tags:

views:

158

answers:

3
+1  Q: 

Restricting using strong named dlls functionality

Hi, I'm trying to think of a way that prevent others using your published dlls, for example let's say you create a cool light weight winui photo processing tool that's separated into several assemblies. one of them is your precious filters.dll assembly that basically does all of the core filtering work. Once you publish your application, how can you prevent from others taking this filters.dll and using it in other projects.

I've already tried to look at the StrongNameIdentityPermissionAttribute which has a good example here but it doesn't seem to work for me, the code just works without throwing any security exceptions..

Any ideas ?

+1  A: 

One method that may work for you is to declare the the methods and classes in the filter assembly to be internal and explicitly specify the assemblies that can access it as "friends".

You do this with an assembly declaration (ususally in assemblyinfo) like:

[assembly:InternalsVisibleTo("cs_friend_assemblies_2")]

see Friend Assemblies for more info.

Also make sure you obfuscate the assembly or people can dig into the code with reflector.

John Hunter  2009-08-27 08:13:06
Note that if you're SN-ing the dependent assemblies, then the internalsVisibleTo needs to be a full assembly name [including the SN token]. But my main concern here would be that InternalsVisibleTo doesnt help much except that an obfuscator will [out of the box] generally be more agressive with internals than with publics.
Ruben Bartelink  2009-08-27 08:21:27
The internals will stop someone directly referencing the assembly and as you say the internals can also be obfuscated which is not the case with publics. If you rely on obfuscation alone your public interface is still exposed to be reused. Ultimately if the code is deployed to the customer you are fighting a losing battle.
John Hunter  2009-08-27 09:45:38
@John: Careful, that's not what I was saying - internal doesnt 'make it obfuscatable'. Most obfuscators have a switch that says 'this is my full set of assemblies' which then also obfuscates publics. As reflection can call everything down to private, there is typically a way to indicate that something shouldnt be obfuscated even if the obfuscator thinks it makes sense - either through ObfuscationAttribute or an obfuscator config setting. The value of peopel being thwarted in attempts at 'directly referencing' is worse than useless as an IP protection mechanism.
Ruben Bartelink  2009-08-28 07:47:20
+2  A: 

Strong names have nothing to do with preventing or inhibiting reverse engineering. They only serve to stop people substituting assemblies with hacked versions - and only if people havent turned off strong name verification. There's nothing to stop people taking your code, ILDASMing or Reflectoring and re-ILASMing as they see fit.

InternalsVisibleTo and friends are on an honour system at the compiler level too, so not much use for what you're looking for (although for some obfuscators, internals get more agressively obfuscated than publics by default - though this can generally be overcome). My main concern here is to point out that jsut because something is 'internal' doesnt bestow on it any magic code protection pixie dust that stops reverse engineering.

Most of this stuff re why these sort of approaches arent a solution for code protection is summarised very well in this article

There are also code protection products on the market that go beyond obfuscation which sound like the tool for the job you describe.

Ruben Bartelink  2009-08-27 08:18:47
Thanks for the info, obfuscation can (try to) protect my code from disassembling or reverse engineering, but can't help from being referenced and reused, so obfuscation is probably a must but not sufficient.
Roiy  2009-08-27 21:07:14
A: 

Don't bother worrying too much about protecting your .NET code. If you deploy it to someone elses computer, and that person wants to use or read your code, they will.

If your code is valuable enough you need to keep it on a computer you control (such as a web server) and guard against unauthorised access.

Obfuscation will only slow determined people down. Strong naming and signing is not used to protect your code, but instead to ensure that the user can confirm the code originates from who they expect it to come from (ie ensure it hasn't been tampered with).

Ash  2009-08-27 08:27:12
Isn't this like also saying don't bother turning on the firewall, if someone wants to penetrate your computer it will ..
Roiy  2009-08-27 21:14:29
@Roiy, No. The firewall in my router actually works and stops unauthorised people from accessing my network, so I'd be an idiot to turn it off. Whereas .NET code obfuscation at most will slow down someone trying to re-use/hack your code, it only protects code that is not worth someones time to de-obfuscate.
Ash  2009-08-29 17:54:23

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?