ASP.NET Security

Asim Qazi

Hi All,
I have created a web application for business purposes which contains some classes; the whole output of this application is "MyWork.dll" in the bin directory, so far so good.

What I want is to keep this ".dll" file safe, because if I made any Windows or other web application and added a reference to it ("MyWork.dll") in this new application, I could access all its classes. These classes include some which play with the DB and Registry, so I want to make this "MyWork.dll" limited to only the application to which it belongs.




Any help would be appreciated.



aSIM.
 
Ram

Use the "internal" access specifier for your class or methods; this will prevent others.

Ram
 
Asim Qazi

Thanks Ram for the prompt reply.

As I am a new user of ASP.NET, can you please provide me any small sample or syntax?




aSIM.
 
Dominick Baier [DevelopMentor]

There is no way you can do that. If someone has your .dll he can use it.

I wouldn't spend too much time thinking about this.

Keep your stuff on the server, and you have control over it - otherwise you
don't.
 
Asim Qazi

My application has two parts: one is the web application, whose namespace is "MyWork", and the other part is a SharedLibrary which contains different classes for different purposes. The namespace for this SharedLibrary project is also "MyWork". If I set the access modifier of the SharedLibrary classes to "internal", they are inaccessible even in my web application, although both have the same namespace. Any solution?

Is there any way to check if the calling application is my own, then allow it, else reject it? Checking the ".dll" path, or any other way?



aSIM.
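The behaviour described in the post above is expected: `internal` is scoped to the assembly, not to the namespace, so two projects that share the `MyWork` namespace but compile to different DLLs are still strangers to each other. The way to keep the classes `internal` and still call them from the web project is a friend-assembly declaration. The following is an added example, not code from the thread; the assembly names `MyWork.SharedLibrary` and `MyWork.Web`, the registry path and the setting name are assumptions.

```csharp
// Added example (not code from the thread). Assumptions: the shared library
// builds to MyWork.SharedLibrary.dll, the web application builds to
// MyWork.Web.dll, both use the MyWork namespace, and the registry key
// HKLM\Software\MyWork holds a string value named "DisplayName".

// ----- File in the SharedLibrary project: RegistryHelper.cs -----
using System;
using System.Runtime.CompilerServices;
using Microsoft.Win32;

// Friend-assembly declaration: "internal" members become visible to the
// assembly named here and to no other. The boundary is the assembly identity,
// not the namespace, which is why sharing "MyWork" alone does not grant access.
[assembly: InternalsVisibleTo("MyWork.Web")]

namespace MyWork
{
    // internal: a third assembly that merely references this DLL cannot
    // name this type; the compiler rejects it.
    internal sealed class RegistryHelper
    {
        private const string KeyPath = @"Software\MyWork";   // assumed key path

        internal string ReadSetting(string name)
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
            {
                if (key == null)
                    throw new InvalidOperationException("Registry key not found: " + KeyPath);

                object value = key.GetValue(name);
                if (value == null)
                    throw new InvalidOperationException("Registry value not found: " + name);

                return value.ToString();
            }
        }
    }
}

// ----- File in the web application project (MyWork.Web): Default.aspx.cs -----
using System;
using System.Web.UI;

namespace MyWork
{
    public partial class DefaultPage : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Compiles because MyWork.Web is a declared friend of the library.
            // From any other assembly this line fails with compiler error CS0122
            // ('MyWork.RegistryHelper' is inaccessible due to its protection level).
            RegistryHelper helper = new RegistryHelper();
            Response.Write(Server.HtmlEncode(helper.ReadSetting("DisplayName")));
        }
    }
}
```

Two things to keep in mind. If the shared library is strong-named, the friend declaration must carry the friend's full public key (`InternalsVisibleTo("MyWork.Web, PublicKey=...")`), otherwise the compiler reports CS1726. And, as Dominick says later in the thread, this is a compile-time boundary: it stops other projects from referencing the classes by accident, but it is not a security boundary against someone who already holds the DLL.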
 
Joe Mamma

That's crazy to say that.

The easiest, quickest, simplest solution is to not use a .dll - just compile the classes directly into each app that needs them - that solves the .dll problem completely.

If you insist on using a .dll - half a day with some thought-out security code would work fine (check loaded assemblies, use strong naming, declarative security etc.)

J
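Joe's list ("check loaded assemblies, use strong naming, declarative security") maps onto two concrete .NET Framework mechanisms, shown here as an added example that is not code from the thread: a declarative `StrongNameIdentityPermission` link demand, which makes the CLR verify the immediate caller's signing key, and an imperative constructor-time check of the calling assembly's public key token, which is the kind of check Asim asks about later. The assembly name `MyWork.Web`, the key file, the connection string name and both key values are assumptions; the key strings are placeholders that must be replaced with the output of `sn -Tp MyWork.Web.dll`.

```csharp
// Added example, not code from the thread. Assumptions: the web application is
// built as MyWork.Web.dll and signed with a key pair created by "sn -k MyWork.snk";
// the key values below are PLACEHOLDERS (real ones come from "sn -Tp MyWork.Web.dll");
// the connection string name "MyWorkDb" is invented.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

namespace MyWork
{
    // Declarative check: when a call into this class is JIT-compiled, the CLR
    // verifies that the immediate calling assembly is signed with this public key.
    // LinkDemand checks only the direct caller, not the whole call stack.
    [StrongNameIdentityPermission(SecurityAction.LinkDemand,
        PublicKey = "PLACEHOLDER_FULL_PUBLIC_KEY_HEX_FROM_SN_TP")]
    public sealed class DatabaseGateway
    {
        public int CountOrders()
        {
            string cs = ConfigurationManager.ConnectionStrings["MyWorkDb"].ConnectionString;
            using (SqlConnection conn = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM Orders", conn))
            {
                conn.Open();
                return (int)cmd.ExecuteScalar();
            }
        }
    }

    // Imperative check in the constructor: compare the calling assembly's
    // public key token with the one we expect. An unsigned caller has an
    // empty token and is rejected.
    public sealed class RegistryGateway
    {
        // PLACEHOLDER 8-byte token; replace with the output of "sn -T MyWork.Web.dll".
        private static readonly byte[] AllowedPublicKeyToken =
            { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

        // NoInlining keeps GetCallingAssembly pointing at the real caller; if the
        // JIT inlined this constructor, it would report the caller's caller instead.
        [MethodImpl(MethodImplOptions.NoInlining)]
        public RegistryGateway()
        {
            byte[] token = Assembly.GetCallingAssembly().GetName().GetPublicKeyToken();
            if (!TokensEqual(token, AllowedPublicKeyToken))
                throw new SecurityException("RegistryGateway may only be used by MyWork.Web.");
        }

        // Length-safe comparison; returns false for a missing token.
        private static bool TokensEqual(byte[] a, byte[] b)
        {
            if (a == null || b == null || a.Length != b.Length)
                return false;

            int diff = 0;
            for (int i = 0; i < a.Length; i++)
                diff |= a[i] ^ b[i];

            return diff == 0;
        }
    }
}
```

Both checks raise the bar against accidental or casual reuse, which is what Joe is proposing, and both have the limits Brock spells out further down: they hold only as long as the calling assembly and the platform underneath are not tampered with. One further caveat for the declarative form: starting with .NET Framework 2.0, demands for identity permissions succeed for fully trusted callers, so the link demand constrains partially trusted code only; a desktop application or a Full-trust ASP.NET site passes it regardless of its signing key.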
 
Dominick Baier [DevelopMentor]

I will answer that when I have more time; in the meanwhile you may want to check whether your statements are really true :)
 
Asim Qazi

Is it a good way to check my own security (could be anything, like checking keys, comparing keys etc.) in the constructor of critical classes?



aSIM.
 
Dominick Baier [DevelopMentor]

What's the difference between a class and a .exe? The extension - that's it - you can also add .exe references - Visual Studio does not allow this but csc.exe does.

I can simply turn CAS off if I want to bypass a lot of stuff - I could use Reflector to decompile the assembly - I could even patch the CLR to turn off all security checks...

If you don't believe me, give me your ".exe" and we will see if I can call it or not.

You can make it harder by sprinkling all kinds of security checks in your code - but the rule still applies - if I have your binary - it is mine - and I can do whatever I want.
 
Joe Mamma

well duh.

If you have access to the machine you can just run regedit too and bypass
the need for .net.

Or how about hand assembling some hex codes in a buffer overrun?

All those will bypass 'security'.

I think he was asking for a reasonable level of assurance, not DOD level
protection from the communists.

Remind me not to buy your book.

Dominick Baier said:
What's the difference between a class and a .exe? The extension - that's it - you can also add .exe references - Visual Studio does not allow this but csc.exe does.

I can simply turn CAS off if I want to bypass a lot of stuff - I could use Reflector to decompile the assembly - I could even patch the CLR to turn off all security checks...

If you don't believe me, give me your ".exe" and we will see if I can call it or not.

You can make it harder by sprinkling all kinds of security checks in your code - but the rule still applies - if I have your binary - it is mine - and I can do whatever I want.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
Dominick Baier [DevelopMentor]

Joe Mamma said:
The easiest quickest simplest solution is to not use a .dll - just

if that sounds reasonable to you...fair enough
 
Brock Allen

Joe Mamma said:
well duh.
If you have access to the machine you can just run regedit too and
bypass the need for .net.

Or how about hand assembling some hex codes in a buffer overrun?

All those will bypass 'security'.

I think he was asking for a reasonable level of assurance, not DOD
level protection from the communists.

Remind me not to buy your book.

Dominick's entirely too nice to say this but he's trying to help someone
solve a problem and solve it thoroughly. The "thorough" part is especially
important when talking about security. Just because he provides a more thorough
answer than you doesn't mean he needs you barking at him on these newsgroups.
While you're *obviously* much more advanced and knowledgeable than the original
poster, Dom's input just might have been helpful to him.

-Brock
http://staff.develop.com/balle
 
Joe Mamma

The problem is that dom is arguing that there can be no security.
He says that if he has access to an exe he can call any class in it - and
that is plain BS.

How about SIMPLY decrypting all of the method's payload with a public key?

I'll leave it to dom to explain why ANYONE can get access to a private key,
as the explanation escapes me and Microsoft.

Joe
 
Brock Allen

Joe Mamma said:
The problem is that dom is arguing that there can be no security.
He says that if he has access to an exe he can call any class in it -
and that is plain BS.

And how is it BS?

Joe Mamma said:
How about SIMPLY decrypting all of the method's payload with a public
key?

I'll leave it to dom to explain why ANYONE can get access to a private
key, as the explanation escapes me and Microsoft.

I don't know what feature you're trying to refer to, but encryption doesn't
solve your problem. If the code normally runs on my client machine and it
was somehow encrypted, then to get it to run on my client machine you'd need
to decrypt it and thus the key would also need to be on my client machine.
If the key is on my machine then the encryption scheme doesn't buy you any
protection since I have full control over my client machine.

Or are you talking about strong names? This only protects a DLL from being
tampered with if the calling assembly itself wasn't tampered with. And as
Dom mentioned, this only works if the underlying platform wasn't tampered
with. If it's my machine then I can tamper all I want. That's why Dom's original
answer was to not give the client direct access to the code. If this is not
practical and you need to give your code to the client then you must protect
yourself with contracts and legal recourse.

If I'm missing your point could you please elaborate (in a civil manner)?
 