+1  Q: 

Protect assembly?

I have a .NET DLL (C#/VB) with custom controls, extensions and other stuff.

I want it to be available to me only. Is there any way to restrict unauthorized access to a DLL?

+2  A: 

Well, do not redistribute the assembly in the first place. As soon as the assembly is out in the wild, anybody can use it. You can make this harder by obfuscating it, but "entry points" will still be there and usable.

Theoretically, you can do something with CAS, but I'm not particularly sure this is at all possible.

Anton Gogolev
It's not in the wild yet, I am looking for a way to restrict it before it reaches there...
Shimmy
CAS won't protect you from someone with full trust. CAS is not intended to enforce component licensing, and therefore won't do a good job at it.
erikkallen
A: 

You have to add checks in the DLL to verify that the caller is you. But that raises other challenges:

How do you prove that you are you to a DLL? (You could check for something simpler like the current username, but that may not be perfect.)

You could require that the exe file is signed by your certificate.

Arve
How can I create those 'Checks'? I don't mind changing the source code of the assembly, having an internal list of authorized GUIDs, etc.
Shimmy
if (Environment.UserName != "MyUserName") throw new Exception("This function is not for you"); The certificate is more complex and not that easy to find a code sample for.
Arve
I guess I can prove that I am me because I will be using this DLL from my own code; the question is how can I identify the DLL's caller.
Shimmy
+1  A: 

Perhaps you can use licensing/copy protection tools to alter your dll. And inside the caller, you supply the required license number.

Anton Setiawan
The question is how do I identify the caller of the DLL, is this possible?
Shimmy
You can check the calling assembly with Assembly.GetCallingAssembly.
Anton Setiawan
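
An added example, not code from any poster in this thread: one way to combine the Assembly.GetCallingAssembly suggestion above with an allow-list of strong-name public key tokens. `CallerGate`, `PrivateControl` and the token value are hypothetical placeholders, and the calling exe is assumed to be strong-name signed (this is a substitute for, not the same as, the certificate check mentioned in the earlier answer).

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;

internal static class CallerGate
{
    // Placeholder value: replace with the public key token of your own signing key.
    private static readonly string[] AllowedTokens = { "0123456789abcdef" };

    internal static bool IsAllowed(Assembly caller)
    {
        if (caller == null) return false;
        byte[] token = caller.GetName().GetPublicKeyToken();
        // An assembly without a strong name has a null or empty token.
        if (token == null || token.Length == 0) return false;
        string hex = BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
        return AllowedTokens.Contains(hex, StringComparer.Ordinal);
    }

    internal static void Demand(Assembly caller)
    {
        if (!IsAllowed(caller))
            throw new SecurityException("Calling assembly is not on the allow-list.");
    }
}

public class PrivateControl
{
    // NoInlining stops the JIT from inlining this constructor into its caller,
    // which could otherwise change what GetCallingAssembly reports.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public PrivateControl()
    {
        // Must be called here, in the public entry point: inside CallerGate
        // the "calling assembly" would be this DLL itself.
        CallerGate.Demand(Assembly.GetCallingAssembly());
    }
}
```

This only raises the bar: the check ships inside the DLL, so anyone who can decompile and patch the assembly can remove it, as the other answers point out.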
A: 

You should check out the licensing infrastructure. I have no idea how to implement it, but you use it by creating a .licx file and then, I think, the build process uses the lc.exe tool to do something to embed the license.

erikkallen
+1  A: 

Your best option is to pack/encrypt/obfuscate the DLL as Anton pointed out. And then pray that nobody will go through all the hassle of unpacking it.

The usual term for this is simply "packing".

This is what game developers do with, for example, Sony's SecuROM.

But all packing programs have the same drawbacks:

  1. They can be reverse-engineered and the encryption key must be embedded in the binary.
  2. They usually cost money, and those that don't (UPX) are easily unpacked.
  3. Platform incompatibility issues can be introduced by the unpacking process.
  4. Packed binaries tend to freak Anti-viruses out.

Companies that use packers usually ship binaries that must be able to run on every thinkable computer. If you really meant it, I guess you could encrypt every single DLL shipped with a unique key and then require it be run with internet access for some challenge-response magic during the decryption phase. Overkill at any rate.

You could also make your own packer, but believe me when I say it: You don't want to go there ;)

In short, what you want is not simple to achieve even for the big players. How long does it take for a SecuROM game to show up on piratebay? So the only thing you can do is "raise the bar" and hope to go unnoticed by the good reverse-engineers.

Lastly, knowing what you're getting yourself into: Will it be worth it for you? Let's say you shipped the DLL unpacked - as it is. People will still need to reverse-engineer it to use it. Who uses undocumented 3rd-party libraries anyway? I've only done that once or twice in moments of insanity.

joveha
I don't care, it's a private program that has to be run on 10-15 machines. I'd like to read more about encrypting and accessing encrypted DLLs.
Shimmy
+1  A: 

This is not completely possible. If you want your code to run, it has to be executable. You can put in checks, packing, encryption keys, watchdogs, monitors, wardens, and various licensing schemes but at the end of the day if your code works it has to be unlocked somehow so that it can be used.

This is why DRM doesn't work. You want to protect X, but you want someone else to view it. The problem is the person you don't want viewing/using X and the person you do want using X are, at some level, the same person.

I got so fed up with dealing with 3rd party licensing code (breaking / unregistering / thinking I wasn't a legit user when I was supposed to be) that I became an FSF member. It's not worth my time to work around someone else's restrictions, and it's not worth my time to deal with them. Their code wasn't all that special.

Broam