Protecting .NET assemblies (runtime)

Discussion in 'ASP .Net Security' started by Tophog, Mar 29, 2007.

  1. Tophog

    Tophog Guest

    I have a collection of various .NET assemblies I authored used in various
    applications within our corporate Intranet. The assemblies are used in
    fat-client apps, asp.net apps, etc, therefore many of the assemblies are
    distributed to end user systems (they are not installed in the GAC).

    It is my understanding that anyone can basically copy a .NET assembly,
    create a reference to it and consume it's public methods if CAS is not
    implemented in some fashion? I understand .NET assemblies are just MSIL code
    and meta data and can be reverse engineered quite easily (based on what I've
    read) using tools like the .NET reflector, etc. if they are not obfuscated.
    I'm not so concerned with this security aspect as developers/end users
    reusing my .NET assemblies in their own applications.

    In short, I've read where with Framework 1.1 one could use the
    [StrongNameIdentityPermission ( SecurityAction.Demand , PublicKey="public
    key" ...) declaration at a class/function level which would throw a runtime
    error if any consumer tried to use a strong-named assembly where the caller
    was not also signed with the same strong-name key. I then found this is no
    longer the case in .NET 2.0 where if the caller is fully trusted the
    StrongNameIdentifyPermission check is completey disregarded as discussed here
    http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines0003_class3

    How can I protect my .NET 2.0 assemblies from being consumed by other
    applications?
     
    Tophog, Mar 29, 2007
    #1
    1. Advertising

  2. short answer: you can't

    longer answer:

    you can try to do your best - like checking the SN of the caller - but it
    all boils down to: if you hand out your code (even in binary format) a skilled
    person can do to it whatever he wants...

    There are companies that have much more budget trying to solve these problems
    (games vendors, big commercial software, OS etc) - and everything has been
    cracked so far...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > I have a collection of various .NET assemblies I authored used in
    > various applications within our corporate Intranet. The assemblies
    > are used in fat-client apps, asp.net apps, etc, therefore many of the
    > assemblies are distributed to end user systems (they are not installed
    > in the GAC).
    >
    > It is my understanding that anyone can basically copy a .NET assembly,
    > create a reference to it and consume it's public methods if CAS is not
    > implemented in some fashion? I understand .NET assemblies are just
    > MSIL code and meta data and can be reverse engineered quite easily
    > (based on what I've read) using tools like the .NET reflector, etc. if
    > they are not obfuscated. I'm not so concerned with this security
    > aspect as developers/end users reusing my .NET assemblies in their own
    > applications.
    >
    > In short, I've read where with Framework 1.1 one could use the
    > [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > PublicKey="public key" ...) declaration at a class/function level
    > which would throw a runtime error if any consumer tried to use a
    > strong-named assembly where the caller was not also signed with the
    > same strong-name key. I then found this is no longer the case in .NET
    > 2.0 where if the caller is fully trusted the
    > StrongNameIdentifyPermission check is completey disregarded as
    > discussed here?
    > http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines00
    > 03_class3
    >
    > How can I protect my .NET 2.0 assemblies from being consumed by other
    > applications?
    >
     
    Dominick Baier, Mar 29, 2007
    #2
    1. Advertising

  3. Tophog

    Tophog Guest

    Amazing :( I am losing respect for .NET the more I use it. With security
    being one of the most important aspects of applications today one cannot
    protect their own assemblies to prevent others from using them? I am sitting
    here wondering why anyone is developing with .NET!? Jesus.

    "Dominick Baier" wrote:

    > short answer: you can't
    >
    > longer answer:
    >
    > you can try to do your best - like checking the SN of the caller - but it
    > all boils down to: if you hand out your code (even in binary format) a skilled
    > person can do to it whatever he wants...
    >
    > There are companies that have much more budget trying to solve these problems
    > (games vendors, big commercial software, OS etc) - and everything has been
    > cracked so far...
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > I have a collection of various .NET assemblies I authored used in
    > > various applications within our corporate Intranet. The assemblies
    > > are used in fat-client apps, asp.net apps, etc, therefore many of the
    > > assemblies are distributed to end user systems (they are not installed
    > > in the GAC).
    > >
    > > It is my understanding that anyone can basically copy a .NET assembly,
    > > create a reference to it and consume it's public methods if CAS is not
    > > implemented in some fashion? I understand .NET assemblies are just
    > > MSIL code and meta data and can be reverse engineered quite easily
    > > (based on what I've read) using tools like the .NET reflector, etc. if
    > > they are not obfuscated. I'm not so concerned with this security
    > > aspect as developers/end users reusing my .NET assemblies in their own
    > > applications.
    > >
    > > In short, I've read where with Framework 1.1 one could use the
    > > [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > > PublicKey="public key" ...) declaration at a class/function level
    > > which would throw a runtime error if any consumer tried to use a
    > > strong-named assembly where the caller was not also signed with the
    > > same strong-name key. I then found this is no longer the case in .NET
    > > 2.0 where if the caller is fully trusted the
    > > StrongNameIdentifyPermission check is completey disregarded as
    > > discussed here?
    > > http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines00
    > > 03_class3
    > >
    > > How can I protect my .NET 2.0 assemblies from being consumed by other
    > > applications?
    > >

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #3
  4. you never could that - in no language...

    Or do you think vendors like Microsoft haven't tried preventing people to
    use e.g. Windows without paying for it??


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Amazing :( I am losing respect for .NET the more I use it. With
    > security being one of the most important aspects of applications today
    > one cannot protect their own assemblies to prevent others from using
    > them? I am sitting here wondering why anyone is developing with
    > .NET!? Jesus.
    >
    > "Dominick Baier" wrote:
    >
    >> short answer: you can't
    >>
    >> longer answer:
    >>
    >> you can try to do your best - like checking the SN of the caller -
    >> but it all boils down to: if you hand out your code (even in binary
    >> format) a skilled person can do to it whatever he wants...
    >>
    >> There are companies that have much more budget trying to solve these
    >> problems (games vendors, big commercial software, OS etc) - and
    >> everything has been cracked so far...
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> I have a collection of various .NET assemblies I authored used in
    >>> various applications within our corporate Intranet. The assemblies
    >>> are used in fat-client apps, asp.net apps, etc, therefore many of
    >>> the assemblies are distributed to end user systems (they are not
    >>> installed in the GAC).
    >>>
    >>> It is my understanding that anyone can basically copy a .NET
    >>> assembly, create a reference to it and consume it's public methods
    >>> if CAS is not implemented in some fashion? I understand .NET
    >>> assemblies are just MSIL code and meta data and can be reverse
    >>> engineered quite easily (based on what I've read) using tools like
    >>> the .NET reflector, etc. if they are not obfuscated. I'm not so
    >>> concerned with this security aspect as developers/end users reusing
    >>> my .NET assemblies in their own applications.
    >>>
    >>> In short, I've read where with Framework 1.1 one could use the
    >>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    >>> PublicKey="public key" ...) declaration at a class/function level
    >>> which would throw a runtime error if any consumer tried to use a
    >>> strong-named assembly where the caller was not also signed with the
    >>> same strong-name key. I then found this is no longer the case in
    >>> .NET 2.0 where if the caller is fully trusted the
    >>> StrongNameIdentifyPermission check is completey disregarded as
    >>> discussed here?
    >>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines
    >>> 00 03_class3
    >>>
    >>> How can I protect my .NET 2.0 assemblies from being consumed by
    >>> other applications?
    >>>
     
    Dominick Baier, Mar 29, 2007
    #4
  5. Tophog

    Tophog Guest

    It's much more difficult to reverse engineer/re-use compiled binaries as
    opposed to MSIL-based assemblies isn't it? I'm talking about basic security
    meaures to protect someone from copying/executing methods within an assembly
    authored by someone else? I understand any software can be compromised
    given enough time, talent, etc. But given some mechanism to implement
    *basic* security it would help prevent your average "joe" user from executing
    code within your own assemblies. It seams something could be done to
    implement basic "I authored this assembly and I don't want anyone else to
    re-use it outside *my* applications" type security.


