Extending .NET Security to Unmanaged Code

  • Patrick Klinkoff
  • Christopher Kruegel
  • Engin Kirda
  • Giovanni Vigna
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4176)


The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately, not all of these applications are benign, and, often, users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machine-independent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately, the execution of unmanaged native code is not restricted by the .NET security model, and, thus, provides the attacker with a mechanism to completely circumvent the framework’s security mechanisms.

The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious, unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers, one on top of the Windows API and one in the kernel. Also, managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge, the presented architecture and implementation is the first solution to secure unmanaged code in .NET.


Virtual Machine System Call Security Layer Native Code USENIX Security Symposium 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Berman, A., Bourassa, V., Selberg, E.: TRON: Process-specific file protection for the UNIX operating system. In: Winter USENIX Technical Conference (1995)Google Scholar
  3. 3.
    Chari, S., Cheng, P.: BlueBox: A Policy-Driven, Host-Based Intrusion Detection System. In: Network and Distributed Systems Security Symposium (NDSS) (2002)Google Scholar
  4. 4.
  5. 5.
    .NET Framework Development Center,
  6. 6.
    ECMA. ECMA 335 - Common Language Infrastructure Partitions I to VI, 3rd edn. (2005)Google Scholar
  7. 7.
    Feng, H., Giffin, J., Huang, Y., Jha, S., Lee, W., Miller, B.: Formalizing Sensitivity in Static Analysis for Intrusion Detection. In: IEEE Symposium on Security and Privacy (2004)Google Scholar
  8. 8.
    Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy (1996)Google Scholar
  9. 9.
    Freeman, A., Jones, A.: Programming. NET Security. O’Reilly & Associates Inc., Sebastopol (2003)Google Scholar
  10. 10.
    Ghezzi, C., Jazayeri, M., Mandrioli, D.: Fundamentals of Software Engineering. Prentice Hall Inc., New York (1991)MATHGoogle Scholar
  11. 11.
    Ghormley, D., Petrou, D., Rodrigues, S., Anderson, T.: SLIC: An Extensibility System for Commodity Operating Systems. In: USENIX Technical Conference (1998)Google Scholar
  12. 12.
    Goldberg, I., Wagner, D., Thomas, R., Brewer, E.: A secure environment for untrusted helper applications: Confining the wily hacker. In: 6th USENIX Security Symposium (1996)Google Scholar
  13. 13.
    Herzog, A., Shahmehri, N.: Using the Java Sandbox for Resource Control. In: 7th Nordic Workshop on Secure IT Systems (NordSec) (2002)Google Scholar
  14. 14.
    Hunt, G., Brubacher, D.: Detours: Binary Interception of Win32 Functions. In: 3rd USENIX Windows NT Symposium (1999)Google Scholar
  15. 15.
    Jain, K., Sekar, R.: User-level infrastructure for system call interposition: A platform for intrusion detection and confinement. In: Network and Distributed Systems Security Symposium (NDSS) (2000)Google Scholar
  16. 16.
    Kiriansky, V., Bruening, D., Amarasinghe, S.: Secure Execution Via Program Shepherding. In: 11th USENIX Security Symposium (2002)Google Scholar
  17. 17.
    Ko, C., Fraser, T., Badger, L., Kilpatrick, D.: Detecting and Countering System Intrusions Using Software Wrappers. In: 9th USENIX Security Symposium (2000)Google Scholar
  18. 18.
    .NET Framework Class Library Documentation - Security.Permissions (2006),
  19. 19.
    Nebbett, G.: Windows NT/2000 Native API Reference. New Riders Publishing, Thousand Oaks (2000)Google Scholar
  20. 20.
  21. 21.
    Osterlund, R.: Windows 2000 Loader, What Goes On Inside Windows 2000: Solving the Mysteries of the Loader. MSDN Magazine (March 2002)Google Scholar
  22. 22.
    Russinovich, M., Cogswell, B.: Windows NT System-Call Hooking. Dr. Dobb’s Journal (January 1997)Google Scholar
  23. 23.
    Sleepycat Software. Berkeley DB Database,
  24. 24.
    Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. In: IEEE Symposium on Security and Privacy (2001)Google Scholar
  25. 25.

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Patrick Klinkoff
    • 1
  • Christopher Kruegel
    • 1
  • Engin Kirda
    • 1
  • Giovanni Vigna
    • 2
  1. 1.Secure Systems LabTechnical University Vienna 
  2. 2.Department of Computer ScienceUniversity of CaliforniaSanta Barbara

Personalised recommendations