Re: Protecting .NET assemblies (runtime)
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 07:55:16 +0000 (UTC)
and as i said you can do that.
Check Assembly.GetCallingAssembly()
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled binaries
as opposed to MSIL-based assemblies isn't it? I'm talking about basic
security meaures to protect someone from copying/executing methods
within an assembly authored by someone else? I understand any
software can be compromised given enough time, talent, etc. But given
some mechanism to implement *basic* security it would help prevent
your average "joe" user from executing code within your own
assemblies. It seams something could be done to implement basic "I
authored this assembly and I don't want anyone else to re-use it
outside *my* applications" type security.
"Dominick Baier" wrote:
you never could that - in no language...
Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing :( I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications
today one cannot protect their own assemblies to prevent others from
using them? I am sitting here wondering why anyone is developing
with .NET!? Jesus.
"Dominick Baier" wrote:
short answer: you can't
longer answer:
you can try to do your best - like checking the SN of the caller -
but it all boils down to: if you hand out your code (even in binary
format) a skilled person can do to it whatever he wants...
There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc) -
and everything has been cracked so far...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).
It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public methods
if CAS is not implemented in some fashion? I understand .NET
assemblies are just MSIL code and meta data and can be reverse
engineered quite easily (based on what I've read) using tools like
the .NET reflector, etc. if they are not obfuscated. I'm not so
concerned with this security aspect as developers/end users
reusing my .NET assemblies in their own applications.
In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with
the same strong-name key. I then found this is no longer the case
in .NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelin
es 00 03_class3
How can I protect my .NET 2.0 assemblies from being consumed by
other applications?
.
- Follow-Ups:
- Re: Protecting .NET assemblies (runtime)
- From: Tophog
- Re: Protecting .NET assemblies (runtime)
- References:
- Re: Protecting .NET assemblies (runtime)
- From: Tophog
- Re: Protecting .NET assemblies (runtime)
- Prev by Date: Re: Protecting .NET assemblies (runtime)
- Next by Date: opening restircted web sites
- Previous by thread: Re: Protecting .NET assemblies (runtime)
- Next by thread: Re: Protecting .NET assemblies (runtime)
- Index(es):
Relevant Pages
|
Loading
