Any coding security issues specific to C#?

In the C++ world there is a variety of ways to make an exploitable vulnerability: buffer overflow, unsafe string handling, various arithmetic tricks, printf issues, strings not ending with '\0' and many more. Although most of these problems were solved in Java, there are some things to talk about. But is there any list of typical C#-specific coding vulnerabilities? (and not related to the .NET platform itself)

Here are a few issues you can run into:

  1. If you've got any sort of language interpreter (HTML, JavaScript, and SQL being the big three) then you can still have injection or XSS vulnerabilities.
  2. P/Invoke can cause problems, especially if you're doing any custom marshalling. Even if you're calling a "safe" API through P/Invoke, your marshalling code could contain a bug that corrupts or exposes memory.
  3. If you're doing file access then you need to make sure your files are always in acceptable directories. Be sure to sanitize against bad absolute and relative paths.
  4. Cryptography. Good cryptographic programming is really hard, and .Net's various safety features do nothing against crypto attacks.
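
An added example for point 3 above, not part of the original answer: one way to confine a caller-supplied path to an allowed directory in C#. The class and method names, the base directory and the sample inputs are constructed for illustration.

```csharp
using System;
using System.IO;

public static class SafePaths
{
    // Resolves userPath under baseDir and throws if the result escapes it.
    // Note: GetFullPath normalises "." and ".." but does not resolve symlinks.
    public static string ResolveUnder(string baseDir, string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath))
            throw new ArgumentException("Empty path.", nameof(userPath));

        // Canonical base ending in exactly one separator, so a sibling such as
        // "uploads-evil" cannot pass a prefix test against "uploads".
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine returns a rooted userPath unchanged, so absolute input
        // is not silently re-based; the prefix check below rejects it.
        string full = Path.GetFullPath(Path.Combine(root, userPath));

        // Windows file systems are normally case-insensitive.
        StringComparison cmp = Path.DirectorySeparatorChar == '\\'
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        if (!full.StartsWith(root, cmp))
            throw new UnauthorizedAccessException("Path escapes base directory: " + userPath);
        return full;
    }

    public static void Main()
    {
        // Constructed base directory and inputs, for illustration only.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");
        string[] inputs = { "reports/q1.txt", "../secret.txt",
                            "reports/../../uploads-evil/x.txt", "/etc/passwd" };
        foreach (string input in inputs)
        {
            try { Console.WriteLine("OK      " + ResolveUnder(baseDir, input)); }
            catch (UnauthorizedAccessException) { Console.WriteLine("REJECT  " + input); }
        }
    }
}
```

Only the first input resolves inside the base directory; the relative traversal, the sibling-directory prefix trick and the absolute path are all rejected.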

C# is based on .NET and .NET is supposed to be type-safe, which means none of your list of horrors applies to C# or any .NET language.

But then again, C# has an unsafe keyword and after that all bets are off.
It allows real pointers and everything that comes with them.

Not really. I'm going to make a bold statement here:
There's no such thing as a "C#-specific coding vulnerability that isn't related to the .net platform".

A program written in C++ is compiled directly into a machine executable, so the language compiler is directly responsible for the creation of the executed code, hence the way C++ can be easily capable of "creating an exploitable vulnerability".

A program written in C# however is compiled into IL, which is the only language that the .net platform works with. The .net environment creates a machine executable based on that IL code. Everything that C# can do is merely a subset of what the .net platform is capable of. This is how I can make my bold statement. Anything you could possibly do with C# that created a coding vulnerability would be one of:
1) A bug in the .net platform
or
2) Executing code outside of the .net platform

So the way your question is currently phrased leads me to believe that either you're not fully aware of the huge differences between "writing code in C" and "writing code for the .net platform" or I'm misunderstanding your question. Perhaps a bit of both! 8 )

Hope this helps!

There may not be a list for your question, but here is one to be careful of: void*

Don't forget, you can call any C++ from C#. I do it all the time. So all the buffer overrun issues and so on for C++ are relevant for C# as well even if you don't directly call C++ because C# calls C++ to do its work.
Think about it. And any COM calls and Marshal calls are just as open to attack as normal. In Linux you can use _r routines and in Ver 8 up in VC++ you can use _s routines to lessen the chance of buffer overflow (requires user buffers and/or max sizes). About the only way to stop vulnerabilities is to turn off your computer and read a paperback book (unless it too has a virus).
