Saturday, December 11, 2010

UnSafe Code


By default, Microsoft’s C# compiler produces safe code. Safe code is code that is verifiably safe. However, Microsoft’s C# compiler allows developers to write unsafe code. Unsafe code is allowed to work directly with memory addresses and can manipulate bytes at these addresses. This is a very powerful feature and is typically useful when interoperating with unmanaged code or when you want to improve the performance of a time-critical algorithm.

However, using unsafe code introduces a significant risk: unsafe code can corrupt data structures and exploit or even open up security vulnerabilities. For this reason, the C# compiler requires that all methods that contain unsafe code be marked with the unsafe keyword. In addition, the C# compiler requires you to compile the source code by using the /unsafe compiler switch.

When the JIT compiler attempts to compile an unsafe method, it checks to see if the assembly containing the method has been granted the System.Security.Permissions.SecurityPermission with the System.Security.Permissions.SecurityPermissionFlag’s SkipVerification flag set. If this flag is set, the JIT compiler will compile the unsafe code and allow it to execute. The CLR is trusting this code and is hoping the direct address and byte manipulations do not cause any harm. If the flag is not set, the JIT compiler throws either a System.InvalidProgramException or a System.Security.VerificationException, preventing the method from executing. In fact, the whole application will probably terminate at this point, but at least no harm can be done.
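To make the unsafe keyword and the /unsafe switch concrete, here is an added example (not code from the original post) that puts a verifiable buffer fill next to a pointer-based one. The class and method names are hypothetical; the point is that once the CLR's bounds check is gone, the method has to validate the length itself.

```csharp
// Added example, not from the original post. Names are hypothetical.
// Compile with: csc /unsafe UnsafeDemo.cs
using System;

public static class UnsafeDemo
{
    // Verifiable version: the CLR bounds-checks every array access.
    public static void FillSafe(byte[] buffer, int count, byte value)
    {
        for (int i = 0; i < count; i++)
            buffer[i] = value;   // IndexOutOfRangeException once i reaches buffer.Length
    }

    // Unverifiable version: the pointer forces the 'unsafe' modifier.
    // The explicit range check stands in for the bounds check the CLR no longer does.
    public static unsafe void FillUnsafe(byte[] buffer, int count, byte value)
    {
        if (buffer == null) throw new ArgumentNullException("buffer");
        if (count < 0 || count > buffer.Length)
            throw new ArgumentOutOfRangeException("count");
        if (count == 0) return;  // nothing to write; also avoids pinning an empty array

        // 'fixed' pins the array so the GC cannot move it while p is in use.
        fixed (byte* p = buffer)
        {
            for (int i = 0; i < count; i++)
                p[i] = value;    // raw write: no bounds check on this line
        }
    }

    public static void Main()
    {
        var data = new byte[8];
        FillUnsafe(data, data.Length, 0xAA);
        Console.WriteLine(BitConverter.ToString(data));

        // Both calls ask for 4 bytes more than the buffer holds.
        try { FillSafe(data, data.Length + 4, 0xFF); }
        catch (IndexOutOfRangeException)
        { Console.WriteLine("safe code: overrun stopped by the CLR"); }

        try { FillUnsafe(data, data.Length + 4, 0xFF); }
        catch (ArgumentOutOfRangeException)
        { Console.WriteLine("unsafe code: overrun stopped by our own check"); }
    }
}
```

Without the range check in FillUnsafe, the loop would write past the end of the pinned array into whatever the managed heap holds next, which is the data-structure corruption described above.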

47 comments:

  1. What happens when third party dot net dlls are used? In what way can we check the dlls are calling unsafe methods or not? Do we have tools that inspect the third party dlls for checking any security vulnerabilities?

  2. Good questions Srini, as usual. To take control, Security.Permissions namespace helps as indicated in the last para. In terms of tools, there are a few tools like Axivion, Lanquard, DLLHijackAuditor in the market. But I would recommend learning from Microsoft's security tech blog 'http://blogs.technet.com/b/srd/' for the latest frequent updates.