    "Dominick Baier" wrote:

    > you never could that - in no language...
    >
    > Or do you think vendors like Microsoft haven't tried preventing people to
    > use e.g. Windows without paying for it??
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > Amazing :( I am losing respect for .NET the more I use it. With
    > > security being one of the most important aspects of applications today
    > > one cannot protect their own assemblies to prevent others from using
    > > them? I am sitting here wondering why anyone is developing with
    > > .NET!? Jesus.
    > >
    > > "Dominick Baier" wrote:
    > >
    > >> short answer: you can't
    > >>
    > >> longer answer:
    > >>
    > >> you can try to do your best - like checking the SN of the caller -
    > >> but it all boils down to: if you hand out your code (even in binary
    > >> format) a skilled person can do to it whatever he wants...
    > >>
    > >> There are companies that have much more budget trying to solve these
    > >> problems (games vendors, big commercial software, OS etc) - and
    > >> everything has been cracked so far...
    > >>
    > >> -----
    > >> Dominick Baier (http://www.leastprivilege.com)
    > >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>
    > >>> I have a collection of various .NET assemblies I authored used in
    > >>> various applications within our corporate Intranet. The assemblies
    > >>> are used in fat-client apps, asp.net apps, etc, therefore many of
    > >>> the assemblies are distributed to end user systems (they are not
    > >>> installed in the GAC).
    > >>>
    > >>> It is my understanding that anyone can basically copy a .NET
    > >>> assembly, create a reference to it and consume it's public methods
    > >>> if CAS is not implemented in some fashion? I understand .NET
    > >>> assemblies are just MSIL code and meta data and can be reverse
    > >>> engineered quite easily (based on what I've read) using tools like
    > >>> the .NET reflector, etc. if they are not obfuscated. I'm not so
    > >>> concerned with this security aspect as developers/end users reusing
    > >>> my .NET assemblies in their own applications.
    > >>>
    > >>> In short, I've read where with Framework 1.1 one could use the
    > >>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > >>> PublicKey="public key" ...) declaration at a class/function level
    > >>> which would throw a runtime error if any consumer tried to use a
    > >>> strong-named assembly where the caller was not also signed with the
    > >>> same strong-name key. I then found this is no longer the case in
    > >>> .NET 2.0 where if the caller is fully trusted the
    > >>> StrongNameIdentifyPermission check is completey disregarded as
    > >>> discussed here?
    > >>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines
    > >>> 00 03_class3
    > >>>
    > >>> How can I protect my .NET 2.0 assemblies from being consumed by
    > >>> other applications?
    > >>>

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #5
  6. and as i said you can do that.

    Check Assembly.GetCallingAssembly()

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > It's much more difficult to reverse engineer/re-use compiled binaries
    > as opposed to MSIL-based assemblies isn't it? I'm talking about basic
    > security meaures to protect someone from copying/executing methods
    > within an assembly authored by someone else? I understand any
    > software can be compromised given enough time, talent, etc. But given
    > some mechanism to implement *basic* security it would help prevent
    > your average "joe" user from executing code within your own
    > assemblies. It seams something could be done to implement basic "I
    > authored this assembly and I don't want anyone else to re-use it
    > outside *my* applications" type security.
    >
    > "Dominick Baier" wrote:
    >
    >> you never could that - in no language...
    >>
    >> Or do you think vendors like Microsoft haven't tried preventing
    >> people to use e.g. Windows without paying for it??
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> Amazing :( I am losing respect for .NET the more I use it. With
    >>> security being one of the most important aspects of applications
    >>> today one cannot protect their own assemblies to prevent others from
    >>> using them? I am sitting here wondering why anyone is developing
    >>> with .NET!? Jesus.
    >>>
    >>> "Dominick Baier" wrote:
    >>>
    >>>> short answer: you can't
    >>>>
    >>>> longer answer:
    >>>>
    >>>> you can try to do your best - like checking the SN of the caller -
    >>>> but it all boils down to: if you hand out your code (even in binary
    >>>> format) a skilled person can do to it whatever he wants...
    >>>>
    >>>> There are companies that have much more budget trying to solve
    >>>> these problems (games vendors, big commercial software, OS etc) -
    >>>> and everything has been cracked so far...
    >>>>
    >>>> -----
    >>>> Dominick Baier (http://www.leastprivilege.com)
    >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>> I have a collection of various .NET assemblies I authored used in
    >>>>> various applications within our corporate Intranet. The
    >>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    >>>>> therefore many of the assemblies are distributed to end user
    >>>>> systems (they are not installed in the GAC).
    >>>>>
    >>>>> It is my understanding that anyone can basically copy a .NET
    >>>>> assembly, create a reference to it and consume it's public methods
    >>>>> if CAS is not implemented in some fashion? I understand .NET
    >>>>> assemblies are just MSIL code and meta data and can be reverse
    >>>>> engineered quite easily (based on what I've read) using tools like
    >>>>> the .NET reflector, etc. if they are not obfuscated. I'm not so
    >>>>> concerned with this security aspect as developers/end users
    >>>>> reusing my .NET assemblies in their own applications.
    >>>>>
    >>>>> In short, I've read where with Framework 1.1 one could use the
    >>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    >>>>> PublicKey="public key" ...) declaration at a class/function level
    >>>>> which would throw a runtime error if any consumer tried to use a
    >>>>> strong-named assembly where the caller was not also signed with
    >>>>> the same strong-name key. I then found this is no longer the case
    >>>>> in .NET 2.0 where if the caller is fully trusted the
    >>>>> StrongNameIdentifyPermission check is completey disregarded as
    >>>>> discussed here?
    >>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelin
    >>>>> es 00 03_class3
    >>>>>
    >>>>> How can I protect my .NET 2.0 assemblies from being consumed by
    >>>>> other applications?
    >>>>>
     
    Dominick Baier, Mar 29, 2007
    #6
  7. Tophog

    Tophog Guest

    Thanks. What I find ironic is MS's own webpage that covers this mentions
    nothing about how to use it to protect assemblies. I assume it's documented
    elsewhere? in your book?


    http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.getcallingassembly.aspx

    "Dominick Baier" wrote:

    > and as i said you can do that.
    >
    > Check Assembly.GetCallingAssembly()
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > It's much more difficult to reverse engineer/re-use compiled binaries
    > > as opposed to MSIL-based assemblies isn't it? I'm talking about basic
    > > security meaures to protect someone from copying/executing methods
    > > within an assembly authored by someone else? I understand any
    > > software can be compromised given enough time, talent, etc. But given
    > > some mechanism to implement *basic* security it would help prevent
    > > your average "joe" user from executing code within your own
    > > assemblies. It seams something could be done to implement basic "I
    > > authored this assembly and I don't want anyone else to re-use it
    > > outside *my* applications" type security.
    > >
    > > "Dominick Baier" wrote:
    > >
    > >> you never could that - in no language...
    > >>
    > >> Or do you think vendors like Microsoft haven't tried preventing
    > >> people to use e.g. Windows without paying for it??
    > >>
    > >> -----
    > >> Dominick Baier (http://www.leastprivilege.com)
    > >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>
    > >>> Amazing :( I am losing respect for .NET the more I use it. With
    > >>> security being one of the most important aspects of applications
    > >>> today one cannot protect their own assemblies to prevent others from
    > >>> using them? I am sitting here wondering why anyone is developing
    > >>> with .NET!? Jesus.
    > >>>
    > >>> "Dominick Baier" wrote:
    > >>>
    > >>>> short answer: you can't
    > >>>>
    > >>>> longer answer:
    > >>>>
    > >>>> you can try to do your best - like checking the SN of the caller -
    > >>>> but it all boils down to: if you hand out your code (even in binary
    > >>>> format) a skilled person can do to it whatever he wants...
    > >>>>
    > >>>> There are companies that have much more budget trying to solve
    > >>>> these problems (games vendors, big commercial software, OS etc) -
    > >>>> and everything has been cracked so far...
    > >>>>
    > >>>> -----
    > >>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>> I have a collection of various .NET assemblies I authored used in
    > >>>>> various applications within our corporate Intranet. The
    > >>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    > >>>>> therefore many of the assemblies are distributed to end user
    > >>>>> systems (they are not installed in the GAC).
    > >>>>>
    > >>>>> It is my understanding that anyone can basically copy a .NET
    > >>>>> assembly, create a reference to it and consume it's public methods
    > >>>>> if CAS is not implemented in some fashion? I understand .NET
    > >>>>> assemblies are just MSIL code and meta data and can be reverse
    > >>>>> engineered quite easily (based on what I've read) using tools like
    > >>>>> the .NET reflector, etc. if they are not obfuscated. I'm not so
    > >>>>> concerned with this security aspect as developers/end users
    > >>>>> reusing my .NET assemblies in their own applications.
    > >>>>>
    > >>>>> In short, I've read where with Framework 1.1 one could use the
    > >>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > >>>>> PublicKey="public key" ...) declaration at a class/function level
    > >>>>> which would throw a runtime error if any consumer tried to use a
    > >>>>> strong-named assembly where the caller was not also signed with
    > >>>>> the same strong-name key. I then found this is no longer the case
    > >>>>> in .NET 2.0 where if the caller is fully trusted the
    > >>>>> StrongNameIdentifyPermission check is completey disregarded as
    > >>>>> discussed here?
    > >>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelin
    > >>>>> es 00 03_class3
    > >>>>>
    > >>>>> How can I protect my .NET 2.0 assemblies from being consumed by
    > >>>>> other applications?
    > >>>>>

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #7
  8. not sure if it is documented.

