Best IT Recipes

Why doesn't .NET check BCL / CLR?

All .NET assemblies in BCL and CLR (hereinafter only CLR will be used) will be firmly named and digitally signed . Digital certificates are provided to ensure that the assembly has not been modified or replaced. However, it does not seem that .NET ever verifies a digital signature (it can verify a strong name, as indicated by Hans).

It makes sense that checking the assembly load is erroneous because the modified CLR can fake responses. I believe that the only safe place from the point of view of .NET 1 for checking is the beginning of the framework program as part of the unmanaged code that loads the framework. The big drawback is the impact of performance.

I look at it from the point of view of the developer, in other words, how do I know if my application is not compromised by the existing CLR 2 or otherwise, otherwise an application trusted by the CLR?

So my question is: why does .NET not check the CLR? Is it due to the fact that the influence of productivity or is it greater?

<h / ">
1. I focus on .NET, you can talk to Windows and thereby break the idea, but if you already have Windows, you really don't need to own .NET.
2. An example of this is to enter the user's password into the application, it is stored in SecureString, but the BCL is compromised so that the attacker now receives this information. This allows them to capture information for something else. I understand that an attacker, if he can replace the CLR, can also put a key logger on the machine, but this (I hope) is detected using a decent security tool. There are also many other ways to attack this; the kernel is how I can find out if SecureString has been modified.

+6
Sep 12 '11 at 8:24
source share
2 answers

This has been changed in .NET 3.5 SP1, intended for an initial improvement for applications that are fully trusted, to give them parity with native programs that do not perform such verification. Validating a strong name is expensive, and cold starts of managed programs are usually slow due to the large number of DLLs. You can enable it using the .config file:

<configuration> <runtime> <bypassTrustedAppStrongNames enabled="false"/> </runtime> </configuration>

Or by editing the registry key so that it works for all .NET programs:

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework] "AllowStrongNameBypass"=dword:00000000

Also install the HKLM \ Software \ Wow6432Node key on a 64-bit machine.

+6
Sep 12 '11 at 8:40
source share

They are in the GAC. Anyone who can communicate with the GAC is already a privileged user. Also, most applications work in full trust mode, in any case it does not matter. Since in an application with full trust, you can use pointers, native-interop, ... all of which can violate security based on validation.

Code verification is important in scenarios where you run a lower trust code, such as in Silverlight. In such a sandbox that you want to execute:

  • Verified secure untrusted code
  • Trusted code that resides in the GAC or is signed using a key that you trust.


  • An example of this is the user entering the password into the application, it is stored in SecureString, but the BCL is hacked so that the attacker now receives this information. This allows them to capture information for something else. I understand that an attacker, if he can replace the CLR, can also put a key log on the machine, but this (I hope) is detected using a decent security tool.

You already have a defective security model. There are so many ways to attack your application in this threat scenario that you do not need to worry about BCL. For example, an attacker could fix NGen ed or JITed code. Either connect directly to the SecureString methods or the input code. He could use various keyword registration functions or message interception functions, which in my experience are rarely detected. He could subclass your window. You can completely replace your GUI. It could just replace all your assemblies on disk. It is unlikely that the user would have noticed.

In my experience, most security tools don't even care that the application sets a low-level keyboard hook, which is one of the easiest ways to write to the log.

+3
Sep 12 '11 at 8:30
source share


More articles:


All Articles