Is it secure to use a DLL for the main logic of your .NET application?

tags:

.net
dll

views:

113

answers:

+1 Q:

Is it secure to use a DLL for the main logic of your .NET application?

If a user knows almost anything about coding in .net, and they see a .dll, they have the unfortunate ability to call your public functions and subroutines. I know you could try a "key" system, where it will check for a certain "key" as an argument, and only run the code if the "key" is valid, but I just ran some code and a .dll that I made, and when the .dll threw an unhandled exception, it showed me the contents of the file.

How can you protect your .dlls? Should you only put code in that you are willing to risk?

+1 A:

I'm going to sidestep the actual question you asked in order to more quickly point you in the direction you need to go.

You need to look into .Net code obfuscation. Here's a good post from someone else asking essentially the same question, but in different terms:

http://stackoverflow.com/questions/2525/best-net-obfuscation-tools-strategy

Edit - added

Here's a good article on the issue you're asking about.

http://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/080404-1.aspx

And @Mitch Wheat is right. Obfuscation will only get you so far. But it's a start. If you're going to be redistributing your dll's, you'll need to get used to the idea that someone persistent enough is going to crack them.

David Stratton 2009-09-21 03:08:53

Will that also obfuscate the functions and subroutines?

Cyclone 2009-09-21 03:10:52

I'm going to have to advise you to read the article at the second link rather than answer that. The article covers the topic much more clearly than I can in a few posts or an answer here, and it sounds like you need to look at the basics of the topic. (no offense).

David Stratton 2009-09-21 03:16:27

+9 A:

Nevermind calling existing methods etc. Reflector will decompile the code!

Obfuscation will get you so far, but to protect critical IP you need to host it on a secure server that you control.

Mitch Wheat 2009-09-21 03:09:05

Is Reflector even legal?

Cyclone 2009-09-21 18:45:12

+2 A:

Be aware that there is no difference between a .NET DLL and an EXE file when it comes to ability to decompile or re-use in other applications.

Your question implies that putting all of your code in an executable is somehow safer, this is a big misconception.

Both are assemblies, so it is equally simple to instantiate and use publicly visible types in an executable, as it is with a DLL assembly. (As an example. in Visual Studio go to: Add Reference, Browse, and then notice that 'exe' is a valid component to reference.)

So the question is really more general: is it safe to deploy .NET assemblies of any type to your customers? As another answer says, the only guaranteed safe approach is to not deploy at all, but keep the assemblies on your own server (eg develop a web application).

Obfuscation will not stop someone from accessing your code, just make it harder (for a while) for them to understand it.

Ash 2009-09-21 03:42:32

A small question

Is you application a web application or a C# (windows forms/command prompt) application.

If it is a web application, you can put the logic which you want to hide in a web service hosted on some other URL not accessible to public.

Also if it is a windows application, you can still obfuscate the dll. But remember, you can make the hackers difficult to decompile but not impossible. I also had a similar question in the link below.

http://stackoverflow.com/questions/1276237/preventing-decompilation-of-c-application

You have to weigh the benefits of decompilation over the business returns of hiding/leaving the code as it is.

Hope this helps.

Kalpak 2009-09-21 03:56:22

ansaurus

tags:

views:

answers:

Is it secure to use a DLL for the main logic of your .NET application?

related questions