Obfuscators Make .NET More Secure
Dan Fergus
Some developers are uneasy about the security of .NET assemblies, specifically the executables and DLLs you build and ship with Visual Studio .NET (VS.NET). The problem is that applications in VS.NET ship as assemblies, and an assembly carries more than machine code: it contains Common Intermediate Language (CIL), metadata that describes every type, method, field and signature, and a manifest. Together, these elements give an interested party enough information to decompile your code back into something close to the C# or VB source you wrote.
But is this really a problem? This capability is nothing new. With the right tools and enough incentive, a determined attacker can reverse-engineer the native code you ship today; disassemblers and debuggers have been around for decades. What .NET changes is the cost: because CIL is a typed, stack-based language and the metadata keeps names and signatures, a decompiler can produce readable source with far less effort than it takes to recover intent from x86 machine code. But if you think .NET is the only culprit, you're wrong. Perform a Google search on "decompiling," and you'll see what I mean: tons of material on decompiling Java, whose class files carry much the same information, and other languages.
You can address this decompiling problem in three ways: put the sensitive logic in COM objects, use Active Server Pages .NET (ASP.NET), or don't use .NET. You can forget about the third choice because .NET is here to stay and will be Microsoft's flagship development platform for years to come. You'll have to use .NET, so get used to it. Putting your algorithms in native COM components and calling them through COM interop is a valid way to protect them, since a native DLL decompiles only to assembly language, but you give up managed-code advantages such as garbage collection, type safety and simple deployment for exactly the code you care most about, so this choice has disadvantages.
ASP.NET protects your intellectual property because your compiled code stays on the server; the browser receives only the rendered HTML, so the general public can't download or inspect your assemblies. I've heard it said that even this isn't safe because the Web-hosting company can access your code. That argument just doesn't wash. If you trust the Web-hosting company with your data, you have to trust it with your code. And if you don't trust anyone else, you should host the site yourself. Keep in mind that this protection covers only code that never leaves the server: assemblies you deploy to a client, and a server an attacker has already broken into, fall outside it.
Over the last few months a new weapon against hackers has arisen: obfuscation. An obfuscator rewrites a compiled assembly to make it as difficult as possible to decompile, or at least to make the decompiled code unreadable and unusable. Obfuscators use a variety of techniques to fool the enemy: renaming methods, fields and variables to short, meaningless names; giving many different methods the same name where their signatures differ, so a decompiler can't tell them apart; and creating identifiers that are illegal in C# or VB but legal in CIL, so the decompiled output won't even compile. In some cases, obfuscators also disguise the code's execution path, replacing straightforward loops and branches with a tangle of jumps that the decompiler renders as spaghetti. If your code is obfuscated, a hacker has a tough time determining what's happening when the code is decompiled. Understand the limits, though: obfuscation raises the cost of reverse engineering but doesn't make it impossible. Public types and members that other assemblies call must keep their names, string literals and anything looked up by reflection remain visible, and the program's behavior is unchanged, so anyone with a debugger can still watch it run.
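To make the techniques above concrete, here is an added example (not code from the article or from any of the obfuscator products it mentions). The LicenseCheck class is a constructed "before" sample; the class A below it is hand-written to mimic what a decompiler shows after renaming, overload induction and control-flow flattening have been applied. The names, the checksum rule and the sample keys are all assumptions made for the demonstration.

```csharp
using System;

// BEFORE: the code as a developer writes it. A decompiler recovers this
// almost verbatim from the assembly, because CIL metadata keeps every
// type, method, parameter and field name along with its signature.
public static class LicenseCheck
{
    public static bool IsValid(string key)
    {
        if (key == null || key.Length != 8)
            return false;
        int sum = 0;
        foreach (char c in key)
            sum += c;
        return sum % 7 == 0;
    }
}

// AFTER: the same logic as it might look once decompiled from an obfuscated
// assembly (hand-written here to mimic obfuscator output, not produced by
// a real tool). Names are collapsed to single letters; three unrelated
// members all share the name "a", which is legal because their signatures
// differ (vendors call this overload induction); and the if/foreach
// structure is replaced by a switch-driven state machine so the control
// flow no longer resembles the original. Real obfuscators work on CIL and
// can go further than C# allows, for example by using identifiers that are
// not legal C# or VB names at all, which this C# source cannot show.
public static class A
{
    public static bool a(string b)
    {
        int c = 0;  // current state of the flattened control flow
        int d = 0;  // index into b
        int e = 0;  // running checksum
        while (true)
        {
            switch (c)
            {
                case 0: c = (b == null || b.Length != 8) ? 4 : 1; break;
                case 1: c = (d < b.Length) ? 2 : 3; break;
                case 2: e += b[d++]; c = 1; break;
                case 3: return e % 7 == 0;
                default: return false;
            }
        }
    }

    public static int a(int b) { return b % 7; }

    public static string a() { return "a"; }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample keys: "AAAAAAAF" sums to 525 (= 7 * 75) and is
        // valid; the others fail the length or checksum test.
        string[] keys = { "AAAAAAAF", "AAAAAAAA", "short", null };
        foreach (string key in keys)
        {
            bool before = LicenseCheck.IsValid(key);
            bool after = A.a(key);
            Console.WriteLine("{0,-10} before={1} after={2} same={3}",
                key ?? "null", before, after, before == after);
        }
    }
}
```

Both classes return the same answer for every key, which is the point: obfuscation changes what a reader sees, not what the program does. To check what an obfuscator actually did to your own assembly, open the output with ildasm.exe from the .NET Framework SDK and look at the type and member names in the metadata; anything you can still read there, an attacker can read too.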
Initially, Microsoft planned to ship an obfuscator for .NET, but it decided not to. Why Microsoft decided against this isn't clear. We'll probably never know. However, this decision opened up a niche for third-party vendors. Normally, most companies would be reluctant to take on Microsoft in a product war, but without the specter of this software giant looming on the horizon, ready to stamp out competitors, at least three companies have moved in and created .NET obfuscator products.
One product is an e-book that discusses obfuscation and gives you an open source obfuscator for personal or commercial use. Another product comes in a free community edition and a professional edition with two levels of support. And a third product is sold in "lite" and enterprise editions. Each has a target audience, and each has its own tricks in the obfuscation process.
Whether or not Microsoft missed the boat by not providing a mechanism to protect .NET applications is debatable. I don't think so. But if you're concerned about the safety of your code or about someone looking inside your application, you can use one of these products.
I see the situation as an opportunity for vendors to fill a niche with products potentially much stronger than what Microsoft might have shipped. I believe in the power of the marketplace. A small, aggressive company—with its future on the line—is motivated to produce the best product possible. Already, three companies have filled the void with obfuscation products, and I'm sure you'll see more in the future.
Available Obfuscators at Press Time
Obfuscating .NET: Protecting your code from prying eyes, by Dan Appleman (PDF e-book, Desaware, 2002)
Dotfuscator from PreEmptive Solutions
Demeanor for .NET from WiseOwl
About the Author
Dan Fergus is an independent consultant specializing in Web services and .NET. Dan is a contributing editor at VSM and speaks at developer conferences around the world. You can reach him at .