Protecting .NET assemblies (runtime)

[Tophog]

I have a collection of various .NET assemblies I authored used in various
applications within our corporate Intranet. The assemblies are used in
fat-client apps, asp.net apps, etc, therefore many of the assemblies are
distributed to end user systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET assembly,
create a reference to it and consume it's public methods if CAS is not
implemented in some fashion? I understand .NET assemblies are just MSIL code
and meta data and can be reverse engineered quite easily (based on what I've
read) using tools like the .NET reflector, etc. if they are not obfuscated.
I'm not so concerned with this security aspect as developers/end users
reusing my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand , PublicKey="public
key" ...) declaration at a class/function level which would throw a runtime
error if any consumer tried to use a strong-named assembly where the caller
was not also signed with the same strong-name key. I then found this is no
longer the case in .NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as discussed here
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines0003_class3

How can I protect my .NET 2.0 assemblies from being consumed by other
applications?

 

[Dominick Baier]

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller - but it
all boils down to: if you hand out your code (even in binary format) a skilled
person can do to it whatever he wants...

There are companies that have much more budget trying to solve these problems
(games vendors, big commercial software, OS etc) - and everything has been
cracked so far...

 

[Tophog]

Amazing I am losing respect for .NET the more I use it. With security
being one of the most important aspects of applications today one cannot
protect their own assemblies to prevent others from using them? I am sitting
here wondering why anyone is developing with .NET!? Jesus.

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller - but it
all boils down to: if you hand out your code (even in binary format) a skilled
person can do to it whatever he wants...

There are companies that have much more budget trying to solve these problems
(games vendors, big commercial software, OS etc) - and everything has been
cracked so far...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The assemblies
are used in fat-client apps, asp.net apps, etc, therefore many of the
assemblies are distributed to end user systems (they are not installed
in the GAC).

It is my understanding that anyone can basically copy a .NET assembly,
create a reference to it and consume it's public methods if CAS is not
implemented in some fashion? I understand .NET assemblies are just
MSIL code and meta data and can be reverse engineered quite easily
(based on what I've read) using tools like the .NET reflector, etc. if
they are not obfuscated. I'm not so concerned with this security
aspect as developers/end users reusing my .NET assemblies in their own
applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with the
same strong-name key. I then found this is no longer the case in .NET
2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines00
03_class3

How can I protect my .NET 2.0 assemblies from being consumed by other
applications?

 

[Dominick Baier]

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing people to
use e.g. Windows without paying for it??


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Amazing I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications today
one cannot protect their own assemblies to prevent others from using
them? I am sitting here wondering why anyone is developing with
.NET!? Jesus.

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller -
but it all boils down to: if you hand out your code (even in binary
format) a skilled person can do to it whatever he wants...

There are companies that have much more budget trying to solve these
problems (games vendors, big commercial software, OS etc) - and
everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The assemblies
are used in fat-client apps, asp.net apps, etc, therefore many of
the assemblies are distributed to end user systems (they are not
installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public methods
if CAS is not implemented in some fashion? I understand .NET
assemblies are just MSIL code and meta data and can be reverse
engineered quite easily (based on what I've read) using tools like
the .NET reflector, etc. if they are not obfuscated. I'm not so
concerned with this security aspect as developers/end users reusing
my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with the
same strong-name key. I then found this is no longer the case in
.NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines
00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed by
other applications?

 

[Tophog]

It's much more difficult to reverse engineer/re-use compiled binaries as
opposed to MSIL-based assemblies isn't it? I'm talking about basic security
meaures to protect someone from copying/executing methods within an assembly
authored by someone else? I understand any software can be compromised
given enough time, talent, etc. But given some mechanism to implement
*basic* security it would help prevent your average "joe" user from executing
code within your own assemblies. It seams something could be done to
implement basic "I authored this assembly and I don't want anyone else to
re-use it outside *my* applications" type security.

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing people to
use e.g. Windows without paying for it??


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Amazing I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications today
one cannot protect their own assemblies to prevent others from using
them? I am sitting here wondering why anyone is developing with
.NET!? Jesus.

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller -
but it all boils down to: if you hand out your code (even in binary
format) a skilled person can do to it whatever he wants...

