Re: Protecting .NET assemblies (runtime)



.NET is flawed IMHO when it comes to security.

-Jeff MCSD.net
ADP Dealer Services

"Dominick Baier" wrote:

that's no hack, that's no special feature - that's how .net works....


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing :) I'll do some
research and see if I can figure out the hack. thanks again for your
help.

-Jeff

"Dominick Baier" wrote:

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - that's it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.getcallingassembly.aspx

"Dominick Baier" wrote:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security measures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seems something
could be done to implement basic "I authored this assembly and I
don't want anyone else to re-use it outside *my* applications"
type security.

"Dominick Baier" wrote:

you never could do that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Amazing :( I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering why
anyone is developing with .NET!? Jesus.

"Dominick Baier" wrote:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it whatever
he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc)
- and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume its public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what I've
read) using tools like the .NET reflector, etc. if they are
not obfuscated. I'm not so concerned with this security aspect
as developers/end users reusing my .NET assemblies in their
own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried
to use a strong-named assembly where the caller was not also
signed with the same strong-name key. I then found this is no
longer the case in .NET 2.0 where if the caller is fully
trusted the StrongNameIdentityPermission check is completely
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines0003_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?
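
Added example, not part of the original thread: a sketch of the check described in the replies, reading the caller's strong-name public key token via Assembly.GetCallingAssembly() and comparing it to an allow list. The names CallerGate and PricingEngine and the token value are hypothetical placeholders; as the thread says, this deters casual reuse and is not a barrier against someone who can modify the binary.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;

public static class CallerGate
{
    // Placeholder public key tokens (lowercase hex), constructed for this example.
    // Replace with the tokens of the assemblies you sign yourself.
    private static readonly string[] AllowedTokens = { "0123456789abcdef" };

    // Pure comparison, kept separate so it can be unit-tested with raw bytes.
    public static bool IsAllowed(byte[] token)
    {
        // Assemblies without a strong name report a null or empty token.
        if (token == null || token.Length == 0) return false;
        string hex = BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
        return Array.IndexOf(AllowedTokens, hex) >= 0;
    }

    // Throws if the given caller is not signed with an allowed key.
    public static void Demand(Assembly caller)
    {
        AssemblyName name = caller.GetName();
        if (!IsAllowed(name.GetPublicKeyToken()))
            throw new SecurityException(
                "Caller '" + name.Name + "' is not on the strong-name allow list.");
    }
}

public class PricingEngine
{
    // NoInlining matters: if the JIT inlines this method into its caller,
    // GetCallingAssembly() reports the assembly one frame further up.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public decimal Quote(decimal basePrice)
    {
        // Must be called here, in the public entry point, so that the
        // "calling assembly" is the consumer and not this library itself.
        CallerGate.Demand(Assembly.GetCallingAssembly());
        return basePrice * 1.2m;
    }
}
```

The check only sees the immediate caller, so every public entry point needs its own call, and members reached through reflection or other library methods are identified by whichever assembly made the final call.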