    You can extract the strong name of the calling assembly and compare it to
    a list of allowed names - thats it...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Thanks. What I find ironic is MS's own webpage that covers this
    > mentions nothing about how to use it to protect assemblies. I assume
    > it's documented elsewhere? in your book?
    >
    > http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.ge
    > tcallingassembly.aspx
    >
    > "Dominick Baier" wrote:
    >
    >> and as i said you can do that.
    >>
    >> Check Assembly.GetCallingAssembly()
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> It's much more difficult to reverse engineer/re-use compiled
    >>> binaries as opposed to MSIL-based assemblies isn't it? I'm talking
    >>> about basic security meaures to protect someone from
    >>> copying/executing methods within an assembly authored by someone
    >>> else? I understand any software can be compromised given enough
    >>> time, talent, etc. But given some mechanism to implement *basic*
    >>> security it would help prevent your average "joe" user from
    >>> executing code within your own assemblies. It seams something could
    >>> be done to implement basic "I authored this assembly and I don't
    >>> want anyone else to re-use it outside *my* applications" type
    >>> security.
    >>>
    >>> "Dominick Baier" wrote:
    >>>
    >>>> you never could that - in no language...
    >>>>
    >>>> Or do you think vendors like Microsoft haven't tried preventing
    >>>> people to use e.g. Windows without paying for it??
    >>>>
    >>>> -----
    >>>> Dominick Baier (http://www.leastprivilege.com)
    >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>> Amazing :( I am losing respect for .NET the more I use it. With
    >>>>> security being one of the most important aspects of applications
    >>>>> today one cannot protect their own assemblies to prevent others
    >>>>> from using them? I am sitting here wondering why anyone is
    >>>>> developing with .NET!? Jesus.
    >>>>>
    >>>>> "Dominick Baier" wrote:
    >>>>>
    >>>>>> short answer: you can't
    >>>>>>
    >>>>>> longer answer:
    >>>>>>
    >>>>>> you can try to do your best - like checking the SN of the caller
    >>>>>> - but it all boils down to: if you hand out your code (even in
    >>>>>> binary format) a skilled person can do to it whatever he wants...
    >>>>>>
    >>>>>> There are companies that have much more budget trying to solve
    >>>>>> these problems (games vendors, big commercial software, OS etc) -
    >>>>>> and everything has been cracked so far...
    >>>>>>
    >>>>>> -----
    >>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>> I have a collection of various .NET assemblies I authored used
    >>>>>>> in various applications within our corporate Intranet. The
    >>>>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    >>>>>>> therefore many of the assemblies are distributed to end user
    >>>>>>> systems (they are not installed in the GAC).
    >>>>>>>
    >>>>>>> It is my understanding that anyone can basically copy a .NET
    >>>>>>> assembly, create a reference to it and consume it's public
    >>>>>>> methods if CAS is not implemented in some fashion? I understand
    >>>>>>> .NET assemblies are just MSIL code and meta data and can be
    >>>>>>> reverse engineered quite easily (based on what I've read) using
    >>>>>>> tools like the .NET reflector, etc. if they are not obfuscated.
    >>>>>>> I'm not so concerned with this security aspect as developers/end
    >>>>>>> users reusing my .NET assemblies in their own applications.
    >>>>>>>
    >>>>>>> In short, I've read where with Framework 1.1 one could use the
    >>>>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    >>>>>>> PublicKey="public key" ...) declaration at a class/function
    >>>>>>> level which would throw a runtime error if any consumer tried to
    >>>>>>> use a strong-named assembly where the caller was not also signed
    >>>>>>> with the same strong-name key. I then found this is no longer
    >>>>>>> the case in .NET 2.0 where if the caller is fully trusted the
    >>>>>>> StrongNameIdentifyPermission check is completey disregarded as
    >>>>>>> discussed here?
    >>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidel
    >>>>>>> in es 00 03_class3
    >>>>>>>
    >>>>>>> How can I protect my .NET 2.0 assemblies from being consumed by
    >>>>>>> other applications?
    >>>>>>>
     
    Dominick Baier, Mar 29, 2007
    #8
  9. Tophog

    Tophog Guest

    Ah, the ol' undocumented special feature thing :) I'll do some research and
    see if I can figure out the hack. thanks again for your help.

    -Jeff

    "Dominick Baier" wrote:

    > not sure if it is documented.
    >
    > You can extract the strong name of the calling assembly and compare it to
    > a list of allowed names - thats it...
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > Thanks. What I find ironic is MS's own webpage that covers this
    > > mentions nothing about how to use it to protect assemblies. I assume
    > > it's documented elsewhere? in your book?
    > >
    > > http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.ge
    > > tcallingassembly.aspx
    > >
    > > "Dominick Baier" wrote:
    > >
    > >> and as i said you can do that.
    > >>
    > >> Check Assembly.GetCallingAssembly()
    > >>
    > >> -----
    > >> Dominick Baier (http://www.leastprivilege.com)
    > >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>
    > >>> It's much more difficult to reverse engineer/re-use compiled
    > >>> binaries as opposed to MSIL-based assemblies isn't it? I'm talking
    > >>> about basic security meaures to protect someone from
    > >>> copying/executing methods within an assembly authored by someone
    > >>> else? I understand any software can be compromised given enough
    > >>> time, talent, etc. But given some mechanism to implement *basic*
    > >>> security it would help prevent your average "joe" user from
    > >>> executing code within your own assemblies. It seams something could
    > >>> be done to implement basic "I authored this assembly and I don't
    > >>> want anyone else to re-use it outside *my* applications" type
    > >>> security.
    > >>>
    > >>> "Dominick Baier" wrote:
    > >>>
    > >>>> you never could that - in no language...
    > >>>>
    > >>>> Or do you think vendors like Microsoft haven't tried preventing
    > >>>> people to use e.g. Windows without paying for it??
    > >>>>
    > >>>> -----
    > >>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>> Amazing :( I am losing respect for .NET the more I use it. With
    > >>>>> security being one of the most important aspects of applications
    > >>>>> today one cannot protect their own assemblies to prevent others
    > >>>>> from using them? I am sitting here wondering why anyone is
    > >>>>> developing with .NET!? Jesus.
    > >>>>>
    > >>>>> "Dominick Baier" wrote:
    > >>>>>
    > >>>>>> short answer: you can't
    > >>>>>>
    > >>>>>> longer answer:
    > >>>>>>
    > >>>>>> you can try to do your best - like checking the SN of the caller
    > >>>>>> - but it all boils down to: if you hand out your code (even in
    > >>>>>> binary format) a skilled person can do to it whatever he wants...
    > >>>>>>
    > >>>>>> There are companies that have much more budget trying to solve
    > >>>>>> these problems (games vendors, big commercial software, OS etc) -
    > >>>>>> and everything has been cracked so far...
    > >>>>>>
    > >>>>>> -----
    > >>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>> I have a collection of various .NET assemblies I authored used
    > >>>>>>> in various applications within our corporate Intranet. The
    > >>>>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    > >>>>>>> therefore many of the assemblies are distributed to end user
    > >>>>>>> systems (they are not installed in the GAC).
    > >>>>>>>
    > >>>>>>> It is my understanding that anyone can basically copy a .NET
    > >>>>>>> assembly, create a reference to it and consume it's public
    > >>>>>>> methods if CAS is not implemented in some fashion? I understand
    > >>>>>>> .NET assemblies are just MSIL code and meta data and can be
    > >>>>>>> reverse engineered quite easily (based on what I've read) using
    > >>>>>>> tools like the .NET reflector, etc. if they are not obfuscated.
    > >>>>>>> I'm not so concerned with this security aspect as developers/end
    > >>>>>>> users reusing my .NET assemblies in their own applications.
    > >>>>>>>
    > >>>>>>> In short, I've read where with Framework 1.1 one could use the
    > >>>>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > >>>>>>> PublicKey="public key" ...) declaration at a class/function
    > >>>>>>> level which would throw a runtime error if any consumer tried to
    > >>>>>>> use a strong-named assembly where the caller was not also signed
    > >>>>>>> with the same strong-name key. I then found this is no longer
    > >>>>>>> the case in .NET 2.0 where if the caller is fully trusted the
    > >>>>>>> StrongNameIdentifyPermission check is completey disregarded as
    > >>>>>>> discussed here?
    > >>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidel
    > >>>>>>> in es 00 03_class3
    > >>>>>>>
    > >>>>>>> How can I protect my .NET 2.0 assemblies from being consumed by
    > >>>>>>> other applications?
    > >>>>>>>

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #9
  10. that's no hack, thats no special feature - thats how .net works....


