
Building Security Awareness in .NET Assemblies : Part 3 - Learn to break Strong Name .NET Assemblies

By Chua Wen Ching, 31 Oct 2004
 

Disclaimer

NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article.

General Overview

Welcome back to part 3 of the Building Security Awareness in .Net Assemblies series. In this article, I will share with you the possibility of breaking Strong Named .Net Assemblies. Make sure you have already read through part 1 and 2 before continuing on.

Questions pertaining to Strong Name

I do believe many others have the same doubts as I do on whether Strong Name keys could really protect the assembly from being tampered with. I would like to share my doubts with you in this article.

Questions:

  1. Question : Is Strong Name key secure?
    • Answer : Yes, Strong Name key uses RSA 1024 bit encryption.
  2. Question : Is Strong Name key breakable?
    • Answer : If you have enough computing power, time and knowledge on how to break RSA, the answer is yes.
  3. Question : Can Strong Name key be removed from .NET assemblies?
    • Answer : Yes, it can be removed very easily if you know how.

The Demonstration

Test machine specifications:

  • Windows XP Professional Edition SP 1
  • Intel Pentium 4 2.6GHz
  • 256MB DDR-RAM
  • Visual Studio .Net 2003 Professional Edition
  • Microsoft .Net Framework 1.1
  1. Download the executable files that come with this article.
  2. Open your Visual Studio .Net 2003 command prompt.
  3. Make sure you are inside the CrackingIL/bin/debug directory.
  4. Type “ildasm CrackingIL.exe /out=CrackingIL.il”.
  5. You may be wondering why we are repeating what we did in part 1 and part 2 of the series. As you may have noticed, the way to break Strong Name keys is by manipulating the Intermediate Language. The problem is that in part 2 we did modify the Intermediate Language, but when we tried to convert it back to an assembly at the end, we received an error. I will explain in detail which part of the Intermediate Language you should modify to remove the Strong Name key.
  6. Open up CrackingIL.il with a text editor. I use Notepad.
  7. Take a look at the red boxes. From what I understand, each assembly, such as System.Windows.Forms, System and mscorlib, contains its own public key token and version number.
  8. Now, does our assembly contain a public key? The answer is yes. Before showing it to you, I will first show you 2 screenshots: one without a Strong Name key and one with a Strong Name key attached.

Without Strong Name :

With Strong Name :

  9. You will notice that the difference between the two is that the Strong Named assembly contains a public key. In order to tamper with a Strong Named .Net Assembly, just remove that highlighted section. It will look like this.
  10. Now do some modifications to the existing Intermediate Language. You have to remove the registry check so it will not prompt you for a serial number or license. Look for this code.
  11. Then remove the lines of code from IL_0000 to IL_0075. You should have an output like this.
  12. Now just edit some text to prove that you have hijacked that Strong Named .Net Assembly. Find the code with the phrase “Welcome to NeCoders” and replace it with “You are being hijacked, Strong Names are useless here”.

Change above to:

  13. Open your Visual Studio .Net 2003 command prompt, and type “ilasm CrackingIL.il”.
  14. Try to run CrackingIL.exe. You will see this.
  15. Congratulations! You have managed to manipulate a .Net assembly with a Strong Name key attached to it.
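An added example, not part of the original article or its download: a Python check a defender could run over `ildasm` output to tell whether an assembly still carries the strong-name identity it was released with, which is exactly what deleting the `.publickey` section changes. The manifest text, key bytes and function names are constructed for illustration; the token rule (last 8 bytes of the SHA-1 of the public key, reversed) is the standard one, and the example goes beyond the article by comparing against a pinned token.

```python
import hashlib
import re

# Constructed ildasm-style manifest. The key bytes are made up and much
# shorter than a real strong-name public key blob.
KEY_DIRECTIVE = """\
  .publickey = (00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00   // .$...)..........
                00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00 ) // .$..RSA1........
"""
MANIFEST = """\
.assembly extern mscorlib
{
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )
  .ver 1:0:5000:0
}
.assembly CrackingIL
{
%s  .hash algorithm 0x00008004
  .ver 1:0:0:0
}
"""
SIGNED_IL = MANIFEST % KEY_DIRECTIVE
STRIPPED_IL = MANIFEST % ""  # what remains once .publickey is deleted


def own_public_key(il_text):
    """Return the .publickey bytes from the assembly's own manifest, or None."""
    # Drop // comments first: ildasm's ASCII rendering of a blob may contain ')'.
    text = re.sub(r"//[^\n]*", "", il_text)
    blocks = re.findall(r"^\.assembly\b([^\n{]*)\s*\{(.*?)^\}", text, re.S | re.M)
    for head, body in blocks:
        if head.split()[:1] == ["extern"]:
            continue  # a reference to another assembly, not this one
        key = re.search(r"\.publickey\s*=\s*\(([0-9A-Fa-f\s]*)\)", body)
        return bytes.fromhex("".join(key.group(1).split())) if key else None
    raise ValueError("no .assembly manifest block found")


def public_key_token(public_key):
    """Token = last 8 bytes of SHA-1(public key), in reverse byte order."""
    return hashlib.sha1(public_key).digest()[-8:][::-1].hex()


def check_identity(il_text, pinned_token):
    """Compare the dumped assembly's identity with the token pinned at release."""
    key = own_public_key(il_text)
    if key is None:
        return "unsigned"
    return "ok" if public_key_token(key) == pinned_token.lower() else "mismatch"
```

A matching token only shows that the manifest names the expected key; `sn -vf CrackingIL.exe` checks that the signature itself is valid.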

Conclusion

Again, I hope you find this series of articles interesting. There will be more articles in this series, on breaking and securing .Net assemblies. Do check out article 4 when it is available, as it will be explaining the many theories in .NET security. This in turn should provide you with a better understanding of this topic.


License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Chua Wen Ching
Software Developer
Malaysia
I am Chua Wen Ching and it is great to be part of CodeProject network :)


Comments and Discussions

 
Great Job | sandurea | 3 Nov '04 - 23:51
Hi Chua Wen Ching,

It's a great article to read, and you have given a good example of strong name assemblies, but what I know is that strong names are used for side-by-side execution of assemblies, which is applicable to public assemblies. But anyway, these were very good articles and I hope to get Part IV soon from you.

Cheers
Nitin Sandurea :)

Good article | Rakker71 | 3 Nov '04 - 7:34
Just wanted to say thanks for the articles so far. I agree they might be a little verbose, but I found it easy to read and understand. Thanks again & keep going!

Disturbing | RabidKangaroo | 2 Nov '04 - 9:53
Great series of articles. One thing though...
 
Your disclaimer is ludicrous.
 
NeCoders shall not be held responsible for any cases of software/files being hacked due to the information provided in this article.
 
That's like me writing an article "50 Ways To Infiltrate Buildings and Plant Explosives" and including a disclaimer: "RabidKangaroo shall not be held responsible for any buildings that are destroyed due to the information provided in this article."
 

 
"Those that say a task is impossible shouldn't interrupt the ones who are doing it." - Chinese Proverb
Re: Disturbing | Daniel Turini | 6 Nov '04 - 22:09
Sorry, but the author is right. Security through obscurity does not work, and that's why even MS publishes detailed information about vulnerabilities - knowing about a vulnerability in detail is the only true way of knowing if you're in danger and how you can protect yourself.
 
RabidKangaroo wrote:
That's like me writing an article "50 Ways To Infiltrate Buildings and Plant Explosives" and including a disclaimer: "RabidKangaroo shall not be held responsible for any buildings that are destroyed due to the information provided in this article."
RabidKangaroo never entered a building, right? A world where only hackers know how to break code is a world where no one is safe. Good programmers need to know how to break code. Trying hard to break your own code is the first line of defense against hackers.
 
Yes, even I am blogging now!

Re: Disturbing | Palladino | 9 Nov '04 - 22:40
Daniel Turini wrote:
RabidKangaroo never entered a building, right? A world where only hackers know how to break code is a world where no one is safe. Good programmers need to know how to break code. Trying hard to break your own code is the first line of defense against hackers.
 
I agree with Daniel. To KNOW how to do the attack is the best form of protection. Writing Secure Code, among other very useful things, talks exactly about this...
 
Marcelo Palladino
Brazil
Suggestion | afinnell | 1 Nov '04 - 7:23
I don't believe there is enough content to provide a 3 part article. You could probably get good reviews (you already are, but it could get better) if you condensed the 3 parts into a single part about Strong Names. Also you need to understand, like others have said, that Strong Naming isn't supposed to protect code from hijacking but to provide the ability to strongly name an assembly for reference abilities. It also provides some other benefits when it comes to the CAS but that could be another article. The reason the hashing exists is to verify that the assembly is the same as it was before so that when an app loads the assembly it can be sure it has the one it is supposed to. If you remove the strong name then an app that references that assembly won't be able to find it, thus defeating the purpose of trying to hijack the assembly.
 
Great article though. I need to get off my butt and submit the ones I have laying around. Kudos to you.
 
-
Drew
Re: Suggestion | chuawenching | 1 Nov '04 - 13:54
Hi afinnell,

Point taken. There will be a total of 9 articles or more. I will provide some detailed explanations on strong name in my article 4, which is in progress.

Thanks :)
 
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
Incredible | Mark Focas | 1 Nov '04 - 5:42
Thanks for your series of articles, they are well written and easy to understand.
I really don't see the point of strong named assemblies after reading this. I didn't think it would be that easy to crack, but I guess, having clear text IL code will always make it easily breakable.
A previous comment said that Strong Named assemblies are just for more reliable referencing. I really had the impression that it was for security, but you have blown that theory sky high!
Thanks
 
Being in a minority of one, doesn't make you insane
George Orwell
However, in my case it does

Re: Incredible | chuawenching | 1 Nov '04 - 13:49
Thanks. Hope you like it.
 
Regards,
Chua Wen Ching
Visit us at http://www.necoders.com
Re: Incredible | J.B | 3 Nov '04 - 11:27
Don't forget this is a very simplistic implementation of using strong names for security. A developer fluent in assembler could just as easily do something similar with compiled win32 code.

Strong names are also used for other reasons, like assigning privileges on a machine/enterprise based on the strong name or public (see Runtime security policy in .Net configuration, many Microsoft assemblies are granted special privileges by their public key). Restrictions can be applied for access to methods/classes in other systems based on public keys by using code access security (see StrongNameIdentityPermission).

Although, as this article demonstrates, strong names could be compromised, if you employ a complete security model these changes can be detected. I would recommend that you sign all code, even if it is only deployed to desktops within your organisation. Security is not so much about preventing tampering completely, but making mechanisms that allow you to detect tampering and take appropriate action to prevent the system being compromised.

Rather than take the author at his word here, I suggest you get a good book on .Net security. The author is technically correct, his article is informative, but he has assumed that you are only using strong names for a single purpose, which is only part of the .Net security model.

Sorry about the rant but as a consultant I often come into organisations where no security has been applied to .Net code, even on public web servers.

.Net code can be made secure, but like any good security system a compromise has to be expected and dealt with appropriately. To assume that your code/system will never be compromised just means you will never know when it is.

:(

Last Updated 1 Nov 2004
Article Copyright 2004 by Chua Wen Ching