About varocarbas.com

--

About me

--

Contact me

--

Visit customsolvers.com, another side of my work

--

Valid markup

--

Valid CSS

--

© 2015-2017 Alvaro Carballo Garcia

--

URL friendly

--

Optimised for 1920x1080 - Proudly mobile unfriendly

R&D projects RSS feed

All projects in full-screen mode

PDFs:

Project 10

Project 9

Project 8

FlexibleParser code analysis:

UnitParser

NumberParser

Tools:

Chromatic encryption

(v. 1.3)

Pages in customsolvers.com:

Upcoming additions

Failed projects

Active crawling bots:

Ranking type 2

(
)

FlexibleParser raw data:

Unit conversion (UnitParser)

Compound types (UnitParser)

Timezones (DateParser)

Currently active or soon to be updated:

Domain ranking

FlexibleParser (DateParser)

NO NEW PROJECTS:
Project 10 is expected to be the last formal project of varocarbas.com. I will continue using this site as my main self-promotional R&D-focused online resource, but by relying on other more adequate formats like domain ranking.
Note that the last versions of all the successfully completed projects (5 to 10) will always be available.
PROJECT 8
Completed (26 days)
Completed (47 days)
Completed (19 days)
Completed (14 days)
Security implications of open CoreCLR (CoreRun.exe)
Completed on 05-Feb-2016 (26 days) -- Updated on 23-Nov-2016

Some of the conclusions of this project aren't applicable anymore.
To know more about all this, read "OVER-8-MONTH-LATER UPDATE" in the Open .NET & CoreCLR section.

Project 8 in full-screenProject 8 in PDF

The first and most important conclusion of this project is that CoreRun.exe isn't a security threat. In the sense that there is little chance of someone using it to make a .NET executable perform unintended actions. I am not sure whether Microsoft paid special attention to these aspects or whether this is just a fortuitous consequence from a so complex reality; either way the final result seems good enough from a security point of view.

On the other hand, the chosen approach doesn't seem ideal and concluding its suitability to be a threat or not is certainly not trivial. Note that CoreRun.exe can modify the most essential parts of virtually any .NET application by just taking it as an argument (i.e., writing in the command prompt "CoreRun.exe NameOfFile.exe"); this seems a bit too excessive on account of the CoreRun.exe's purpose (i.e., validating modifications in some .NET libraries). In the most likely scenario, programmers will create small applications to test their modifications on the CoreCLR libraries, rather than using random .NET executables (i.e., what CoreRun.exe unnecessarily allows).

CoreRun.exe delivers what is expected and doesn't represent a clear threat to the .NET security. On the other hand, it is a quite peculiar approach giving out much more than strictly required, what is rarely a good idea when dealing with software.