Re: Protecting assemblies from being used outside a company/group/team
From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 02/11/05
- Next message: Nicole Calinoiu: "Re: Code Access Security ASP.NET"
- Previous message: David Young: "Check for existence of key"
- In reply to: Nicole Calinoiu: "Re: Protecting assemblies from being used outside a company/group/team"
- Next in thread: Nicole Calinoiu: "Re: Protecting assemblies from being used outside a company/group/team"
Date: Fri, 11 Feb 2005 11:32:19 -0500
If we trust the obfuscation does not allow reverse (which is not stone), and
the encryption of the public token string, then we may be able to just use
our embedded public key. However, there are a whole host of other strings
and resources we want to verify too just to prove we are using the same
assembly we shipped. The double check proves the signed version matches the
embedded key. We could probably also check that the signature is not zeros
to prevent that simple hack. This tries to protect the easy hack where we
can find a resource or string we want to change with a hex editor. You
don't need to decompile to do this hack. However, the check would help
prevent that. To get around that, you would actually need to make a logic
change to the code to remove or jump around all test-and-branch instructions
where we test that. But as you can't easily read the code, this is harder
to find all spots that may check. So you could sprinkle other tests in the
code. Basically, this would force you into using a debugger to find the hex
locations of what you want to change in the file. If they can do that, then
the check code or the SN does not matter as they can get around both. Just
raises the bar. In the end, you can use or not use. Just another defense
layer to add to your assem.
-- William Stacey, MVP http://mvp.support.microsoft.com
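
The self-check described in the message above, sketched as an added example (not code from the original post or its author). `SelfCheck`, `ExpectedToken` and its value are hypothetical placeholders; the sketch assumes .NET 5 or later and an assembly loaded from a file on disk.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Reflection.PortableExecutable;
using System.Security.Cryptography;

static class SelfCheck
{
    // Placeholder (constructed value): public key token of the key the assembly shipped with.
    static readonly byte[] ExpectedToken = Convert.FromHexString("0123456789abcdef");

    // A public key token is the last 8 bytes of SHA-1(public key blob), in reverse order.
    public static byte[] TokenFromKey(byte[] publicKey)
    {
        using var sha1 = SHA1.Create();
        byte[] hash = sha1.ComputeHash(publicKey);
        return hash.Skip(hash.Length - 8).Reverse().ToArray();
    }

    // True when the strong-name signature slot exists and is not all zeros
    // (an all-zero slot is what a delay-signed or blanked-out file carries).
    public static bool SignatureNotBlank(string path)
    {
        using var pe = new PEReader(File.OpenRead(path));
        var dir = pe.PEHeaders.CorHeader?.StrongNameSignatureDirectory;
        if (dir is null || dir.Value.Size == 0) return false;
        var sig = pe.GetSectionData(dir.Value.RelativeVirtualAddress)
                    .GetContent(0, dir.Value.Size);
        return sig.Any(b => b != 0);
    }

    // Token derived from the assembly's own public key must equal the embedded
    // token, and the signature slot must hold real data.
    public static bool Verify(Assembly asm)
    {
        byte[] key = asm.GetName().GetPublicKey() ?? Array.Empty<byte>();
        if (key.Length == 0) return false;               // assembly is not signed at all
        if (string.IsNullOrEmpty(asm.Location)) return false; // not loaded from a file
        bool tokenOk = CryptographicOperations.FixedTimeEquals(
            TokenFromKey(key), ExpectedToken);
        return tokenOk && SignatureNotBlank(asm.Location);
    }
}
```

As the message says, a check like this only raises the bar: anyone able to patch the branch that consumes the result of `Verify` bypasses it, which is why the post suggests placing such tests in several spots.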