[Mono-list] Security Madness
Richard Norman
normri@samc.com
Wed, 19 Jan 2005 15:32:01 -0800
--=__PartCBEB69E1.0__=
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
You could use some obfuscation utilities that change the names in the
code and so on so that it is very impractical to reverse engineer the
code with the obfuscated names.
http://www.devsource.ziffdavis.com/article2/0,1759,1604464,00.asp
http://toolbar.search.msn.com/results.aspx?q=.NET+obfuscation&FORM=QBRE
Most of the really good tools cost money, but you can do it and still
have it be a valid assembly.
So if they mean "by any means necessary" spend money, then here you
go.
Maybe this will work for you too...
Richard Norman
Web/Application Developer
*********************************************
Message: 2
From: Matthew Metnetsky <met@uberstats.com>
To: Mono List <mono-list@lists.ximian.com>
Date: Wed, 19 Jan 2005 11:36:26 -0500
Subject: [Mono-list] Security Madness
I have one assembly, that when compiled is no more than 11kb's, but it
contains code that manages our Universities authentication plus some
more annoying things. I've been asked to find a way to obfuscate this
assembly my any means necessary.
I've thought of a couple ways, which all seem like pure madness. What
do you all think?
1) Maintain an encrypted copy of the assemblies CIL code that is
reachable via Http for quick download and compilation. Every time the
application started it would grab the file, descrypt, and compile into
the current AppDomain.
2) Similar to the previous option... maintain an encrypted copy of
each
file that makes up the assembly for retrieval and compilation into the
current AppDomain.
3) rewrite the entire assembly so that it's generated real time by a
Codedom into the current AppDomain.
4) Make use of assembly signing and loading permissions, which don't
seem to keep people from reworking the code to CIL.
So.... what should I actually do? The above options seems absurd, but
I've been asked to take absurd measures.
~ Matthew
--=__PartCBEB69E1.0__=
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Description: HTML
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-125=
2">
<META content=3D"MSHTML 6.00.2900.2523" name=3DGENERATOR></HEAD>
<BODY style=3D"MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>You could use some obfuscation utilities that change the names in the =
code and so on so that it is very impractical to reverse engineer the code =
with the obfuscated names.</DIV>
<DIV> </DIV>
<DIV><A href=3D"http://www.devsource.ziffdavis.com/article2/0,1759,1604464,=
00.asp">http://www.devsource.ziffdavis.com/article2/0,1759,1604464,00.asp</=
A></DIV>
<DIV> </DIV>
<DIV><A href=3D"http://toolbar.search.msn.com/results.aspx?q=3D.NET+obfusca=
tion&FORM=3DQBRE">http://toolbar.search.msn.com/results.aspx?q=3D.NET+o=
bfuscation&FORM=3DQBRE</A></DIV>
<DIV> </DIV>
<DIV>Most of the really good tools cost money, but you can do it and still =
have it be a valid assembly.</DIV>
<DIV> </DIV>
<DIV>So if they mean "by any means necessary" spend money, then here you =
go.</DIV>
<DIV> </DIV>
<DIV>Maybe this will work for you too...</DIV>
<DIV> </DIV>
<DIV>Richard Norman</DIV>
<DIV>Web/Application Developer</DIV>
<DIV> </DIV>
<DIV>*********************************************</DIV>
<DIV> </DIV>
<DIV>Message: 2<BR>From: Matthew Metnetsky <<A href=3D"mailto:met@uberst=
ats.com">met@uberstats.com</A>><BR>To: Mono List <<A href=3D"mailto:m=
ono-list@lists.ximian.com">mono-list@lists.ximian.com</A>><BR>Date: =
Wed, 19 Jan 2005 11:36:26 -0500<BR>Subject: [Mono-list] Security Madness</D=
IV>
<DIV> </DIV>
<DIV>I have one assembly, that when compiled is no more than 11kb's, but =
it<BR>contains code that manages our Universities authentication plus =
some<BR>more annoying things. I've been asked to find a way to =
obfuscate this<BR>assembly my any means necessary.</DIV>
<DIV> </DIV>
<DIV>I've thought of a couple ways, which all seem like pure madness. =
What<BR>do you all think?</DIV>
<DIV> </DIV>
<DIV>1) Maintain an encrypted copy of the assemblies CIL code that =
is<BR>reachable via Http for quick download and compilation. Every =
time the<BR>application started it would grab the file, descrypt, and =
compile into<BR>the current AppDomain.</DIV>
<DIV> </DIV>
<DIV>2) Similar to the previous option... maintain an encrypted copy of =
each<BR>file that makes up the assembly for retrieval and compilation into =
the<BR>current AppDomain.</DIV>
<DIV> </DIV>
<DIV>3) rewrite the entire assembly so that it's generated real time by =
a<BR>Codedom into the current AppDomain.</DIV>
<DIV> </DIV>
<DIV>4) Make use of assembly signing and loading permissions, which =
don't<BR>seem to keep people from reworking the code to CIL.</DIV>
<DIV> </DIV>
<DIV>So.... what should I actually do? The above options seems =
absurd, but<BR>I've been asked to take absurd measures.</DIV>
<DIV> </DIV>
<DIV>~ Matthew</DIV>
<DIV> </DIV></BODY></HTML>
--=__PartCBEB69E1.0__=--