Re: Protecting .NET assemblies (runtime)
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 05:38:35 +0000 (UTC)
you never could that - in no language...
Or do you think vendors like Microsoft haven't tried preventing people to use e.g. Windows without paying for it??
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Amazing :( I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications today
one cannot protect their own assemblies to prevent others from using
them? I am sitting here wondering why anyone is developing with
.NET!? Jesus.
"Dominick Baier" wrote:
short answer: you can't
longer answer:
you can try to do your best - like checking the SN of the caller -
but it all boils down to: if you hand out your code (even in binary
format) a skilled person can do to it whatever he wants...
There are companies that have much more budget trying to solve these
problems (games vendors, big commercial software, OS etc) - and
everything has been cracked so far...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The assemblies
are used in fat-client apps, asp.net apps, etc, therefore many of
the assemblies are distributed to end user systems (they are not
installed in the GAC).
It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public methods
if CAS is not implemented in some fashion? I understand .NET
assemblies are just MSIL code and meta data and can be reverse
engineered quite easily (based on what I've read) using tools like
the .NET reflector, etc. if they are not obfuscated. I'm not so
concerned with this security aspect as developers/end users reusing
my .NET assemblies in their own applications.
In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with the
same strong-name key. I then found this is no longer the case in
.NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines
00 03_class3
How can I protect my .NET 2.0 assemblies from being consumed by
other applications?
.
- Follow-Ups:
- Re: Protecting .NET assemblies (runtime)
- From: Tophog
- Re: Protecting .NET assemblies (runtime)
- Prev by Date: Re: Protecting .NET assemblies (runtime)
- Next by Date: Re: Protecting .NET assemblies (runtime)
- Previous by thread: Re: Protecting .NET assemblies (runtime)
- Next by thread: Re: Protecting .NET assemblies (runtime)
- Index(es):
Relevant Pages
|
|
