DOCSLIB.ORG

Extending .NET Security to Unmanaged Code

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

International Journal of Information Security manuscript No. (will be inserted by the editor) Patrick Klinkoff · Engin Kirda · Christopher Kruegel · Giovanni Vigna Extending .NET Security to Unmanaged Code Abstract The number of applications that are down- implementation is the first solution to secure unmanaged loaded from the Internet and executed on-the-fly is in- code in .NET. creasing every day. Unfortunately, not all of these ap- · · plications are benign, and, often, users are unsuspecting Keywords .NET Security Unmanaged Code and unaware of the intentions of a program. To facilitate Sandboxing and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machine-independent byte- 1 Introduction code is executed by a virtual machine. An important feature of this framework is that it allows access to na- With the growth of the Internet, applications are increas- tive libraries to support legacy code or to directly invoke ingly downloaded from remote sources, such as Web sites, the Windows API. Such native code is called unmanaged and executed on-the-fly. Often, little or no knowledge ex- (as opposed to managed code). Unfortunately, the exe- ists about the author or her intentions. Therefore, users cution of unmanaged native code is not restricted by the are susceptible to executing potentially malicious pro- .NET security model, and, thus, could provide the at- grams on their computers. Malicious programs contain tacker with a mechanism to completely circumvent the code that executes in any unauthorized or undesirable framework’s security mechanisms if the user decides to way. grant execute permission to the .NET application. To secure users and increase the proliferation of mo- The approach described in this paper uses a sand- bile code, Microsoft recently introduced a new devel- boxing mechanism to prevent an attacker from executing opment and runtime framework called .NET [5]. This malicious, unmanaged code that is not permitted by the framework leverages the previous experiences gathered security policy. Our sandbox is implemented as two secu- with the Java virtual machine concepts and includes a rity layers, one on top of the Windows API and one in the fine-grained security model that allows one to control kernel. Also, managed and unmanaged parts of an appli- the level of access associated with software built upon cation are automatically separated and executed in two .NET. These applications are referred to as composed of different processes. This ensures that potentially unsafe managed code. The model significantly limits the dam- code can neither issue system calls not permitted by the age that can be caused by malicious code. To address .NET security policy nor tamper with the memory of the the important problem of backward compatibility and .NET runtime. Our proof-of-concept implementation is legacy code support, .NET also offers a mechanism to transparent to applications and secures unmanaged code tie in native libraries. These libraries, however, execute with a generally acceptable performance penalty. To the outside of the .NET security model, and therefore are best of our knowledge, the presented architecture and called unmanaged code. As a consequence, the usage of this feature in .NET applications may allow an attacker P. Klinkoff, E.Kirda, and C. Kruegel to completely circumvent the framework’s security mech- Secure Systems Lab / DSG-ASG anisms, leading to the unrestricted execution of arbitrary Technical University Vienna code. This security problem is important because the use E-mail: [pk,ek,chris]@seclab.tuwien.ac.at · of unmanaged code will probably be common in future G. Vigna Windows .NET applications. Millions of lines of legacy Department of Computer Science native Windows code exist that will need to be integrated University of California, Santa Barbara and supported over the next decade. Also, software en- E-mail: [email protected] gineering research [10] has shown that it is not realistic 2 Patrick Klinkoff et al. to expect existing applications to be entirely rewritten declared and used in the runtime. An important prop- from scratch in order to take advantage of the features erty of the .NET framework is that it is type-safe. Type of a new language. safety ensures that memory accesses are performed only This paper describes our approach to extend the cur- in well-defined ways, and no operation will be applied rent .NET security model to native (unmanaged) code to a variable of the wrong type. That is, any declared invoked from .NET. To this end, we use a sandboxing variable will always reference an object of either that mechanism that is based on the analysis of Windows API type or a subtype of that type. In particular, type safety and system call invocations to enforce the .NET security prevents a non-pointer from being dereferenced to access policy. Our approach ensures that all unmanaged code memory. Without type safety, a program could construct abides