[英]Any coding security issues specific to C#?
In C++ world there is a variety of ways to make an exploitable vulnerability: buffer overflow, unsafe sting handling, various arithmetic tricks, printf issues, strings not ending with '\\0' and many more. 在C ++世界中,存在多种方法来制造可利用的漏洞:缓冲区溢出,不安全的sting处理,各种算术技巧,printf问题,不以'\\ 0'结尾的字符串等等。 Despite most of these problems were solved in java, there are some things to talk about.
尽管java中解决了大多数这些问题,但仍有一些事情需要讨论。 But is there any list of typical C#-specific coding vulnerabilities?
但是,是否有任何典型的C#特定编码漏洞列表? (and not related to .NET platform itself)
(与.NET平台本身无关)
Here are a few issues you can run into: 以下是您可能遇到的一些问题:
C# is based on .NET and .NET is supposed to be type-safe, which means none of your list of horrors applies to C# or any .NET language. C#基于.NET,.NET应该是类型安全的,这意味着你的恐怖列表都不适用于C#或任何.NET语言。
But then again, C# has an unsafe
keyword and after that all bets are off. 但话说回来,C#有一个
unsafe
关键字,之后所有的赌注都关闭了。
It allows real pointers and everything that comes with them. 它允许真正的指针和它们附带的一切。
Not really. 并不是的。 I'm going to make a bold statement here:
我将在这里做一个大胆的声明:
There's no such thing as a "C#-specific coding vulnerability that isn't related to the .net platform". 没有“与.net平台无关的C#特定编码漏洞”。
A program written in C++ is compiled directly into a machine executable, so the language compiler is directly responsible for the creation of the executed code, hence the way C++ can be easily capable of "creating an exploitable vulnerability". 用C ++编写的程序直接编译成机器可执行文件,因此语言编译器直接负责创建执行代码,因此C ++可以轻松地“创建可利用的漏洞”。
A program written in C# however is compiled into IL, which is the only language that the .net platform works with. 然而,用C#编写的程序被编译成IL,这是.net平台使用的唯一语言。 The .net environment creates a machine executable based on that IL code.
.net环境基于该IL代码创建机器可执行文件。 Everything that C# can do is merely a subset of what the .net platform is capable of.
一切,C#能做的仅仅是什么.NET平台的强大功能的子集 。 This is how I can make my bold statement.
这就是我如何能够做出大胆的陈述。 Anything you could possibly do with C# that created a coding vulnerability would be one of:
您可以使用C#创建编码漏洞的任何操作都是以下之一:
1) A bug in the .net platform 1).net平台中的一个错误
or 要么
2) Executing code outside of the .net platform 2)在.net平台之外执行代码
So the way your question is currently phrased leads me to believe that either you're not fully aware of the huge differences between "writing code in C" and "writing code for the .net platform" or I'm misunderstanding your question. 所以你的问题目前的措辞方式让我相信,要么你没有完全意识到“用C语言编写代码”和“为.net平台编写代码”之间的巨大差异,要么我误解了你的问题。 Perhaps a bit of both!
也许两者都有! 8 )
8)
Hope this helps! 希望这可以帮助!
可能没有你的问题清单,但这是一个要小心的: void*
Don't forget, you can call any C++ from C#. 别忘了,你可以从C#调用任何C ++。 I do it all the time.
我一直这样做。 So all the buffer overrun issues and so on for C++ are relevant for C# as well even if you don't directly call C++ because C# calls C++ to do it's work.
因此C ++的所有缓冲区溢出问题等都与C#相关, 即使 你不直接调用C ++也是如此,因为C#调用C ++来完成它的工作。
Think about it. 想一想。 And any COM calls and Marshal calls are just as open to attack as normal.
任何COM调用和Marshal调用都像正常一样开放。 In Linux you can use _r routines and in Ver 8 up in VC++ you can use _s routines to lessen then chance of buffer overflow (requires user buffers and/or max sizes).
在Linux中,您可以使用_r例程,在Ver ++中使用VC ++,您可以使用_s例程来减少缓冲区溢出的可能性(需要用户缓冲区和/或最大大小)。 About the only way to stop vulnerabilities is to turn off your computer and read a paper back book (unless it too has a virus).
关于阻止漏洞的唯一方法是关闭计算机并阅读纸质书(除非它也有病毒)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.