There are companies that have much more budget trying to solve these
problems (games vendors, big commercial software, OS etc) - and
everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The assemblies
are used in fat-client apps, asp.net apps, etc, therefore many of
the assemblies are distributed to end user systems (they are not
installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public methods
if CAS is not implemented in some fashion? I understand .NET
assemblies are just MSIL code and meta data and can be reverse
engineered quite easily (based on what I've read) using tools like
the .NET reflector, etc. if they are not obfuscated. I'm not so
concerned with this security aspect as developers/end users reusing
my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with the
same strong-name key. I then found this is no longer the case in
.NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelines
00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed by
other applications?

 

[Dominick Baier]

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

It's much more difficult to reverse engineer/re-use compiled binaries
as opposed to MSIL-based assemblies isn't it? I'm talking about basic
security meaures to protect someone from copying/executing methods
within an assembly authored by someone else? I understand any
software can be compromised given enough time, talent, etc. But given
some mechanism to implement *basic* security it would help prevent
your average "joe" user from executing code within your own
assemblies. It seams something could be done to implement basic "I
authored this assembly and I don't want anyone else to re-use it
outside *my* applications" type security.

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Amazing I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications
today one cannot protect their own assemblies to prevent others from
using them? I am sitting here wondering why anyone is developing
with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller -
but it all boils down to: if you hand out your code (even in binary
format) a skilled person can do to it whatever he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc) -
and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public methods
if CAS is not implemented in some fashion? I understand .NET
assemblies are just MSIL code and meta data and can be reverse
engineered quite easily (based on what I've read) using tools like
the .NET reflector, etc. if they are not obfuscated. I'm not so
concerned with this security aspect as developers/end users
reusing my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with
the same strong-name key. I then found this is no longer the case
in .NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelin
es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed by
other applications?

 

[Tophog]

Thanks. What I find ironic is MS's own webpage that covers this mentions
nothing about how to use it to protect assemblies. I assume it's documented
elsewhere? in your book?


http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.getcallingassembly.aspx

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

It's much more difficult to reverse engineer/re-use compiled binaries
as opposed to MSIL-based assemblies isn't it? I'm talking about basic
security meaures to protect someone from copying/executing methods
within an assembly authored by someone else? I understand any
software can be compromised given enough time, talent, etc. But given
some mechanism to implement *basic* security it would help prevent
your average "joe" user from executing code within your own
assemblies. It seams something could be done to implement basic "I
authored this assembly and I don't want anyone else to re-use it
outside *my* applications" type security.

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Amazing I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications
today one cannot protect their own assemblies to prevent others from
using them? I am sitting here wondering why anyone is developing
with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller -
but it all boils down to: if you hand out your code (even in binary
format) a skilled person can do to it whatever he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc) -
and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used in
various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public methods
if CAS is not implemented in some fashion? I understand .NET
assemblies are just MSIL code and meta data and can be reverse
engineered quite easily (based on what I've read) using tools like
the .NET reflector, etc. if they are not obfuscated. I'm not so
concerned with this security aspect as developers/end users
reusing my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function level
which would throw a runtime error if any consumer tried to use a
strong-named assembly where the caller was not also signed with
the same strong-name key. I then found this is no longer the case
in .NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidelin
es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed by
other applications?

 

[Dominick Baier]

not sure if it is documented.

You can extract the strong name of the calling assembly and compare it to
a list of allowed names - thats it...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.ge
tcallingassembly.aspx

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm talking
about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seams something could
be done to implement basic "I authored this assembly and I don't
want anyone else to re-use it outside *my* applications" type
security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications
today one cannot protect their own assemblies to prevent others
from using them? I am sitting here wondering why anyone is
developing with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller
- but it all boils down to: if you hand out your code (even in
binary format) a skilled person can do to it whatever he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc) -
and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I understand
.NET assemblies are just MSIL code and meta data and can be
reverse engineered quite easily (based on what I've read) using
tools like the .NET reflector, etc. if they are not obfuscated.
I'm not so concerned with this security aspect as developers/end
users reusing my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried to
use a strong-named assembly where the caller was not also signed
with the same strong-name key. I then found this is no longer
the case in .NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidel
in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed by
other applications?

 

[Tophog]

Ah, the ol' undocumented special feature thing I'll do some research and
see if I can figure out the hack. thanks again for your help.

-Jeff

not sure if it is documented.

