Security Flaw in dll (or am I wrong?)

  • Thread starter Kevin Steffer [MCP]

Kevin Steffer [MCP]

Hi NG

I have made a very nasty discovery on my dll files built from my
ASP.NET projects in VS.NET 2003.

In some of my codebehind files I have a private string that is my SQL
Server connection string, for example:

public class myClass
{
    private string sqlSvrConStr = "Data Source=blablabla";

    public myClass()
    {
    }
}

When I compile the project and open the dll in notepad I am able to
read the sqlSvrConStr - it's not pretty and it might take a while to
find BUT IT'S THERE!!!

I am also able to find some of my SQL Command strings and other objects
I use in the code - is this normal behavior of a dll, that you
actually can see the code in text???

Man I'm getting nervous!!

-Kevin
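
The observation in the post above can be turned into a check on build output before a DLL is shipped. The Python sketch below is an added example, not code from the thread: C# string literals are stored in the compiled assembly as UTF-16LE text, so it extracts those runs and flags the ones that look like connection strings. The key list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# C# string literals are stored in the assembly as UTF-16LE, so each ASCII
# character is followed by a NUL byte. Match runs of at least 6 such characters.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Keys that suggest a connection string (assumed list; extend for your stack).
CONN_KEYS = re.compile(
    r"\b(data source|server|initial catalog|user id|uid|password|pwd)\s*=",
    re.IGNORECASE,
)


def utf16_strings(blob: bytes):
    """Yield (offset, text) for every printable UTF-16LE run in blob."""
    for match in UTF16_RUN.finditer(blob):
        yield match.start(), match.group().decode("utf-16-le")


def find_embedded_connection_strings(blob: bytes):
    """Return [(offset, text)] for literals that look like connection strings."""
    return [(off, s) for off, s in utf16_strings(blob) if CONN_KEYS.search(s)]


def scan_file(path: str):
    """Scan a built DLL on disk, e.g. as a step before packaging a release."""
    with open(path, "rb") as fh:
        return find_embedded_connection_strings(fh.read())


def _literal(text: str) -> bytes:
    # Constructed stand-in for a stored literal: length byte, UTF-16LE data, flag byte.
    data = text.encode("utf-16-le")
    return bytes([len(data) + 1]) + data + b"\x00"


# Constructed sample bytes (not a real assembly): the literal from the post,
# a SQL command, and a made-up connection string with credentials.
SAMPLE = b"MZ\x90\x00" + b"".join(_literal(s) for s in (
    "Data Source=blablabla",
    "SELECT * FROM Users WHERE Id = @id",
    "Server=db01;User ID=app;Password=example",
))

if __name__ == "__main__":
    for offset, text in find_embedded_connection_strings(SAMPLE):
        print(f"0x{offset:04x}: {text}")
```

Calling `scan_file` on each assembly in the build output and failing the build on a non-empty result keeps hard-coded connection strings out of released DLLs.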
 
Brock Allen

Oleg Ogurok

It's by design. You need to use an obfuscator that encrypts string literals.
Google for ".NET obfuscator", most of them are not free though.

-Oleg.
 
Kevin Spencer

I'd be nervous too, if somehow someone on the Internet could get hold of my
DLLs. Now THAT would be a security issue!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Ambiguity has a certain quality to it.
 
Kevin Steffer [MCP]

Kevin said:
> I'd be nervous too, if somehow someone on the Internet could get hold of my
> DLLs. Now THAT would be a security issue!
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> Ambiguity has a certain quality to it.

What if we talk shipping dll's API and stuff like that - what would be
necessary to keep the clean strings away from being readable in the
dll?

-Kevin
 
bradley

You could encrypt your critical strings.

Kevin Steffer said:
> What if we talk shipping dll's API and stuff like that - what would be
> necessary to keep the clean strings away from being readable in the
> dll?
>
> -Kevin
 
Brock Allen

> You could encrypt your critical strings.

The problem with encrypting the strings is that you need a key to decrypt
them. Where do you store that? If the original intent was to hide the strings,
encrypting them just means you have to hide the key. Same problem.
 
Lau Lei Cheong

The difference is: for a SQL connection string, there are clearly
distinguishable words that enable a user to find it easily.
If you're storing a key, the key may (or may not) look like other values. If
your program holds more than one key, it may take the user a while to figure
out which one you're using for decrypting the connection string.

Things can get more tricky if you choose to use multibyte characters such as
Big5 in the key... You either have a key that won't decrypt at all (not all
encryption algorithms have a mind for high-ASCII values) or a key that's
difficult to recognize (you can't tell by eye whether it's a legal string or
not after shifting bits).
 
Shaun Wilson

Don't do it.

Kevin Steffer said:
> What if we talk shipping dll's API and stuff like that - what would be
> necessary to keep the clean strings away from being readable in the
> dll?
>
> -Kevin
 
Amedee Van Gasse

bradley shared this with us in microsoft.public.dotnet.framework.aspnet:
> One could argue that all applications written using .NET are Open
> Source.

Open source doesn't just mean access to the source code. The
distribution terms of open-source software must comply with the
following criteria:

1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral

Details on http://www.opensource.org/docs/definition.php
 
Kevin Spencer

Well, MSIL can be obfuscated. VS.Net comes with an obfuscator, and there are
others available as well.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Ambiguity has a certain quality to it.
 
