Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (9)

Is Someone Using Your Assembly? (SecUtil.exe .NET Framework Tools Series)

By , 16 Jan 2006
 

Introduction

There are a lot of assemblies that we create in our projects daily. Have we ever wondered that all those assemblies that we write after putting in such a lot of hard work and effort could be easily used by someone else. Also at times you don't want others to use a particular class or a method because it may retrieve some important or confidential information. .NET by itself works on the concept of sharing assemblies between applications which enables rapid application development (RAD). We can secure our code by identifying the caller.

Managed code offers several ways to restrict method access:

  • Limit the scope of accessibility to the class, assembly, or derived classes, if they can be trusted. This is the simplest way to limit method access. Note that, in general, derived classes can be less trustworthy than the class they derive from, though in some cases they share the parent class's identity. In particular, do not infer trust from the keyword protected, which is not necessarily used in the security context.
  • Limit the method access to callers of a specified identity -- essentially, any particular evidence (strong name, publisher, zone, and so on) you choose.
  • Limit the method access to callers having whatever permissions you select.

Let's see how we can accomplish this:

  1. Create a strong named assembly e.g. Calc.dll with one class called MyClass having the Add() method which adds two numbers.
  2. .NET Framework has a tool called SecUtil.exe.
  3. Go to the Visual Studio command prompt
  4. Type SecUtil.exe /?. This will display help and all the available options.
  5. Then type secutil.exe -s -hex -c Calc.dll (or the name of your DLL).
  6. This will display the public key as hexadecimal value as shown below: 
C:\DotNet\DLLProj\bin\Debug>secutil -hex -c -s Calc.dll
Microsoft (R) .NET Framework SecUtil 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
Public Key =
0x0024000004800000940000000602000000240000525341310004000001000100D96FE3B963FC64
B8A9B6CA05B859A67B8B30603A0D696E1F95D8C9B23C5B2EEF139B96A5CC55C2E38D05B7FD675434
A3EE1EF70C69AE3BDE8E646BF652C006278884856E10D3CD0273B458A3E8ECAF47BE51FC7619E271
6602B6EFE34824238F1CAF86960691256D0608E317217E174F4947397A9D5D0BA48785E8CB726E0F
CA
Name =
Calc
Version =
1.0.1761.29820
Success

Now You can use this public key with any class or method in your assembly that you don't want anyone else to access, you can use the StrongNameIdentityPermissionAttribute for this. Any calling code that isn't signed with your *.snk file won't have access to it.

Here I have used it at the class level. You can also achieve the same at the method or assembly level.

So, let's secure our class:

// put this code above the class as shown

[StrongNameIdentityPermissionAttribute(SecurityAction.Demand,
PublicKey = 
"0x0024000004800000940000000602000000240000525341310004000001000100D96FE3B963FC64" +
"B8A9B6CA05B859A67B8B30603A0D696E1F95D8C9B23C5B2EEF139B96A5CC55C2E38D05B7FD675434" +
"A3EE1EF70C69AE3BDE8E646BF652C006278884856E10D3CD0273B458A3E8ECAF47BE51FC7619E271"+
"6602B6EFE34824238F1CAF86960691256D0608E317217E174F4947397A9D5D0BA48785E8CB726E0FCA")]

public class MyClass
{
public MyClass()
{
}

public int Add(int i , int j)
{
}
}
  1. Now create any Win app which will be a client app for this assembly.
  2. Do not strong name this assembly.
  3. Reference the above assembly in the client App.
  4. Call the Add method or any other method of Myclass.
  5. The code will compile.
  6. Try and execute the function call. You will get an error message similar to the one below: 
Additional information: Request for the permission of 
type System.Security.Permissions.StrongNameIdentityPermission, mscorlib, 
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

History

  • 16th January, 2006: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Namratha Shah
Architect
United States United States
Member
Namratha Shah a.k.a. Nasha is from orginally from Bombay, India but currently residing NJ, USA. She has to her credit, a Bachelor’s Degree in Microbiology and Biotechnology and a Master's in Computer and Software Applications (1999-2001) from Somaiya College Bombay. She started her career with C and C++ and then moved on to Microsoft Technologies. She has over 7.5 years experience in software architecture, design and development. She is a Certified Scrum Master and a member of the CORE .NET Architecture team. She has been Awarded with Microsoft’s Prestigious Most Valuable Professional (MVP) twice consecutively in years 2005 and 2006 in Visual C#.NET for her outstanding contributions to the .NET community.

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First Prev Next
QuestionFramwork version 4.0memberlill.LEIF23 Mar '11 - 20:03 
If you look into the docs for StrongNameIdentityPermissionAttribute for .NET 4. It says: 
"
Important
Starting with the .NET Framework version 4, identity permissions are not used.
In the .NET Framework versions 1.0 and 1.1, demands on the identity permissions are effective, even when the calling assembly is fully trusted. That is, although the calling assembly has full trust, a demand for an identity permission fails if the assembly does not meet the demanded criteria. In the .NET Framework version 2.0 and later, demands for identity permissions are ineffective if the calling assembly has full trust. This assures consistency for all permissions, eliminating the treatment of identity permissions as a special case.
"
 
