Sample of non-CAS custom permission with declarative form supported.

Why? Recently, I started seeing numerous requests regarding creation of custom permissions that do not inherit from CodeAccessPermission and thus do not perform a stack walk. There is nothing special about implementing such classes. In fact, it is easier than with CodeAccessPermission as a base. However, having a sample handy, I just decided to share it here…

How to Demand several StrongNameIdentityPermissions “at the same time” in 1.0 and 1.1.

Problem Statement: Code Access Security provides developers with numerous ways of protecting their methods from unauthorized or untrusted callers, including usage of caller’s StrongName signature to identify it. So if one would like to make sure that all the callers of some method are signed with particular key [what is almost equivalent to being shipped…

FullTrust means Full Trust

The text below is provided “AS IS”, without any responsibilities attached to it. It represents author’s personal opinion and knowledge, and does not necessarily reflect recommended best practices of Microsoft. Author does not assume any responsibility caused by the use of the following information. ================================= Well, here is another post after a long, long break. This…

Some tips on testing managed code Security.

<Disclaimer> The text below represents author’s personal opinion and does not necessarily reflect Microsoft recommended best practices. Author does not assume any responsibility caused by the use of the following information. </Disclaimer> Some quick tips on testing managed code Security. So now you are developing or testing some managed application. You’ve heard lots about .NET…

Practice and Theory of Security Reviews

Click here if you want to skip all the theory and just go to the Security Reviews Heuristics Zoo. If you are a software security professional, you might’ve been asked sometimes to conduct a “security design review”. If you felt lost at that point, this article may help you. Here I tried to summarize my…

Estimating Hidden Bug Count — Part 1/3

Part 1: Introduction and Basic Theory. Part 2: Accounting for Bug Fixes. Part 3: Flowchart Summary and Limitations. Part 1: Introduction. Probably every piece of software has some defects in it. Known defects (also called bugs) are found by manufacturers and users and fixed. Unknown ones remain there, waiting to be discovered some…

Is Pluto a Planet?

Is Pluto a planet? And how is that question related to Data Science? For sure, physical properties of Pluto do not change if we call it a “planet”, a “dwarf planet”, a “candelabrum”, or a “sea cow”. Pluto stays the same Pluto regardless of all that. For physics or astronomy, naming does not really matter….

Equation of a Fuzzing Curve — Part 2/2

Follow-up notes and discussion. See Part 1 here. Can you predict how many bugs will be found at infinity? No. There seems to be a fundamental limit on fuzzing curve extrapolation. To see that, consider a bug distribution function of the following form: where p0 >> p1 but a0 ≈ a1 and δ(x) is…

Equation of a Fuzzing Curve — Part 1/2

Equation of a Fuzzing Curve. Introduction. While fuzzing, you may need to extrapolate or describe analytically a “fuzzing curve”, which is the dependency between the number of bugs found and the count of fuzzing inputs. Here I will share my approach to deriving an analytical expression for that curve. The results could be applied…

Estimating Hidden Bug Count — Part 3/3

Part 4: Step By Step Guide. This is just a summary of the previous chapters as a flow chart (click here for the derivation of the method). Here variable meanings are: External bugs, or E – the count of active (not fixed) bugs reported against the product externally; Internal bugs, or I – the count…