SECSYM: Security Symposium VI

Five tools for helping counter security threats: Threat Modelling Tool. This is a documentation tool to help explore threat models within a product. At present it is internal only – it was used for the SQL Server security push. It will be available for external use shortly, probably on GotDotNet. Code Access Security. The .NET…

SECSYM: Security Symposium V

The SQL Server security lead developer demonstrated a black hat tool circulating on the Internet that utilises a SQL injection vulnerability to expose access to the full underlying database server, allowing query of any other table on that system or any linked server for which a web application has access. He demonstrated how a simple ASP.NET…

SECSYM: Security Symposium IV

Managed code is safer code! The following function is a C# analogue of a previous fragment: private void CopyStuff(string data) { char[] buffer = new char[128]; data.CopyTo(0, buffer, 0, data.Length); // do other stuff } If the output buffer is too small in the above scenario, the CLR will simply throw an exception. Does that…

SECSYM: Security Symposium III

Error #1: Copying untrusted data Take a line of code such as the following: while (*c != '\\') *p++ = *c++; What’s the problem here? The copy process is limited by the source data, not the destination buffer size. Copying untrusted data is one of the most prevalent causes of security issues. Buffer overruns, SQL…

SECSYM: Security Symposium II

The moment you plug a live Internet network connection into your computer, you become part of the seediest neighbourhood on the planet. Your neighbours include thieves, con-artists, vandals, criminals and hackers. No wonder our computers are exposed to a very different environment to that of ten years ago! It only takes one bad guy to…

SECSYM: Security Symposium I

Most of the security vulnerabilities that have been found in Windows over the last couple of years have not related to security features. For that reason, it’s important that every developer understands how to build secure code. Yet it’s not something that most people have had training on – it’s not taught as part of…

Reflections on Wednesday

There were plenty more thought provoking sessions today at the PDC. I’ve uploaded slightly fewer session notes than on previous days; I attended one really poor session that wasn’t worth taking notes for, and one session that was entirely spent in code demos and was therefore impossible to write up. I can’t remember a conference…

ARC413: Whidbey CLR Internals

Reader warning: this session was deep! I take no responsibility for any subtle inaccuracies I’ve introduced. I’ve missed out some of the most complex stuff to minimise the risk of error… Generics Generics are not a new concept; they have been around for many years in other languages, including C++ (as templates). Generics are commonly…

CLI326: WinFS – File System Integration and Security

WinFS is a marriage with NTFS! It’s a file system that co-exists with and leverages the best of NTFS. There are areas where NTFS will not scale well in the future, not because as a file system it is inadequate but because the new requirements people will have in a world of digital data requires…

Rashid: Microsoft Research

Microsoft Research has over 700 employees located across five locations worldwide. Rick Rashid demonstrated some of the innovations covering presentation, storage and communication – three of the Longhorn pillars. Presentation: Microsoft presented 11 out of 80 papers at SIGGRAPH this year. We’re seeing an increasing reliance on the GPU: it’s turning into one of the most…
