I brought up a point about obfuscation in another question to which someone replied "obfuscation doesn't stop much".

Rather than start a debate in comments on there, I wanted serious community answers as to how safe my code is when obfuscated with X, Y or Z obfuscator, and if any obfuscation tools truly get the job done.

I'm also interested in any explanation given to garner some basic understanding of how an obfuscator works.

From my understanding, obfuscation cannot prevent reflection and detecting methods etc. but it makes the code within the methods less readable by skewering variable names. Is that wrong? What else does it do?

+5  A: 

Obfuscation can never be truly secure since it's always possible to look at the MSIL. Even with a good obfuscator, people could reproduce most of your code simply from the MSIL, and since you have no choice but to compile to MSIL, there really is nothing you can do.

Stephan
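
An added illustration of the point about MSIL and reflection (not code from the answer above or from any obfuscator): the class `a` and its members are constructed to look like the output of a renaming obfuscator, and ordinary reflection still lists the signatures and the raw IL bytes.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Constructed stand-in for renamer output: meaningful names are gone,
// but the method bodies and signatures are unchanged.
public sealed class a
{
    public int b(int c) { return c * 3 + 7; }
    private string d(string e) { return e.ToUpperInvariant(); }
}

public static class Program
{
    public static void Main()
    {
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.DeclaredOnly;

        foreach (MethodInfo m in typeof(a).GetMethods(all))
        {
            // Signatures survive renaming: the runtime needs them to bind calls.
            string sig = string.Join(", ",
                m.GetParameters().Select(p => p.ParameterType.Name + " " + p.Name));
            Console.WriteLine("{0} {1}({2})", m.ReturnType.Name, m.Name, sig);

            // The IL body is still in the assembly, byte for byte.
            MethodBody body = m.GetMethodBody();
            if (body == null) continue; // abstract or extern methods have no IL
            byte[] il = body.GetILAsByteArray();
            Console.WriteLine("  {0} bytes of IL: {1}", il.Length,
                BitConverter.ToString(il));
        }

        // Private members remain reachable through reflection as well.
        MethodInfo hidden = typeof(a).GetMethod("d",
            BindingFlags.NonPublic | BindingFlags.Instance);
        Console.WriteLine(hidden.Invoke(new a(), new object[] { "still here" }));
    }
}
```

Renaming removes the hints a reader gets from identifiers; the arithmetic, call targets and control flow are all still present in the IL that this prints.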
+1  A: 

There are ways of doing this sort of thing - for example, have you ever tried running Reflector on itself?

At the end of the day, if you have commercial software, people are going to pay for it to get a supported version whether they can see the source code or not - that's how many open source projects make their money. Obfuscation is basically what it says - it makes the code harder to understand, but doesn't actually hide it. Whether it's worthwhile or not is something you have to judge on a case-by-case basis.

If you're selling software to corporate customers, my view is it isn't worth the bother. If you're selling to retail customers and really want to hide the code, then perhaps .NET isn't the answer.

David M
A: 
Joel Coehoorn
A: 
Gavin Miller
A: 

Here is an article that I wrote, published in the ISSA Journal, on “Assessing and Managing Security Risks Unique to Java and .NET” - this is a PDF file but it covers obfuscation and a number of related techniques. More importantly, it covers the process of mitigating these risks and some suggestions on how to align all of the above with the materiality of those risks to your specific circumstances.

Sebastian