by the security permissions granted by the frame- an integer value that corresponds to a target address, and work. then use it as a pointer to reference an arbitrary location Our primary contributions are as follows: in memory. Type safety is typically achieved by a com- bination of static and dynamic techniques. During the – Extension of existing sandboxing methods to .NET just-in-time (JIT) compilation process, a verifier checks unmanaged code invocations. whether the code fulfills all necessary (but not sufficient) – Two-step authorization of system calls by placing the requirements for type safety. Those operations that can- security layer in the Windows API and the enforce- not statically be proven to be type-safe are augmented ment mechanisms in a loadable kernel driver. with dynamic checks. In addition to type safety, .NET – Separation of untrusted native library and trusted also provides memory safety, which ensures that a pro- managed code into two separate processes by way of gram cannot access memory outside of properly allocated .NET remoting. objects. Languages such as C are neither type-safe nor memory-safe. Thus, arbitrary memory access and type We implemented a proof-of-concept prototype imple- casts are possible, potentially leading to security vul- mentation of the architecture we propose and tested it nerabilities such as buffer overflows. Also, as arbitrary against two real-world, popular libraries: Sleepycat Soft- memory access is possible, programs can rewrite parts of ware’s Berkeley Database [25] and the OpenGL graph- their own code or jump to code constructed on-the-fly. ics library [22]. Our evaluation shows that our system is As a result, it is typically almost impossible to provide well-suited to operate in real-world environments. strong security guarantees about programs written in an The paper is structured as follows. The next section unsafe language. provides an overview of the .NET framework and its The runtime environment can enforce a variety of security-relevant components. Section 3 introduces the security restrictions on the execution of a program by design of our proposed system. Section 4 discusses the relying on type and memory safety. This makes it pos- evaluation of the security and performance of the sys- sible to run multiple .NET programs with different sets tem and shows that our approach is viable. Section 5 of permissions in the same process (on the same virtual presents related work. Finally, Section 6 outlines future machine). To specify security restrictions, the CLI de- work and concludes the paper. fines a security model that is denoted as Code Access Security (CAS) [9]. CAS uses evidence provided by the program and security policies configured on the machine to generate permission sets associated with the applica- 2 Overview of the .NET Framework tion. Security relevant operations (for example, file ac- cess) create corresponding permission objects, which are Microsoft’s .NET framework is an implementation of the tested with respect to the granted permission set. If the Common Language Infrastructure (CLI) [6], which is the permission is not found in the granted set, the action is open, public specification of a runtime environment and not permitted and a security exception is thrown. Oth- its executable code. The architecture of the .NET frame- erwise, the operation continues. Evidence is a term that work is depicted in Figure 1. Multiple programming lan- describes the information used by the runtime to deter- guages can be used with the .NET Framework (e.g., mine the identity (and hence, the trust level) associated VB.NET, C#, C++, etc.). The idea is that programs with a program. It exists in two forms. The first is in- in any of these languages are compiled into a Common herent evidence provided by the software. This includes Intermediate Language (CIL), which is hardware-neutral the assembly content, publisher certificate, or a strong byte-code. The bottom layer of the architecture consists 1 name . The second form is runtime-based evidence, such of the Common Language Runtime (CLR). The CLR is as the location or URL the assembly is loaded from. That a virtual machine that interprets and executes the .NET is, different permissions can be assigned to programs de- byte-code. The .NET class libraries (also written in CIL) pending on the author of the code or the location from are built on top of the CLR and provide functionality where the code is downloaded. such as networking, I/O, streams, or serialization. A part of the CLI specification describes the Com- 1 A strong name is a cryptographic signature authenticat- mon Type System (CTS), which defines how types are ing the publisher. Extending .NET Security to Unmanaged Code 3 Fig. 1 Architecture of the .NET Framework Programs that are written in the common interme- executed with the same restrictions as managed .NET diate language are referred to as managed code.Man- code.
Recommended publications
  • THINC: a Virtual and Remote Display Architecture for Desktop Computing and Mobile Devices

