net. So far the most difficult aspect has been determining - what is Microsoft .NET?

--Questions--

1. What is included in the "set of software technologies" that are part of Microsoft .NET beyond the Microsoft .NET Framework. Specifically, I'm wondering if I speak to someone about Microsoft .NET does that include Microsoft Visual Studio .NET and other supportive technologies?

2. If I write unmanaged C++ code in Microsoft Visual Studio .NET is it transformed/compiled into MSIL (intermediate language) and then Just-In-Time compiled using CLR into native code? If so, is the best way to look at the MSIL form of this code by using ildasm.exe? I notice when I compile C# code that there is a tempPE directory. Is this where the MSIL form of the C# program is stored temporarily? If so, can I force Visual Studio .NET to leave the file there after compilation?

3. If I can find a security issue (i.e. one of the functions like printf in iostream provided by Visual Studio .NET has a security flaw) in a C++ program (compiled using Visual Studio .net) then does that mean that I have found a security flaw in .NET or is it just a security flaw in Microsoft's implementation of the printf function? I.E. are they one and the same?

4. When I read this one .NET security document "Security in the Microsoft .NET Environment" it indicated the framework had a variety of security mechanisms:
Evidence-Based Security, Code Access Security, Role-Based Security, etc. Are these just features of using the libraries available in all of the languages that are compiled into MSIL (like C#, C++, ASP.NET, etc)? The document even went on to show a line of code (from I assume ASP.NET):
if (HTTPContext.IsCallerInRole("Admin")) {...}

5. (a) If I compile a C++ program (that uses only managed code) using Visual Studio .NET will that executable require the .NET framework to be installed? I.E. if I send it to my friend on a different computer (same OS), will he require the .NET framework to execute it?

(b) If I compile a C++ program (that uses only UNmanaged code) using Visual Studio .NET will that executable require the .NET framework to be installed? I.E. if I send it to my friend on a different computer (same OS), will he require the .NET framework to execute it?

(c) Also, has the executable in (b) been generated using the JIT compiler in CLR?

In summary, I want to clearly understand where .NET begins and ends. I want to know if I find a security related problem in some of the supporting libraries (i.e. iostream) of C++ that are found within Visual Studio .net have I found a .NET security flaw or is it just a security flaw in Microsoft's implementation of the iostream library for C++? Is the security framework I mentioned earlier available to all of the previously mentioned languages like C#, J#, ASP.NET, etc in some form or another (due to their compilation to MSIL and subsequent JIT compile to native code)?

Thanks for any advice in this regard.
Novice
 
Daniel O'Connell [C# MVP]

Novice said:
Hi all, I'm afraid this is the second posting of this information as I
didn't get a response on the previous post. I will try to shorten my
message (i.e. be more concise) in the hopes that it will make it easier for
someone (i.e. a Microsoft person) to digest the information and respond to
it. I am a C++ and Java developer with over 3 years of industry experience.
I've written low level C++ code, in addition to web clients that use web
services. I've just recently installed the Visual Studio .net Professional
trial version 2003. I have been reading up various documents that discuss -
"What is Microsoft .Net" and have found some enlightening information.
I'm trying to write a paper on security and software development using
Microsoft .Net. So far the most difficult aspect has been determining -
what is Microsoft .NET?
--Questions--

1. What is included in the "set of software technologies" that are part
of Microsoft .NET beyond the Microsoft .NET Framework. Specifically, I'm
wondering if I speak to someone about Microsoft .NET does that include
Microsoft Visual Studio .NET and other supportive technologies?

This is a tough question, mostly due to mistakes by MS marketing. I do not
believe any (major) products outside of Visual Studio still use the .NET
moniker.

2. If I write unmanaged C++ code in Microsoft Visual Studio .NET is it
transformed/compiled into MSIL (intermediate language) and then Just-In-Time
compiled using CLR into native code? If so, is the best way to look at the
MSIL form of this code by using ildasm.exe? I notice when I compile C# code
that there is a tempPE directory. Is this where the MSIL form of the C#
program is stored temporarily? If so, can I force Visual Studio .NET to
leave the file there after compilation?

Unmanaged C++ is not compiled to MSIL, it's compiled to native code. As for
the tempPE directory, I don't know offhand what that does, except that it's
part of Visual Studio, not the compiler. I do not believe the C# compiler
generates an assembly file in any form. To examine MSIL, ildasm is your best
choice though.

3. If I can find a security issue (i.e. one of the functions like printf
in iostream provided by Visual Studio .NET
has a security flaw) in a C++ program (compiled using Visual Studio .net)
then does that mean that I have found a security flaw in .NET or is it just
a security flaw in Microsoft's implementation of the printf function? I.E.
are they one and the same?

That would be a bug in MS's printf function. .NET, as far as security goes,
would mostly be the framework classes. Unmanaged C and STL\ATL classes are
not a portion of the framework (although bugs in them are important if you
are using managed C++).

4. When I read this one .NET security document "Security in the Microsoft
.NET Environment" it indicated the framework had a variety of security
mechanisms:
Evidence-Based Security, Code Access Security, Role-Based Security, etc.
Are these just features of using the libraries available in all of the
languages that are compiled into MSIL (like C#, C++, ASP.NET, etc)? The
document even went on to show a line of code (from I assume ASP.NET):
if (HTTPContext.IsCallerInRole("Admin")) {...}

Code access and Evidence based security is enforced by the runtime, if
memory serves. So any app that runs in the system is restricted by them.

5. (a) If I compile a C++ program (that uses only managed code) using
Visual Studio .NET will that executable require the .NET framework to be
installed? I.E. if I send it to my friend on a different computer (same
OS), will he require the .NET framework to execute it.

Yes.

(b) If I compile a C++ program (that uses only UNmanaged code) using
Visual Studio .NET will that executable require the .NET framework to be
installed? I.E. if I send it to my friend on a different computer (same
OS), will he require the .NET framework to execute it.

No.

(c) Also, has the executable in (b) been generated using the JIT compiler in CLR?

No, it would be generated by the MS C++ compiler.

In summary, I want to clearly understand where .NET begins and ends. I
want to know if I find a security related problem in some of the supporting
libraries (i.e. iostream) of C++ that are found within Visual Studio .net
have I found a .NET security flaw or is it just a security flaw in
Microsoft's implementation of the iostream library for C++? Is the security
framework I mentioned earlier available to all of the previously mentioned
languages like C#, J#, ASP.NET, etc in
some form or another (due to their compilation to MSIL and subsequent JIT compile to native code)?

Most of the compilation to native code shouldn't be reliant on the C library
or the STL, however the JIT does use these and *may* be vulnerable, however
proving that may not be easy.
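
Added example, not part of the thread and not Microsoft code: the answers to questions 2 and 5 turn on whether an executable carries MSIL or only native code, and a PE file records that in data directory 14 (the CLR header slot) of its optional header. The sketch below reads that slot; `is_managed_pe` and `build_sample` are illustrative names, and the sample bytes are constructed header stubs, not real programs.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header slot

def is_managed_pe(data: bytes) -> bool:
    """True if the PE headers declare a CLR header (the image carries MSIL and
    needs the .NET runtime, mixed-mode C++ included); False if purely native."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ signature")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
        opt = pe_off + 24                                     # optional header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:        # PE32
            dirs = opt + 96
        elif magic == 0x20B:      # PE32+
            dirs = opt + 112
        else:
            raise ValueError("unknown optional header magic")
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        entry = dirs + 8 * CLR_DIR_INDEX
        if count <= CLR_DIR_INDEX or entry + 8 > opt + opt_size:
            return False          # directory table too short to hold a CLR entry
        rva, size = struct.unpack_from("<II", data, entry)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return rva != 0 and size != 0

def build_sample(clr_rva: int, clr_size: int) -> bytes:
    """Constructed PE32 header stub for the demo (headers only)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # 64-byte DOS header
    table = [(0, 0)] * 16
    table[CLR_DIR_INDEX] = (clr_rva, clr_size)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", r, s) for r, s in table)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    print("managed stub:", is_managed_pe(build_sample(0x2008, 0x48)))
    print("native stub: ", is_managed_pe(build_sample(0, 0)))
```
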
 
