• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Prevent .NET application being tampered or misuse

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Programming and More

View previous topic :: View next topic  
Author Message
toughcanny
Just Arrived
Just Arrived


Joined: 06 Jan 2009
Posts: 0


Offline

PostPosted: Sun Jan 25, 2009 5:14 pm    Post subject: Prevent .NET application being tampered or misuse Reply with quote

Hi,

I am .NET developer, I have created a stand alone application (.EXE).
I want to make it secure in such way that no other person can use my application to dodge or create its replica, putting his malicious code inside and promoting his application as real one.

I have gone thorough obfuscation, strong naming but all this way I can not prevent its duplicate copy (Look and feel, functionality etc) same as of mine.

How I can force or let know my user that my application is real one, it is trusted one, it is safe to use because user can not simply find the executable they are running it actually from me or malicious one.

Your serious expert ideas / solutions required

Thanks
Back to top
View user's profile Send private message
Groovicus
Trusted SF Member
Trusted SF Member


Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Offline

PostPosted: Sun Jan 25, 2009 5:34 pm    Post subject: Reply with quote

In most cases, developers provide an MD5 hash, or an SHA-1 hash. However, that can only be used as a method of validating that a file is the same as the one released by the developer. It will not protect a file from being altered. There is nothing that can prevent me from writing an application from scratch that duplicates the look and feel of your application. There isn't very much that could prevent me from writing an application to inject code into your .exe either. It happens frequently in the malware world. In fact, there is one worm going around right now that injects itself into services.exe:
http://news.bbc.co.uk/2/hi/technology/7832652.stm
Back to top
View user's profile Send private message Visit poster's website
capi
SF Senior Mod
SF Senior Mod


Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Offline

PostPosted: Sun Jan 25, 2009 5:49 pm    Post subject: Reply with quote

As Groovicus said, your best effort is to make sure people get the application from an official source (e.g. your website).

You should divulge hashes for your official releases. You can also sign your official releases with your private OpenPGP key, and divulge the signatures (along with your public key) on your website.

This way, even if your users obtain the EXE from some other source (e.g. download.com or some friend), they can still verify that it hasn't been tampered with. Your users can verify whether the EXE they have is a valid one, by verifying the signature against your public key, or by comparing the hash for the EXE they have with the valid hash on your website.

This is all, unfortunately, opt-in from the side of the users. They must consciously verify the file to make sure it's valid. You could make your software check its own signature, but then of course a malicious attacker could write a similar-looking software that didn't do the check.

In the end, the responsibility lies with the user to check the provenience of whatever software he runs on his computer, and to choose whether or not to trust the source.
Back to top
View user's profile Send private message
toughcanny
Just Arrived
Just Arrived


Joined: 06 Jan 2009
Posts: 0


Offline

PostPosted: Mon Jan 26, 2009 10:48 am    Post subject: Reply with quote

Thanks Groovicus and capi, so it means user becomes the part of responsibility. Developing touchy application makes good developer responsibile to keep his eyes on security risks so thats make me a bit worried about such creeps.

To divulage hashes and signature / thumbs prints on the website to tell user will be beneficial. Another way is to put all your core thing inside a dll/assembly then strongname it and your application using that strong name but still malicious user creates its own program will bypass this thing, create duplicate program keeping program name same but assembly strong name different...

But just a thought that there should be proper solution for touchy security related applications at operating system level to ensure and tell operating system that now I am installing abc.exe and its thumbprint or crc or digital sign or hashes or signature is xxxxxxxx, now for life time of operating system that file can not be change or alter. only can uninstall but can not reinstall with same name and has to get new copy with new signature or hashes, in this way user and operating system will get to know that now that is real file, this enforement and limitation atleast bring peace of mind or more security level Smile

Thank you
Back to top
View user's profile Send private message
capi
SF Senior Mod
SF Senior Mod


Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Offline

PostPosted: Mon Jan 26, 2009 3:08 pm    Post subject: Reply with quote

The thing is, there is always going to be a compromise between security and flexibility.

The behavior you describe, for example, would be considered unacceptably invasive by many people. It basically means I would be unable to uninstall your application and install a competitor's, if one of its files happened to have the same name as one of yours. It is my computer, my freedom to choose exactly what goes on in it.

There are two schools of thought in this, as always. One can go in the direction of invasive OSes such as Vista, which is to treat the user's machine progressively more and more as though it doesn't actually belong to him. The software is in control and the user is "allowed" to do a few things.

Then there is the other direction, where software sits back and lets the user be in control. My machine, my software. For those of us who care about our fundamental freedom to do whatever we please with the machine we own, the difference is obvious.
Back to top
View user's profile Send private message
toughcanny
Just Arrived
Just Arrived


Joined: 06 Jan 2009
Posts: 0


Offline

PostPosted: Tue Jan 27, 2009 8:58 am    Post subject: Reply with quote

Yes you are right. But in this case for very touchy and secured application in which just a minor injection or temper could ruin user's important thing...

At the cost of flexibility user is going to lose many thing. In my view there is no use of computer and his important data for him when actually now this precious computer and his valuable data is not only his. Some one also sharing which user never want to even doesn't know about.

Giving power to only user in case of any change or uninstall with same sign etc could only benefit it or some other way of implementation. I am not talking about general application but for very specific and toucy application that will deal with user's important things.
Back to top
View user's profile Send private message
KNRGoodMood
Just Arrived
Just Arrived


Joined: 24 Feb 2009
Posts: 0


Offline

PostPosted: Wed Feb 25, 2009 10:25 am    Post subject: Reply with quote

toughcanny, there's one thing that may help.

Nobody can protect the software from everything.
But in practice, with enough effort, you can make harmful attempts as much troublesome and difficult, so that you will hardly suffer from any intrusion unless your application will become extremely popular / desirable for someone to break.

For instance, as one of measures, you may create some checksum, based on some features of the machine you want your app run on, sign it by some online service and make your application check the signature in some sophisticated way upon execution.
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Programming and More All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Looking for more Windows Networking info?

Sign up to the WindowsNetworking.com Monthly Newsletter, written by Enterprise Security MVP Deb Shinder, containing news, the hottest tips, Networking links of the month and much more. Subscribe today and don't miss a thing!
View a sample newsletter.

Become a WindowsNetworking.com member!

Discuss your Windows Networking issues with thousands of other Windows Newtorking experts. Click here to join!

Community Area

Log in | Register

Readers' Choice

Which is your preferred data recovery solution?

Follow TechGenix on Twitter