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Ah, the ol' undocumented special feature thing :) I'll do some
    > research and see if I can figure out the hack. thanks again for your
    > help.
    >
    > -Jeff
    >
    > "Dominick Baier" wrote:
    >
    >> not sure if it is documented.
    >>
    >> You can extract the strong name of the calling assembly and compare
    >> it to a list of allowed names - thats it...
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> Thanks. What I find ironic is MS's own webpage that covers this
    >>> mentions nothing about how to use it to protect assemblies. I assume
    >>> it's documented elsewhere? in your book?
    >>>
    >>> http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
    >>> ge tcallingassembly.aspx
    >>>
    >>> "Dominick Baier" wrote:
    >>>
    >>>> and as i said you can do that.
    >>>>
    >>>> Check Assembly.GetCallingAssembly()
    >>>>
    >>>> -----
    >>>> Dominick Baier (http://www.leastprivilege.com)
    >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>> It's much more difficult to reverse engineer/re-use compiled
    >>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    >>>>> talking about basic security meaures to protect someone from
    >>>>> copying/executing methods within an assembly authored by someone
    >>>>> else? I understand any software can be compromised given enough
    >>>>> time, talent, etc. But given some mechanism to implement *basic*
    >>>>> security it would help prevent your average "joe" user from
    >>>>> executing code within your own assemblies. It seams something
    >>>>> could be done to implement basic "I authored this assembly and I
    >>>>> don't want anyone else to re-use it outside *my* applications"
    >>>>> type security.
    >>>>>
    >>>>> "Dominick Baier" wrote:
    >>>>>
    >>>>>> you never could that - in no language...
    >>>>>>
    >>>>>> Or do you think vendors like Microsoft haven't tried preventing
    >>>>>> people to use e.g. Windows without paying for it??
    >>>>>>
    >>>>>> -----
    >>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    >>>>>>> With security being one of the most important aspects of
    >>>>>>> applications today one cannot protect their own assemblies to
    >>>>>>> prevent others from using them? I am sitting here wondering why
    >>>>>>> anyone is developing with .NET!? Jesus.
    >>>>>>>
    >>>>>>> "Dominick Baier" wrote:
    >>>>>>>
    >>>>>>>> short answer: you can't
    >>>>>>>>
    >>>>>>>> longer answer:
    >>>>>>>>
    >>>>>>>> you can try to do your best - like checking the SN of the
    >>>>>>>> caller - but it all boils down to: if you hand out your code
    >>>>>>>> (even in binary format) a skilled person can do to it whatever
    >>>>>>>> he wants...
    >>>>>>>>
    >>>>>>>> There are companies that have much more budget trying to solve
    >>>>>>>> these problems (games vendors, big commercial software, OS etc)
    >>>>>>>> - and everything has been cracked so far...
    >>>>>>>>
    >>>>>>>> -----
    >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>>> I have a collection of various .NET assemblies I authored used
    >>>>>>>>> in various applications within our corporate Intranet. The
    >>>>>>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    >>>>>>>>> therefore many of the assemblies are distributed to end user
    >>>>>>>>> systems (they are not installed in the GAC).
    >>>>>>>>>
    >>>>>>>>> It is my understanding that anyone can basically copy a .NET
    >>>>>>>>> assembly, create a reference to it and consume it's public
    >>>>>>>>> methods if CAS is not implemented in some fashion? I
    >>>>>>>>> understand .NET assemblies are just MSIL code and meta data
    >>>>>>>>> and can be reverse engineered quite easily (based on what I've
    >>>>>>>>> read) using tools like the .NET reflector, etc. if they are
    >>>>>>>>> not obfuscated. I'm not so concerned with this security aspect
    >>>>>>>>> as developers/end users reusing my .NET assemblies in their
    >>>>>>>>> own applications.
    >>>>>>>>>
    >>>>>>>>> In short, I've read where with Framework 1.1 one could use the
    >>>>>>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    >>>>>>>>> PublicKey="public key" ...) declaration at a class/function
    >>>>>>>>> level which would throw a runtime error if any consumer tried
    >>>>>>>>> to use a strong-named assembly where the caller was not also
    >>>>>>>>> signed with the same strong-name key. I then found this is no
    >>>>>>>>> longer the case in .NET 2.0 where if the caller is fully
    >>>>>>>>> trusted the StrongNameIdentifyPermission check is completey
    >>>>>>>>> disregarded as discussed here?
    >>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
    >>>>>>>>> el in es 00 03_class3
    >>>>>>>>>
    >>>>>>>>> How can I protect my .NET 2.0 assemblies from being consumed
    >>>>>>>>> by other applications?
    >>>>>>>>>
     
    Dominick Baier, Mar 29, 2007
    #10
  11. Tophog

    Tophog Guest

    ..NET is flawed IMHO when it comes to security.

    -Jeff MCSD.net
    ADP Dealer Services

    "Dominick Baier" wrote:

    > that's no hack, thats no special feature - thats how .net works....
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > Ah, the ol' undocumented special feature thing :) I'll do some
    > > research and see if I can figure out the hack. thanks again for your
    > > help.
    > >
    > > -Jeff
    > >
    > > "Dominick Baier" wrote:
    > >
    > >> not sure if it is documented.
    > >>
    > >> You can extract the strong name of the calling assembly and compare
    > >> it to a list of allowed names - thats it...
    > >>
    > >> -----
    > >> Dominick Baier (http://www.leastprivilege.com)
    > >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>
    > >>> Thanks. What I find ironic is MS's own webpage that covers this
    > >>> mentions nothing about how to use it to protect assemblies. I assume
    > >>> it's documented elsewhere? in your book?
    > >>>
    > >>> http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
    > >>> ge tcallingassembly.aspx
    > >>>
    > >>> "Dominick Baier" wrote:
    > >>>
    > >>>> and as i said you can do that.
    > >>>>
    > >>>> Check Assembly.GetCallingAssembly()
    > >>>>
    > >>>> -----
    > >>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>> It's much more difficult to reverse engineer/re-use compiled
    > >>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    > >>>>> talking about basic security meaures to protect someone from
    > >>>>> copying/executing methods within an assembly authored by someone
    > >>>>> else? I understand any software can be compromised given enough
    > >>>>> time, talent, etc. But given some mechanism to implement *basic*
    > >>>>> security it would help prevent your average "joe" user from
    > >>>>> executing code within your own assemblies. It seams something
    > >>>>> could be done to implement basic "I authored this assembly and I
    > >>>>> don't want anyone else to re-use it outside *my* applications"
    > >>>>> type security.
    > >>>>>
    > >>>>> "Dominick Baier" wrote:
    > >>>>>
    > >>>>>> you never could that - in no language...
    > >>>>>>
    > >>>>>> Or do you think vendors like Microsoft haven't tried preventing
    > >>>>>> people to use e.g. Windows without paying for it??
    > >>>>>>
    > >>>>>> -----
    > >>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    > >>>>>>> With security being one of the most important aspects of
    > >>>>>>> applications today one cannot protect their own assemblies to
    > >>>>>>> prevent others from using them? I am sitting here wondering why
    > >>>>>>> anyone is developing with .NET!? Jesus.
    > >>>>>>>
    > >>>>>>> "Dominick Baier" wrote:
    > >>>>>>>
    > >>>>>>>> short answer: you can't
    > >>>>>>>>
    > >>>>>>>> longer answer:
    > >>>>>>>>
    > >>>>>>>> you can try to do your best - like checking the SN of the
    > >>>>>>>> caller - but it all boils down to: if you hand out your code
    > >>>>>>>> (even in binary format) a skilled person can do to it whatever
    > >>>>>>>> he wants...
    > >>>>>>>>
    > >>>>>>>> There are companies that have much more budget trying to solve
    > >>>>>>>> these problems (games vendors, big commercial software, OS etc)
    > >>>>>>>> - and everything has been cracked so far...
    > >>>>>>>>
    > >>>>>>>> -----
    > >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>>>> I have a collection of various .NET assemblies I authored used
    > >>>>>>>>> in various applications within our corporate Intranet. The
    > >>>>>>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    > >>>>>>>>> therefore many of the assemblies are distributed to end user
    > >>>>>>>>> systems (they are not installed in the GAC).
    > >>>>>>>>>
    > >>>>>>>>> It is my understanding that anyone can basically copy a .NET
    > >>>>>>>>> assembly, create a reference to it and consume it's public
    > >>>>>>>>> methods if CAS is not implemented in some fashion? I
    > >>>>>>>>> understand .NET assemblies are just MSIL code and meta data
    > >>>>>>>>> and can be reverse engineered quite easily (based on what I've
    > >>>>>>>>> read) using tools like the .NET reflector, etc. if they are
    > >>>>>>>>> not obfuscated. I'm not so concerned with this security aspect
    > >>>>>>>>> as developers/end users reusing my .NET assemblies in their
    > >>>>>>>>> own applications.
    > >>>>>>>>>
    > >>>>>>>>> In short, I've read where with Framework 1.1 one could use the
    > >>>>>>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > >>>>>>>>> PublicKey="public key" ...) declaration at a class/function
    > >>>>>>>>> level which would throw a runtime error if any consumer tried
    > >>>>>>>>> to use a strong-named assembly where the caller was not also
    > >>>>>>>>> signed with the same strong-name key. I then found this is no
    > >>>>>>>>> longer the case in .NET 2.0 where if the caller is fully
    > >>>>>>>>> trusted the StrongNameIdentifyPermission check is completey
    > >>>>>>>>> disregarded as discussed here?
    > >>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
    > >>>>>>>>> el in es 00 03_class3
    > >>>>>>>>>
    > >>>>>>>>> How can I protect my .NET 2.0 assemblies from being consumed
    > >>>>>>>>> by other applications?
    > >>>>>>>>>

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #11
  12. Tophog

    Tophog Guest

    Say I have a compiled COM-based DLL (binary) 'helloworld.dll' with a function
    that simply returns "Hello World". I build the DLL and distribute it with a
    fat-client application that is installed on a developers desktop.

