Unoffical empeg BBS

#252743 - 27/03/2005 00:06 C# security rant
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
I've been working on a small program for my gaming laptop to change the resolution setting of games to match the desktop resolution. The main reason for this is due to my differing play environments of 1280x720, 1280x800 and 1280x1024. Some games force a relaunch of the game to change the resolution, and this can get annoying especially with MMOs that force you to properly "camp" to exit the game. I settled on C# since I figured it would be a good language to learn to make some tiny Windows programs in with my knowledge of C. Plus it gives me some insight into how Objective C works so I can do similar programming on my Mac.

Anyhow, I got the program to a point where it can change 4 games on the system. And because I wanted to distribute this to a friend with a similar setup, I coded the game detection to read registry values to find where the game is installed. Before I sent it to him, I put the program on my home server, and tried it out on a different Windows box in my house. And I stumbled on a bug doing this. Oddly, reading the registry only works if the program is running on the local hard drive. If it is on a network share (\\share\name or a mapped drive), the exception handling I have in it spits back with this exception basically complaining about registry permission issues.

Now for the rant.

Apparently, to prevent that exception, I need to put in a call to RegistryPermission into my program to request access to the registry. I can understand some reasons for this, but why label it security? As stated above, none of this is needed when it runs on the local hard drive. And the fact that I can simply ask for read/write access to the entire registry without the system balking, well, seems to be not so secure. So all this function really does is add work to the programmers.

Maybe I'm missing the point of this process, but for now it has given me an interesting look at Microsoft "security" practices. It really does explain why MS apps have major security issues, even after their initiatives to make secure products like Server 2003 and XP SP2. The good unanswered question is why thousands of programmers at Microsoft are missing such glaring holes not only in their code, but in the APIs they write to make the code.

#252744 - 27/03/2005 03:22 Re: C# security rant [Re: drakino]
ninti
old hand

Registered: 28/12/2001
Posts: 868
Loc: Los Angeles
> And I stumbled on a bug doing this. Oddly, reading the registry only works if the program is running on the local hard drive. If it is on a network share (\\share\name or a mapped drive), the exception handling I have in it spits back with this exception basically complaining about registry permission issues.

I don't think that is a bug, it is by design. I admit my knowledge of .Net security is rather lacking (so much to learn, the .Net framework is enormous) but I do know that security really cramps your style when running things over the network.

Have you actually succeeded in writing to the registry from a program running over the network? My understanding is that RegistryPermission won't do squat by itself, and the local machine still has to have its security setting set up to allow it.
_________________________
Ninti - MK IIa 60GB Smoke, 30GB, 10GB

#252745 - 27/03/2005 20:12 Re: C# security rant [Re: ninti]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
> Have you actually succeeded in writing to the registry from a program running over the network? My understanding is that RegistryPermission won't do squat by itself, and the local machine still has to have its security setting set up to allow it.


I did tinker with it a bit more, but never got it working. It does indeed seem to be blocked by a policy in XP SP2 by default. Now, the question is, why have the RegistryPermission class when it is not needed on the local machine, and when running remote fails silently? No exception was generated to say it couldn't gain access, it simply ran right by it and caused the same access denied exception when the code tries to read the registry. .Net is pretty new, and already it seems it has worthless crap scattered in it. I can't find one real world reason to use RegistryPermission now.

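The behaviour discussed in this thread, as an added C# example that is not code from any poster: under Code Access Security, `RegistryPermission.Demand()` only tests whether policy has already granted access and throws `SecurityException` otherwise, so a program can fail cleanly instead of hitting the exception mid-read. The key and value names are hypothetical, and the example assumes a .NET Framework runtime with CAS policy in effect.

```csharp
// Added example (not from the thread). Assumes .NET Framework with Code
// Access Security policy in effect, as on the runtimes current in 2005.
using System;
using System.Security;
using System.Security.Permissions;
using Microsoft.Win32;

class InstallPathReader
{
    // Hypothetical key and value names, constructed for illustration.
    const string SubKey = @"SOFTWARE\ExampleVendor\ExampleGame";
    const string ValueName = "InstallPath";

    // Returns the value, or null (with a reason) when it is absent or denied.
    static string ReadInstallPath(out string reason)
    {
        string fullKey = @"HKEY_LOCAL_MACHINE\" + SubKey;
        try
        {
            // Demand() grants nothing. It walks the call stack and throws
            // SecurityException unless policy already gave every caller read
            // access to this key. OpenSubKey makes the same demand internally;
            // demanding first only moves the failure to a known point.
            new RegistryPermission(RegistryPermissionAccess.Read, fullKey).Demand();

            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(SubKey))
            {
                if (key == null) { reason = "key not present"; return null; }
                string value = key.GetValue(ValueName) as string;
                reason = (value == null) ? "value not present" : null;
                return value;
            }
        }
        catch (SecurityException ex)
        {
            // Expected when the assembly was loaded from a share or mapped
            // drive and machine policy gives that location a reduced grant set.
            reason = "denied by CAS policy: " + ex.Message;
            return null;
        }
    }

    static void Main()
    {
        string reason;
        string path = ReadInstallPath(out reason);
        Console.WriteLine(path != null ? path : "unavailable (" + reason + ")");
    }
}
```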