This is a showcase review for our sponsors at The Code Project. These reviews are intended to provide you with information on products and services that we consider useful and of value to developers.
Most .NET software projects can easily be tampered, exposing your software to security risks and theft of intellectual property. Most protection schemes offered on the market do not adequately protect your code. In this article you will learn about the different techniques used to protect .NET code and determine what is the best protection for you. 9Rays.Net offers a free, fully functional evaluation version of their Spices.Net Obfuscator. Or better yet, download a trial version of the Spices.Net Suite for a complete package of tools for protecting and optimizing your code.
With the increase in high speed internet connections, the days of delivering software via CD's and DVD's are quickly disappearing with many customers (estimated to be more than 50%) choosing to download software online or to use Software as a Service. While the convenience of online distribution is clear (almost instant gratification for the user), developers are faced with a number of challenges to ensure that their code is not tampered with or intellectual property stolen. Some of the security challenges that .NET programmers face from hackers/pirates include:
- Easy reverse engineering/decompilation of assembly code to Microsoft Intermediate Language (MSIL is very informative) or high level languages (C#, VB.NET, C++). This allows viewing of sensitive proprietary information such as algorithms, architecture, and parts of code
- Ability to roundtrip (disassemble code with ILDASM (.NET disassembler), make changes (remove licensing, remove copyrights) and assemble changed code with ILASM (.NET linker)
- Tampering-spoofing of code to create additional "back door" keys allowing unauthorized access to corporate data and assets
- Protection of big, complex team projects
The same, easy to use decompiler tools such as Spices.Decompiler that will save the day when you've lost your source code after a server crash, will also allow unauthorized persons to decompile/disassemble unprotected .NET assemblies from binary format to well-formed and optimized source code (6 languages: MSIL, C#, VB.NET, Delphi.NET J# and managed C++). As a result, developers need a solution to protect their .NET code.
History of Obfuscation
First generation protection schemes called Obfuscators appeared in 2002. These first generation obfuscation products offered a way to secure .NET code by simply changing assembly member names to meaningless names thereby protecting the code from prying eyes. However, these techniques were quickly hacked by manually renaming the meaningless names back to something more readable. In addition, these protection schemes did not prevent the ability to roundtrip or prevent tampering/spoofing of code (see above). It became clear that a useful .NET Obfuscator should provide a more complete security solution, not just obfuscating code but also solving the problems of tamper-proofing, data security, and code protection (more on this later).
Obfuscation vs. Full Encryption
Techniques other than obfuscation are also available on the market. Complete encryption of the executable code is one such technique. While in theory the code is more secure, the primary disadvantage is that all of the benefits of compatibility offered by .NET JIT (just in time) compiling to multiple different hardware platforms disappear. Now the developer is forced to create multiple encrypted versions of the executable code making distribution and installation significantly more complicated. As a result, support costs go up significantly and customer satisfaction goes down as users experience frustration trying to get the product to work.
Next Generation Protection
9Rays.NET realized that due to the limitations created by full encryption techniques (loss of platform independency), Obfuscation was the superior approach but that the level of security of first generation Obfuscation products needed to be improved significantly in order to provide complete protection of .NET code. As a result, 9Rays.Net developed a number of patent pending innovations in subsequent versions of Spices.Net Obfuscator that led to the creation of a next generation of Obfuscation technology protection.
String Encryption and Resource Protection
To completely protect your assembly, all parts of the project need protection. Obfuscation protects the metadata, but what about "sensitive" string information contained in the code as well as the need to protect the managed resources? The IL-code format enables hackers to easily extract string information from .NET code and quickly analyze it to find the most interesting parts such as passwords, customer information, licensing information, and other sensitive corporate data. String Protection offers protection for strings by encrypting and compressing the information. The Resource Protection technology protects managed resources by encrypted resource names so that they can't be determined if the assembly is altered. The Resource Protection feature is part of the patented TamperProof technology from 9Rays.Net that allows the developer to protect all of their assets - code, metadata, and managed resources.
Recognizing that the real solution for tamper proofing was to prevent the tampered code from working at all, 9Rays.Net developed techniques that caused the ILASM and ILDASM (Microsoft Intermediate Language Assembler and Disassembler) to be unable to assemble or disassemble code protected by Spices.Net. Tampered versions of software protected by Spices.Net Obfuscator will not work as they are completely uncompilable.
Strong Name Technology
While Microsoft has provided strong-name technology to prevent assemblies from tampering, this technology has some holes as exposed in the following CodeProject article Building Security Awareness in .NET Assemblies : Part 3 - Learn to break Strong Name .NET Assemblies that clearly explains one of the main ways of tampering with an assembly. 9Rays.Net's antiTampering Technology provides a robust solution for string encryption that protects sensitive text information from being recognized by decompilers, disassemblers, or by dumping binaries.
Modern decompilers offer "de-obfuscation" features that allows unauthorized persons to more easily decompile obfuscated code. Spices.Obfuscator provides an Anonymizer technology that anonymizes references to assembly members and makes code completely unreadable. Spices.Anonymizer is one of the key features and patent pending technologies, that offers strong protection against disassemblers and modern decompilers. It is unique feature, that solves the problem of hiding code left from obfuscation members such as properties of classes. See related article on this topic here.
Optimization – A Side Benefit of Obfuscation
Optimization is one of the key features of a modern Obfuscator. Optimization features allow the removal of unused metadata, the ability to compact metadata streams, and to optimize the structure of the metadata and code in order to increase assembly performance.
Other powerful features included with Spices.Obfuscator include a wide range of unique application lifecycle management tools that enable the architect/project manager to maximize the protection and optimize performance by checking the quality of obfuscation and determining how to optimize the architecture of the project to best balance protection and performance.
Difficult to Debug?
So the good news is that finally there is a way to really securely protect .NET code without compromising on the deployment flexibility to multiple platforms. But what about the debugging process? First generation Obfuscation products (as well as full encryption techniques) broke the link that allowed for easy code debugging. Another problem was that many protection products were not well integrated into Visual Studio requiring additional cumbersome steps to learn and use the product. Spices.Net overcame this problem by providing completely integrated plug-in modules in the Visual Studio environment allowing the protection and obfuscation process to be seamlessly integrated in the familiar Visual Studio IDE. Spices.VSIP offers embedded obfuscation into the custom build process using Visual Studio or MSBuild integration. Integration with NAnt is also included. C# or VB developers can create their own custom obfuscator using the developer API's. The Free Trial version of Spices.Net includes a MyObfuscator demo project (\SDK\SimpleObfuscator folder).
Finally, Spices.Net is unique in its ability to handle the protection of very large software projects. Spices.Project and Spices.Solution can obfuscate big projects with many different configurations of projects.
Perhaps after reading this article you have some questions that didn't get answered. 9Rays.Net has a great FAQ doc that answers a lot of the commonly asked questions about Obfuscation and the Spices product suite. Take a look at these answers here.
So hopefully now you have some ideas on how to protect your code from prying eyes and theft. There really is no reason why software created by .NET needs to be exposed to security risks. The Spices.Net Suite includes all of the technology described in this article including the Spices.Obfuscator. If you would like to try the Spices.Net Suite you can try a free evaluation copy. We would love to hear your feedback. Write to us at firstname.lastname@example.org.