    Now I build a .NET dll with the same function and distribute it with a
    client app to the same users desktop.

    Which DLL is going to be easier for the user re-use in his/her own
    application? Why? (I know the answer already, it's not a trick question)

    Shouldn't the .NET dll be more difficult to re-use simply based on the fact
    ..NET is the "latest/greatest" technology in this day security is one, if not
    the most, important aspect of software applications?


    "Dominick Baier" wrote:

    > that's no hack, thats no special feature - thats how .net works....
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > Ah, the ol' undocumented special feature thing :) I'll do some
    > > research and see if I can figure out the hack. thanks again for your
    > > help.
    > >
    > > -Jeff
    > >
    > > "Dominick Baier" wrote:
    > >
    > >> not sure if it is documented.
    > >>
    > >> You can extract the strong name of the calling assembly and compare
    > >> it to a list of allowed names - thats it...
    > >>
    > >> -----
    > >> Dominick Baier (http://www.leastprivilege.com)
    > >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>
    > >>> Thanks. What I find ironic is MS's own webpage that covers this
    > >>> mentions nothing about how to use it to protect assemblies. I assume
    > >>> it's documented elsewhere? in your book?
    > >>>
    > >>> http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
    > >>> ge tcallingassembly.aspx
    > >>>
    > >>> "Dominick Baier" wrote:
    > >>>
    > >>>> and as i said you can do that.
    > >>>>
    > >>>> Check Assembly.GetCallingAssembly()
    > >>>>
    > >>>> -----
    > >>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>> It's much more difficult to reverse engineer/re-use compiled
    > >>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    > >>>>> talking about basic security meaures to protect someone from
    > >>>>> copying/executing methods within an assembly authored by someone
    > >>>>> else? I understand any software can be compromised given enough
    > >>>>> time, talent, etc. But given some mechanism to implement *basic*
    > >>>>> security it would help prevent your average "joe" user from
    > >>>>> executing code within your own assemblies. It seams something
    > >>>>> could be done to implement basic "I authored this assembly and I
    > >>>>> don't want anyone else to re-use it outside *my* applications"
    > >>>>> type security.
    > >>>>>
    > >>>>> "Dominick Baier" wrote:
    > >>>>>
    > >>>>>> you never could that - in no language...
    > >>>>>>
    > >>>>>> Or do you think vendors like Microsoft haven't tried preventing
    > >>>>>> people to use e.g. Windows without paying for it??
    > >>>>>>
    > >>>>>> -----
    > >>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    > >>>>>>> With security being one of the most important aspects of
    > >>>>>>> applications today one cannot protect their own assemblies to
    > >>>>>>> prevent others from using them? I am sitting here wondering why
    > >>>>>>> anyone is developing with .NET!? Jesus.
    > >>>>>>>
    > >>>>>>> "Dominick Baier" wrote:
    > >>>>>>>
    > >>>>>>>> short answer: you can't
    > >>>>>>>>
    > >>>>>>>> longer answer:
    > >>>>>>>>
    > >>>>>>>> you can try to do your best - like checking the SN of the
    > >>>>>>>> caller - but it all boils down to: if you hand out your code
    > >>>>>>>> (even in binary format) a skilled person can do to it whatever
    > >>>>>>>> he wants...
    > >>>>>>>>
    > >>>>>>>> There are companies that have much more budget trying to solve
    > >>>>>>>> these problems (games vendors, big commercial software, OS etc)
    > >>>>>>>> - and everything has been cracked so far...
    > >>>>>>>>
    > >>>>>>>> -----
    > >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>>>> I have a collection of various .NET assemblies I authored used
    > >>>>>>>>> in various applications within our corporate Intranet. The
    > >>>>>>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    > >>>>>>>>> therefore many of the assemblies are distributed to end user
    > >>>>>>>>> systems (they are not installed in the GAC).
    > >>>>>>>>>
    > >>>>>>>>> It is my understanding that anyone can basically copy a .NET
    > >>>>>>>>> assembly, create a reference to it and consume it's public
    > >>>>>>>>> methods if CAS is not implemented in some fashion? I
    > >>>>>>>>> understand .NET assemblies are just MSIL code and meta data
    > >>>>>>>>> and can be reverse engineered quite easily (based on what I've
    > >>>>>>>>> read) using tools like the .NET reflector, etc. if they are
    > >>>>>>>>> not obfuscated. I'm not so concerned with this security aspect
    > >>>>>>>>> as developers/end users reusing my .NET assemblies in their
    > >>>>>>>>> own applications.
    > >>>>>>>>>
    > >>>>>>>>> In short, I've read where with Framework 1.1 one could use the
    > >>>>>>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > >>>>>>>>> PublicKey="public key" ...) declaration at a class/function
    > >>>>>>>>> level which would throw a runtime error if any consumer tried
    > >>>>>>>>> to use a strong-named assembly where the caller was not also
    > >>>>>>>>> signed with the same strong-name key. I then found this is no
    > >>>>>>>>> longer the case in .NET 2.0 where if the caller is fully
    > >>>>>>>>> trusted the StrongNameIdentifyPermission check is completey
    > >>>>>>>>> disregarded as discussed here?
    > >>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
    > >>>>>>>>> el in es 00 03_class3
    > >>>>>>>>>
    > >>>>>>>>> How can I protect my .NET 2.0 assemblies from being consumed
    > >>>>>>>>> by other applications?
    > >>>>>>>>>

