Sysadmin: Security
Solving access denied errors using Process Monitor
Access denied errors are not uncommon when deploying new websites / features that interact with the filesystem. While it might work in local testing, it suddenly doesn't anymore when deployed. Using Process Monitor I'll show how to easily debug these issues. I've made a very simple web application project with a Default.aspx file that has the following codebehind code:

    using System;
    using System.IO;
    using System.Web.UI;

    namespace FileWritingWebsite
    {
        public partial class _Default : Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
                // Write a file to the root of the C: drive on every page load
                File.WriteAllText(@"C:\Test.txt", "Hello world!");
                Response.Write("Done!");
            }
        }
    }

After deploying this to my webserver we receive the archetypical access denied error:
In this case it's rather obvious where the error stems from,...
Implementing imperative security declaratively using PostSharp
At a recent TechTalk I talked about code access security and how to perform declarative and imperative security demands & requests. There's no doubt declarative security checking is nicer than imperative checking, but not everything can be done declaratively. Say we have the following method:

    static void writeFile(string filePath)
    {
        // File.WriteAllText takes the path first, then the contents
        File.WriteAllText(filePath, "test");
    }

We want to make sure we have permission to write to the filepath. Declaratively, we can request (SecurityAction.RequestMinimum) for an unrestricted FileIOPermission which would ensure that we had write access. But requesting unrestricted IO access is way overkill, since we only need access to select paths.
I got the question,...
TechTalk material part 2
I continued my TechTalk on security in the .NET framework today, picking up where we left off last time. As promised, here are the demos and slides (in Danish). Regarding the demos, the baseline folders contain the code as it was at the beginning of the presentation, the others contain the code as it ended up after the presentation. Slides Demos
TechTalk material
I held my TechTalk on CAS security in the .NET framework today. As promised, here are the demos and slides (in Danish). If you're asked for a key password, it's "123456". Slides Demos
.NET Security TechTalk
I will be hosting two TechTalks on security in .NET, at Microsoft Denmark in August. The TechTalks will be held in DANISH. Jakob Andersen will be co-hosting the TechTalks, hopefully filling in on my weak points and vice versa. I urge participants to comment on this post regarding topics you would like us to talk about, problems you've had, suggestions and so forth. If you're not attending, please comment anyways - I'll be blogging a lot on security for the time being and I'm always seeking relevant topics to research further :)
Providing custom assembly evidence
I recently mentioned the possibility of having an assembly provide custom evidence alongside the CLR provided evidence. Let's see how to do it.
Creating the evidence
The first step is to actually create the evidence itself. The evidence can be in any form, as long as it's serializable. That means you can use strings, complex types (provided they're serializable), or plain old'n'good XML. For lack of a better example, I'll create a piece of evidence that tells the birthdate and name of the developer behind the assembly. Really useful, I know.

    <?xml version="1.0" encoding="utf-8" ?>
    <myEvidence>
        <birthDay>1985-07-25</birthDay>
        <name>Mark S. Rasmussen</name>
    </myEvidence>

Saving...
Analyzing assembly evidence
When the CLR loads an assembly and needs to determine the appropriate permission set to apply, it bases the decision on various pieces of evidence. Assembly evidence tells the CLR about the origins of the assembly, the zone it's loaded from and the file hash of the actual assembly file. These are just some of the more common evidence types the CLR uses; there are a lot more that are rarely used. Any object can be a piece of evidence, but the CLR will only react to well-known evidence types. There are two different overall origins of evidence, assembly provided and...
Securing .NET Code
When you write your code, compile it, and distribute the exe/dll's, is your source safe? We're not talking about protection against buffer overruns, SQL injection and various other code hacking techniques; we're talking about protection of the source code itself, protection of intellectual property. This article is the result of me touring the Danish universities as a Microsoft Student Partner, giving lectures on the subject of securing code and intellectual property in the realm of the .NET Framework. Download source code for the examples: securing_dotnet.zip
The problem
Why protect...