This is a showcase review for our sponsors at The Code Project. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.
You can't even trust the school district in the nation's capital. Recently allegations that the District of Columbia in a proposal to the District of Columbia Council had copied verbatim large portions of the document from the documentation of the Charlotte-Mecklenburg, North Carolina school system. While the DC Mayor has expressed deep concern over the scandal, it illustrates the fact that it is easier to stand in the shadows and wait for someone to make a breakthrough which you can then copy, as opposed to doing the work yourself. Moral arguments for enterprise and self reliance appeal aside, when the ability to make a quick buck is so easily exploited by modern Cyber-Visigoths, what is a weary developer to do?
What You Should Know
The methods that people use to steal source code have become more complex over the years. Although the core .NET code is shrouded behind compiled .NET assemblies, there are still vulnerabilities that hackers utilize to break into the strongbox. Searching on strings within assemblies indicates areas of vulnerability to hackers, who can then use disassemblers to break Objects out of .NET assemblies.
Decompilers then come into play, reverse engineering high level language core code from disassembled objects. Using a decompiler, human beings can read the code that your team has worked so hard to write and compile. Used in concert, the use of dissassemblers and decompilers can render your Intellectual Property completely exposed to malicious use.
So what can you do to protect your Intellectuals Property? Obfuscators are vital in the modern business environment to protect proprietary code. Reverse engineering is greatly hampered by the application of effective obfuscation. This means that competitors are unable to benefit from your hard work. Obfuscators act on compiled .NET assemblies, not on core code. What they do is make reverse engineering more difficult by altering the labeling identifiers in your assemblies with meaningless characters. The obfuscator provides assemblies that will perform identically to the ones you wrote in pure language, but which are indecipherable to prying eyes in their code form.
The benefit is obvious. If a competitor is able to reverse engineer your intellectual property, they are not only able to use your code for their own purposes, they do not pay you for the licenses and can easily modify the code to their own needs and recompile it. This is a serious problem and can have real impacts on businesses and their bottom lines.
The process does introduce complexity. If you have pushed obfuscated code to a customer that finds bugs it could be difficult to correct the issue, as patches which you apply that ran through an obfuscator would have different identifiers assigned than the original code which you had sent to them. Incremental obfuscation will map the identifiers in the patches to the original code's identifiers.
Control flow obfuscation will work on control structures in the code. One way that a decompiler works is by looking for common command strings such as for/while/if in the code it is crunching. Control flow obfuscation makes otherwise easily reconstituted commands such as for/while/if unrecognizable and the decompiler thus is forced to improvise as it works. What then occurs is that the decompiler begins to create goto calls trying to duplicate the original function, and in so doing the decompiler itself is prone to introducing false loops and gibberish code that humans and machines cannot decipher. Control flow obfuscation uses the hackers' tools against their own masters.
There are many commercial products that are available to help with this serious threat to your intellectual property, including Spices.Obfuscator from 9Rays.Net is an award-winning tool that is equipped with several unique capabilities that make it extremely valuable for protecting critical proprietary code. Spices.Obfuscator allows a developer to support multiple versions of Microsoft's Visual Studio (2003 and 2005) on the same machine. Patented code anonymization technology renders code meaningless to prying eyes. Spices.Obfuscator is capable of automation, allowing a much greater flexibility of actions for the user, as they can now manage and maintain obfuscation via scripts and build environments, such as MSBuild and NAnt. Mixed assemblies of managed and unmanaged assemblies can be maintained.
Quality obfuscators allow developers to take an active hand in the formatting of their code to ensure that the downstream processing and support that are required in the software development lifecycle can work with the protective obfuscation tools that are being arrayed against hackers. For example, Spices.Obfuscator enables developers to exclude certain assembly members from obfuscation, if they are designed to be utilized by code that is unobfuscated, it is important to keep the naming conventions of certain important members standardized, otherwise the obfuscation processes would render the code meaningless.
Obfuscators will also assist your code in that metadata is reduced in size with the obfuscator's naming conventions taking the place of written identifiers. The size of the metadata reduction will translate into a more efficient program and therefore more streamlined execution of your code.
In itself, obfuscation and decompilation are parts of the whole for protecting your code. They do not represent magic bullets that will render your code invulnerable to the people you are trying to protect it from. Rather, taken together with other products that are available and through intelligent coding practices, your developers can protect your property from prying eyes.
9Rays offers the Spices.Obfuscator and Spices.Decompiler described above along with a number of other tools — Spices.VSIP (Visual Studio Integration Package with MSBuild integration), Spices.Modeler, Spices.Investigator, Spices.Informer and and Spices.Documenter — which taken together are offered as a powerful overall solution called Spices.Net Suite.
Spices.VSIP supports full lifecycle processes in an automated form, assisting with initial development, building and compiling, obfuscating the assemblies, verifying the integrity of the application and the code, assisting in debugging as needed, and assisting with deployment to your customer's site. Spices.Modeler automatically creates graphic hierarchical views of projects, assemblies, classes, and inidicates the myriad interrelationships between members.
Reverse engineering is an enormous temptation for your competitors and for many hobbyist hackers that are looking to make a name for themselves. Your Intellectual Property is not secure unless you take steps to reduce its visibility. Obfuscation, decompilation, and other methods used together do not guarantee your code's integrity from prying eyes, but what they do accomplish is to make your code less enticing to the bad guys. Your protected code taken against another company's unprotected code makes that other company's Intellectual Property a far more attractive target.
Perhaps after reading this article you have some questions that didn't get answered. 9Rays.Net has a great FAQ doc that answers a lot of the commonly asked questions about Obfuscation and the Spices product suite. Take a look at these answers here.
Make sure to keep your Intellectual Property secure! Using the Spices.Obfuscator, you can put your code within a concentrically protective belt of security. Misinformation, blind alleys that lead to dead ends, and obtuse gibberish will greet the hacker, and send them packing for greener pastures. If you would like to try the Spices.Net Suite you can try a free evaluation copy. We would love to hear your feedback. Write to us at email@example.com.