Re: Protecting .NET assemblies (runtime)
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Mar 2007 01:41:51 +0000 (UTC)
What's your problem? Do you want help - or just rant?
AFAIK you already have all the answers? If you have more questions ask them - and there will be somebody who will help you.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
yes, I realize that.
"Dominick Baier" wrote:
i am not sure what you are talking about...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
.NET is flawed IMHO when it comes to security.
-Jeff MCSD.net
ADP Dealer Services
"Dominick Baier" wrote:
that's no hack, thats no special feature - thats how .net works....
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Ah, the ol' undocumented special feature thing :) I'll do some
research and see if I can figure out the hack. thanks again for
your help.
-Jeff
"Dominick Baier" wrote:
not sure if it is documented.
You can extract the strong name of the calling assembly and
compare it to a list of allowed names - thats it...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I
assume it's documented elsewhere? in your book?
http://msdn2.microsoft.com/en-us/library/system.reflection.assem
bl y. ge tcallingassembly.aspx
"Dominick Baier" wrote:
and as i said you can do that.
Check Assembly.GetCallingAssembly()
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by
someone else? I understand any software can be compromised
given enough time, talent, etc. But given some mechanism to
implement *basic* security it would help prevent your average
"joe" user from executing code within your own assemblies. It
seams something could be done to implement basic "I authored
this assembly and I don't want anyone else to re-use it
outside *my* applications" type security.
"Dominick Baier" wrote:
you never could that - in no language...
Or do you think vendors like Microsoft haven't tried
preventing people to use e.g. Windows without paying for it??
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing :( I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies
to
prevent others from using them? I am sitting here wondering
why
anyone is developing with .NET!? Jesus.
"Dominick Baier" wrote:
short answer: you can't
longer answer:
you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your
code (even in binary format) a skilled person can do to it
whatever he wants...
There are companies that have much more budget trying to
solve these problems (games vendors, big commercial
software, OS etc) - and everything has been cracked so
far...
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored
used in various applications within our corporate
Intranet. The assemblies are used in fat-client apps,
asp.net apps, etc, therefore many of the assemblies are
distributed to end user systems (they are not installed in
the GAC).
It is my understanding that anyone can basically copy a
.NET assembly, create a reference to it and consume it's
public methods if CAS is not implemented in some fashion?
I understand .NET assemblies are just MSIL code and meta
data and can be reverse engineered quite easily (based on
what I've read) using tools like the .NET reflector, etc.
if they are not obfuscated. I'm not so concerned with this
security aspect as developers/end users reusing my .NET
assemblies in their own applications.
In short, I've read where with Framework 1.1 one could use
the [StrongNameIdentityPermission ( SecurityAction.Demand
, PublicKey="public key" ...) declaration at a
class/function level which would throw a runtime error if
any consumer tried to use a strong-named assembly where
the caller was not also signed with the same strong-name
key. I then found this is no longer the case in .NET 2.0
where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pag
gu id el in es 00 03_class3
How can I protect my .NET 2.0 assemblies from being
consumed by other applications?
.
- References:
- Re: Protecting .NET assemblies (runtime)
- From: Tophog
- Re: Protecting .NET assemblies (runtime)
- Prev by Date: Re: Protecting .NET assemblies (runtime)
- Next by Date: AZMan headeach
- Previous by thread: Re: Protecting .NET assemblies (runtime)
- Next by thread: Re: Protecting .NET assemblies (runtime)
- Index(es):
Relevant Pages
|
|