You can extract the strong name of the calling assembly and compare it to
a list of allowed names - thats it...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.ge
tcallingassembly.aspx

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm talking
about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seams something could
be done to implement basic "I authored this assembly and I don't
want anyone else to re-use it outside *my* applications" type
security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it. With
security being one of the most important aspects of applications
today one cannot protect their own assemblies to prevent others
from using them? I am sitting here wondering why anyone is
developing with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the caller
- but it all boils down to: if you hand out your code (even in
binary format) a skilled person can do to it whatever he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc) -
and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I understand
.NET assemblies are just MSIL code and meta data and can be
reverse engineered quite easily (based on what I've read) using
tools like the .NET reflector, etc. if they are not obfuscated.
I'm not so concerned with this security aspect as developers/end
users reusing my .NET assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried to
use a strong-named assembly where the caller was not also signed
with the same strong-name key. I then found this is no longer
the case in .NET 2.0 where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey disregarded as
discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguidel
in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed by
other applications?

 

[Dominick Baier]

that's no hack, thats no special feature - thats how .net works....


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for your
help.

-Jeff

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seams something
could be done to implement basic "I authored this assembly and I
don't want anyone else to re-use it outside *my* applications"
type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering why
anyone is developing with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it whatever
he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc)
- and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what I've
read) using tools like the .NET reflector, etc. if they are
not obfuscated. I'm not so concerned with this security aspect
as developers/end users reusing my .NET assemblies in their
own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried
to use a strong-named assembly where the caller was not also
signed with the same strong-name key. I then found this is no
longer the case in .NET 2.0 where if the caller is fully
trusted the StrongNameIdentifyPermission check is completey
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?

 

[Tophog]

..NET is flawed IMHO when it comes to security.

-Jeff MCSD.net
ADP Dealer Services

that's no hack, thats no special feature - thats how .net works....


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for your
help.

-Jeff

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seams something
could be done to implement basic "I authored this assembly and I
don't want anyone else to re-use it outside *my* applications"
type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering why
anyone is developing with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it whatever
he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc)
- and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what I've
read) using tools like the .NET reflector, etc. if they are
not obfuscated. I'm not so concerned with this security aspect
as developers/end users reusing my .NET assemblies in their
own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried
to use a strong-named assembly where the caller was not also
signed with the same strong-name key. I then found this is no
longer the case in .NET 2.0 where if the caller is fully
trusted the StrongNameIdentifyPermission check is completey
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?

 

[Tophog]

Say I have a compiled COM-based DLL (binary) 'helloworld.dll' with a function
that simply returns "Hello World". I build the DLL and distribute it with a
fat-client application that is installed on a developers desktop.

Now I build a .NET dll with the same function and distribute it with a
client app to the same users desktop.

Which DLL is going to be easier for the user re-use in his/her own
application? Why? (I know the answer already, it's not a trick question)

Shouldn't the .NET dll be more difficult to re-use simply based on the fact
..NET is the "latest/greatest" technology in this day security is one, if not
the most, important aspect of software applications?

that's no hack, thats no special feature - thats how .net works....


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for your
help.

-Jeff

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seams something
could be done to implement basic "I authored this assembly and I
don't want anyone else to re-use it outside *my* applications"
type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering why
anyone is developing with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it whatever
he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc)
- and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what I've
read) using tools like the .NET reflector, etc. if they are
not obfuscated. I'm not so concerned with this security aspect
as developers/end users reusing my .NET assemblies in their
own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried
to use a strong-named assembly where the caller was not also
signed with the same strong-name key. I then found this is no
longer the case in .NET 2.0 where if the caller is fully
trusted the StrongNameIdentifyPermission check is completey
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?

 

[Dominick Baier]

i am not sure what you are talking about...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

.NET is flawed IMHO when it comes to security.

-Jeff MCSD.net
ADP Dealer Services

that's no hack, thats no special feature - thats how .net works....

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for
your help.

-Jeff

:

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I
assume it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembl
y. ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given
enough time, talent, etc. But given some mechanism to implement
*basic* security it would help prevent your average "joe" user
from executing code within your own assemblies. It seams
something could be done to implement basic "I authored this
assembly and I don't want anyone else to re-use it outside *my*
applications" type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering
why
anyone is developing with .NET!? Jesus.
:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it
whatever he wants...

