Re: Does .NET detect alterations to an assembly?

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 02/14/03


Date: Fri, 14 Feb 2003 14:14:07 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>


see also:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconassembliessecurityconsiderations.asp

"The common language runtime also performs a hash verification; the assembly
manifest contains a list of all files that make up the assembly, including a hash
of each file as it existed when the manifest was built. As each file is loaded,
its contents are hashed and compared with the hash value stored in the manifest.
If the two hashes do not match, the assembly fails to load. "

 - Mitch

"Shawn Farkas [MS]" wrote:

> David,
>
> If you sign your assembly, then the framework will detect if it has been
> tampered with, and refuse to load it.
>
> -Shawn
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send email directly to this alias, this alias is for newsgroup
> purposes only.
>
> "David Thom" <davidt@npsinc.com> wrote in message
> news:uk8oMSD1CHA.1644@TK2MSFTNGP12...
> > If an assembly were altered - say, with a hex editor - does .NET detect
> the
> > alteration?
> >
> > If, for example, we embed a string value in a .NET assembly, can it be
> > changed by a hacker? (we don't care if it can be viewed, we just don't
> want
> > it to be changed).
> >
> > I seem to recall that .NET assemblies have a "hash count/code" to protect
> > against this. But I don't know if that "feature" requires code signing or
> > some other overt action on the developer's/deployer's part in order to
> > activate it.
> >
> > If I simply create a .NET assembly and do nothing else, is it protected
> > against modification? Or should I say, will the alteration at least be
> > detected?
> >
> > Thanks!
> >
> > David Thom
> >
> >
> >
> >



Relevant Pages

  • Re: Dotfuscator and ClickOnce
    ... The file named ApplicationName.exe does not have a hash specified in the manifest. ... AssemblyManifest deployManifest, AssemblyManifest appManifest, Uri sourceUriBase, String ... target and the .manifest file is created in the GenerateApplicationManifest ...
    (microsoft.public.dotnet.languages.vb)
  • Re: Dotfuscator and ClickOnce
    ... It does not regenerate the manifest files after the BeforePublish target. ... The file named ApplicationName.exe does not have a hash specified in the manifest. ... AssemblyManifest deployManifest, AssemblyManifest appManifest, Uri sourceUriBase, String ...
    (microsoft.public.dotnet.languages.vb)
  • ClickOnce and Side-by-Side com components
    ... + Parsing and DOM creation of the manifest resulted in error. ... COMPONENT STORE TRANSACTION FAILURE SUMMARY ...
    (microsoft.public.dotnet.framework.windowsforms)
  • RE: Question on Mage.exe
    ... using mage.exe to update the manifest for my ClickOnce application. ... has either a different computed hash than the one specified or no hash ... deploymentManifest, String targetDir, Uri deploymentUri, ...
    (microsoft.public.dotnet.general)
  • Re: [complete newbie] data (not necessarily encrypted) integrity check...
    ... or only against accidental alteration (e.g. ... Consider a CRC of at least 2 bytes with a standard polynomial; ... Can you insure that the device transmitting the data to protect against ... SHA-256, SHA-1, even MD5 as the underlying hash. ...
    (sci.crypt)