Security of a C# Windows service

Question

I know that a Windows Service running in Java is flawed on a security level, because it implies that a JVM is running in the service Thread so se number of potential threats is increased .

What about C#? C# is running on the CLR (Common Language Runtime) so am I wrong when I say that it could also lead to some serious security breachs?

Answer 1

Well the CLR implements several security measures to actually provide an extra layer of security and avoid some of the pitfalls of JVM.

First of all your code is yours and it will execute as such, it's not interpreted and run over a virtual machine like in Java. When you generate an assembly or an exe file in .NET you get IL code, that is, intermediate language code.

That IL is then Just In Time compiled to machine code and then that machine code is executed. There's no virtual machine interpreting it, once the code is being compiled into assembler for your specific machine it's executed as any other program written in a standard language.

When you execute a .NET program the first instructions on the program actually load the CLR which in turn looks for the main entry point of your program and starts its execution. The CLR loader is located in the mscorlib.dll, which in turn is located in the GAC.

Now, the GAC itself does include some security measures, the most important of all is that assemblies located in the GAC (including of course those from Microsoft) are strongly named, in other words, they are signed.

Microsoft keeps his private key and signs every assembly of the .NET Framework for any release and then, upon installation on the GAC, that signature is checked against the Microsoft public key to see that they match. That process is automatically done for you when you reference a .NET framework version with Visual Studio although it can be explicitly done during compilation via command line.

So in short, NO, it doesn't lead to the same security breaches.