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #12
  13. i am not sure what you are talking about...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > .NET is flawed IMHO when it comes to security.
    >
    > -Jeff MCSD.net
    > ADP Dealer Services
    > "Dominick Baier" wrote:
    >
    >> that's no hack, thats no special feature - thats how .net works....
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> Ah, the ol' undocumented special feature thing :) I'll do some
    >>> research and see if I can figure out the hack. thanks again for
    >>> your help.
    >>>
    >>> -Jeff
    >>>
    >>> "Dominick Baier" wrote:
    >>>
    >>>> not sure if it is documented.
    >>>>
    >>>> You can extract the strong name of the calling assembly and compare
    >>>> it to a list of allowed names - thats it...
    >>>>
    >>>> -----
    >>>> Dominick Baier (http://www.leastprivilege.com)
    >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>> Thanks. What I find ironic is MS's own webpage that covers this
    >>>>> mentions nothing about how to use it to protect assemblies. I
    >>>>> assume it's documented elsewhere? in your book?
    >>>>>
    >>>>> http://msdn2.microsoft.com/en-us/library/system.reflection.assembl
    >>>>> y. ge tcallingassembly.aspx
    >>>>>
    >>>>> "Dominick Baier" wrote:
    >>>>>
    >>>>>> and as i said you can do that.
    >>>>>>
    >>>>>> Check Assembly.GetCallingAssembly()
    >>>>>>
    >>>>>> -----
    >>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>> It's much more difficult to reverse engineer/re-use compiled
    >>>>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    >>>>>>> talking about basic security meaures to protect someone from
    >>>>>>> copying/executing methods within an assembly authored by someone
    >>>>>>> else? I understand any software can be compromised given
    >>>>>>> enough time, talent, etc. But given some mechanism to implement
    >>>>>>> *basic* security it would help prevent your average "joe" user
    >>>>>>> from executing code within your own assemblies. It seams
    >>>>>>> something could be done to implement basic "I authored this
    >>>>>>> assembly and I don't want anyone else to re-use it outside *my*
    >>>>>>> applications" type security.
    >>>>>>>
    >>>>>>> "Dominick Baier" wrote:
    >>>>>>>
    >>>>>>>> you never could that - in no language...
    >>>>>>>>
    >>>>>>>> Or do you think vendors like Microsoft haven't tried preventing
    >>>>>>>> people to use e.g. Windows without paying for it??
    >>>>>>>>
    >>>>>>>> -----
    >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    >>>>>>>>> With security being one of the most important aspects of
    >>>>>>>>> applications today one cannot protect their own assemblies to
    >>>>>>>>> prevent others from using them? I am sitting here wondering
    >>>>>>>>> why
    >>>>>>>>> anyone is developing with .NET!? Jesus.
    >>>>>>>>> "Dominick Baier" wrote:
    >>>>>>>>>
    >>>>>>>>>> short answer: you can't
    >>>>>>>>>>
    >>>>>>>>>> longer answer:
    >>>>>>>>>>
    >>>>>>>>>> you can try to do your best - like checking the SN of the
    >>>>>>>>>> caller - but it all boils down to: if you hand out your code
    >>>>>>>>>> (even in binary format) a skilled person can do to it
    >>>>>>>>>> whatever he wants...
    >>>>>>>>>>
    >>>>>>>>>> There are companies that have much more budget trying to
    >>>>>>>>>> solve these problems (games vendors, big commercial software,
    >>>>>>>>>> OS etc) - and everything has been cracked so far...
    >>>>>>>>>>
    >>>>>>>>>> -----
    >>>>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>>>>> I have a collection of various .NET assemblies I authored
    >>>>>>>>>>> used in various applications within our corporate Intranet.
    >>>>>>>>>>> The assemblies are used in fat-client apps, asp.net apps,
    >>>>>>>>>>> etc, therefore many of the assemblies are distributed to end
    >>>>>>>>>>> user systems (they are not installed in the GAC).
    >>>>>>>>>>>
    >>>>>>>>>>> It is my understanding that anyone can basically copy a .NET
    >>>>>>>>>>> assembly, create a reference to it and consume it's public
    >>>>>>>>>>> methods if CAS is not implemented in some fashion? I
    >>>>>>>>>>> understand .NET assemblies are just MSIL code and meta data
    >>>>>>>>>>> and can be reverse engineered quite easily (based on what
    >>>>>>>>>>> I've read) using tools like the .NET reflector, etc. if they
    >>>>>>>>>>> are not obfuscated. I'm not so concerned with this security
    >>>>>>>>>>> aspect as developers/end users reusing my .NET assemblies in
    >>>>>>>>>>> their own applications.
    >>>>>>>>>>>
    >>>>>>>>>>> In short, I've read where with Framework 1.1 one could use
    >>>>>>>>>>> the [StrongNameIdentityPermission ( SecurityAction.Demand ,
    >>>>>>>>>>> PublicKey="public key" ...) declaration at a class/function
    >>>>>>>>>>> level which would throw a runtime error if any consumer
    >>>>>>>>>>> tried to use a strong-named assembly where the caller was
    >>>>>>>>>>> not also signed with the same strong-name key. I then found
    >>>>>>>>>>> this is no longer the case in .NET 2.0 where if the caller
    >>>>>>>>>>> is fully trusted the StrongNameIdentifyPermission check is
    >>>>>>>>>>> completey disregarded as discussed here?
    >>>>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#paggu
    >>>>>>>>>>> id el in es 00 03_class3
    >>>>>>>>>>>
    >>>>>>>>>>> How can I protect my .NET 2.0 assemblies from being consumed
    >>>>>>>>>>> by other applications?
    >>>>>>>>>>>
     
    Dominick Baier, Mar 29, 2007
    #13
  14. Tophog

    Tophog Guest

    yes, I realize that.

    "Dominick Baier" wrote:

    > i am not sure what you are talking about...
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
    >
    > > .NET is flawed IMHO when it comes to security.
    > >
    > > -Jeff MCSD.net
    > > ADP Dealer Services
    > > "Dominick Baier" wrote:
    > >
    > >> that's no hack, thats no special feature - thats how .net works....
    > >>
    > >> -----
    > >> Dominick Baier (http://www.leastprivilege.com)
    > >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>
    > >>> Ah, the ol' undocumented special feature thing :) I'll do some
    > >>> research and see if I can figure out the hack. thanks again for
    > >>> your help.
    > >>>
    > >>> -Jeff
    > >>>
    > >>> "Dominick Baier" wrote:
    > >>>
    > >>>> not sure if it is documented.
    > >>>>
    > >>>> You can extract the strong name of the calling assembly and compare
    > >>>> it to a list of allowed names - thats it...
    > >>>>
    > >>>> -----
    > >>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>> Thanks. What I find ironic is MS's own webpage that covers this
    > >>>>> mentions nothing about how to use it to protect assemblies. I
    > >>>>> assume it's documented elsewhere? in your book?
    > >>>>>
    > >>>>> http://msdn2.microsoft.com/en-us/library/system.reflection.assembl
    > >>>>> y. ge tcallingassembly.aspx
    > >>>>>
    > >>>>> "Dominick Baier" wrote:
    > >>>>>
    > >>>>>> and as i said you can do that.
    > >>>>>>
    > >>>>>> Check Assembly.GetCallingAssembly()
    > >>>>>>
    > >>>>>> -----
    > >>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>> It's much more difficult to reverse engineer/re-use compiled
    > >>>>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    > >>>>>>> talking about basic security meaures to protect someone from
    > >>>>>>> copying/executing methods within an assembly authored by someone
    > >>>>>>> else? I understand any software can be compromised given
    > >>>>>>> enough time, talent, etc. But given some mechanism to implement
    > >>>>>>> *basic* security it would help prevent your average "joe" user
    > >>>>>>> from executing code within your own assemblies. It seams
    > >>>>>>> something could be done to implement basic "I authored this
    > >>>>>>> assembly and I don't want anyone else to re-use it outside *my*
    > >>>>>>> applications" type security.
    > >>>>>>>
    > >>>>>>> "Dominick Baier" wrote:
    > >>>>>>>
    > >>>>>>>> you never could that - in no language...
    > >>>>>>>>
    > >>>>>>>> Or do you think vendors like Microsoft haven't tried preventing
    > >>>>>>>> people to use e.g. Windows without paying for it??
    > >>>>>>>>
    > >>>>>>>> -----
    > >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    > >>>>>>>>> With security being one of the most important aspects of
    > >>>>>>>>> applications today one cannot protect their own assemblies to
    > >>>>>>>>> prevent others from using them? I am sitting here wondering
    > >>>>>>>>> why
    > >>>>>>>>> anyone is developing with .NET!? Jesus.
    > >>>>>>>>> "Dominick Baier" wrote:
    > >>>>>>>>>
    > >>>>>>>>>> short answer: you can't
    > >>>>>>>>>>
    > >>>>>>>>>> longer answer:
    > >>>>>>>>>>
    > >>>>>>>>>> you can try to do your best - like checking the SN of the
    > >>>>>>>>>> caller - but it all boils down to: if you hand out your code
    > >>>>>>>>>> (even in binary format) a skilled person can do to it
    > >>>>>>>>>> whatever he wants...
    > >>>>>>>>>>
    > >>>>>>>>>> There are companies that have much more budget trying to
    > >>>>>>>>>> solve these problems (games vendors, big commercial software,
    > >>>>>>>>>> OS etc) - and everything has been cracked so far...
    > >>>>>>>>>>
    > >>>>>>>>>> -----
    > >>>>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    > >>>>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    > >>>>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    > >>>>>>>>>>> I have a collection of various .NET assemblies I authored
    > >>>>>>>>>>> used in various applications within our corporate Intranet.
    > >>>>>>>>>>> The assemblies are used in fat-client apps, asp.net apps,
    > >>>>>>>>>>> etc, therefore many of the assemblies are distributed to end
    > >>>>>>>>>>> user systems (they are not installed in the GAC).
    > >>>>>>>>>>>
    > >>>>>>>>>>> It is my understanding that anyone can basically copy a .NET
    > >>>>>>>>>>> assembly, create a reference to it and consume it's public
    > >>>>>>>>>>> methods if CAS is not implemented in some fashion? I
    > >>>>>>>>>>> understand .NET assemblies are just MSIL code and meta data
    > >>>>>>>>>>> and can be reverse engineered quite easily (based on what
    > >>>>>>>>>>> I've read) using tools like the .NET reflector, etc. if they
    > >>>>>>>>>>> are not obfuscated. I'm not so concerned with this security
    > >>>>>>>>>>> aspect as developers/end users reusing my .NET assemblies in
    > >>>>>>>>>>> their own applications.
    > >>>>>>>>>>>
    > >>>>>>>>>>> In short, I've read where with Framework 1.1 one could use
    > >>>>>>>>>>> the [StrongNameIdentityPermission ( SecurityAction.Demand ,
    > >>>>>>>>>>> PublicKey="public key" ...) declaration at a class/function
    > >>>>>>>>>>> level which would throw a runtime error if any consumer
    > >>>>>>>>>>> tried to use a strong-named assembly where the caller was
    > >>>>>>>>>>> not also signed with the same strong-name key. I then found
    > >>>>>>>>>>> this is no longer the case in .NET 2.0 where if the caller
    > >>>>>>>>>>> is fully trusted the StrongNameIdentifyPermission check is
    > >>>>>>>>>>> completey disregarded as discussed here?
    > >>>>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#paggu
    > >>>>>>>>>>> id el in es 00 03_class3
    > >>>>>>>>>>>
    > >>>>>>>>>>> How can I protect my .NET 2.0 assemblies from being consumed
    > >>>>>>>>>>> by other applications?
    > >>>>>>>>>>>

    >
    >
    >
     
    Tophog, Mar 29, 2007
    #14
  15. Tophog

    Ornette Guest

    Why not implement your own protection in the constructor of you assembly ?
    You can check whatever you want.

