Re: Protecting .NET assemblies (runtime)
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Mar 2007 15:44:35 +0000 (UTC)
i am not sure what you are talking about...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
.NET is flawed IMHO when it comes to security.
-Jeff MCSD.net
ADP Dealer Services
"Dominick Baier" wrote:
that's no hack, that's no special feature - that's how .net works....
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Ah, the ol' undocumented special feature thing :) I'll do some
research and see if I can figure out the hack. thanks again for
your help.
-Jeff
"Dominick Baier" wrote:
not sure if it is documented.
You can extract the strong name of the calling assembly and compare
it to a list of allowed names - that's it...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I
assume it's documented elsewhere? in your book?
http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.getcallingassembly.aspx
"Dominick Baier" wrote:
and as i said you can do that.
Check Assembly.GetCallingAssembly()
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security measures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given
enough time, talent, etc. But given some mechanism to implement
*basic* security it would help prevent your average "joe" user
from executing code within your own assemblies. It seems
something could be done to implement basic "I authored this
assembly and I don't want anyone else to re-use it outside *my*
applications" type security.
"Dominick Baier" wrote:
you never could do that - in no language...
Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing :( I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering
why anyone is developing with .NET!? Jesus.
"Dominick Baier" wrote:
short answer: you can't
longer answer:
you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it
whatever he wants...
There are companies that have much more budget trying to
solve these problems (games vendors, big commercial software,
OS etc) - and everything has been cracked so far...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored
used in various applications within our corporate Intranet.
The assemblies are used in fat-client apps, asp.net apps,
etc, therefore many of the assemblies are distributed to end
user systems (they are not installed in the GAC).
It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume its public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what
I've read) using tools like the .NET reflector, etc. if they
are not obfuscated. I'm not so concerned with this security
aspect as developers/end users reusing my .NET assemblies in
their own applications.
In short, I've read where with Framework 1.1 one could use
the [StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer
tried to use a strong-named assembly where the caller was
not also signed with the same strong-name key. I then found
this is no longer the case in .NET 2.0 where if the caller
is fully trusted the StrongNameIdentityPermission check is
completely disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines0003_class3
How can I protect my .NET 2.0 assemblies from being consumed
by other applications?
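
The check suggested in the replies above (read the caller's strong name with Assembly.GetCallingAssembly() and compare it to a list of allowed names), as an added C# example that is not part of the original thread. The class names, the Quote method and the token value are hypothetical placeholders.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;

public static class CallerGate
{
    // Placeholder value: replace with the public key token(s) of your own
    // signing key, as printed by `sn -T YourAssembly.dll`.
    private static readonly string[] AllowedTokens = { "0123456789abcdef" };

    // True when the given assembly name carries an allow-listed public key token.
    public static bool IsAllowed(AssemblyName name)
    {
        byte[] token = name.GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return false; // caller is not strong-named at all

        string hex = BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
        return Array.IndexOf(AllowedTokens, hex) >= 0;
    }
}

public class PricingEngine
{
    // NoInlining stops the JIT from folding this method into its caller,
    // which would make GetCallingAssembly() report the wrong assembly.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public decimal Quote(decimal amount)
    {
        // Must be called here, in the protected method itself: inside a helper
        // it would return this assembly rather than the external caller.
        Assembly caller = Assembly.GetCallingAssembly();
        if (!CallerGate.IsAllowed(caller.GetName()))
            throw new SecurityException(
                "Caller " + caller.GetName().Name + " is not an approved assembly.");

        return amount * 1.2m; // stand-in for the real work
    }
}
```

As the thread says, this check runs inside an assembly the user already holds, so it discourages casual reuse but does not stop a skilled person who modifies the binary.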