    THINC: a Virtual and Remote Display Architecture for Desktop Computing and Mobile Devices

    THINC: A Virtual and Remote Display Architecture for Desktop Computing and Mobile Devices Ricardo A. Baratto Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2011 c 2011 Ricardo A. Baratto This work may be used in accordance with Creative Commons, Attribution-NonCommercial-NoDerivs License. For more information about that license, see http://creativecommons.org/licenses/by-nc-nd/3.0/. For other uses, please contact the author. ABSTRACT THINC: A Virtual and Remote Display Architecture for Desktop Computing and Mobile Devices Ricardo A. Baratto THINC is a new virtual and remote display architecture for desktop computing. It has been designed to address the limitations and performance shortcomings of existing remote display technology, and to provide a building block around which novel desktop architectures can be built. THINC is architected around the notion of a virtual display device driver, a software-only component that behaves like a traditional device driver, but instead of managing specific hardware, enables desktop input and output to be intercepted, manipulated, and redirected at will. On top of this architecture, THINC introduces a simple, low-level, device-independent representation of display changes, and a number of novel optimizations and techniques to perform efficient interception and redirection of display output. This dissertation presents the design and implementation of THINC. It also intro- duces a number of novel systems which build upon THINC's architecture to provide new and improved desktop computing services. The contributions of this dissertation are as follows: • A high performance remote display system for LAN and WAN environments.
  • Middleware in Action 2007

    Middleware in Action 2007

    Technology Assessment from Ken North Computing, LLC Middleware in Action Industrial Strength Data Access May 2007 Middleware in Action: Industrial Strength Data Access Table of Contents 1.0 Introduction ............................................................................................................. 2 Mature Technology .........................................................................................................3 Scalability, Interoperability, High Availability ...................................................................5 Components, XML and Services-Oriented Architecture..................................................6 Best-of-Breed Middleware...............................................................................................7 Pay Now or Pay Later .....................................................................................................7 2.0 Architectures for Distributed Computing.................................................................. 8 2.1 Leveraging Infrastructure ........................................................................................ 8 2.2 Multi-Tier, N-Tier Architecture ................................................................................. 9 2.3 Persistence, Client-Server Databases, Distributed Data ....................................... 10 Client-Server SQL Processing ......................................................................................10 Client Libraries ..............................................................................................................
  • Tizen 2.4 Compliance Specification for Mobile Profile

    Tizen 2.4 Compliance Specification for Mobile Profile

    Tizen® 2.4 Compliance Specification for Mobile Profile Version 1.0 Copyright© 2014, 2015 Samsung Electronics Co., Ltd. Copyright© 2014, 2015 Intel Corporation Linux is a registered trademark of Linus Torvalds. Tizen® is a registered trademark of The Linux Foundation. ARM is a registered trademark of ARM Holdings Plc. Intel® is a registered trademark of Intel Corporation in the U.S. and/or other countries * Other names and brands may be claimed as the property of others. Revision History Revision Date Author Reason for Changes Tizen 2.2.1 Compliance Specification for 11 Nov. 2013 Tizen TSG Official release Mobile Profile, v1.0 Tizen 2.3 Compliance Specification for 14 Nov 2014 Tizen TSG Official release Mobile Profile, 1.0 Tizen 2.3.1 Compliance Specification for 22 Sep 2015 Tizen TSG Official release Mobile Profile, 1.0 Tizen 2.4 Compliance Specification for 22 Oct 2015 Tizen TSG Official release Mobile Profile, 1.0 Glossary Term Definition Application Binary Interface, the runtime interface between a binary software ABI program and the underlying operating system. Application Programming Interface, the interface between software API components, including methods, data structures and processes. Compliance Certified for full conformance, which was verified by testing. Conformance How well the implementation follows a specification. Cascading Style Sheets, a simple mechanism for adding style such as fonts, CSS colors, and spacing to web documents. Document Object Model, a platform and language-neutral interface that will DOM allow programs and scripts to dynamically access and update the content, structure and style of documents. DTV Digital Television, a target of the TV Profile.
  • The Following Documentation Is an Electronically‐ Submitted