    I can't understand what the point with .NET...

    "Tophog" <> wrote in message
    news:...
    > Say I have a compiled COM-based DLL (binary) 'helloworld.dll' with a
    > function
    > that simply returns "Hello World". I build the DLL and distribute it with
    > a
    > fat-client application that is installed on a developers desktop.
    >
    > Now I build a .NET dll with the same function and distribute it with a
    > client app to the same users desktop.
    >
    > Which DLL is going to be easier for the user re-use in his/her own
    > application? Why? (I know the answer already, it's not a trick question)
    >
    > Shouldn't the .NET dll be more difficult to re-use simply based on the
    > fact
    > .NET is the "latest/greatest" technology in this day security is one, if
    > not
    > the most, important aspect of software applications?
    >
    >
    > "Dominick Baier" wrote:
    >
    >> that's no hack, thats no special feature - thats how .net works....
    >>
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >>
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >> > Ah, the ol' undocumented special feature thing :) I'll do some
    >> > research and see if I can figure out the hack. thanks again for your
    >> > help.
    >> >
    >> > -Jeff
    >> >
    >> > "Dominick Baier" wrote:
    >> >
    >> >> not sure if it is documented.
    >> >>
    >> >> You can extract the strong name of the calling assembly and compare
    >> >> it to a list of allowed names - thats it...
    >> >>
    >> >> -----
    >> >> Dominick Baier (http://www.leastprivilege.com)
    >> >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> >> (http://www.microsoft.com/mspress/books/9989.asp)
    >> >>
    >> >>> Thanks. What I find ironic is MS's own webpage that covers this
    >> >>> mentions nothing about how to use it to protect assemblies. I assume
    >> >>> it's documented elsewhere? in your book?
    >> >>>
    >> >>> http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
    >> >>> ge tcallingassembly.aspx
    >> >>>
    >> >>> "Dominick Baier" wrote:
    >> >>>
    >> >>>> and as i said you can do that.
    >> >>>>
    >> >>>> Check Assembly.GetCallingAssembly()
    >> >>>>
    >> >>>> -----
    >> >>>> Dominick Baier (http://www.leastprivilege.com)
    >> >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >> >>>>> It's much more difficult to reverse engineer/re-use compiled
    >> >>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    >> >>>>> talking about basic security meaures to protect someone from
    >> >>>>> copying/executing methods within an assembly authored by someone
    >> >>>>> else? I understand any software can be compromised given enough
    >> >>>>> time, talent, etc. But given some mechanism to implement *basic*
    >> >>>>> security it would help prevent your average "joe" user from
    >> >>>>> executing code within your own assemblies. It seams something
    >> >>>>> could be done to implement basic "I authored this assembly and I
    >> >>>>> don't want anyone else to re-use it outside *my* applications"
    >> >>>>> type security.
    >> >>>>>
    >> >>>>> "Dominick Baier" wrote:
    >> >>>>>
    >> >>>>>> you never could that - in no language...
    >> >>>>>>
    >> >>>>>> Or do you think vendors like Microsoft haven't tried preventing
    >> >>>>>> people to use e.g. Windows without paying for it??
    >> >>>>>>
    >> >>>>>> -----
    >> >>>>>> Dominick Baier (http://www.leastprivilege.com)
    >> >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >> >>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    >> >>>>>>> With security being one of the most important aspects of
    >> >>>>>>> applications today one cannot protect their own assemblies to
    >> >>>>>>> prevent others from using them? I am sitting here wondering why
    >> >>>>>>> anyone is developing with .NET!? Jesus.
    >> >>>>>>>
    >> >>>>>>> "Dominick Baier" wrote:
    >> >>>>>>>
    >> >>>>>>>> short answer: you can't
    >> >>>>>>>>
    >> >>>>>>>> longer answer:
    >> >>>>>>>>
    >> >>>>>>>> you can try to do your best - like checking the SN of the
    >> >>>>>>>> caller - but it all boils down to: if you hand out your code
    >> >>>>>>>> (even in binary format) a skilled person can do to it whatever
    >> >>>>>>>> he wants...
    >> >>>>>>>>
    >> >>>>>>>> There are companies that have much more budget trying to solve
    >> >>>>>>>> these problems (games vendors, big commercial software, OS etc)
    >> >>>>>>>> - and everything has been cracked so far...
    >> >>>>>>>>
    >> >>>>>>>> -----
    >> >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >> >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >> >>>>>>>>> I have a collection of various .NET assemblies I authored used
    >> >>>>>>>>> in various applications within our corporate Intranet. The
    >> >>>>>>>>> assemblies are used in fat-client apps, asp.net apps, etc,
    >> >>>>>>>>> therefore many of the assemblies are distributed to end user
    >> >>>>>>>>> systems (they are not installed in the GAC).
    >> >>>>>>>>>
    >> >>>>>>>>> It is my understanding that anyone can basically copy a .NET
    >> >>>>>>>>> assembly, create a reference to it and consume it's public
    >> >>>>>>>>> methods if CAS is not implemented in some fashion? I
    >> >>>>>>>>> understand .NET assemblies are just MSIL code and meta data
    >> >>>>>>>>> and can be reverse engineered quite easily (based on what I've
    >> >>>>>>>>> read) using tools like the .NET reflector, etc. if they are
    >> >>>>>>>>> not obfuscated. I'm not so concerned with this security aspect
    >> >>>>>>>>> as developers/end users reusing my .NET assemblies in their
    >> >>>>>>>>> own applications.
    >> >>>>>>>>>
    >> >>>>>>>>> In short, I've read where with Framework 1.1 one could use the
    >> >>>>>>>>> [StrongNameIdentityPermission ( SecurityAction.Demand ,
    >> >>>>>>>>> PublicKey="public key" ...) declaration at a class/function
    >> >>>>>>>>> level which would throw a runtime error if any consumer tried
    >> >>>>>>>>> to use a strong-named assembly where the caller was not also
    >> >>>>>>>>> signed with the same strong-name key. I then found this is no
    >> >>>>>>>>> longer the case in .NET 2.0 where if the caller is fully
    >> >>>>>>>>> trusted the StrongNameIdentifyPermission check is completey
    >> >>>>>>>>> disregarded as discussed here?
    >> >>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
    >> >>>>>>>>> el in es 00 03_class3
    >> >>>>>>>>>
    >> >>>>>>>>> How can I protect my .NET 2.0 assemblies from being consumed
    >> >>>>>>>>> by other applications?
    >> >>>>>>>>>

    >>
    >>
    >>
     
    Ornette, Mar 30, 2007
    #15
  16. What's your problem? Do you want help - or just rant?

