堆栈内存溢出
  简体   繁体   English

C# 安全风险

[英]C# Security Risks

 原文  2020-03-04 07:29:22       c#/ security

问题描述

I am developing a small C# application, that acts as a handler for a certain web-protocol (myprotocol://blafoobar).我正在开发一个小型 C# 应用程序,它充当某个网络协议 (myprotocol://blafoobar) 的处理程序。 Thus whenever the user clicks on such a web link, the handler is invoked by Windows.因此,每当用户单击此类 Web 链接时,Windows 都会调用该处理程序。 It then parses the URI and performs certain actions.然后它解析 URI 并执行某些操作。

This of could of course be a security risk.这当然可能是一个安全风险。 One possible attack vector would be, that an attacker provides a malicious link to the user: "myprotocol://someevilstuff".一种可能的攻击向量是,攻击者向用户提供恶意链接:“myprotocol://someevilstuff”。 Then the parsing of the URI would cause my application to expose some unexpected behavior, due to buffer overflows etc. (<- I'm no expert on this).然后,由于缓冲区溢出等,URI 的解析会导致我的应用程序暴露一些意外行为(<-我不是这方面的专家)。

So I have a bunch of questions:所以我有一堆问题:

  • Is C# in general more robust against buffer overflows etc. (since eg array bounds are always checked)? C# 是否通常对缓冲区溢出等更健壮(因为总是检查数组边界)?
  • Is the C# string class rather safe (splitting etc.)? C# 字符串类是否相当安全(拆分等)?
  • Is there some general advice what I should look out for/avoid?是否有一些我应该注意/避免的一般建议?

1 个解决方案

解决方案1
 4 已采纳  2020-03-04 07:34:27

Is C# in general more robust against buffer overflows C#通常对缓冲区溢出更健壮吗

It is, AS IS GOOD WRITTEN C# code - basically you MUST check allocated memory all the time.是的,就像编写好的 C# 代码一样 - 基本上你必须一直检查分配的内存。 That said, unless your app explicitly violates trust boundaries (unsafe code, calls into native libraries) you are QUITE safe.也就是说,除非您的应用程序明确违反信任边界(不安全的代码、调用本机库),否则您是非常安全的。 100% is not likely, but a lot of people work on fixing every bug there. 100% 不太可能,但很多人都在努力修复那里的每个错误。

Is the C# string class rather safe (splitting etc.)? C# 字符串类是否相当安全(拆分等)?

Yes.是的。

Is there some general advice what I should look out for/avoid?是否有一些我应该注意/避免的一般建议?

Not really on a technical level.不是真的在技术层面上。 On a logical level - make the possible attack vector as small as possible, ie do not JUST delete things etc. and validate the input makes sense.在逻辑层面上 - 使可能的攻击向量尽可能小,即不要只是删除东西等并验证输入是否有意义。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 优化C#中的代码有风险吗? - Are there risks to optimizing code in C#? C#mongodb ObjectId使用风险 - C# mongodb ObjectId useage risks 提高 C# 项目的语言版本号会涉及任何风险吗? - Any risks involved in raising the language version number of a C# project? 精盐会带来安全隐患 - Security risks from trimming a salt C#插件系统安全性 - C# Pluginsystem security C# 安全异常 - C# Security Exception C#脚本和安全性 - C# Scripting and Security 重构公共API以减少安全风险 - Refactoring public API to reduce security risks 不使用OO封装会带来安全风险吗? - Does not use OO Encapsulation creates Security Risks? 连接字符串安全性C# - Connection String Security C#
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM