dc.description.abstract | SuperOffice is a software company developing SuperOffice CRM software. The traditional
hosting option is the on-site solution where the customer is responsible for
hosting and maintenance. SuperOffice CRM is quite extensible due to differences
between enterprises' requirements and processes. The move from an on-site installation
to an online installation reduces the level of customization available. In particular,
executing custom code written by third parties in on-site solutions was the
customer's responsibility. The shift to online moves this responsibility to SuperOffice,
resulting in unacceptable risk towards the installation, other installations and
the online environment. Is it possible to trust the custom code written by third parties?
If so, how? This thesis looks at how instrumentation techniques can be
used for analyzing and instrumenting .NET assemblies in order to get assurance
that they behave in a predictable manner and with acceptable risk to the customer
installation, other installations and the environment. Analyzing the custom assemblies
with static analysis techniques reveals the potential interactions between the
custom assembly, the .NET runtime and the rest of the system. Runtime enforcers
can be added to calls to methods which may only be executed conditionally.
However, there are several threats to an instrumentation engine such as this.
There are indeed many ways of fooling it: Platform Invoke, ForwardedTypes and
Mixed-Mode assemblies, to mention a few. | |