    AFAIK you already have all the answers? If you have more questions ask them
    - and there will be somebody who will help you.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > yes, I realize that.
    >
    > "Dominick Baier" wrote:
    >
    >> i am not sure what you are talking about...
    >>
    >> -----
    >> Dominick Baier (http://www.leastprivilege.com)
    >> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >> (http://www.microsoft.com/mspress/books/9989.asp)
    >>
    >>> .NET is flawed IMHO when it comes to security.
    >>>
    >>> -Jeff MCSD.net
    >>> ADP Dealer Services
    >>> "Dominick Baier" wrote:
    >>>> that's no hack, thats no special feature - thats how .net works....
    >>>>
    >>>> -----
    >>>> Dominick Baier (http://www.leastprivilege.com)
    >>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>> Ah, the ol' undocumented special feature thing :) I'll do some
    >>>>> research and see if I can figure out the hack. thanks again for
    >>>>> your help.
    >>>>>
    >>>>> -Jeff
    >>>>>
    >>>>> "Dominick Baier" wrote:
    >>>>>
    >>>>>> not sure if it is documented.
    >>>>>>
    >>>>>> You can extract the strong name of the calling assembly and
    >>>>>> compare it to a list of allowed names - thats it...
    >>>>>>
    >>>>>> -----
    >>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>> Thanks. What I find ironic is MS's own webpage that covers this
    >>>>>>> mentions nothing about how to use it to protect assemblies. I
    >>>>>>> assume it's documented elsewhere? in your book?
    >>>>>>>
    >>>>>>> http://msdn2.microsoft.com/en-us/library/system.reflection.assem
    >>>>>>> bl y. ge tcallingassembly.aspx
    >>>>>>>
    >>>>>>> "Dominick Baier" wrote:
    >>>>>>>
    >>>>>>>> and as i said you can do that.
    >>>>>>>>
    >>>>>>>> Check Assembly.GetCallingAssembly()
    >>>>>>>>
    >>>>>>>> -----
    >>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>>> It's much more difficult to reverse engineer/re-use compiled
    >>>>>>>>> binaries as opposed to MSIL-based assemblies isn't it? I'm
    >>>>>>>>> talking about basic security meaures to protect someone from
    >>>>>>>>> copying/executing methods within an assembly authored by
    >>>>>>>>> someone else? I understand any software can be compromised
    >>>>>>>>> given enough time, talent, etc. But given some mechanism to
    >>>>>>>>> implement *basic* security it would help prevent your average
    >>>>>>>>> "joe" user from executing code within your own assemblies. It
    >>>>>>>>> seams something could be done to implement basic "I authored
    >>>>>>>>> this assembly and I don't want anyone else to re-use it
    >>>>>>>>> outside *my* applications" type security.
    >>>>>>>>>
    >>>>>>>>> "Dominick Baier" wrote:
    >>>>>>>>>
    >>>>>>>>>> you never could that - in no language...
    >>>>>>>>>>
    >>>>>>>>>> Or do you think vendors like Microsoft haven't tried
    >>>>>>>>>> preventing people to use e.g. Windows without paying for it??
    >>>>>>>>>>
    >>>>>>>>>> -----
    >>>>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>>>>> Amazing :( I am losing respect for .NET the more I use it.
    >>>>>>>>>>> With security being one of the most important aspects of
    >>>>>>>>>>> applications today one cannot protect their own assemblies
    >>>>>>>>>>> to
    >>>>>>>>>>> prevent others from using them? I am sitting here wondering
    >>>>>>>>>>> why
    >>>>>>>>>>> anyone is developing with .NET!? Jesus.
    >>>>>>>>>>> "Dominick Baier" wrote:
    >>>>>>>>>>>> short answer: you can't
    >>>>>>>>>>>>
    >>>>>>>>>>>> longer answer:
    >>>>>>>>>>>>
    >>>>>>>>>>>> you can try to do your best - like checking the SN of the
    >>>>>>>>>>>> caller - but it all boils down to: if you hand out your
    >>>>>>>>>>>> code (even in binary format) a skilled person can do to it
    >>>>>>>>>>>> whatever he wants...
    >>>>>>>>>>>>
    >>>>>>>>>>>> There are companies that have much more budget trying to
    >>>>>>>>>>>> solve these problems (games vendors, big commercial
    >>>>>>>>>>>> software, OS etc) - and everything has been cracked so
    >>>>>>>>>>>> far...
    >>>>>>>>>>>>
    >>>>>>>>>>>> -----
    >>>>>>>>>>>> Dominick Baier (http://www.leastprivilege.com)
    >>>>>>>>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications
    >>>>>>>>>>>> (http://www.microsoft.com/mspress/books/9989.asp)
    >>>>>>>>>>>>> I have a collection of various .NET assemblies I authored
    >>>>>>>>>>>>> used in various applications within our corporate
    >>>>>>>>>>>>> Intranet. The assemblies are used in fat-client apps,
    >>>>>>>>>>>>> asp.net apps, etc, therefore many of the assemblies are
    >>>>>>>>>>>>> distributed to end user systems (they are not installed in
    >>>>>>>>>>>>> the GAC).
    >>>>>>>>>>>>>
    >>>>>>>>>>>>> It is my understanding that anyone can basically copy a
    >>>>>>>>>>>>> .NET assembly, create a reference to it and consume it's
    >>>>>>>>>>>>> public methods if CAS is not implemented in some fashion?
    >>>>>>>>>>>>> I understand .NET assemblies are just MSIL code and meta
    >>>>>>>>>>>>> data and can be reverse engineered quite easily (based on
    >>>>>>>>>>>>> what I've read) using tools like the .NET reflector, etc.
    >>>>>>>>>>>>> if they are not obfuscated. I'm not so concerned with this
    >>>>>>>>>>>>> security aspect as developers/end users reusing my .NET
    >>>>>>>>>>>>> assemblies in their own applications.
    >>>>>>>>>>>>>
    >>>>>>>>>>>>> In short, I've read where with Framework 1.1 one could use
    >>>>>>>>>>>>> the [StrongNameIdentityPermission ( SecurityAction.Demand
    >>>>>>>>>>>>> , PublicKey="public key" ...) declaration at a
    >>>>>>>>>>>>> class/function level which would throw a runtime error if
    >>>>>>>>>>>>> any consumer tried to use a strong-named assembly where
    >>>>>>>>>>>>> the caller was not also signed with the same strong-name
    >>>>>>>>>>>>> key. I then found this is no longer the case in .NET 2.0
    >>>>>>>>>>>>> where if the caller is fully trusted the
    >>>>>>>>>>>>> StrongNameIdentifyPermission check is completey
    >>>>>>>>>>>>> disregarded as discussed here?
    >>>>>>>>>>>>> http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pag
    >>>>>>>>>>>>> gu id el in es 00 03_class3
    >>>>>>>>>>>>>
    >>>>>>>>>>>>> How can I protect my .NET 2.0 assemblies from being
    >>>>>>>>>>>>> consumed by other applications?
    >>>>>>>>>>>>>
     
    Dominick Baier, Mar 30, 2007
    #16
  17. Tophog

    Wibberlet Guest

    Hi Tophog,

    I read this post with interest and basically agree with what you are saying.
    It is certainly easier to decompile .Net assemblies than COM assemblies due
    to the IL that they use.

    Obfuscators can protect your code from all but the most determined (and
    skilled) hackers but they are still not perfect and certainly not tamper
    proof.

    I worked on a previous project where the customer bought the source code
    that we produced and insisted on security. The only way we were able to
    convince them that the code was secure was to use an asp.net solution where
    the intellectual copyright was preserved on a web server. Of course, you have
    to trust the host here or host it yourself.

    The whole code security issue is a problem regardless of the language you
    are using but I do sometimes think that more could be done to help secure the
    work that we produce.

    regards - wibberlet
    Development blog at http://wibberlet.blogspot.com

    ====================================

    "Tophog" wrote:

    > I have a collection of various .NET assemblies I authored used in various
    > applications within our corporate Intranet. The assemblies are used in
    > fat-client apps, asp.net apps, etc, therefore many of the assemblies are
    > distributed to end user systems (they are not installed in the GAC).
    >
    > It is my understanding that anyone can basically copy a .NET assembly,
    > create a reference to it and consume it's public methods if CAS is not
    > implemented in some fashion? I understand .NET assemblies are just MSIL code
    > and meta data and can be reverse engineered quite easily (based on what I've
    > read) using tools like the .NET reflector, etc. if they are not obfuscated.
    > I'm not so concerned with this security aspect as developers/end users
    > reusing my .NET assemblies in their own applications.
    >
    > In short, I've read where with Framework 1.1 one could use the
    > [StrongNameIdentityPermission ( SecurityAction.Demand , PublicKey="public
    > key" ...) declaration at a class/function level which would throw a runtime
    > error if any consumer tried to use a strong-named assembly where the caller
    > was not also signed with the same strong-name key. I then found this is no
    > longer the case in .NET 2.0 where if the caller is fully trusted the
    > StrongNameIdentifyPermission check is completey disregarded as discussed here?
    > http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines0003_class3
    >
    > How can I protect my .NET 2.0 assemblies from being consumed by other
    > applications?
     
    Wibberlet, Apr 2, 2007
    #17
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Timothy
    Replies:
    1
    Views:
    542
    Gaurav Khanna [C# MVP]
    Jan 27, 2004
  2. Rick Strahl [MVP]

    ASP.Net Runtime Hosting and finding Assemblies

    Rick Strahl [MVP], Oct 18, 2003, in forum: ASP .Net
    Replies:
    5
    Views:
    712
    Natty Gur
    Nov 2, 2003
  3. Gert Conradie

    Protecting classic ASP pages with ASP.NET 2.0

    Gert Conradie, Aug 2, 2006, in forum: ASP .Net
    Replies:
    0
    Views:
    565
    Gert Conradie
    Aug 2, 2006
  4. Kulgan

    Different Assemblies At Runtime

    Kulgan, Aug 9, 2007, in forum: ASP .Net
    Replies:
    3
    Views:
    303
    Alexey Smirnov
    Aug 9, 2007
  5. Dutt
    Replies:
    1
    Views:
    475
Loading...

Share This Page