Strong-Name Signing in .exe?

B

Bill

I know how to sign my assemblies with a private key, so that the .exe of my
application tries to use only strong-named assemblies... Thus a hacker
cannot alter a dll, because the .exe will not recognize it after that.
BUT, what if the hacker alters the .exe and makes it to not ask for
strong-named assemblies, but ask for any assembly. Then the hacker can alter
whatever dll in the app he wants (and among them, my activation dll!).

Is there any solution to that? Is there a way for the dlls to work to ask
for a strong-named .exe as well? (thus completing the circle of trust....)

Thanks in advance for your help,
Bill
 
J

Joakim Karlsson

An assembly can use the StrongNameIdentityPermisison(Attribute) to
demand that the assembly that wants to create and use the types defined
in it has a certain strong name.

Regards,
Joakim
 
R

Richard Blewett [DevelopMentor]

Unfortunately if the hacker is already hacking the .exe I se no reason why they won't hack the DLL to remove the StrongNameIdentityPermission. Strong naming was not designed to solve this problem. It was to allow unique naming and to allow the runtime to detect if a compromised assembly was attempting to be loaded in the situation where the hacker doesn;t have control over the machine.

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

An assembly can use the StrongNameIdentityPermisison(Attribute) to
demand that the assembly that wants to create and use the types defined
in it has a certain strong name.

Regards,
Joakim
I know how to sign my assemblies with a private key, so that the .exe of my
application tries to use only strong-named assemblies... Thus a hacker
cannot alter a dll, because the .exe will not recognize it after that.
BUT, what if the hacker alters the .exe and makes it to not ask for
strong-named assemblies, but ask for any assembly. Then the hacker can alter
whatever dll in the app he wants (and among them, my activation dll!).

Is there any solution to that? Is there a way for the dlls to work to ask
for a strong-named .exe as well? (thus completing the circle of trust....)

Thanks in advance for your help,
Bill
Click to expand...

--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.6.13 - Release Date: 16/01/2005



[microsoft.public.dotnet.languages.csharp]
 
J

Joakim Karlsson

That's certainly true. If a bad guy has control of everything on the
box, there's nothing you can do. The StrongNameIdentityPermission and
the other security permissions are only useful if you have control of
the assemblies (or think you do) demanding them, but not over what
assemblies will attempt to call them.

You can never get 100% security without turning the machine off and
maybe read a book instead :)

Regards,
Joakim
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Anybody use Strong Name Signing? 7
Strong name signing question! 10
strong name 1
Dotfuscator and strong names 8
Install custom action fails when assembly signed w/ strong name ke 10
Strong name assemblies patching problem 5
Problem with signing assemblies using AL.exe (Strong name signing an unsigned assembly) 0
Rebuilding a GAC Strong Name assembly DLL 1

Top