tags:

views:

1664

answers:

2
+6  Q: 

Checking an assembly for a strong name

Is it possible to check if a, dynamically loaded, assembly has been signed with a specific strong name? Is it enough / secure to compare the values returned from AssemblyName.GetPublicKey() method?

Assembly loaded =
    Assembly.LoadFile(path);

byte[] evidenceKey =
    loaded.GetName().GetPublicKey();

if (evidenceKey != null)
{
    byte[] internalKey =
        Assembly.GetExecutingAssembly().GetName().GetPublicKey();

    if (evidenceKey.SequenceEqual(internalKey))
    {
        return extension;
    }
}

Can't this be spoofed? Not sure if the SetPublicKey() method has any effect on a built assembly, but even the MSDN documentation shows how you can use this on a dynamically generated assembly (reflection emit) so that would mean you could extract the public key from the host application and inject it into an assembly of your own and run mallicious code if the above was the safe-guard, or am I missing something?

Is there a more correct and secure approach? I know if the revered situation was the scenario, i.e where I wanted to secure the assembly from only being called by signed hosts then i could tag the assembly with the StrongNameIdentityPermission attribute

Thanks

+1  A: 

There's little point in testing the strong name after the assembly got loaded. An attacker could simply inject a module constructor in the assembly and execute any code desired. The .NET 3.5 SP1 version of the framework followed suit and is no longer verifying the strong name of assemblies that get loaded from trusted locations. Improving startup times by about 40%.

Key point is: once an attacker compromises the machine to a point where he is able to inject an assembly in the probing path of your app, he won't bother doing it the hard way. He'd just replace your .exe

Hans Passant  2008-11-21 13:59:46
Actually this is a situation where extensions (in the form of assemblies) can be added to the application i.e they are loaded from a directory using Assembly.LoadFile and I only want to be able to load extensions which have been signed with the same strong name as the host application.
TheCodeJunkie  2008-11-21 14:18:28
So this isn't a case of safe-guarding an entire system or application, but restricting whom is able to write extensions to the application itself. No strong name, sorry your extension will not be loaded
TheCodeJunkie  2008-11-21 14:19:23
+2  A: 

I'll answer my own question. There is no managed way to check the signature of an assembly and checking the public key leaves you vulnerable to spoofing. You will have to use p/Invoke and call the StrongNameSignatureVerificationEx function to check the signature

[DllImport("mscoree.dll", CharSet=CharSet.Unicode)]
static extern bool StrongNameSignatureVerificationEx(string wszFilePath, bool fForceVerification, ref bool  pfWasVerified);
TheCodeJunkie  2008-11-21 16:49:01
Whatever you do can leave you to spoofing as the attacker can easily circumvent the check in your assembly and reassemble the modified IL and resign the assembly with his own key.
Mehrdad Afshari  2008-12-15 18:46:59

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?