Code Security in .NET

• Download source code - 6.91 KB

Introduction

Security is one of the most primary concerns for everyone in IT. When we talk about security, we generally think about Data Security. Data is the most important part of every company. We secure data so that unethical minds cannot break through the security gates and get valuable information. In IT, it is common to store information securely. Thus, we use databases to store data than files as to tighten the security of data. To connect to a database, we need ConnectionStrings, which securely connect the database and fetch data. These connection strings are stored in configuration files, and for additional security, we use encryption algorithms to encrypt our data so that no human being can understand our data.

To implement security, .NET provides some superior classes. The classes within the System.Security namespace provide a superior quality library that enhances the security of any application.

But, one thing that never comes to our mind is the security of code. Code security is generally more important than data security. Generally, when we are dealing with .NET assemblies, we write all the security techniques inside it, use our security classes from the code, or even write crypto keys within the business logic.

As we all know, .NET is a framework that produces aseemblies, which are just similar to Assembly Language code which is understood by the CLR (JIT). Thus, the Assembly code is compiled during runtime. Therefore, any assembly editor can pass through this gate and discover your business logic easily.

Background

In the case of traditional machine languages, they are very hard to understand as they are written in binary. But, .NET assemblies are not. Any good programmer or even a newbie can get your business logic from an assembly provided.

This would facilitate the programmers to reverse engineer the assemblies and get the actual code from it. Thus, any business logic that you have written for your application could easily be open to all. Even if you have made use of superior quality security measures to encrypt all the data access, it will be very easy to get into those by reverse engineering your code.

There are some readily available Code Generators that can produce almost the exact code that is used to produce an assembly. For example, we can use the Reflector, which is free to download, and can produce C#, VB.NET, C++, or DELPHI code from our assembly.

In the following demo, I am going to use Lutz Roeder's Reflector project to disassemble a Class Library, and later, we will explain how to avoid this problem. Get Lutz Roeder's Reflector from here. If it is not found there, try this: Download Lutz Roeder's Reflector - 1.04 MB.

Problems with .NET Assemblies

Let's start building a simple class library. Let the code of the assembly be like this:

using System; 
using System.Collections.Generic;
using System.Text;

namespace MyFixedLibrary
{
    public class LibraryClass
    {
        /// <summary>
        /// MethodFromFixedLibrary Comments
        /// </summary>
        public void MethodFromMyFixedLibrary()
        {
            int myidentifier = 10; 
            string myString = "This is a String";
            for(int i=0;i<myidentifier;i++)
                Console.Write(myString);
        }         
    } 
}

This is a simple code that introduces the MyFixedLibrary namespace, and within it, there is a class called LibraryClass. The LibraryClass has a method called MethodFromFixedLibrary.

Now, take a closer look at the name of the identifiers. The first identifier is myIdentifier and the second one is myString. Generally, we make identifiers in such a way that it is clearly understood what the identifier will be doing in the current context.

After building the class library, it produces a DLL. Upon loading the DLL in Lutz's Reflector, it produces the exact code by its reverse engineer logic. Take a look at the picture below:

This is really a threat to development teams. There are some add-ins provided with the disassembler which will produce the exact solution that made up the DLL. Thus, it must be clear how a disassembler can be used to get your precious code from your .NET assemblies.

Try it yourself.

How to Solve this Problem?

To solve this problem, we have to do two steps:

1. After installation of your software, you can use NGen to run, which will produce the native machine code and force the DLLs to convert to binary.
2. Use the DotFuscator and the Obfuscation tool that comes with Visual Studio .NET.

1. NGEN

To use NGEN, you must write a special code that would optimize your code to machine language and add it as post-installation code. You must also ship ngen.exe with your application. If you have a big application, the optimization code will take too long to convert the DLLs to machine specific code. This would bore the users.

Note: You can also add DLLs that are already native generated. But, this will cause the DLL to run only on your platform. Means, if you optimized the DLL in Win XP, it may cause problems in Vista or other Operating Systems. So, it is always a good practice to create machine code from your installation application.

To read more about NGEN, try MSDN.

