| re: Compilation of Code in Microsoft Visual Studio .NET and a couple of other Microsoft .NET questions
"Novice" <6tc1@qlinkDOTqueensuDOTca> wrote in message
news:8B8270FF-E63A-4EBB-BA26-94AA774E8FCF@microsoft.com...[color=blue]
> Hi all, I'm afraid this is the second posting of this information as I[/color]
didn't get a response on the previous post. I will try to shorten my
message (i.e. be more concise) in the hopes that it will make it easier for
someone (i.e. a Microsoft person) to digest the information and respond to
it. I am a C++ and Java developer with over 3 years of industry experience.
I've written low level C++ code, in addition to web clients that use web
services. I've just recently installed the Visual Studio .net Professional
trial version 2003. I have been reading up various documents that discuss -
"What is Microsoft .Net" and have found some enlightening information.[color=blue]
>
> I'm trying to write a paper on security and software development using[/color]
Microsoft .Net. So far the most difficult aspect has been determining -
what is Microsoft .NET?[color=blue]
>
> --Questions--
>
> 1. What is included in the "set of software technologies" that are part[/color]
of Microsoft .NET beyond the Microsoft .NET Framework. Specifically, I'm
wondering if I speak to someone about Microsoft .NET does that include
Microsoft Visual Studio .NET and other supportive technologies?[color=blue]
>[/color]
This is a tough question, mostly due to mistakes by MS marketing. I do not
belive any (major)products outside of Visual Studio still use the .NET
moniker.
[color=blue]
> 2. If I write unmanaged C++ code in Microsoft Visual Studio .NET is it[/color]
transformed/compiled into MSIL (intermediate language) and then Just-In-Time
comiled using CLR into native code? If so, is the best way to look at the
MSIL form of this code by using ildasm.exe? I notice when I comile C# code
that there is a tempPE directory. Is this where the MSIL form of the C#
program is stored temporarily? If so, can I force Visual Studio .NET to
leave the file there after compilation?[color=blue]
>[/color]
Unmanaged C++ is not compiled to MSIL, its compiled to native code. As for
the tempPE directory, I don't know off hand waht that does, except that its
part of visual studio, not the compiler. I do not believe the c# compiler
generates an assembly file in any form. To examine MSIL, ildasm is your best
choise though.[color=blue]
> 3. If I can find a security issue (i.e. one of the functions like printf[/color]
in iostream provided by Visual Studio .NET[color=blue]
> has a security flaw) in a C++ program (compiled using Visual Studio ..net)[/color]
then does that mean that I have found a security flaw in .NET or is it just
a security flaw in Microsoft's implementation of the printf function? I.E.
are they one and the same?[color=blue]
>[/color]
That would be a bug in MS's printf function. .NET, as far as security goes,
would mostly be the framework classes. Unmanged C and STL\ATL classes are
not a portion of the framework(although bugs in them are important if you
are using managed C++).[color=blue]
> 4. When I read this one .NET security document "Security in the Microsoft[/color]
...NET Environment" it indicated the framework had a variety of security
mechanisms:[color=blue]
> Evidence-Based Security, Code Access Security, Role-Based Security, etc.[/color]
Are these just features of using the libraries available in all of the
languages that are compiled into MSIL (like C#, C++, ASP.NET, etc)? The
document even went on to show a line of code (from I assume ASP.NET):[color=blue]
> if (HTTPContext.IsCallerInRole("Admin"){...})[/color]
Code access and Evidence based security is enforced by the runtime, if
memory serves. So any app that runs in the system is restricted by them.[color=blue]
>
> 5. (a) If I compile a C++ program (that uses only managed code) using[/color]
Visual Studio .NET will that executable require the .NET framework to be
installed? I.E. if I send it to my friend on a different computer (same
OS), will he require the .NET framework to execute it.[color=blue]
>[/color]
Yes[color=blue]
> (b) If I compile a C++ program (that uses only UNmanaged code) using[/color]
Visual Studio .NET will that executable require the .NET framework to be
installed? I.E. if I send it to my friend on a different computer (same
OS), will he require the .NET framework to execute it.[color=blue]
>[/color]
No.[color=blue]
> (c) Also, has the executable in (b) been generated using the JIT[/color]
compiler in CLR?[color=blue]
>[/color]
No, it would be generated by the MS C++ compiler.[color=blue]
> In summary, I want to clearly understand where .NET begins and ends. I[/color]
want to know if I find a security related problem in some of the supporting
libraries (i.e. iostream) of C++ that are found within Visual Studio .net
have I found a .NET security flaw or is it just a security flaw in
Microsoft's implementation of the iostream library for C++? Is the security
framework I mentioned earlier available to all of the previously mentioned
languages like C#, J#, ASP.NET, etc in[color=blue]
> some form or another (due to their compilation to MSIL and subsequent JIT[/color]
compile to native code)?[color=blue]
>[/color]
Most of the compilation to native code shouldn't be reliant on the C library
or the STL, however the JIT does use these and *may* be vulnerable, however
proving that may not be easy.
[color=blue]
> Thanks for any advice in this regard,
> Novice[/color]
| 
