.Net Research Links

This page is a collection of links (most from my Dinis' owasp.net blog) which relate to .Net.

Exploit Central

 * http://www.milw0rm.com/
 * http://www.secwatch.org/ - Providing updated information on the latest security vulnerabilities.
 * http://www.packetstormsecurity.org/
 * http://elsenot.com/ - Lists Microsoft Security Bulletins and exploits (a bit out of date)
 * http://jav.ch/ - Lists Microsoft Security Bulletins and exploits (a bit out of date)

CLR stuff

 * http://pinvoke.net - Detailed list of .NET's PInvoke definitions
 * Very, very interesting interview by Anders Hejlsberg (the lead C# architect) with Bruce Eckel and Bill Venners (there are 8 parts, and this "CLR Design Choices" link goes to the 8th, which contains links to all of them)
 * Yun Jin's Dangerous PInvokes - string modification
 * Calli is not Verifiable (see also calli on numeric constant thread)
 * Joel Pobar's More late-bound invocation scenario notes
 * Jonathan Keljo's CLR Blog Using the Profiling API EnterLeave Function Hooks
 * How to Migrate to clrpure, and Pure and Verifiable Code. This last one contains this note: “There is one coding scenario that will pass the compiler but that will result in an unverifiable assembly: calling a virtual function through an object instance using the scope resolution operator. For example: MyObj -> A::VirtualFunction;.”
 * David Notario's Gotchas with Reverse Pinvoke (unmanaged to managed code callbacks)
 * Drill Into .NET Framework Internals to See How the CLR Creates Runtime Objects
 * The Common Language Runtime (CLR) (on MSDN)
 * Let The CLR Find Bugs For You With Managed Debugging Assistants

CAS

 * The Security Infrastructure of the CLR Provides Evidence, Policy, Permissions, and Enforcement Services

.Net 2.0

 * More on 2.0 changes: Delegates Security (from Eugene Bobukh's WebLog)

Click Once

 * "Find Out What's New with Code Access Security in the .NET Framework 2.0" (http://msdn.microsoft.com/msdnmag/issues/05/11/CodeAccessSecurity/default.aspx) and its side notes (MSDN Magazine, November 2005)
 * ClickOnce and or No Touch Deployment example sites on Developer Newsgroups
 * Take the Pain Out of Deployments with ClickOnce
 * ClickOnce Deploy and Update Your Smart Client Projects Using a Central Server (MSDN Magazine, May 2004) says: “To allow the application to obtain the permissions it needs without administrator intervention on the client machine, ClickOnce can prompt the user at installation time to ask them to grant the application the elevated permissions. Once permission is granted, the user will not be prompted again on subsequent runs. Although this capability circumvents some of the security protections provided by the CLR by allowing a user to elevate security permissions for that application, you can prevent the user from being allowed to do this through security policy in an enterprise environment.”
 * dasBlonde series of posts on ClickOnce (http://www.dasblonde.net/CategoryView,category,ClickOnce.aspx)
 * "When the Opposite of Transparent isn't Opaque" (http://blogs.msdn.com/shawnfa/archive/2005/08/31/458641.aspx)
 * Series of articles on Artima about Java JVM security (http://www.artima.com/articles/index.jsp?topic=security)
 * .Net Security Blog: "Isolated Storage and ClickOnce" (http://blogs.msdn.com/shawnfa/archive/2006/01/18/514407.aspx) and "Detecting that You're Running in a ClickOnce Application" (http://blogs.msdn.com/shawnfa/archive/2006/01/20/514411.aspx)
 * ClickOnce_Security - Microsoft ClickOnce Vulnerabilities and Remediation measures

WinDbg and SoS (Son of Strike)

SoS is the WinDbg extension for analysing Managed Applications

 * Keith Brown's "Bugslayer SOS It's Not Just an ABBA Song Anymore" (http://msdn.microsoft.com/msdnmag/issues/03/06/Bugslayer/) (MSDN Magazine, June 2003)
 * "JIT and Run Drill Into .NET Framework Internals to See How the CLR Creates Runtime Objects" (http://msdn.microsoft.com/msdnmag/issues/05/05/JITCompiler/) (MSDN Magazine, May 2005)
 * "Investigating ASP.Net Memory Issues using WinDbg and SOS" (http://www.eggheadcafe.com/articles/20060114.asp)
 * Jason Zander's "SOS Debugging of the CLR, Part 1" (http://blogs.msdn.com/jasonz/archive/2003/10/21/53581.aspx)
 * WinDbg in Action: "A word for WinDbg" (http://mtaulty.com/blog/%28qpfuv145clrvlf5520rplrfo%29/archive/2004/08/03/608.aspx) and "A word for WinDbg (2)" (http://mtaulty.com/blog/%28xvr5rffxvkzjgc55h5jocynf%29/archive/2004/08/03/609.aspx) (now talking about SoS)
 * Yun Jin's "OutOfMemoryException and Pinning" (https://blogs.msdn.com/yunjin/archive/2004/01/27/63642.aspx)
 * "Windows Debuggers Part 1 A WinDbg Tutorial" (http://www.codeproject.com/debug/windbg_part1.asp) (The Code Project)
 * good archive list: "windbg .NET Framework Post" (http://www.eggheadcafe.com/forumarchives/windbg/)
 * good document, demos and toolset: "Debugging .NET Applications (Building Distributed Applications)" (http://msdn.microsoft.com/library/en-us/dnbda/html/DBGrm.asp?frame=true)
 * Also related:
    * mvstanton's "Traversing the gc heap (and introducing PSSCOR.DLL)" (http://blogs.msdn.com/mvstanton/archive/2004/04/05/108023.aspx)
    * "[SOS from your production environment]" (http://www.developerland.com/DotNet/Enterprise/285.aspx) (DeveloperLand.com)
    * "Coding Horror Debugging ASPNET_WP in Production" (http://www.codinghorror.com/blog/archives/000015.html)
    * "How to use ADPlus to troubleshoot hangs and crashes" (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q286350)
    * "Debugging Memory Problems (Building Distributed Applications)" (http://msdn.microsoft.com/library/en-us/dnbda/html/dbgch02.asp?frame=true)

IL (needs some cleaning on the links)

 * https://mailserver.di.unipi.it/pipermail/dotnet/msg00147.html and http://mailserver.di.unipi.it/pipermail/dotnet/msg00164.html
 * http://blogs.msdn.com/ptorr/archive/2004/01/28/63748.aspx
 * http://blogs.msdn.com/ptorr/archive/2004/1/27.aspx
 * http://blogs.msdn.com/ptorr/archive/2004/01/27/63308.aspx
 * http://blogs.msdn.com/ptorr/archive/2005/01/16/353816.aspx
 * http://blogs.msdn.com/ptorr/archive/2004/01/26/62900.aspx
 * http://blogs.msdn.com/ptorr/archive/2004/01/15/58902.aspx
 * http://groups.google.com/group/microsoft.public.dotnet.languages.csharp/browse_frm/thread/3f41b45911a5d346/51a4058ba297c1fd#51a4058ba297c1fd


 * http://blogs.msdn.com/ericlippert/archive/2004/01/22/61803.aspx#61933
 * http://blogs.msdn.com/ericlippert/archive/2004/01/14/58700.aspx
 * http://weblogs.asp.net/jarnold/archive/2004/01/27/63574.aspx


 * http://blogs.gotdotnet.com/joelpob/archive/2004/11/17/259224.aspx
 * http://blogs.gotdotnet.com/joelpob/archive/2004/09/22/233121.aspx
 * http://blogs.gotdotnet.com/joelpob/archive/2004/07/19/187709.aspx
 * http://blogs.gotdotnet.com/joelpob/archive/2005/07/01/434728.aspx


 * http://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=106245&ixReplies=9
 * http://www.thinktecture.com/Resources/Articles/SealedIsGood.html


 * "Flexible Bytecode for Linking in .NET" (http://slurp.doc.ic.ac.uk/pubs/flexiblebytecodefordotnet-bytecode05.pdf)
 * "Untrusted Code Security" (http://securitytf.cs.kuleuven.ac.be/teaching/UntrustedCodeSecurity.pdf)

Cool Articles (to normalize)

 * Launching a process and displaying its standard output
 * Responding to COM Events in .NET Applications
 * WebBrowser Customization, About the Browser Blocking images similar to Outlook in .NET 2.0, Extended .NET 2.0 WebBrowser Control