I am implementing a "locking" system in my app which protects my app against being copied and used illegally. The system checks the signature of a hardware-based code and expects it to be signed with a Private Key that only my company owns. (The app has got the Public Key to validate the signature.)

I want to make sure that no one changes my locking mechanism in the app, so I want to sign my app's assembly and I think it makes sense.

  1. Since I haven't seen the CLR ever talk about an assembly's signature being invalid, I want to make sure this system really works. Does it? What should I do to make it work?
  2. Can an attacker concentrate his efforts on the CLR to make it not care about my signature? That is, if he can't tamper with my code because I've signed it, can he tamper with CLR?
  3. Generally, I would like to know your experience about such safeguards and protection technologies. Can anyone suggest anything else?
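The license check described in the question, sketched as an added example (not the asker's code). It assumes .NET Core 3.0 or later and RSA-PSS with SHA-256; the class and method names, the demo key pair and the hardware codes are all constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseCheck   // hypothetical name
{
    // Vendor side: sign the customer's hardware code with the private key,
    // which never leaves the company.
    public static byte[] Issue(RSA vendorKey, string hardwareCode) =>
        vendorKey.SignData(Encoding.UTF8.GetBytes(hardwareCode),
                           HashAlgorithmName.SHA256, RSASignaturePadding.Pss);

    // App side: only the public key is embedded in the shipped assembly.
    public static bool IsLicensed(byte[] publicKeyDer, string hardwareCode, byte[] license)
    {
        using RSA pub = RSA.Create();
        pub.ImportSubjectPublicKeyInfo(publicKeyDer, out _);
        return pub.VerifyData(Encoding.UTF8.GetBytes(hardwareCode), license,
                              HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
    }

    static void Main()
    {
        using RSA vendor = RSA.Create(2048);        // constructed key pair for the demo
        byte[] embeddedPublicKey = vendor.ExportSubjectPublicKeyInfo();

        string thisMachine = "HW-CONSTRUCTED-0001"; // constructed hardware codes
        string otherMachine = "HW-CONSTRUCTED-0002";
        byte[] license = Issue(vendor, thisMachine);

        // License presented on the machine it was issued for.
        Console.WriteLine(IsLicensed(embeddedPublicKey, thisMachine, license));
        // Same license file copied to a different machine.
        Console.WriteLine(IsLicensed(embeddedPublicKey, otherMachine, license));
        // License file altered by one bit.
        license[0] ^= 0x01;
        Console.WriteLine(IsLicensed(embeddedPublicKey, thisMachine, license));
    }
}
```

The signature binds the license to one hardware code; it says nothing about whether the `IsLicensed` call itself is still present in the binary, which is the concern the answers below address.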
+2  A: 

Signing your code only allows tamper detection; it doesn't prevent it. Somebody who knows what they are doing can remove your signature and if necessary add their own.

Really most copy protection schemes are a waste of time and can be subverted, and they also tend to annoy the hell out of your paying customers. Ultimately you can't prevent somebody from modifying and running your code on hardware that they control. Just make it sufficiently difficult that it is easier to go to the purchasing department and get a check written, and that it is difficult to forget that you haven't got a licensed copy. Those who care will eventually pay, and those who don't never will.

Also note that even if you think that most people won't bother cracking your scheme, or haven't the skill to do it, it doesn't matter. Because once one person has subverted your copy protection scheme, they can make it available on a torrent site for those without the skill to do it, and it is game over.

frankodwyer
I tend to disagree. If your app is the sum total of thousands of man hours of development, is specialised and you only sell say 10 or 15 copies a year then of course you'll do anything to protect your efforts. Even if dongling discourages casual copying it's worth it.
Kev
I agree with Kev - make it hard enough and you will stop casual breaking of your licensing of the sort discussed by Joel on the SO podcast. Most companies will not download from warez sites, as they wouldn't countenance it, and would risk opening themselves to prosecution after any software audits.
mackenir
Yep - we used a protection scheme as part of the licensing of a desktop app written specifically for a customer. The agreement was they pay x for development and y per additional seat. The dongling prevented casual copying and ensured we got paid as per agreement.
Kev
That's what I said...you just need to make it somewhat difficult to copy, enough that it's easier for a company to pay. Dongling is easily subverted anyway...and even a serial number scheme will be enough to produce a reminder 'this copy is not licensed' if someone installs intending to pay later.
frankodwyer
Protection is actually a matter of both technology and psychology. One cannot ignore either of these two. You have to make it technologically hard for people to break your code, and at the same time discourage hackers by keeping a low profile and using legal barriers.
TheAgent
@Kev: If your app is extremely specialized and expensive, protect it by legal means. At that point, it's worth suing over any unauthorized copying, and if the copier feels safe from legal retribution it's cost-effective to use almost any means to break the protection. Of course, by then you can annoy the hell out of the users, since they're not making the purchasing decisions.
David Thornley
+4  A: 

Assembly signing is designed to allow applications/assemblies to reference an assembly and be sure that they get the assembly they originally referenced. If someone wanted to, they could in theory decompile your entire app and recompile with no signing (i.e., they could recompile the referencing assembly so that it referenced an unsigned version of the referenced assembly).

They would then be able to modify the code as they wanted, because the client (exe) would now reference an unsigned (or 're-signed') dll.

To make the process of decompilation and recompilation more difficult, you could try creating a mixed-mode C++/CLI assembly containing both managed and native code. But yeah... ultimately people have all your binaries to hand and with enough effort can probably get round any licensing system you think up.

mackenir
I hear that signing also helps protect the code against tampering. So that's all nonsense?
TheAgent
Well, if an assembly is signed, any change to the bytes in the assembly will mean it can't be loaded by the CLR, as the CLR will detect the changes. However, if the 'attacker' decompiles all your assemblies and then rebuilds a version of the app with no signing then they can do what they want.
mackenir
So, removing the signature of an assembly is that easy. Why would anyone use it then?
TheAgent
Well, with total control of your machine, most security measures are breachable. But being able to say that one's app needs the genuine version of AcmeAssembly.dll when that dll is provided by a third party, and might not even be installed into the GAC by one's installer, is still useful.
mackenir
I'll rely on Obfuscators and Code Protectors then. Thank you.
TheAgent
+3  A: 

There's a certain amount of misconception about signed assemblies. Assembly signing is not, as mackenir pointed out, a secure mechanism to be used to prevent your assemblies from being tampered with. The following article on CodeProject gives a pretty good treatment of the subject:

http://www.codeproject.com/KB/security/StrongNameExplained.aspx

Kev
A: 

One technique you can use to prevent tampering is to use the public key of your assembly to encrypt essential parts of your software such as application/algorithm parameters. If the public key has been changed, the decryption will not work and your app will crash.

Some obfuscators such as Crypto Obfuscator use this technique with the string encryption feature. It uses the public key of your assembly to encrypt all strings. If the public key has been changed or removed, decryption will fail and your app won't even start.

logicnp
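A sketch of the key-binding idea from the answer above, as an added example (not logicnp's code and not how any particular obfuscator implements it). It assumes .NET 8 or later, derives an AES-GCM key as the SHA-256 of the strong-name public key blob, and uses constructed byte strings in place of real key blobs; all names are hypothetical.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;

static class KeyBoundSecrets   // hypothetical name
{
    // In a real app: the public key blob of the running assembly (empty if unsigned).
    public static byte[] OwnPublicKey() =>
        Assembly.GetExecutingAssembly().GetName().GetPublicKey() ?? Array.Empty<byte>();

    // Assumption of this example: symmetric key = SHA-256(public key blob).
    static byte[] DeriveKey(byte[] publicKey) => SHA256.HashData(publicKey);

    // Build-time step: seal a parameter. Blob layout: nonce(12) || tag(16) || ciphertext.
    public static byte[] Seal(byte[] publicKey, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[16];
        using var aes = new AesGcm(DeriveKey(publicKey), 16);
        aes.Encrypt(nonce, pt, ct, tag);
        byte[] blob = new byte[28 + ct.Length];
        nonce.CopyTo(blob, 0); tag.CopyTo(blob, 12); ct.CopyTo(blob, 28);
        return blob;
    }

    // Run-time step: fails cleanly when the key blob differs from the one used to seal.
    public static bool TryOpen(byte[] publicKey, byte[] blob, out string value)
    {
        value = null;
        if (blob.Length < 28) return false;
        byte[] pt = new byte[blob.Length - 28];
        try
        {
            using var aes = new AesGcm(DeriveKey(publicKey), 16);
            aes.Decrypt(blob.AsSpan(0, 12), blob.AsSpan(28), blob.AsSpan(12, 16), pt);
        }
        catch (CryptographicException) { return false; }
        value = Encoding.UTF8.GetString(pt);
        return true;
    }

    static void Main()
    {
        byte[] original = Encoding.ASCII.GetBytes("constructed-public-key-blob-A");
        byte[] resigned = Encoding.ASCII.GetBytes("constructed-public-key-blob-B");
        byte[] blob = Seal(original, "rate-limit=250");   // constructed parameter

        foreach (byte[] key in new[] { original, resigned, Array.Empty<byte>() })
            Console.WriteLine(TryOpen(key, blob, out string v) ? v : "decryption failed");
    }
}
```

Using an authenticated mode makes a mismatched key a detectable failure rather than garbage output. As the other answers on this page point out, a check like this raises the effort needed to re-sign or strip the assembly; it does not make modification impossible on a machine the user controls.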