Security of code in view of disassembler

Guest

One can disassemble the code of an assembly (in say Visual C# language)
compiled by using Visual Studio .NET even if it is a Release build. This can
be done by using the disassembler "ILDASM.EXE" provided with the VS .NET. It
shows all details of the code giving vivid details of all methods,
properties, fields, classes, structs, etc. What then is the security of a
compiled assembly which is in the MSIL version? Tomorrow, anybody can copy
your idea and maybe even replace some portions of the compiled file, such as
the code security portions. Can anyone explain as to whether there is some
way out to ensure that a particular assembly could not be disassembled using
the aforesaid disassembler or some other similar utility? (Here I may point
out that an assembly converted to native code by using ngen.exe is only a
partial solution inasmuch as the resultant file cannot be stored in the
application directory but is stored in the protected cache.) Even if one
were to use a signed shared assembly, will it not be possible for someone
else to at least copy the idea if not to patch up the secured code? Any
solutions or comments?
 
Chris Priede

Rama said:
will it not be possible for someone else to at least
copy the idea if not to patch up the secured code? Any
solutions or comments?

Only comments here. I think you are worried about a non-issue.

Most useful ideas of any program are plainly visible to the user of it,
without any disassembly. If they want to copy the function, look and feel
of your program, they will. Usually, figuring out how to implement it on
their own will take less time than figuring out how you did it from
disassembled code.

Don't rely on security through obscurity and you shouldn't have much of a
security concern. For example, the most trusted crypto algorithms are
public knowledge. That does not make them any less secure -- only more
trustworthy.

Finally, this is nothing new. Native x86 code can be disassembled just as
well.
 
Fredrik Wahlgren

Rama Sharma said:
One can disassemble the code of an assembly (in say Visual C# language)
compiled by using Visual Studio .NET even if it is a Release build. This can
be done by using the disassembler "ILDASM.EXE" provided with the VS .NET. It
shows all details of the code giving vivid details of all methods,
properties, fields, classes, structs, etc. What then is the security of a
compiled assembly which is in the MSIL version? Tomorrow, anybody can copy
your idea and maybe even replace some portions of the compiled file, such as
the code security portions. Can anyone explain as to whether there is some
way out to ensure that a particular assembly could not be disassembled using
the aforesaid disassembler or some other similar utility? (Here I may point
out that an assembly converted to native code by using ngen.exe is only a
partial solution inasmuch as the resultant file cannot be stored in the
application directory but is stored in the protected cache.) Even if one
were to use a signed shared assembly, will it not be possible for someone
else to at least copy the idea if not to patch up the secured code? Any
solutions or comments?

My three pennies' worth...
Well, you can use an obfuscator. It should provide some degree of
protection. I don't think it helps much if you have come up with some kind
of algorithm that you want to protect. Let's say you come up with some kind
of new encryption algorithm. I'm pretty sure that anyone familiar with
existing algorithms would be able to decipher the code. If you have something
that you want to be better protected, you should create a COM DLL using VB6
or ATL/C++. Another approach, if everything is built on .NET, is to put your
most sensitive code on a trusted server.

/Fredrik
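
Both replies point toward designs in which nothing secret ships inside the assembly. The following is an added example, not code from any poster in this thread: a license check in which the private key stays on a trusted server and the shipped client holds only the public key, so a full ILDASM listing of the client discloses nothing that lets someone forge a license. The class name, method names and license string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Trusted server only (never shipped): signs a license with the private key.
    static byte[] Sign(RSA privateKey, string license)
    {
        return privateKey.SignData(Encoding.UTF8.GetBytes(license),
                                   HashAlgorithmName.SHA256,
                                   RSASignaturePadding.Pkcs1);
    }

    // Shipped client (fully readable in a disassembler): public key only.
    static bool Verify(RSAParameters publicKey, string license, byte[] signature)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(license), signature,
                                  HashAlgorithmName.SHA256,
                                  RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        using (RSA serverKey = RSA.Create())
        {
            serverKey.KeySize = 2048;
            // Export WITHOUT private parameters: this is all the client embeds.
            RSAParameters pub = serverKey.ExportParameters(false);

            // Constructed sample license, as the server would issue it.
            string license = "user=alice;product=demo;expires=2030-01-01";
            byte[] sig = Sign(serverKey, license);

            // Genuine license: signature matches.
            Console.WriteLine("genuine : " + Verify(pub, license, sig));
            // Edited license reusing the old signature: verification fails.
            string edited = license.Replace("2030", "2099");
            Console.WriteLine("edited  : " + Verify(pub, edited, sig));
        }
    }
}
```

This protects the secret, not the check itself: a locally patched client can still skip the call to `Verify`, which is why the thread's other suggestion of keeping the sensitive logic on the server remains the stronger option.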
 