There are companies that have much more budget trying to
solve these problems (games vendors, big commercial software,
OS etc) - and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored
used in various applications within our corporate Intranet.
The assemblies are used in fat-client apps, asp.net apps,
etc, therefore many of the assemblies are distributed to end
user systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what
I've read) using tools like the .NET reflector, etc. if they
are not obfuscated. I'm not so concerned with this security
aspect as developers/end users reusing my .NET assemblies in
their own applications.

In short, I've read where with Framework 1.1 one could use
the [StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer
tried to use a strong-named assembly where the caller was
not also signed with the same strong-name key. I then found
this is no longer the case in .NET 2.0 where if the caller
is fully trusted the StrongNameIdentifyPermission check is
completey disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#paggu
id el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?

 

[Tophog]

yes, I realize that.

i am not sure what you are talking about...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

.NET is flawed IMHO when it comes to security.

-Jeff MCSD.net
ADP Dealer Services

that's no hack, thats no special feature - thats how .net works....

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for
your help.

-Jeff

:

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I
assume it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembl
y. ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given
enough time, talent, etc. But given some mechanism to implement
*basic* security it would help prevent your average "joe" user
from executing code within your own assemblies. It seams
something could be done to implement basic "I authored this
assembly and I don't want anyone else to re-use it outside *my*
applications" type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering
why
anyone is developing with .NET!? Jesus.
:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it
whatever he wants...

There are companies that have much more budget trying to
solve these problems (games vendors, big commercial software,
OS etc) - and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored
used in various applications within our corporate Intranet.
The assemblies are used in fat-client apps, asp.net apps,
etc, therefore many of the assemblies are distributed to end
user systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what
I've read) using tools like the .NET reflector, etc. if they
are not obfuscated. I'm not so concerned with this security
aspect as developers/end users reusing my .NET assemblies in
their own applications.

In short, I've read where with Framework 1.1 one could use
the [StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer
tried to use a strong-named assembly where the caller was
not also signed with the same strong-name key. I then found
this is no longer the case in .NET 2.0 where if the caller
is fully trusted the StrongNameIdentifyPermission check is
completey disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#paggu
id el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?

 

[Ornette]

Why not implement your own protection in the constructor of you assembly ?
You can check whatever you want.

I can't understand what the point with .NET...

Say I have a compiled COM-based DLL (binary) 'helloworld.dll' with a
function
that simply returns "Hello World". I build the DLL and distribute it with
a
fat-client application that is installed on a developers desktop.

Now I build a .NET dll with the same function and distribute it with a
client app to the same users desktop.

Which DLL is going to be easier for the user re-use in his/her own
application? Why? (I know the answer already, it's not a trick question)

Shouldn't the .NET dll be more difficult to re-use simply based on the
fact
.NET is the "latest/greatest" technology in this day security is one, if
not
the most, important aspect of software applications?

that's no hack, thats no special feature - thats how .net works....


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for your
help.

-Jeff

:

not sure if it is documented.

You can extract the strong name of the calling assembly and compare
it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I assume
it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assembly.
ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by someone
else? I understand any software can be compromised given enough
time, talent, etc. But given some mechanism to implement *basic*
security it would help prevent your average "joe" user from
executing code within your own assemblies. It seams something
could be done to implement basic "I authored this assembly and I
don't want anyone else to re-use it outside *my* applications"
type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried preventing
people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies to
prevent others from using them? I am sitting here wondering why
anyone is developing with .NET!? Jesus.

:

short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your code
(even in binary format) a skilled person can do to it whatever
he wants...

There are companies that have much more budget trying to solve
these problems (games vendors, big commercial software, OS etc)
- and everything has been cracked so far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored used
in various applications within our corporate Intranet. The
assemblies are used in fat-client apps, asp.net apps, etc,
therefore many of the assemblies are distributed to end user
systems (they are not installed in the GAC).

It is my understanding that anyone can basically copy a .NET
assembly, create a reference to it and consume it's public
methods if CAS is not implemented in some fashion? I
understand .NET assemblies are just MSIL code and meta data
and can be reverse engineered quite easily (based on what I've
read) using tools like the .NET reflector, etc. if they are
not obfuscated. I'm not so concerned with this security aspect
as developers/end users reusing my .NET assemblies in their
own applications.

In short, I've read where with Framework 1.1 one could use the
[StrongNameIdentityPermission ( SecurityAction.Demand ,
PublicKey="public key" ...) declaration at a class/function
level which would throw a runtime error if any consumer tried
to use a strong-named assembly where the caller was not also
signed with the same strong-name key. I then found this is no
longer the case in .NET 2.0 where if the caller is fully
trusted the StrongNameIdentifyPermission check is completey
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pagguid
el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being consumed
by other applications?

