Transparency as Least Privilege

In my last post I mentioned that there is a better alternative to RequestRefuse for achieving least privilege. The tool I like to use for least privilege is actually the security transparency model available in v2.0+ of the CLR (and which became the basis of the Silverlight security model). On the desktop CLR, transparent code…


Avoiding Assembly Level Declarative Security

I’ve written in the past about the three assembly level declarative security actions: RequestMinimum, RequestOptional, and RequestRefuse.  Although the CLR has supported these since v1.0, I tend to stay away from using them as much as I possibly can, and also recommend that others avoid them as well.  Let me go through each one individually:…


CLR Inside Out: Digging into IDisposable

My third MSDN magazine article, Digging into IDisposable, appeared in this month’s issue in the CLR Inside Out Column.  It’s a bit of a departure from my usual security fare; this time looking at how to best handle writing class libraries that must manage resources. Also in this month’s issue, Kenny Kerr provides a good introduction to…


Silverlight Security Cheat Sheet

Over the last week we took a look at the new Silverlight security model.  When you’re writing a Silverlight application though, there’s a lot of information there that you may not want to wade through to get yourself unblocked.  Here’s a quick cheat sheet highlighting the important points that you’ll need to know when working…


Silverlight Security III: Inheritance

Over the last few days we’ve looked at the basics of the CoreCLR security model in Silverlight, and how to tell which platform APIs are available for applications to call.  Let’s wrap up this mini-series on CoreCLR security by looking at how the CoreCLR transparency model interacts with inheritance in the Silverlight platform. From what…


Silverlight Security II: What Makes a Method Critical

Yesterday we talked about the CoreCLR security model, and how it is built upon the transparency model introduced in the v2.0 .NET Framework.  The quick summary was that all Silverlight application code is transparent, and transparent code may only call other transparent code and safe critical code.  With that in mind, lets take a look…


The Silverlight Security Model

You may have heard a thing or two last week about a little project we like to call Silverlight, including a small version of the CLR that will run in the browser on both Windows and the Mac.  (If you haven’t grabbed the Silverlight v1.1 alpha bits yet, I highly recommend it — as well…


Bypassing the Authenticode Signature Check on Startup

A while back I wrote about the performance penalty of loading an assembly with an Authenticode signature.  The CLR will attempt to verify the signature at load time to generate Publisher evidence for the assembly.  However, by default most applications don’t need Publisher evidence.  Standard CAS policy does not rely on the PublisherMembershipCondition, so unless your…


Loading an Assembly as a Byte Array

One of the various ways that you can load an assembly is by supplying the raw bytes of an assembly as a byte array.  The security identity of an assembly loaded this way turns out to be different than if you were to load the same assembly by name or by file.  In the case…



Attached is the TemplateControl.control manifest. TemplateControl.control