Re: Does .NET detect alterations to an assembly?

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 02/15/03

• Next message: Michel Gallant (MVP): "Re: .Net & Administrator Previlages"
• Previous message: Michael Giagnocavo: "Re: C# .NET = Handing out your private source code???"
• In reply to: David Thom: "Does .NET detect alterations to an assembly?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 15 Feb 2003 10:17:05 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>

David Thom wrote:

> If an assembly were altered - say, with a hex editor - does .NET detect the
> alteration?
>
> If, for example, we embed a string value in a .NET assembly, can it be
> changed by a hacker? (we don't care if it can be viewed, we just don't want
> it to be changed).
>

As stated in previous posts to this thread, and as I verified in my detailed post:

 - strong-named assemblies DO verify if any components of a deployed assembly
   have been tampered in any way. HOWEVER, since there is absolutely no trust
   inherent in Strong Names, you need to unsure that (1) your system is secure from
   hackers so that malware does not REPLACE your entire assembly with an impostor
   which is strong-name signed with another key (since anyone can generate such a key pair
   with sn.exe.
   When you add a strong-named assembly into the GAC, it is assumed that the signed
   assembly is a known reliable assembly, obtained from a reliable source, through a
   reliable channel. The requirements here are on the person placing the assembly into
   the GAC.
   Strong naming is also very useful in development, particularly if there are several
   versions of multi-file assemblies/modules that you wish to distinguish at loadtime
   via hash verification.

 - unsigned assemblies DO NOT verify any hash values, even though the hash values are
    in the manifest.

 - requiring that assemblies ALSO be Authenticode-signed provides a good (but not perfect)
   solution for at least some level of trust, provided that the signature is from a certificate
   issued by a well-known commercial CA and that the person who owns/uses this Authenticode
   certificate is known by you and trusted to keep his private-key access secure. This is what
   I would call "due dilegence" in terms of receiving trusted assemblies. In fact, this would be
   an excellent way to enable CAS (with Publisher condition) for transparent execution of
net-deployed
   assemblies which require elevated permissions on several clients on an Intranet.
   An example of this is an Authenticode-signed web-deployed assembly I developed here:
      http://www3.sympatico.ca/mitchg/dotnet/
   As a matter of *trust*, even though one of the links represents an Authenticode signed assembly,
   you probably would NOT trust my signature, even though it is a commercial Thawte issued cert ,
   was time-stamped at sign-time and therefore the signature would be validated by win32
Authenticode.
   If you wished to use these test examples as they were designed,
   you would certainly try to get info. on the signer, is he/her trusted? any revoked certificates?
   references? (since I am not currently part of a well-known company :-)
   Yet, I know that based on my presence in newsgroups for several years, MANY people run my
   fully privileged signed Java applets with trust. The *trust* issue with signed Java applets is
very
   similar, in some respects, to CAS and custom code-access groups on the client. Verification of
   Authenticode signature ONLY guarantees that (1) integrity of entire assembly is verified against
   (2) public key/cert embedded in signature and (3) the CA who issued this cert is a known and
   trusted entity, within your Trusted CA list on your local machine. Trusting the owner is up to
   the user and technology can't really help.

 - Michel Gallant
   MVP Security
   JavaScience Consulting
   http://pages.istar.ca/~neutron

• Next message: Michel Gallant (MVP): "Re: .Net & Administrator Previlages"
• Previous message: Michael Giagnocavo: "Re: C# .NET = Handing out your private source code???"
• In reply to: David Thom: "Does .NET detect alterations to an assembly?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Confusion about .Net AllowPartiallyTrustedCallers (IE). ... To get around the security exceptions that occur; ... The assumption is that strong named assemblies will often have more ... more permissions to perform this task. ... have Full Trust. ... (microsoft.public.dotnet.security) Re: Tightening the default CAS policy ... years now) that Full Trust is a very bad idea, and that we need to move ... partially trusted applications. ... not in itself be sufficient IMHO to increase an assemblies trust permission. ... information and transmits it to some internet site. ... (microsoft.public.dotnet.security) Re: Tightening the default CAS policy ... years now) that Full Trust is a very bad idea, and that we need to move ... partially trusted applications. ... not in itself be sufficient IMHO to increase an assemblies trust permission. ... information and transmits it to some internet site. ... (microsoft.public.dotnet.security) Re: Tightening the default CAS policy ... years now) that Full Trust is a very bad idea, and that we need to move ... partially trusted applications. ... not in itself be sufficient IMHO to increase an assemblies trust permission. ... information and transmits it to some internet site. ... (microsoft.public.dotnet.security) Code Access Security Best Practices ... I am thinking mainly about code running on the local ... limitations with running some of the native .NET system Assemblies ... LinkDemand without Full Trust. ... but remove permissions on a case by case basis ... (microsoft.public.dotnet.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint