Securing the .NET Programming Model. Andrew J. Kennedy.
The security of the .NET programming model is studied from the standpoint of fully abstract compilation of C#. A number of failures of full abstraction are identified, and fixes described. The most serious problems have recently been fixed for version 2.0 of the .NET Common Language Runtime.
This is highly amusing stuff, of course. Some choice quotes:
if source-language compilation is not fully abstract, then there exist contexts (think ‘attackers’) in the target language that can observably distinguish two program fragments not distinguishable by source contexts. Such abstraction holes can sometimes be turned into security holes: if the author of a library has reasoned about the behaviour of his code by considering only source-level contexts (i.e. other components written in the same source language), then it may be possible to construct a component in the target language which provokes unexpected and damaging behaviour.
One could argue that full abstraction is just a nicety; programmers don’t really reason about observations, program contexts, and all that, do they? Well, actually, I would like to argue that they do. At least, expert programmers...
"A C# programmer can reason about the security properties of component A by considering the behaviour of another component B written in C# that “attacks” A through its public API."
This can only be achieved if compilation is fully abstract.
To see the six problems identified by thinking about full abstraction you'll have to go read the paper...