views:

385

answers:

6

Almost all .NET assemblies can be decompiled using Reflection, which means that all .NET products are open source, since the code can easily be used by other developers. Isn't there a way to encrypt the code (at least for some security logic) so that it cannot be easily cracked or misused?

Edit

The old question, "Is winforms .net really equal to open source?", was edited considering comments regarding proper use of the word Open Source.

+1  A: 

Anything can be reverse-engineered. While .NET assemblies can be more easily decompiled there are many obfuscators available to make the code harder to understand.

There isn't any good way to encrypt the code that you are shipping to customers. At some point the code must be decrypted in order to run and that means that the client machine must have the ability to do this. If the client machine has the ability to decrypt the code then so does anyone else who has access to the machine.

This problem is not unique to .NET assemblies - any application is susceptible to decompilation. If the security of the original source is your main concern then perhaps a web-based application (like a website or web service) would be better as you would be able to isolate the assemblies from the outside world.

Andrew Hare
Obfuscators, of course, don't prevent decompilation and thus allow analysis of logic, although they make it harder by making method, variable, and namespace names meaningless (as opposed to having an English meaning). Obfuscators are OK, but for true logic protection you want to encrypt and protect the assembly.
Michael Bray
+9  A: 

No

All code can be reverse engineered, copied, cloned, reused, relinked and other things. What open source means is that it is free in the legal sense from restrictions, so people can learn from the code. This also means technology can grow and a stronger long-term tech economy can be created, rather than short-termism. Read the "Cathedral and the Bazaar" for a biased but relevant point of view.

I am not aware of a sufficiently strong code protection method that isn't just high obfuscation and is only security through obscurity. Your question alone says you need to know more about the topic you are asking about by reading and researching the technical, logical and possibly the philosophical qualities of the question's intent.

Edit: I stand by my principle even though the use of the term "Open source" was retracted.

Aiden Bell
Harsh..........
Robert Harvey
Yeah a bit harsh I think too... I think the OP misused the term, but it wasn't the point of his question. He's trying to find a way to prevent others from seeing the code he has written. See my answer for some programs that truly protect the MSIL from decompilation.
Michael Bray
Not supposed to be harsh, I just hate seeing people looking at software like a lockable item .. when it isn't .. even DRM is crap. It is the strategic advantage of what the software does, and for whom, and the business model that counts.
Aiden Bell
It sounds like your assertion is that Intellectual Property should not be protected for the benefit of the creator? That all source code should be open so everyone can learn from it? That would be nice, but not practical in a capitalistic society.
Michael Bray
I'm pro capitalist. But you don't see buildings without plans, cars that you can't take apart or patents granted without published details ...
Aiden Bell
Ok then... tell me the formula for Coke... or the ingredients in the special sauce on a Big Mac?? They are called 'trade secrets' and they ARE protectable. The items you mention provide no benefit to protecting them, which is why they are open.
Michael Bray
@Michael Bray - But I do appreciate that my answer is slightly off-topic considering the subsequent clarification ... but I still assert my point about the economics of software and some areas of IP being misunderstood and mismanaged.
Aiden Bell
I'm not saying that all things should be un-protected. Just that software is an odd case.
Aiden Bell
Peace. :) ...15 character padding...
Michael Bray
@Michael Bray ;) ... That was a good comment-discussion-run ... not had one that long before!
Aiden Bell
Aiden: The *definition* of the word "patent" is "to make open". A patent without published details would be a contradiction in terms.
Ken
@Ken Good to know. Makes sense to me.
Aiden Bell
But obtaining a patent for all applications and code is not possible, as it involves a long (maybe) process.
Thunder
@Thunder, I am not saying people should patent everything, or anything. Just making a point about the way IP and software is treated.
Aiden Bell
+4  A: 

There are tools that can encrypt .NET Assemblies, preventing decompilation with Reflector and similar tools. They also perform a number of related services such as obfuscation, protection of embedded resources, etc. Two I know of:

RemoteSoft Salamander Suite
XHEO DeployLX

Michael Bray
+1, purely for providing an answer that will be helpful ;)
Aiden Bell
A: 

Obscurity can never help you forever...

Your code that is decompiled may or may not have useful variable/class names and it definitely won't have comments, and of course the copyright still belongs to you.

So legally you can't use decompiled programs in any way (or even decompile them), and I'm sure there is some option (if not on by default) you can use for basic obscurity, such as using var1...9999 as the variable names and class names.

Earlz
+4  A: 

"Isn't there a way so that we can encrypt the codes (at least for some security logic) so that it cannot be easily cracked or misused?"

Other people have touched on code obfuscators, but ask yourself what you're really trying to accomplish:

  • Are you trying to make your code more "secure"? Not only is security through obscurity a relatively weak strategy, you shouldn't be putting sensitive data in source code anyway! Move passwords, connection strings, etc. out of code and into a config file.

    Presumably, then, the application is secure so long as no one has access to your physical machine. You can assume if the attacker has the physical machine, all hope is gone anyway.

  • Are you trying to protect proprietary algorithms? If you don't want to shell out the money to get a patent, then the best tried and true strategy would be exposing your API through a web service on servers you control. The app makes a call into the web service -- meaning performance degrades and you have a dependency on your users having an internet connection, but at least your code is absolutely secure.

  • Are you trying to prevent users from pirating software? There are lots of posts on SO regarding licensing key systems.

Juliet
Interesting approach w/r/t exposing API as webservice... +1 for that and looking at this question from a different perspective!
Michael Bray
:( Very sad that software world is so fragile!
Thunder
I think in VB 6.0 it was a little difficult to decompile!
Thunder
+1 I agree, a SaaS approach is interesting here, but can be a nightmare if latency/constant availability is an issue.
Aiden Bell
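The web-service approach from Juliet's answer, sketched as an added example that is not part of the original thread: the algorithm stays in a process you host, and the shipped client contains only an HTTP call. The endpoint URL, port and `ProprietaryPrice` are hypothetical, and the server is hosted in-process only so the sample runs offline (assumes a .NET 6+ console project with implicit usings enabled).

```csharp
using System.Globalization;
using System.Net;
using System.Text;

const string Url = "http://localhost:5080/quote/";   // hypothetical endpoint

// Server side: in production this runs on machines you control and is never shipped.
var listener = new HttpListener();
listener.Prefixes.Add(Url);
listener.Start();
var server = Task.Run(() => Serve(listener));

// Client side: this is all a decompiler would find in the distributed assembly.
using var http = new HttpClient();
string quote = await http.GetStringAsync(Url + "?units=120");
Console.WriteLine($"Quote for 120 units: {quote}");

listener.Stop();
await server;

static async Task Serve(HttpListener l)
{
    while (l.IsListening)
    {
        HttpListenerContext ctx;
        try { ctx = await l.GetContextAsync(); }
        catch when (!l.IsListening) { break; }       // listener stopped: exit cleanly

        string body;
        // The client is untrusted: validate every input before running the algorithm.
        if (!int.TryParse(ctx.Request.QueryString["units"], out int units)
            || units is < 1 or > 100_000)
        {
            ctx.Response.StatusCode = 400;
            body = "bad units";
        }
        else
        {
            body = ProprietaryPrice(units).ToString("F2", CultureInfo.InvariantCulture);
        }

        byte[] bytes = Encoding.UTF8.GetBytes(body);
        await ctx.Response.OutputStream.WriteAsync(bytes);
        ctx.Response.Close();
    }
}

// Stand-in for the logic worth protecting; it exists only in the server process.
static decimal ProprietaryPrice(int units) =>
    units * 9.99m * (units >= 100 ? 0.85m : 1m);
```

Only inputs and outputs cross the network, so the client can still observe behaviour but not the implementation; caller authentication and licensing are left out of this sketch.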
A: 

If you need open source, try the Mono framework, although part of it has a portion that has not been published by Microsoft as part of the Common Language Infrastructure (CLI). For your answer: NO, you cannot use or reuse/publish it in part or as a whole anywhere. You can also look at Rotor, the Shared Source Common Language Infrastructure 2.0, which is open source and managed by Microsoft, but it does not contain the Windows Forms namespace, just the CLI. It is for learning and research purposes only. Microsoft also publishes its code under the MPL at CodePlex. Please read the license carefully; even for open source there is a difference between GPL and LGPL too. Reverse engineering for learning purposes is, I think, OK, e.g. in case some issue comes up that is not in your code and you might like to debug it. For that purpose Microsoft has allowed use of its framework source directly from its symbol server. You can configure Visual Studio to download source and symbols for any .NET Framework and debug it to see how and what happens in the framework code. Here is a very good article on how to do that at Shawn Burke's blog.

affan
If you want to hide your code, which even most vendors don't, you can use obfuscators as mentioned by Andrew and Michael. I believe there is no point in using obfuscators, because many people use Reflector or reverse engineer with the intention of troubleshooting.
affan