    The Following Documentation Is an Electronically‐ Submitted

    The following documentation is an electronically‐ submitted vendor response to an advertised solicitation from the West Virginia Purchasing Bulletin within the Vendor Self‐Service portal at wvOASIS.gov. As part of the State of West Virginia’s procurement process, and to maintain the transparency of the bid‐opening process, this documentation submitted online is publicly posted by the West Virginia Purchasing Division at WVPurchasing.gov with any other vendor responses to this solicitation submitted to the Purchasing Division in hard copy format. Purchasing Division State of West Virginia 2019 Washington Street East Solicitation Response Post Office Box 50130 Charleston, WV 25305-0130 Proc Folder : 702868 Solicitation Description : Addendum No 2 Supplemental Staffing for Microsoft Applicatio Proc Type : Central Contract - Fixed Amt Date issued Solicitation Closes Solicitation Response Version 2020-06-10 SR 1300 ESR06012000000007118 1 13:30:00 VENDOR VS0000022405 TeXCloud Solutions, Inc Solicitation Number: CRFQ 1300 STO2000000002 Total Bid : $325,000.00 Response Date: 2020-06-10 Response Time: 11:31:14 Comments: FOR INFORMATION CONTACT THE BUYER Melissa Pettrey (304) 558-0094 [email protected] Signature on File FEIN # DATE All offers subject to all terms and conditions contained in this solicitation Page : 1 FORM ID : WV-PRC-SR-001 Line Comm Ln Desc Qty Unit Issue Unit Price Ln Total Or Contract Amount 1 Temporary information technology 2000.00000 HOUR $65.000000 $130,000.00 software developers Comm Code Manufacturer Specification Model # 80111608 Extended Description : Year 1 / Individual 1 2 Temporary information technology 2000.00000 HOUR $65.000000 $130,000.00 software developers 80111608 Year 1 / Individual 2 3 Temporary information technology 500.00000 HOUR $65.000000 $32,500.00 software developers 80111608 Three (3) Month Renewal Option Individual 1 4 Temporary information technology 500.00000 HOUR $65.000000 $32,500.00 software developers 80111608 Three (3) Month Renewal Option Individual 2 Page : 2 TeXCloud Solutions, Inc.
  • KGC Khronos API Overview Nov11 Korea

    KGC Khronos API Overview Nov11 Korea

    The State of Gaming APIs Neil Trevett Vice President Mobile Content, NVIDIA President, The Khronos Group © Copyright Khronos Group, 2011 - Page 1 State of Gaming APIs–the Role of Khronos High-end graphics Breakthrough games embrace technology is created on mobility‟s strengths – not just treat high-end platforms phones as small consoles - and will need complex, interoperating APIs e.g. Augmented Reality As platforms diversify – mobile, Mobile is the new platform for games TV, embedded – HTML5 will innovation. Mobile APIs are needed become increasingly important to unlock hardware potential while as a universal app platform conserving battery life © Copyright Khronos Group, 2011 - Page 2 Khronos - Connecting Software to Silicon • Creating open, royalty-free API standards - Focus on graphics, dynamic media, compute and sensor hardware • Low-level - just above raw silicon - “Foundation” functionality needed on every platform • Safe forum for industry cooperation - „By the industry for the industry‟ - Open to any company to join - IP framework to protect members and industry APIs enable software developers to turn silicon functionality into rich end user experiences © Copyright Khronos Group, 2011 - Page 3 Apple Over 100 members – any company worldwide is welcome to join Board of Promoters © Copyright Khronos Group, 2011 - Page 4 3D Evolution on PCs „Doom‟ on a PC – 1993 id Software „Samaritan‟ Real-time Demo on a PC – 2011 Epic Unreal Engine http://www.youtube.com/watch?v=RSXyztq_0uM © Copyright Khronos Group, 2011 - Page 5 OpenGL for Each
  • Taxonomy of Cross-Platform Mobile Applications Development Approaches

    Taxonomy of Cross-Platform Mobile Applications Development Approaches

    Ain Shams Engineering Journal (2015) xxx, xxx–xxx Ain Shams University Ain Shams Engineering Journal www.elsevier.com/locate/asej www.sciencedirect.com ELECTRICAL ENGINEERING Taxonomy of Cross-Platform Mobile Applications Development Approaches Wafaa S. El-Kassas *, Bassem A. Abdullah, Ahmed H. Yousef, Ayman M. Wahba Department of Computer and Systems Engineering, Faculty of Engineering, Ain Shams University, Egypt Received 13 September 2014; revised 30 May 2015; accepted 3 August 2015 KEYWORDS Abstract The developers use the cross-platform mobile development solutions to develop the Cross-platform mobile mobile application once and run it on many platforms. Many of these cross-platform solutions development; are still under research and development. Also, these solutions are based on different approaches Interpretation approach; such as Cross-Compilation approach, Virtual Machine approach, and Web-Based approach. There Cloud computing; are many survey papers about the cross-platform mobile development solutions but they do not Compilation approach; include the most recent approaches, including Component-Based approach, Cloud-Based Component-Based approach, and Merged approach. The main aim of this paper is helping the researchers to know approach; the most recent approaches and the open research issues. This paper surveys the existing cross- Model-Driven Engineering platform mobile development approaches and attempts to provide a global view: it thoroughly introduces a comprehensive categorization to the cross-platform approaches, defines the pros and cons of each approach, explains sample solutions per approach, compares the cross-platform mobile development solutions, and ends with the open research areas. Ó 2015 Faculty of Engineering, Ain Shams University. Production and hosting by Elsevier B.V.
  • Exposing Native Device Apis to Web Apps