2. DotFuscator

We may also take the help of Obfuscatory tools to compile the DLL so that the logic could be made hard to understand. In this section, I am going to demonstrate how to use DotFuscator to reach your goal. Here are the steps:

1. First, after you have made the library, you need to open DotFuscator. Go to Start-Programs->Visual Studio .NET -> Visual Studio Tools->Dotfuscator Community Edition.

Note: This is Community Edition and comes free with Visual Studio .NET. You can easily buy the Premium Edition and get all the facilities.

2. After opening the assembly, you need to configure it so that the assembly could be obfuscated. In the figure below, choose the Setup tab to be used for the settings. Configdir is the place where the output DLL will be saved.

3. In the next Options tab, for community edition, there is only one, option which is readonly. If Disable Renaming is set to No, it means the variables and private functions will be renamed in such a way that it would be hard to understand the logic.

4. In the Input tab, choose Library to make the assembly a library project. You can also choose Honor Obfuscation Attributes, or Strip Obfuscation Attributes. These are optional.

5. In the Rename tab, you will have to choose Map.xml which provides DLL mapping. If additional DLLs are needed, you can store the info into the XML file.

6. The Build tab will help you to set the output directory.

Note: Regarding the other tabs, they are not available for Community Editions. They are only available with the Premium editions.

Thus, after obfuscation, the code will look like:

using System; 
using System.Collections.Generic;
using System.Text;

namespace MyFixedLibrary
{
    public class LibraryClass
    {
        /// <summary>
        /// MethodFromFixedLibrary Comments
        /// </summary>
        public void MethodFromMyFixedLibrary()
        {
            int num= 10; 
            string str = "This is a String";
            for(int i=0;i<num;i++)
                Console.Write(str);
        }         
    } 
}

The method name remains the same, but all the private variables have been renamed. You can see that num has been mapped to myidentifier and str has been mapped to mystring.

Therefore, if your assembly is very big, making changes to the variables will make it hard for the disassembler.

Another thing, the Community Edition does not provide much facilities. In the full version of the DotFuscator, the obfuscation will be extensive. It can rename your namespaces, and even strings.

Additional Info (Include DotFuscator as a Post Build Event)

You may also add obfuscation as a Post Build Custom Event of your project. To do this, you need to create a project file, which is an XML document that will look like the sample given below:

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE dotfuscator SYSTEM 
    "http://www.preemptive.com/dotfuscator/dtd/dotfuscator_v2.1.dtd">
<dotfuscator version="2.1">
  <!--This is application generated code. Do not edit manually.-->
  <global />
  <input>
    <asmlist>
      <inputassembly>
        <option>library</option>
        <file dir="C:\MyFixedLibrary\bin\Debug" name="MyFixedLibrary.dll" />
      </inputassembly>
    </asmlist>
  </input>
  <output>
    <file dir="C:\ObfuscatedDlls" />
  </output>
  <tempdir>
    <file dir="C:\tempdir" />
  </tempdir>
  <renaming>
    <mapping>
      <mapoutput overwrite="false">
        <file dir="C:\Mapdir" name="map.xml" />
      </mapoutput>
    </mapping>
  </renaming>
</dotfuscator>

This XML file is produced automatically whenever you create a project in DotFuscator. Here, the InputAssembly will hold the input file assembly which should be your project directory, Bin/Debug or bin/Release, where the output of the build will be stored. The output directory is where the final DLL which is produced is available after obfuscation. The Map.xml file from MapDir is another XML file which would be created automatically and used for logging everything that the DotFuscator has done with your DLL. From this file, you would get information regarding all the functions and variable name changes that the process has made.

Now, to include the event: go to Project - > Properties->Build Events, and add these lines to the post build event:

C:\Program Files\PreEmptive Solutions\Dotfuscator 
   Community Edition 1.1\dotfuscator.exe" /q c:\dproj\demo.xml

Please change the Dotfuscator file path and the project path where you have created your project.

History

This is the first version of this article. Hope you will like my article.