 

[Dominick Baier]

What's your problem? Do you want help - or just rant?

AFAIK you already have all the answers? If you have more questions ask them
- and there will be somebody who will help you.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

yes, I realize that.

i am not sure what you are talking about...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)

.NET is flawed IMHO when it comes to security.

-Jeff MCSD.net
ADP Dealer Services
:
that's no hack, thats no special feature - thats how .net works....

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Ah, the ol' undocumented special feature thing I'll do some
research and see if I can figure out the hack. thanks again for
your help.

-Jeff

:

not sure if it is documented.

You can extract the strong name of the calling assembly and
compare it to a list of allowed names - thats it...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Thanks. What I find ironic is MS's own webpage that covers this
mentions nothing about how to use it to protect assemblies. I
assume it's documented elsewhere? in your book?

http://msdn2.microsoft.com/en-us/library/system.reflection.assem
bl y. ge tcallingassembly.aspx

:

and as i said you can do that.

Check Assembly.GetCallingAssembly()

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
It's much more difficult to reverse engineer/re-use compiled
binaries as opposed to MSIL-based assemblies isn't it? I'm
talking about basic security meaures to protect someone from
copying/executing methods within an assembly authored by
someone else? I understand any software can be compromised
given enough time, talent, etc. But given some mechanism to
implement *basic* security it would help prevent your average
"joe" user from executing code within your own assemblies. It
seams something could be done to implement basic "I authored
this assembly and I don't want anyone else to re-use it
outside *my* applications" type security.

:

you never could that - in no language...

Or do you think vendors like Microsoft haven't tried
preventing people to use e.g. Windows without paying for it??

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Amazing I am losing respect for .NET the more I use it.
With security being one of the most important aspects of
applications today one cannot protect their own assemblies
to
prevent others from using them? I am sitting here wondering
why
anyone is developing with .NET!? Jesus.
:
short answer: you can't

longer answer:

you can try to do your best - like checking the SN of the
caller - but it all boils down to: if you hand out your
code (even in binary format) a skilled person can do to it
whatever he wants...

There are companies that have much more budget trying to
solve these problems (games vendors, big commercial
software, OS etc) - and everything has been cracked so
far...

-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
I have a collection of various .NET assemblies I authored
used in various applications within our corporate
Intranet. The assemblies are used in fat-client apps,
asp.net apps, etc, therefore many of the assemblies are
distributed to end user systems (they are not installed in
the GAC).

It is my understanding that anyone can basically copy a
.NET assembly, create a reference to it and consume it's
public methods if CAS is not implemented in some fashion?
I understand .NET assemblies are just MSIL code and meta
data and can be reverse engineered quite easily (based on
what I've read) using tools like the .NET reflector, etc.
if they are not obfuscated. I'm not so concerned with this
security aspect as developers/end users reusing my .NET
assemblies in their own applications.

In short, I've read where with Framework 1.1 one could use
the [StrongNameIdentityPermission ( SecurityAction.Demand
, PublicKey="public key" ...) declaration at a
class/function level which would throw a runtime error if
any consumer tried to use a strong-named assembly where
the caller was not also signed with the same strong-name
key. I then found this is no longer the case in .NET 2.0
where if the caller is fully trusted the
StrongNameIdentifyPermission check is completey
disregarded as discussed here?
http://msdn2.microsoft.com/en-us/library/aa480477.aspx#pag
gu id el in es 00 03_class3

How can I protect my .NET 2.0 assemblies from being
consumed by other applications?

 

[Wibberlet]

Hi Tophog,

I read this post with interest and basically agree with what you are saying.
It is certainly easier to decompile .Net assemblies than COM assemblies due
to the IL that they use.

Obfuscators can protect your code from all but the most determined (and
skilled) hackers but they are still not perfect and certainly not tamper
proof.

I worked on a previous project where the customer bought the source code
that we produced and insisted on security. The only way we were able to
convince them that the code was secure was to use an asp.net solution where
the intellectual copyright was preserved on a web server. Of course, you have
to trust the host here or host it yourself.

The whole code security issue is a problem regardless of the language you
are using but I do sometimes think that more could be done to help secure the
work that we produce.

regards - wibberlet
Development blog at http://wibberlet.blogspot.com

====================================