Re: sn.exe -Vr assembly
From: Shawn Farkas [MS] (shawnfa_at_online.microsoft.com)
Date: 01/25/05
Date: Tue, 25 Jan 2005 22:56:44 GMT
> Yup. CAS can also be disabled entirely,

In fact, we could go so far as to say that an admin can install a modified
runtime with all security checks disabled.

As Nicole notes, if an administrator of a machine cannot be trusted,
there's not a lot you're going to be able to do to protect yourself. For
instance, even if we somehow prevented SN -Vr from working, locked in the
correct version of the CLR, and forced CAS on, an administrator could still
hook up a debugger to the process and catch all calls to (for instance)
StrongNameSignatureVerificationEx and simply return that everything
validates. This wouldn't take much effort for someone serious about
bypassing the system.

In fact, this specific scenario is even easier to fix than that. Any user
that has physical access to your code (not even an admin in this case), can
simply ildasm your assemblies, remove the key, and ilasm them back. Now
they can do anything they want with your code without getting a
verification issue.

What this boils down to is that if you need to be sure that your exact code
is being run, then you need to retain control over that code. One really
easy way to do that with .Net is to wrap your assembly in a web service,
and only ship to your clients the code that calls the web service. Of
course, if you don't have any way on the client side to validate that the
service was properly called, you'll end up with the same problem where
they could just bypass the call to the web service.

-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Note:
For the benefit of the community-at-large, all responses to this message
are best directed to the newsgroup/thread from which they originated.
--------------------
> From: "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com>
> References: <#ZYPKLy$EHA.2804@TK2MSFTNGP15.phx.gbl>
> Subject: Re: sn.exe -Vr assembly
> Date: Thu, 20 Jan 2005 15:09:07 -0500
>
> "Gecko" <nada@nada.com> wrote in message
> news:%23ZYPKLy$EHA.2804@TK2MSFTNGP15.phx.gbl...
> > Is it possible for a hacker to run the strong name utility on a client
> > computer with the -Vr parameter to skip verification of *signed*
> > assemblies installed in the client computer rendering my whole strong
> > name security scenario useless?
>
> Yup. CAS can also be disabled entirely, which is an even easier way to
> disable strong name identity verifications. What exactly is the goal of
> your "strong name security scenario"? If you provide some more details,
> perhaps someone could suggest an alternate approach.
>
> > Since most people are usually logged as Administrators, if I was a
> > disgruntled ex-employee and wanted to do some damage to my ex-employer, it
> > seems to me like if I could run the sn.exe utility on the client computer
> > to skip verification of the assemblies that I know my employer distributes
> > and replace them with my own and I could easily cause some good damage in
> > the name of my ex-employer.
>
> If you dig deeper than the MSDN documentation (which, I agree, you shouldn't
> have to <g>), you'll find that Microsoft folks don't much seem to care about
> scenarios where administrators aren't considered trustworthy. That said, in
> a single-authorization system, there's no way to completely protect against
> a malicious admin. However, one might argue that this particular form of
> meddling should be a great deal more difficult than it presently is.
>
> > I am still too new to this strong naming thing so forgive me if the
> > question is a silly one, thanks.
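
Added example (not part of the original thread or of any Microsoft code): a PowerShell audit that lists the verification-skip entries `sn.exe -Vr` registers, so a defender can spot machines where strong-name checks have been turned off. It assumes the entries live under the `StrongName\Verification` registry key in both the native and WOW64 views; the function name `Get-StrongNameSkipEntry` is hypothetical.

```powershell
# Added example: enumerate strong-name verification-skip entries (as written by "sn -Vr").
# Assumption: entries are subkeys of StrongName\Verification, named "<assembly>,<publicKeyToken>".
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\StrongName\Verification',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification'
)

function Get-StrongNameSkipEntry {
    param([string[]]$Path = $roots)

    foreach ($root in $Path) {
        # The key is absent on machines where no skip entry was ever registered.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # Split "<assembly>,<token>"; either part may be '*' (wildcard).
            $assembly, $token = $key.PSChildName -split ',', 2

            [pscustomobject]@{
                RegistryView   = $root
                Assembly       = $assembly
                PublicKeyToken = $token
                # A wildcard entry disables verification for many assemblies at once.
                Wildcard       = ($assembly -eq '*' -or $token -eq '*')
                # Report any values stored on the entry without interpreting them.
                ValueNames     = ($key.GetValueNames() -join ';')
            }
        }
    }
}

$entries = @(Get-StrongNameSkipEntry)
if ($entries.Count -eq 0) {
    'No strong-name verification-skip entries registered.'
} else {
    # Wildcard entries first: they have the widest effect.
    $entries | Sort-Object Wildcard -Descending | Format-Table -AutoSize
}
```

An empty result only shows that this one mechanism is unused; as the reply above notes, it says nothing about an administrator who has tampered with the runtime or the assemblies themselves.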