All .NET assemblies in the BCL and CLR (hereafter just "CLR") are strong-named and digitally signed https://stackoverflow.com/questions/1334631/signing-of-net-assemblies. The digital certificate is there to provide a measure of trust that the component has not been tampered with or replaced. However, .NET never seems to check the digital signature (it can check the strong name, as Hans pointed out https://stackoverflow.com/questions/7385084/why-does-net-not-verify-the-bcl-clr/7385229#7385229).
It makes sense that checking on assembly load is flawed, because a modified CLR could fake the answers. My thinking is that the only safe place, from the perspective of .NET¹, to check is at framework startup, as part of the unmanaged code that bootstraps the framework. The big downside is the performance impact.
I am looking at this from the perspective of a developer; in other words, how do I know that my application is not being compromised by an already owned CLR², or, put another way, is there any way for an application to trust the CLR?
So my question is: why doesn't .NET verify the CLR? Is it because of the performance impact, or are there other reasons?
1. I am focusing on .NET; it is possible to mess with Windows and thus break the idea, but if you already own Windows you don't really need to own .NET.
2. An example of this: the user inputs a password into the application, it is stored in a SecureString, but the BCL is compromised, so the attacker is now getting that info. It allows them to capture the information for something else. I realise that an attacker who could replace the CLR could put a key logger on the machine too, but that is (hopefully) detectable with a decent security tool. There are also many other ways to attack this; the core is, how do I know if SecureString has been changed?
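As an added example (not part of the question): a PowerShell audit of the Authenticode signatures on the files in the current CLR's runtime directory, which is the check the question says .NET itself never performs at load time. It assumes Get-AuthenticodeSignature can see the signature (embedded or catalog), and it inherits the trust problem the question raises, since PowerShell runs on the same runtime; for a real root of trust, run it from a known-good system against the suspect disk.

```powershell
# Added example (not from the question): audit Authenticode signatures of the
# active CLR's runtime directory. Assumes a Windows PowerShell session.
# Caveat: PowerShell itself runs on the CLR, so a compromised runtime could
# lie here too; this is an integrity audit, not a root of trust.
$clrDir = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()

$report = Get-ChildItem -Path $clrDir -Include *.dll, *.exe -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Type   = $sig.SignatureType   # Embedded or Catalog
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# Anything not reported Valid, or signed by someone other than Microsoft,
# is a candidate for the "replaced or tampered" case the question describes.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
$suspect | Format-Table -AutoSize
```

The strong name alone would not help here: as the question notes, it is an identity check, not a trust check, and the same compromised runtime would be asked to verify it.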