2

I'm new to .NET programming, and I'm wondering - from a security perspective - whether the strong naming scheme used in .NET assemblies completely removes the need for other commonly used techniques such as packing the assembled code?

To be clear, I am talking about .NET applications running on the client side and my goal is to make sure the user (client) cannot modify the application. This is a common problem for Software and Game developers, and I know it cannot be 100% mitigated, but I'm looking for a solution that would stop most crackers.

If I have completely misunderstood the use of strong names please correct me and point me in the right direction :)

edit: I should also probably mention that I'm more concerned with the integrity of the application, not necessarily keeping the algorithms hidden/secret.

Edited to add answer thanks to CodeInChaos

So Strong Names seems to be totally broken and do not offer any security - given that the attacker has access to assemblies on a machine where he is root. Strong Names Explained and .NET Framework-Rootkits explain this.

The assemblies in the .NET Framework are placed in folders within the GAC with folder-names corresponding the signature when signed by the original author. The signatures are never verified, so if an attacker replaces a DLL from the framework with his own and places it in a "correct" folder, the attackers DLL will be accepted as legitimate. This means of course that the attacker can change the functions in the framework used for verifying strong names in .NET applications, and therefore allows an attacker to modify .NET applications with his own code.

efr4k
  • 507
  • 3
  • 13
  • Strong names are not broken. They work fine for what they were designed for. They just weren't designed for what you want them to be. – CodesInChaos Feb 19 '12 at 17:15
  • I agree you are right. However everywhere I read about them they're presented as a security feature. – efr4k Feb 19 '12 at 19:31
  • They are a security feature. Code signing is important for partial trust, and for admins who can use it to ensure code authenticity. Anybody who has write access to the GAC is already admin, and thus has full trust. But strong naming doesn't attempt to restrict the admin, which wouldn't be a security feature, but rather DRM. – CodesInChaos Feb 19 '12 at 19:35

1 Answers1

2

It's easy to change signed assemblies, it's just that they don't have a valid signature by the original author afterwards.

Strong naming helps with versioning(in particular required for installation in the GAC), and is a security feature in certain mixed trust scenarios. But it doesn't help much against people who have full rights on the comp where your program is running.

CodesInChaos
  • 12,084
  • 2
  • 41
  • 50
  • I've tried changing the assemblies of an application using Graywolf (http://digitalbodyguard.com/GrayWolf.html). However, when I try to run the application afterwards it fails because the classes are looking for assemblies signed by the original author. My modified assemblies have strong name with PublicKeyToken=null. How would an attacker overcome this? – efr4k Feb 16 '12 at 10:06
  • @ephrack Either update the places where the reference is specified, or hack the .net strong name verification code. – CodesInChaos Feb 16 '12 at 10:08
  • How would you hack the verification code? It's signed using a 1024 bit RSA key. As to updating the references I see this is a possible way, however with a large application this becomes a very daunting task. Say if you have an application with at least a 100 assemblies and a 100k lines of code, would it even be plausible? – efr4k Feb 16 '12 at 10:17
  • You don't need to break RSA. You can just find the one function in the .net framework that verifies the strongname, and substitute your own code. – CodesInChaos Feb 16 '12 at 10:18
  • 2
    @ephrack, This has been done by crackers for decades to circumvent copy protection. The game asks for the nth word on page x of the manual? Or it looks for a broken sector on the CD? Or it does some fancy code singing stuff? Does not matter, the attacker just modifies the conditional jump at the end of this check; assuming he has access to the system (e. g. a typical PC, a rooted smartphone, etc.). – Hendrik Brummermann Feb 16 '12 at 10:35
  • Okay, so long as the attacker has control over its GAC they will be able to do this. I'm accepting this answer. – efr4k Feb 16 '12 at 11:16