Friday, August 06, 2004

Can there be an exploitable buffer overrun in the CLR?

   Last June, at the Q&A session at the Pakistan Developer Conference in Karachi, an attendee asked: "Can there be an exploitable buffer overrun in the CLR?". My answer was that it is always possible in theory... I was really tired after five sessions back to back. I did not develop my answer enough. I am not an expert on the CLR, so I am posting this in the hope of getting some comments from more knowledgeable people on the subject.

    Here are my thoughts :

  1. The CLR is definitely unmanaged, and thus, in theory, it can have a buffer overrun. No developer is beyond making mistakes, and there certainly could be a buffer overrun. The problem is whether it can be exploited, and if so, how...
  2. One shouldn't confuse the CLR with the .Net Framework: we develop in managed code against the built-in classes of the .Net Framework. This means that any exploitable buffer overrun that would surface in our applications would have to be there in the classes we develop. So if a buffer overrun in the CLR is to be exploited through managed code, it has not only to be there in the CLR, but also to resurface through some of the .Net Framework classes (calls to managed heap allocation, for example, without validating values before making the call to the CLR). Then our own code would have to have the same flaw again... That means that the same flaw, applying to the very same value, would have to exist in three separate layers. Even if it is theoretically possible, the probability is so low that one should dismiss the possibility. There is a higher chance of a class in the .Net Framework itself having a buffer overrun in a native call than of a CLR buffer overrun resurfacing.
  3. Can there be an unmanaged call to the CLR exploiting a possible buffer overrun? I will address this in a coming post.

    Anyway, I realize the question's main objective is to find out whether it is possible to defeat the managed code security messaging. No matter whether there is a possible theoretical buffer overrun exploit (which will be, in any case, so improbable that it is virtually impossible), it is very clear that managed code is hundreds of times more secure than unmanaged...
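
    To make point 2 concrete, here is an added C# example (not code from the original post or from the .Net Framework; `NativeBuffer`, `StoreUnchecked` and `StoreChecked` are hypothetical names). It shows the runtime rejecting an out-of-range write to a managed array, and a wrapper class that hands a length to unmanaged memory, once without validation and once with it.

```csharp
using System;
using System.Runtime.InteropServices;

// Added illustration; NativeBuffer and its members are hypothetical names.
static class NativeBuffer
{
    public const int Capacity = 16; // size of the unmanaged block, in bytes

    // Flawed wrapper: forwards the caller's length to native memory unchecked.
    // Marshal.Copy validates the managed source range, not the destination,
    // so any data.Length > Capacity writes past the unmanaged allocation.
    public static void StoreUnchecked(byte[] data)
    {
        IntPtr block = Marshal.AllocHGlobal(Capacity);
        try { Marshal.Copy(data, 0, block, data.Length); }
        finally { Marshal.FreeHGlobal(block); }
    }

    // Hardened wrapper: validates the value before it leaves managed code.
    public static void StoreChecked(byte[] data)
    {
        if (data == null) throw new ArgumentNullException("data");
        if (data.Length > Capacity)
            throw new ArgumentOutOfRangeException("data", "exceeds native buffer");
        IntPtr block = Marshal.AllocHGlobal(Capacity);
        try { Marshal.Copy(data, 0, block, data.Length); }
        finally { Marshal.FreeHGlobal(block); }
    }
}

static class Program
{
    static void Main()
    {
        byte[] managed = new byte[NativeBuffer.Capacity];
        int index = managed.Length; // one past the last valid element
        try { managed[index] = 1; } // pure managed code: bounds-checked by the runtime
        catch (IndexOutOfRangeException) { Console.WriteLine("managed write rejected by the runtime"); }

        byte[] oversized = new byte[64]; // constructed sample input
        try { NativeBuffer.StoreChecked(oversized); }
        catch (ArgumentOutOfRangeException) { Console.WriteLine("oversized input rejected before the native copy"); }

        NativeBuffer.StoreChecked(new byte[8]);
        Console.WriteLine("in-range input copied");
        // StoreUnchecked(oversized) is deliberately not called: it would corrupt native memory.
    }
}
```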


.Net | main
8/6/2004 3:15:22 PM UTC  #   

  Sunday, July 04, 2004

Taking some time for myself

    Back to Casablanca. My great friend Chris Foster is here. I am taking some time for myself, and to take her and her friend Kristen around.

     I will not be blogging for a few days. When I'm back, there will be quite a few technical topics I will be talking about, and a few poetic texts waiting to be let out...


main
7/4/2004 8:56:10 PM UTC  #   

  Monday, June 28, 2004

Mauritius DevDays was great...

     Friday, Lee Mungai and I had a great day speaking at DevDays Mauritius. Here is the content I presented (sorry for the delay).

(0) Trends and Vision.ppt (1.54 MB)

(1) Threats and Defenses.ppt (1.72 MB)

(2) Rebuild the puzzle.ppt (1.69 MB)

DevDays_Demos.zip (257.15 KB)

Demos Tutorial.zip (387.06 KB)
.Net | main | speaking
6/28/2004 6:26:59 AM UTC  #   

  Friday, June 18, 2004

What do geeks talk about at midnight for fun?

   Wednesday, coming back from the bowling in Area 51, I was the accomplice of Nasser in recording a conversation that took place on the bus somewhere around 12:30 AM. The main voice on the recording is that of Serge Lenbet. Of course the rest of us, as geeky as we are, were discussing much more technical subjects like distributed security and handheld devices used by the mobile forces...

 Enjoy

 

recording
main | speaking | Travel
6/18/2004 6:55:13 PM UTC  #   
Bowling after a long day at PDC

    Yesterday I spoke at 5 sessions back to back, and then had to sit through the Q&A session (not that I had any energy to actively participate). Then, with a heavy security escort (the police took us for some really important people, as it seems), we all went bowling in Area 51.

At the bowling, we had fun and very good food. All 6 RDs were there:

 

From left to right, one can see Ahmad Badr, Hossam Khalifa, Clemens Vasters, me, Goksin Bakir and Farhan Muhammad.

 


main | speaking | Travel
6/18/2004 12:40:25 AM UTC  #   

  Tuesday, June 15, 2004

Pakistan Developer Conference started today in Karachi

    This morning, the Pakistan Developer Conference 2004 started in Karachi. The event is sold out (4000 registered, only 1500 accommodated because of venue size).

    The opening session was attended by many officials: Chief Minister of Sind, Pakistan Minister of IT, Minister of IT of Sind, Mayor of Karachi, and others. Rafal Lukawiecki did a great keynote on his view of the next decade in IT.

The Mayor of Karachi speaking about the value of IT for the City, and welcoming everybody.

 

   There are 6 RDs speaking at the event (Steven Forte was supposed to be of the party, but couldn't make it because of a blizzard in Alaska. Get well quick, my friend, we miss you over here). The RDs speaking are:

  • Clemens Vasters
  • Farhan Muhammad
  • Goksin Bakir
  • Ahmad Badr
  • Hossam Khalifa
  • myself

main | speaking
6/15/2004 8:28:52 AM UTC  #