
The Increasing Need to Protect your Applications from Hackers and Competitors

2 Nov 2005, 6 min read
Using Dotfuscator to protect your .NET source code from decompilers.

This article is in the Product Showcase section for our sponsors at CodeProject. These articles are intended to provide you with information on products and services that we consider useful and of value to developers.


Introduction

The .NET™ platform is unprecedented in its degree of power and flexibility. Unfortunately, that design inherently produces a problem for those trying to hide their program’s intellectual property. .NET applications are delivered using an expressive file syntax for executable code called MSIL (Microsoft Intermediate Language). Being much higher-level than binary machine code, the intermediate files are laden with identifiers and algorithms that are immediately observable and ultimately understandable. After all, it is obviously difficult to make something easy to understand, flexible and extendable while simultaneously hiding its crucial details.

"As soon as a software program gets released, hackers and competitors are swarming over it with the latest code analysis tools. Obfuscation can put a quick end to their ability to succeed, thus strengthening security and protecting the intellectual property."

- Pete Lindstrom, research director for Spire Security, LLC.

Unprotected .NET Applications Provide Source-level Information to All

Your company's source code contains vital data: information about databases, critical algorithms and the workings of internal systems. In a well-controlled environment, only developers should have access to this source code, while the end-users are given binaries to run.

Because of the nature of .NET assemblies, however, distributing unprotected or unobfuscated binaries is essentially equivalent to distributing source code. This is because in a matter of seconds free decompilers can easily recreate source code from an executable, unless steps are taken to prevent it.

Let’s explore the extent of information exposure by examining some code. The following table compares binaries that have been run through decompilers. On the top is code from a binary that was not obfuscated, and on the bottom is an example of what a decompiler might generate when encountering the strongly obfuscated code created by using Dotfuscator Professional Edition.

Decompilation Output

Unobfuscated Code

C#
string myConnectionString = "Initial Catalog=Northwind;" + 
    "Data Source=localhost;" + "User ID=sa;" + "Password=password"; 
SqlConnection myConnection = new SqlConnection(myConnectionString); 
string mySQL = "INSERT INTO Employees" + "(FirstName,LastName) VALUES " + 
    "('J','Smith')"; 
SqlCommand myCommand = new SqlCommand(mySQL,myConnection); 
myConnection.Open(); 
myCommand.ExecuteNonQuery(); 
myCommand.Connection.Close(); 

Obfuscated Code

This item appears to be obfuscated and can not be translated.

System.NotSupportedException: break at offset 00CE can not be translated 
into an expression. 

Clearly, a reader can retrieve important information very quickly from an unobfuscated .NET program, even if it is not quite as obvious as the example above. This allows an attacker to further understand the inner workings of an application and its underlying network. The more code the attacker understands, the greater the possibility that he or she will find a security vulnerability. By removing context, obfuscation techniques can provide another layer of defense against hackers.
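A pre-release check for the exposure shown in the table above, as an added example (not from the original article or from PreEmptive): .NET stores string literals as UTF-16LE text inside the assembly, so a build step can scan your own output for connection-string passwords before it ships. This is a heuristic byte scan rather than a metadata parser; the function names and the sample bytes are constructed for illustration.

```python
import re

# A run of printable ASCII characters, each followed by 0x00, is a candidate
# UTF-16LE string literal (the encoding .NET uses for literals in an assembly).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Connection-string keys that should never ship with a literal value.
SECRET_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]+)")


def utf16_literals(blob: bytes):
    """Yield (byte offset, decoded text) for each printable UTF-16LE run."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def audit(blob: bytes):
    """Return (offset, matched keys, redacted literal) for risky literals."""
    findings = []
    for offset, text in utf16_literals(blob):
        keys = [m.group(1) for m in SECRET_KEY.finditer(text)]
        if keys:
            # Redact the value so the report itself does not leak the secret.
            findings.append((offset, keys, SECRET_KEY.sub(r"\1=***", text)))
    return findings


# Constructed sample: the article's two literals as they would sit in a build
# output, separated by non-text filler bytes. Not taken from a real assembly.
CONN = ("Initial Catalog=Northwind;Data Source=localhost;"
        "User ID=sa;Password=password")
SQL = "INSERT INTO Employees(FirstName,LastName) VALUES ('J','Smith')"
SAMPLE = (b"\x7f\x91" + CONN.encode("utf-16-le") + b"\x01\x80\x81"
          + SQL.encode("utf-16-le") + b"\x01")

if __name__ == "__main__":
    for offset, keys, redacted in audit(SAMPLE):
        print(f"offset {offset}: literal sets {', '.join(keys)} -> {redacted}")
```

To use it on a real build, read the assembly with `open(path, "rb").read()` and fail the build when `audit()` returns any findings.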

Why Should Source Code be Protected?

By not taking a few quick steps to protect your application, your software licensing code, copy protection mechanisms, and proprietary business logic are much more available for all to see - whether it's legal or not. Anyone can peruse the details of your software for whatever reason they like. They can search for security flaws to exploit, steal unique ideas, crack programs, identify where key information resides, etc.

Corporations should disclose the inner details of applications only to the group of individuals who need to know. By exposing these details to all end-users, a company provides a significantly increased number of people with information that can be used in an attack.

With access to an unobfuscated program, a vengeful employee or hacker could decompile an application and model nefarious alterations of it. Once the alteration is identified, the insider could look for an opportunity to run the modified version. At the extreme end, this modified executable could cause important records to be deleted, surreptitiously corrupt vital data, or otherwise sabotage company operations. To view examples of malicious recompilation, see PreEmptive's demo page.

Microsoft's Choice for code protection, obfuscation and efficiency

When Microsoft sought a .NET obfuscator to protect its customers' .NET code, they chose Dotfuscator. PreEmptive Solutions is proud to include a lite version of its .NET obfuscator in Microsoft's Visual Studio .NET 2003 and Visual Studio 2005. For enterprise protection, Microsoft uses Dotfuscator Professional Edition on its .NET code. Microsoft invented .NET; to protect it they chose Dotfuscator. What better recommendation is there?

"Microsoft is excited to include PreEmptive Solutions' Dotfuscator Community Edition in Visual Studio .NET. This tool contains technology that helps developers protect their intellectual property from decompilation or reverse engineering on the Microsoft .NET platform. For commercial and enterprise applications, the superior protection and size reduction provided by an upgrade to PreEmptive's Dotfuscator professional version is well worth a look."

- Tom Button, vice president of the Developer Platform and Evangelism Division at Microsoft

Dotfuscator Professional Edition helps protect your program against hackers attempting to steal your intellectual property or find security holes in your program. It contains many important features such as Control Flow Obfuscation, String Encryption, Incremental Obfuscation, Enhanced Overload Induction, Software Watermarking and Pruning. The Professional Edition rearranges code instructions while preserving the original runtime logic. It removes the telltale patterns that decompilers use to recognize (and reconstruct) higher-level program code constructs.

A smaller application transfers, loads, and runs faster. To that end, the output from Dotfuscator Professional Edition contains a slimmer version of exactly the code required to run the application, and nothing more. The benefits to you include superior intellectual property protection, decreased application size, and better program performance. To learn more about obfuscation please see our multilingual Obfuscation FAQ page.

Dotfuscator Pro has full support for MSBuild and rich Visual Studio integration as shown below. This makes it easy to integrate into your development lifecycle.

[Image: Dotfuscator Pro integration in Visual Studio]

The Secure .NET Development Lifecycle

PreEmptive's Dotfuscator adds a new level of protection and application efficiency to your Secure .NET Software Development Life Cycle.

  1. Design System based on software requirements analysis and threat modeling
  2. Develop/Build using secure coding principles
  3. Use Dotfuscator to protect and enhance .NET code
  4. Test for security holes
  5. Deploy and monitor for breaches

"We needed to protect our intellectual property and make sure no one has access to our code within these diagnostics. We chose PreEmptive Solutions for several reasons: the level of security PreEmptive's solutions provide, the low maintenance, and the fact that we needed a solution that could work both in the .NET and Java platforms. PreEmptive Solutions was the best solution for us."

- Mats Hagberg, Method Area Manager for .NET within Volvo IT.

Be PreEmptive. Protect your code before you deploy

Obfuscation is often critical to protect internal software from prying eyes, and thus it is a key component of a layered system of information security controls. Just like makefiles, source control, and optimizers, obfuscation is destined to be a regular step in your future build processes.

When it comes to obfuscation and code protection, choose the only product that can answer yes to all of these questions:

  • Integrates seamlessly with Visual Studio?
  • Allows for rules based, fine grained configuration?
  • Allows the .NET verifier feature to function properly?
  • Removes unused Metadata?
  • Supports Pre and Post build events?
  • Provides Assembly Linking?
  • Allows Library mode to be selected on a per assembly basis?
  • Provides for automatic strong named assembly re-signing after build?
  • Uses Enhanced Overload induction to optimally obfuscate applications?
  • Integrates easily into automated build systems?
  • Supports managed C++ assemblies?
  • Provides compaction/ pruning?
  • Applies effective string encryption to hide sensitive information?
  • Provides software watermarking?
  • Includes vendor phone support?
  • Provides integrated help and automated updates?
  • Provides features that help in troubleshooting and debugging obfuscated applications?
  • Goes through Microsoft's internal security checks and testing process?
  • Performs extensive regression testing of its product on a large spectrum of applications?
  • Provides timely updates to support new versions of VS and .NET Framework?
  • Demonstrates a commitment to code protection, over many years and platforms?
  • Works with Microsoft to set new standards in obfuscation?
  • Participates as a premier member of the Visual Studio integration program?

Get Dotfuscator Professional Edition and get started protecting and improving your .NET code today.
