[Mono-list] Security Q

Joshua Tauberer tauberer@for.net
Thu, 09 Sep 2004 16:14:36 -0400


Jon Pryor's suggestion ("Well, you could always ship encrypted 
assemblies, decrypt the assemblies at runtime, and use Assembly.Load() 
on the decrypted bytes. ") sounds pretty good.  The drawbacks seem to be 
1) this would have to be done with an embedded Mono runtime, otherwise 
the decryption would be in managed code and 2) the assembly wouldn't be 
accessible for outside developers to use (i.e. it would be good if 
metadata was not encrypted).

At least the second problem could be worked around by putting the 
sharable metadata into an unencrypted second assembly (abstract base 
classes or interfaces).  No big deal there.

And, maybe I'm wrong about the first problem  (though of course it 
depends on how "secure" the assembly needs to be).  In my case, the 
decryption key would almost definitely have to be within the executable 
itself, and that doesn't seem to be a good idea with managed code, at 
least at face value.

Sijmen Mulder wrote:
> Just a suggestion, but you might write a small platform specific
> library in a native language for the copy protection part. But that
> would ruin the cross-platform thing, though.

The copy protection part definitely needs to be in native code.  A call 
to System.Security.Cryptography classes would be a dead giveaway to a 
novice programmer on where to remove a few function calls from the 
bytecode disassembly.  But, the part that it is protecting should be 
written in C#.  And then how do you connect the protector with the 
protectee?

-- 
- Joshua Tauberer

http://taubz.for.net

** Nothing Unreal Exists **