    Exposing Native Device Apis to Web Apps

    Exposing Native Device APIs to Web Apps Arno Puder Nikolai Tillmann Michał Moskal San Francisco State University Microsoft Research Microsoft Research Computer Science One Microsoft Way One Microsoft Way Department Redmond, WA 98052 Redmond, WA 98052 1600 Holloway Avenue [email protected] [email protected] San Francisco, CA 94132 [email protected] ABSTRACT language of the respective platform, HTML5 technologies A recent survey among developers revealed that half plan to gain traction for the development of mobile apps [12, 4]. use HTML5 for mobile apps in the future. An earlier survey A recent survey among developers revealed that more than showed that access to native device APIs is the biggest short- half (52%) are using HTML5 technologies for developing mo- coming of HTML5 compared to native apps. Several dif- bile apps [22]. HTML5 technologies enable the reuse of the ferent approaches exist to overcome this limitation, among presentation layer and high-level logic across multiple plat- them cross-compilation and packaging the HTML5 as a na- forms. However, an earlier survey [21] on cross-platform tive app. In this paper we propose a novel approach by using developer tools revealed that access to native device APIs a device-local service that runs on the smartphone and that is the biggest shortcoming of HTML5 compared to native acts as a gateway to the native layer for HTML5-based apps apps. Several different approaches exist to overcome this running inside the standard browser. WebSockets are used limitation. Besides the development of native apps for spe- for bi-directional communication between the web apps and cific platforms, popular approaches include cross-platform the device-local service.
  • C++/CLI Tutorial

    C++/CLI Tutorial

    CC++++//CCLLII TTuuttoorriiaall Author: Adam Sawicki, [email protected], www.asawicki.info Version 1.0, December 2011 Table of Contents Table of Contents .............................................................................................................................................................. 1 Introduction ...................................................................................................................................................................... 2 What is C++/CLI? ............................................................................................................................................................... 2 Why Use C++/CLI? ......................................................................................................................................................... 2 What C++/CLI is Not? .................................................................................................................................................... 2 Hello World Example ........................................................................................................................................................ 3 Project Properties ............................................................................................................................................................. 3 Namespaces .....................................................................................................................................................................
  • React-Native.Pdf

    React-Native.Pdf

    react-native #react- native Table of Contents About 1 Chapter 1: Getting started with react-native 2 Remarks 2 Examples 2 Setup for Mac 2 Setup for Windows 14 Setup for Linux (Ubuntu) 15 Start the terminal and run the following commands to install nodeJS: 15 If node command is unavailable 15 Alternatives NodeJS instalations: 16 check if you have the current version 16 Run the npm to install the react-native 16 Android SDK or Android Studio 16 Android SDK e ENV 16 Example app init 17 Obs: Always check if the version on android/app/build.gradle is the same as the Build Tool 17 Open Android AVD to set up a virtual android. Execute the command line: 18 Chapter 2: Android - Hardware Back Button 19 Examples 19 Detect Hardware back button presses in Android 19 Example of BackAndroid along with Navigator 19 Example of Hardware back button detection using BackHandler 20 Hardware back button handling using BackHandler and Navigation Properties (without using d 20 Chapter 3: Animation API 22 Examples 22 Animate an Image 22 Chapter 4: Command Line Instructions 23 Examples 23 Check version installed 23 Upgrade existing project to latest RN version 23 Logging 23 Initialize and getting started with React Native project 23 Start React Native Packager 24 Add android project for your app 24 Chapter 5: Components 25 Examples 25 Basic Component 25 Stateful Component 25 Stateless Component 25 Chapter 6: Create a shareable APK for android 27 Introduction 27 Remarks 27 Examples 27 Create a key to sign the APK 27 Once the key is generated, use it to generate
  • Introduction to Managed Code

