Re: Does .NET detect alterations to an assembly?

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 02/14/03 

Date: Fri, 14 Feb 2003 14:14:07 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>

see also:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconassembliessecurityconsiderations.asp

"The common language runtime also performs a hash verification; the assembly
manifest contains a list of all files that make up the assembly, including a hash
of each file as it existed when the manifest was built. As each file is loaded,
its contents are hashed and compared with the hash value stored in the manifest.
If the two hashes do not match, the assembly fails to load. "

 - Mitch

"Shawn Farkas [MS]" wrote:

> David,
>
> If you sign your assembly, then the framework will detect if it has been
> tampered with, and refuse to load it.
>
> -Shawn
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send email directly to this alias, this alias is for newsgroup
> purposes only.
>
> "David Thom" <davidt@npsinc.com> wrote in message
> news:uk8oMSD1CHA.1644@TK2MSFTNGP12...
> > If an assembly were altered - say, with a hex editor - does .NET detect
> the
> > alteration?
> >
> > If, for example, we embed a string value in a .NET assembly, can it be
> > changed by a hacker? (we don't care if it can be viewed, we just don't
> want
> > it to be changed).
> >
> > I seem to recall that .NET assemblies have a "hash count/code" to protect
> > against this. But I don't know if that "feature" requires code signing or
> > some other overt action on the developer's/deployer's part in order to
> > activate it.
> >
> > If I simply create a .NET assembly and do nothing else, is it protected
> > against modification? Or should I say, will the alteration at least be
> > detected?
> >
> > Thanks!
> >
> > David Thom
> >
> >
> >
> >

Relevant Pages

  • ClickOnce and Side-by-Side com components
    ... + Parsing and DOM creation of the manifest resulted in error. ... COMPONENT STORE TRANSACTION FAILURE SUMMARY ...
    (microsoft.public.dotnet.framework.windowsforms)
  • RE: Question on Mage.exe
    ... using mage.exe to update the manifest for my ClickOnce application. ... has either a different computed hash than the one specified or no hash ... deploymentManifest, String targetDir, Uri deploymentUri, ...
    (microsoft.public.dotnet.general)
  • Clickonce file association
    ... I'm having difficulty implementing a Clickonce deployment with file ... the manifest may not be valid or the file could not be opened. ...
    (microsoft.public.dotnet.general)
  • Re: Using VC8 linker to generate isolated app manifest with dependencies.
    ... You can use the platform SDK utility Mt.exe to generate hash. ... Mt.exe generates hashes using the CryptoAPI implementation of the Safe Hash ... already integrated the platform SDK's manifest tool. ... option in the project Property Pages dialog. ...
    (microsoft.public.dotnet.languages.vc)
  • Re: [complete newbie] data (not necessarily encrypted) integrity check...
    ... or only against accidental alteration (e.g. ... Consider a CRC of at least 2 bytes with a standard polynomial; ... Can you insure that the device transmitting the data to protect against ... SHA-256, SHA-1, even MD5 as the underlying hash. ...
    (sci.crypt)