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 15 of 15 (Total in Forum: 15) (Refresh) FirstPrevNext

Clear concise and best ashu fouzdar 22:22 22 Jan '09   Congrats for such great sharing with CP community. I am really lucky that, I got first thread on your article while searching for "Obfuscation" Great work indeed dnpro "Very bad programmer" My Latest Articles RichTextBox Control with Find functionality LogViewer - A Simple Log Listening Utility Sign In·View Thread·PermaLink Best VB.NET article of August 2008 Member 4737353 2:18 10 Oct '08   ...not vb Sign In·View Thread·PermaLink Re: Best VB.NET article of August 2008 Abhishek sur 7:25 11 Oct '08   As per my topic is concerned, this is not an Article for C# as well as VB.NET or anything else.... Its a .NET article as a whole... Abhishek Sur Sign In·View Thread·PermaLink Re: Best VB.NET article of August 2008 Bill Boukouvalas 0:26 13 Oct '08   was obviously making a joke, did select joke from message type as well Sign In·View Thread·PermaLink 1.00/5 (1 vote) Congratulation Abhijit Jana 2:40 30 Sep '08   Keep It Up !!! cheers, Abhijit Think Sharp | Code Sharp | C Sharp Sign In·View Thread·PermaLink Re: Congratulation Abhishek sur 9:07 7 Oct '08   Thanks buddy.... Abhishek Sur Sign In·View Thread·PermaLink Obfuscated Items GLLNS 13:59 21 Sep '08   Be aware that obfuscation doesn't concern local variables since their names aren't present in the assembly metadata. However, class fields & method parameters are included. In this case, it's the .pdb file in the output director that is responsible of containing field names & much more info (such as mapping instructions to line numbers in their original source files) necessary for the debugger. The Reflector tool can read local variable names from this file and use them while decompiling the original assembly. PDB files should NEVER be shipped with the product whenever you use obfuscation of not. Sign In·View Thread·PermaLink 5.00/5 (1 vote) Re: Obfuscated Items Abhishek sur 22:49 2 Oct '08   Thanks for your info.. This is great... Abhishek Sur Sign In·View Thread·PermaLink one more times Abhijit Jana 20:57 7 Sep '08   Great Article.. agin a vote from me !!! cheers, Abhijit Read My Latest Article : IIS 7.0 and Deploying Asp.Net WebSites on IIS 7.0 Sign In·View Thread·PermaLink Nice one Abhijit Jana 18:52 18 Aug '08   Hi Abhishek, nice one !!!! 5 from me !! cheers, Abhijit Sign In·View Thread·PermaLink 3.71/5 (3 votes) Re: Nice one Abhishek sur 22:04 18 Aug '08   wow.. .so nice of you ... And thanks for your vote... Abhishek Sur Web Developer Sign In·View Thread·PermaLink 3.00/5 (1 vote) Re: Nice one Abhijit Jana 0:46 21 Aug '08   check my latest article of iis 7.0 cheers, Abhijit Check My Latest Article Sign In·View Thread·PermaLink 5.00/5 (1 vote) About business logic Nikolay Unguzov 23:57 16 Aug '08   Do not invest so much time in code obfuscation. Any good programmer or team can reproduce your business logic without even read your code. Invest more time in bug fixing and adding new futures... Sign In·View Thread·PermaLink 1.00/5 (3 votes) Re: About business logic [modified] Abhishek sur 0:02 17 Aug '08   Yes.. My stress is not on code. Its just to give idea who dont know about disassembling .NET programs. And also you if anyone wants to license a software by placing a file somewhere else, someone may easily crack.. . But if that we use dotfuscator and encrypt the path... cracker will find more difficulty. Abhishek Sur Web Developer modified on Monday, August 18, 2008 2:56 AM Sign In·View Thread·PermaLink Re: About business logic kissdznuts 9:04 28 Aug '08   If you want to get hardcore here........probably any code security recommendations given on this site could be broken by any individual(s) with enough motivation and time. You're missing the point that this article is intended to help secure code from the intended users of the software. For those of us who don't have access to enterprise level obfusactors or have been given time/authority to really lock down REing of code, simple ideas can go a long ways (in terms of cost and time). Any suggestions, ideas, or 'constructive criticism' are always welcome. Sign In·View Thread·PermaLink

Last Visit: 16:35 6 Jul '09     Last Update: 16:35 6 Jul '09 1