load authorized dll

[Guest]

Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.

thanks
Eugene

 

[Dave]

how do you ensure, other

people cannot create a dll D, that has the same interface, from being invoke
from your exe.

Are you loading a dynamic assembly, finding all Types that implement a certain interface defined in your assembly, and then
consuming them?

If so, just ensure that all references to your assembly must be signed with your unique key:

Find the sn.exe utility installed in "%programfiles%\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe"

Use sn.exe to generate a strong-name public/private key pair from the command-line.

sn.exe -k "c:\mykey.snk"

You can then use an assembly-level attribute to sign your main assembly (.exe) with your key:

[assembly: AssemblyKeyFile(@"c:\mykey.snk")]

Also, sign all your dynamic assemblies with this key. In your code, you can check to make sure that each assembly you load has your
public key:

public void TestLoadAsm()
{
System.Reflection.Assembly thisAsm = System.Reflection.Assembly.GetExecutingAssembly();
System.Reflection.Assembly asm = System.Reflection.Assembly.LoadFile(@"c:\TestLibrary1.dll", thisAsm.Evidence);

System.Reflection.AssemblyName dynamicName = asm.GetName();

System.Security.Permissions.StrongNamePublicKeyBlob key =
new System.Security.Permissions.StrongNamePublicKeyBlob(thisAsm.GetName().GetPublicKey());
System.Security.Permissions.StrongNamePublicKeyBlob dynaKey =
new System.Security.Permissions.StrongNamePublicKeyBlob(dynamicName.GetPublicKey());

if (!key.Equals(dynaKey))
throw new System.Security.SecurityException(asm.FullName + " has an invalid key signature.");

Type type = asm.GetType("TestLibrary1.Class1");
TestLibrary2.IClass obj = Activator.CreateInstance(type) as TestLibrary2.IClass;

Console.WriteLine("{0}: {1}", dynamicName.Name, dynamicName.Version);
Console.WriteLine(obj.GetType().FullName);
}


So, how do you stop them from plugging in a malicious assembly? Don't give them your key file.

 

[Guest]

thanks, it's very helpful. i would have a config file to determine which
assembly to look for, then load through reflection. My concern is when
someone tamper with the config file to load his/her own dll. initially i
thought that the strong name is being used in GAC, so thanks for your code
for my question

so, the problem of this is, only if someone else gets hold of my key file.
so my question is, is there any way that other people can reproduce my file?
like, deassemble my assembly, and get the [assembly:
AssemblyKeyFile(@"c:\mykey.snk")] ?

Eugene

how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe.

Are you loading a dynamic assembly, finding all Types that implement a certain interface defined in your assembly, and then
consuming them?

If so, just ensure that all references to your assembly must be signed with your unique key:

Find the sn.exe utility installed in "%programfiles%\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe"

Use sn.exe to generate a strong-name public/private key pair from the command-line.

sn.exe -k "c:\mykey.snk"

You can then use an assembly-level attribute to sign your main assembly (.exe) with your key:

[assembly: AssemblyKeyFile(@"c:\mykey.snk")]

Also, sign all your dynamic assemblies with this key. In your code, you can check to make sure that each assembly you load has your
public key:

public void TestLoadAsm()
{
System.Reflection.Assembly thisAsm = System.Reflection.Assembly.GetExecutingAssembly();
System.Reflection.Assembly asm = System.Reflection.Assembly.LoadFile(@"c:\TestLibrary1.dll", thisAsm.Evidence);

System.Reflection.AssemblyName dynamicName = asm.GetName();

System.Security.Permissions.StrongNamePublicKeyBlob key =
new System.Security.Permissions.StrongNamePublicKeyBlob(thisAsm.GetName().GetPublicKey());
System.Security.Permissions.StrongNamePublicKeyBlob dynaKey =
new System.Security.Permissions.StrongNamePublicKeyBlob(dynamicName.GetPublicKey());

if (!key.Equals(dynaKey))
throw new System.Security.SecurityException(asm.FullName + " has an invalid key signature.");

Type type = asm.GetType("TestLibrary1.Class1");
TestLibrary2.IClass obj = Activator.CreateInstance(type) as TestLibrary2.IClass;

Console.WriteLine("{0}: {1}", dynamicName.Name, dynamicName.Version);
Console.WriteLine(obj.GetType().FullName);
}


So, how do you stop them from plugging in a malicious assembly? Don't give them your key file.


--
Dave Sexton
[email protected]
-----------------------------------------------------------------------

Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.

thanks
Eugene

 

[Guest]

can this strong name be used to prevent other developer from inheriting from
my assembly as well?

how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe.

Are you loading a dynamic assembly, finding all Types that implement a certain interface defined in your assembly, and then
consuming them?

If so, just ensure that all references to your assembly must be signed with your unique key:

Find the sn.exe utility installed in "%programfiles%\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe"

Use sn.exe to generate a strong-name public/private key pair from the command-line.

sn.exe -k "c:\mykey.snk"

You can then use an assembly-level attribute to sign your main assembly (.exe) with your key:

[assembly: AssemblyKeyFile(@"c:\mykey.snk")]

Also, sign all your dynamic assemblies with this key. In your code, you can check to make sure that each assembly you load has your
public key:

public void TestLoadAsm()
{
System.Reflection.Assembly thisAsm = System.Reflection.Assembly.GetExecutingAssembly();
System.Reflection.Assembly asm = System.Reflection.Assembly.LoadFile(@"c:\TestLibrary1.dll", thisAsm.Evidence);

System.Reflection.AssemblyName dynamicName = asm.GetName();

System.Security.Permissions.StrongNamePublicKeyBlob key =
new System.Security.Permissions.StrongNamePublicKeyBlob(thisAsm.GetName().GetPublicKey());
System.Security.Permissions.StrongNamePublicKeyBlob dynaKey =
new System.Security.Permissions.StrongNamePublicKeyBlob(dynamicName.GetPublicKey());

if (!key.Equals(dynaKey))
throw new System.Security.SecurityException(asm.FullName + " has an invalid key signature.");

Type type = asm.GetType("TestLibrary1.Class1");
TestLibrary2.IClass obj = Activator.CreateInstance(type) as TestLibrary2.IClass;

Console.WriteLine("{0}: {1}", dynamicName.Name, dynamicName.Version);
Console.WriteLine(obj.GetType().FullName);
}


So, how do you stop them from plugging in a malicious assembly? Don't give them your key file.


--
Dave Sexton
[email protected]
-----------------------------------------------------------------------

Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.

thanks
Eugene