    Introduction to Managed Code

    McGrath.book Page 89 Thursday, December 7, 2006 10:04 AM 3 Introduction to Managed Code Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand. —PUTT’S LAW Topics Covered in This Chapter What Is Managed Code? Introduction to Object-Oriented Programming Exploring the .NET Framework VSTO and Managed Code Summary Review Questions What Is Managed Code? Code that runs within the .NET Framework is considered managed code. This includes applications written in languages such as Visual C# and Visual Basic 2005. Code that is not managed by the .NET Frame- work is typically referred to as unmanaged code. This includes applica- tions written in programming languages such as C++, Visual Basic 6.0, and VBA. All Office solutions created using VSTO are written in managed code. VSTO supports both Visual Basic 2005 and Visual C#; however, we refer only to Visual Basic 2005 in text and in code examples in this book 89 McGrath.book Page 90 Thursday, December 7, 2006 10:04 AM 90 Chapter 3 Introduction to Managed Code because we believe it is easier to transition from VBA to Visual Basic 2005. Keep in mind that there is much to learn about the .NET Frame- work and managed code; this chapter only scratches the surface. Following are some benefits of using managed code: • Improved security. Often, security permissions are enabled or disabled by end users or determined by the identity of the user who is attempting to run code. However, code managed by the .NET Framework uses the security model code access security (CAS), which is based on the code’s identity and location.
  • Visual Basic .NET and the .NET Platform: an Advanced Guide

    Visual Basic .NET and the .NET Platform: an Advanced Guide

    Visual Basic .NET and the .NET Platform: An Advanced Guide ANDREWTROELSEN APress Media, LLC Visual Basic .NET and the .NET Platform: An Advanced Guide Copyright ©2002 by Andrew'Ii'oelsen Originally published by Apress in 2002 All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN 978-1-893115-26-2 ISBN 978-1-4302-0849-5 (eBook) DOI 10.1007/978-1-4302-0849-5 Trademarked names may appear in this book. Rather than use a trademark sym­ bol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. Editorial Directors: Dan Appleman, Gary Cornell, Jason Gilmore, Karen Watterson Technical Reviewers: Pamela Fanstill, Rob Macdonald, Dan Appleman, William Oellermann Managing Editor: Grace Wong Copy Editors: Anne Friedman, Nicole LeClerc Production Editors: Janet Vail with Kari Brooks and Anne Friedman Composition and Art Services: Impressions Book and Journal Services, Inc. Indexer: Carol Burbo Cover Designer: Tom Debolski Marketing Manager: Stephanie Rodriguez Distributed to the book trade in the United States by Springer-Verlag New York, lnc.,175 Fifth Avenue, New York, NY, 10010 and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany In the United States, phone 1-800-SPRINGER, email orders@springer-ny.
  • INTRODUCTION to .NET FRAMEWORK NET Framework .NET Framework Is a Complete Environment That Allows Developers to Develop, Run, An

    INTRODUCTION to .NET FRAMEWORK NET Framework .NET Framework Is a Complete Environment That Allows Developers to Develop, Run, An

    INTRODUCTION TO .NET FRAMEWORK NET Framework .NET Framework is a complete environment that allows developers to develop, run, and deploy the following applications: Console applications Windows Forms applications Windows Presentation Foundation (WPF) applications Web applications (ASP.NET applications) Web services Windows services Service-oriented applications using Windows Communication Foundation (WCF) Workflow-enabled applications using Windows Workflow Foundation (WF) .NET Framework also enables a developer to create sharable components to be used in distributed computing architecture. NET Framework supports the object-oriented programming model for multiple languages, such as Visual Basic, Visual C#, and Visual C++. NET Framework supports multiple programming languages in a manner that allows language interoperability. This implies that each language can use the code written in some other language. The main components of .NET Framework? The following are the key components of .NET Framework: .NET Framework Class Library Common Language Runtime Dynamic Language Runtimes (DLR) Application Domains Runtime Host Common Type System Metadata and Self-Describing Components Cross-Language Interoperability .NET Framework Security Profiling Side-by-Side Execution Microsoft Intermediate Language (MSIL) The .NET Framework is shipped with compilers of all .NET programming languages to develop programs. Each .NET compiler produces an intermediate code after compiling the source code. 1 The intermediate code is common for all languages and is understandable only to .NET environment. This intermediate code is known as MSIL. IL Intermediate Language is also known as MSIL (Microsoft Intermediate Language) or CIL (Common Intermediate Language). All .NET source code is compiled to IL. IL is then converted to machine code at the point where the software is installed, or at run-time by a Just-In-Time (JIT) compiler.