Re: How to protect intellectual property?
From: AlexS (salexru2000NO_at_SPAMsympaticoPLEASE.ca)
Date: 07/11/03
- Previous message: James Bender: "Storing encrypted data in a database."
- In reply to: Keith Patrick: "Re: How to protect intellectual property?"
Date: Fri, 11 Jul 2003 11:58:10 -0700
Keith,
As I see it, all these tricks might work only for calls / access through the
Reflection engine of the CLR. If somebody reads the assembly directly (binary,
through a private reflection implementation) and reconstructs information from
metadata, bypassing CLR Reflection, all these protections would be useless.
To me it looks like proper code protection could be achieved only by
hooking file access events and filtering call stacks inside the OS kernel. I
don't know how true this is. Possibly 2003 - or whatever will follow - will
have this functionality, but it is absent in W2K and WXP, right?
So far, I have the opinion that the only way to protect code is by using Web
Forms or clean ASP.Net, where you can manage to send to the client only the
resulting html.
Am I missing something?
Rgds
Alex
"Keith Patrick" <richard_keith_patrick@hotmail.com> wrote in message
news:eubPe3xRDHA.2240@TK2MSFTNGP11.phx.gbl...
> Actually, I may be wrong on that last point; I'm not really sure how .Net
> calls methods under the covers. It's conceivable that even a call to
> Object.ToString() starts as a message; might not be something that is
> implemented at the ContextBoundObject level. If that is the case, your
> performance shouldn't be hindered much. From personal experience, mine does
> take a hit, but that's because I have constraint-checking aspects in place
> for all of my method parameters, so there is a huge hit (but it gets turned
> off when not debugging)
>
> "Keith Patrick" <kpatrick@nospam.houston.rr.com> wrote in message
> news:Ohngy8bRDHA.4024@tk2msftngp13.phx.gbl...
> > If you want to get REALLY tricky, you could subclass ContextBoundObject,
> > create a method interception aspect, and put your own checks in (like
> > checking the source of a message/method). The MSDN documentation on that
> > class is absent, but MSDN has a good article on aspect-based programming
> > that goes into doing it. You won't get blazing code, since your method
> > calls become messages ala Remoting, but you will get more control. Of
> > course, you can *still* fake messages, so I need to reiterate that any
> > single security measure is not guaranteed (and by extension, no combination
> > of security measures are guaranteed) but the more you use, the lower the
> > odds of having your code misused.
> >
> > "AlexS" <salexru2000NO@SPAMsympaticoPLEASE.ca> wrote in message
> > news:%23Am9R2XRDHA.1804@TK2MSFTNGP11.phx.gbl...
> > > Does it mean I have to implement my own invocation checks in the code?
> > > Can this be done by subclassing StrongNameIdentityPermissionAttribute?
> > >
> > > Or there is better and simpler way?
> > > Alex
> > >
> > >
> > > "Eugene V. Bobukh [MS]" <eugenebo@online.microsoft.com> wrote in message
> > > news:%23WBWdkXRDHA.3768@tk2msftngp13.phx.gbl...
> > > Unfortunately, this method is not really helpful. If, for example, MS
> > > libraries will be calling your code [by delegate invocation], they will
> > > fail, 'cause they possess different public key.
> > >
> > > Also, if a person is an Admin on his/her local computer he can strip the
> > > public key from your code, embed it into his assemblies and then add
> > > corresponding public key token to so called "Skip Verification List", so
> > > such assemblies, even though they are badly "signed", will be able to run
> > > and invoke your code.
> > >
> > > --
> > > Eugene V. Bobukh
> > >
> > > "Konstantin Kipa" <konstantin@metaobjects.net> wrote in message
> > > news:%23O3ty7VRDHA.212@TK2MSFTNGP10.phx.gbl...
> > > > > [StrongNameIdentityPermissionAttribute(SecurityAction.Demand,
> > > > > PublicKey="<key of assembly allowed to call me>")]
> > > > > public void Foo() {
> > > > > }
> > > >
> > > > Thanks a lot! I didn't know about that one.
> > > >
> > > > > Nevertheless, I am still open for other tips & tricks. This attribute
> > > > > certainly will not make my code secure. At least it would not be possible to
> > > > > just copy and use it. I assume, that a calling assembly has to be signed
> > > > > with appropriate private key in order to call that assembly. I hope it is
> > > > > not possible to extract my key and sign other assembly with it.
> > > >
> > > > ---
> > > > Konstantin
> > > >
> > > >
> > >
> > >
> >
> >
>
>
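The ContextBoundObject interception idea quoted above, as an added example that is not code from any poster in this thread: a context attribute installs a message sink that checks the calling assembly before a method call is dispatched. All type names and the key token are constructed placeholders. It assumes .NET Framework (System.Runtime.Remoting) and a synchronous call within one AppDomain, so that the caller's frame is still on the thread's stack.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.Remoting.Activation;
using System.Runtime.Remoting.Contexts;
using System.Runtime.Remoting.Messaging;
using System.Security;
// Hypothetical names throughout: CallGuardAttribute, CallGuardSink, PricingEngine.
[AttributeUsage(AttributeTargets.Class)]
public sealed class CallGuardAttribute : ContextAttribute, IContributeObjectSink {
    public CallGuardAttribute() : base("CallGuard") { }
    // Never reuse the creator's context, so every call arrives as a message.
    public override bool IsContextOK(Context ctx, IConstructionCallMessage msg) { return false; }
    public IMessageSink GetObjectSink(MarshalByRefObject obj, IMessageSink next) {
        return new CallGuardSink(next);
    }
}
public sealed class CallGuardSink : IMessageSink {
    const string AllowedToken = "0123456789ABCDEF"; // constructed placeholder token
    readonly IMessageSink next;
    public CallGuardSink(IMessageSink next) { this.next = next; }
    public IMessageSink NextSink { get { return next; } }
    public IMessage SyncProcessMessage(IMessage msg) {
        IMethodCallMessage call = msg as IMethodCallMessage;
        // A rejected call comes back to the caller as a SecurityException.
        if (call != null && !CallerAllowed())
            return new ReturnMessage(new SecurityException("caller rejected: " + call.MethodName), call);
        return next.SyncProcessMessage(msg);
    }
    public IMessageCtrl AsyncProcessMessage(IMessage msg, IMessageSink replySink) {
        // Fail closed: this example only vets synchronous calls.
        throw new NotSupportedException("asynchronous calls are not accepted");
    }
    // Source check: the first stack frame outside mscorlib and this assembly.
    static bool CallerAllowed() {
        Assembly self = typeof(CallGuardSink).Assembly, core = typeof(object).Assembly;
        foreach (StackFrame f in new StackTrace().GetFrames()) {
            MethodBase m = f.GetMethod();
            Assembly a = (m == null || m.DeclaringType == null) ? null : m.DeclaringType.Assembly;
            if (a == null || a == self || a == core) continue;
            byte[] t = a.GetName().GetPublicKeyToken();
            return t != null && BitConverter.ToString(t).Replace("-", "") == AllowedToken;
        }
        return true; // only this assembly's own code is calling
    }
}
[CallGuard]
public class PricingEngine : ContextBoundObject {
    public decimal Quote(int units) { return units * 9.5m; }
}
```

The check compares a public key token only, so it inherits the limits raised in the thread: faked messages and the "Skip Verification List" both defeat it on a machine the user administers.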