How does that affect the above solution? Is there another way of doing the same thing in .NET 4, preferably without using InternalsVisibleTo?
Sign In·View Thread·Permalink
GeneralMy vote of 1memberMember 307848118 Mar '09 - 21:51 
it doesnt work on my system
Sign In·View Thread·Permalink
GeneralIt doesnt work at all!! [modified]memberMember 307848118 Mar '09 - 21:33 
whats the reason I tried ur solution it doesnt throw any security exception?????
Namratha Plz Reply....
 
modified on Thursday, March 19, 2009 3:49 AM
Sign In·View Thread·Permalink
GeneralNope...!!!memberAbhilashAshok31 Dec '07 - 23:37 
Not working in VS2005
 
Dont think you are no ONE...!!!
Sign In·View Thread·Permalink
GeneralI don't recieve any Error MessagememberZarrinPour11 Feb '07 - 20:15 
Hi
I did all steps that you mentioned in this article But i didn't recieve any Error Message like this:
Additional information: Request for the permission of type System.Security.Permissions.StrongNameIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
 
Could you please send me a sample projet?
BTW i'm using VS2005.i'm mixed up.where do you think i've made a mistake?
 
Kind Regards.
Sign In·View Thread·Permalink
GeneralRe: I don't recieve any Error MessagememberBOB198323 Oct '07 - 11:04 
IDEM, do you find a solution? tank you!
Sign In·View Thread·Permalink
GeneralPeople can steal your code anywaymemberHeinz_3 Aug '06 - 10:49 
Why boder creating and using a key if we can steal your key and the code you want to protect and insert it right into our code avoiding the need to reference your assembly, there're many ways but if you want things easy try with Lutz Roeder's Reflector available at http://www.aisto.com/roeder/dotnet/.
 
Also try the ILDASM itself, it's funny, Microsoft provides the tools for hacking their technology.
 
Reverse engineering of .NET assemblies is done within a minute or less, i've cracked many commercial .NET appz and reused code just to show .NET sucks at assemblies and commercial appz and to show .NET is only recomended for the web or the net as the name of the frameworks says.
Friends of mine got really disapointed after month of development in huge .NET projects when they discovered that their great commercial app was 'open source'.
 
An obfuscator with make things a bit harder but not imposible and your code or assembly gets dirty and sometimes out of control, you really can't know what's inside vendor's obfuscator. I've tried obfuscators but most of the algorithms are still visible.
 
I consider this 'phantom code' the most important lag of .NET and this is why y dropped development in .NET and moved to a 'real compiled language'. Reversion in native code is also posible but makes things a bit harder and you gain a lot of performance, you have total control your program and you leran and know what's happening and how thing works.
 
Good article anyway, great feature!
Sign In·View Thread·Permalink
GeneralA few things to considermemberMrEyes17 Jan '06 - 4:26 
Great article, which explains this little know .NET feature very well
 
Unfortunately the feature (not this article) does have some fatal flaws that need to be considered before entrusting your code to it:
 
1) Do not consider this to be perfect security that is safe to deploy to a volatile environment. Due to the nature of managed .NET assemblies and the fact that they compile into IL code, it is not very difficult to remove the strong name information from the assembly. In fact there is an article here on CP that explains how to do it.
 
2) Depending on your interpretation, this is or isnt a flaw. There is no way to implement the StrongNameIdentityPermissionAttribute at assembly level and automatically protect all classes within the assembly (i.e. within the AssemblyInfo.cs). This attribute has to be declared on every public class within the assembly. Although I have heard unconfirmed rumour that this has been fixed in NET2.
Sign In·View Thread·Permalink
GeneralPreventing someone from examine your original app and/or assembliesmemberT-luv16 Jan '06 - 18:19 
Will the .NET obfuscator prevent someone from examine your original app and/or assemblies to ascertain the key?

 
T-luv
 
don't spit into the wind... Jim Croce
Sign In·View Thread·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 24 May '13 - 21:01Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
SecUtil.exe
Type Article
Licence CPOL
First Posted 16 Jan 2006
Views 30,371
Bookmarked 28 times

, +
Top News

Old Japanese Man Creates Amazing Art Using Excel (Wait, Excel?)

Get the Insider News free each morning.
Related Videos
Entity Framework: Building a Code-First Database Part 2
Entity Framework: Building a Code-First Database Part 4
Building Security Awareness in .NET Assemblies : Part 2 - Learn to protect your .NET assemblies from being tampered
Copy DLL from GAC
A GAC Manager Utility and API
Using MSI or a Strong name to store .NET apps on a network server (Part 2)
Depends4Net - Part 1
Introduction to Mono - Your first Mono app
Demystifying the .NET Global Assembly Cache
ASP.NET 4.0 Chart Control
Merging .NET assemblies using ILMerge
Assemblies: locating, binding and deploying
Exposing .NET Components to COM
ASP.NET MVC Chart Control
MethodLogger - Hook into method calls in .NET binaries
Tlbexp.exe and Regasm.exe (.NET FrameWork Tools Series)
Extract GAC Assemblies
MONO: an alternative for the .NET framework
Building Security Awareness in .NET Assemblies : Part 3 - Learn to break Strong Name .NET Assemblies
.NET Internals and Native Compiling
Windows Mobile Development Without Visual Studio
NetDasm - A tool to disassemble and patch .NET assemblies
Permalink | Advertise | Privacy | Mobile
Web04 | 2.6.130523.1 | Last Updated 16 Jan 2006
Article Copyright 2006 by Namratha Shah
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid