Protection of .NET applications - nevertheless, what to wrap a herring in?
In spite of this review, I decided to write my own review of obfuscators, because I consider the above not only superficial, but also misleading.
One question is relevant: does this or that product really protect against removal of protection so well, given that manufacturers of obfuscators honestly warn that the assembly can still be disassembled? This is the cornerstone of the .Net application security problem. Total protection makes it inconvenient to start the assembly in different environments, while obfuscation leaves the code conditionally open. What remains is to make it harder to obtain the code, to read it, and to remove the protection.
So what we have:
There are 2 classes of programs to protect .Net applications:
- Protectors (native processor wrapper)
Such tools are usually supplied in combination with an obfuscator, which tends to be rather weak (usually offering renaming of assembly members, no more). The wrapper can be of various types; it is done most elegantly in Salamander Protector, which is also the exception to the weak-obfuscator rule (its obfuscator is of quite high quality), but there can be problems with both debugging and launching.
Representatives: CodeVeil, Salamander Protector, .Net Reactor.
Benefits: so-called inaccessibility to decompilers and ILDASM. In fact, this inaccessibility is only apparent: .Net restricts the rights of assemblies that exist only in memory, so assemblies must be stored somewhere on disk before starting, and there they become available.
Disadvantages: many problems with starting the assembly in environments with more stringent policies; antivirus products reacting inappropriately, which makes users wary of products protected in this way; and the inability to debug a protected assembly. On top of that, a protected assembly cannot be made to work in both 32-bit and 64-bit environments. It is either one or the other, although the developer can compile the program in the AnyCPU configuration to work in both. And, as already noted, the benefits are only apparent. Protector manufacturers generally recommend obfuscating assemblies before wrapping them with a protector, thereby acknowledging that the protection is vulnerable.
- Obfuscators
They provide protection methods more natural to the .Net environment, after which the assembly needs no additional add-ons or shamanism to launch and debug.
a. Stand-alone obfuscators that do not use MS services and interfaces to access metadata and to generate obfuscated assemblies; that is, they have their own metadata access engine, parsers, generators and other tools for working with .Net assemblies.
Representatives: Spices.Net Obfuscator, Dotfuscator, {SmartAssembly}
Advantages: independence from external services in choosing protection tools, a wide range and non-standard approaches to protection.
Disadvantages: as the responsible manufacturers honestly warn, the code can still be disassembled (if not by ILDASM, then by some home-made disassembler; source code for one can be taken from SSCLI or Mono).
b. Obfuscators dependent on MS services (the list here is long: running ILASM / ILDASM, access via COM, and the use of services from .Net 2.0). The functionality of these is obviously limited, because the services do not provide the opportunity to bolt on anything non-standard.
Representatives: Salamander Obfuscator, Skater.Net, Demeanor by WiseOwl (almost unknown now, although of good quality and one of the pioneers).
Advantages: I do not know, but in any case, Salamander offers a good obfuscator.
Disadvantages: instability, dependence on services, and therefore limited means (Salamander cannot work with projects containing assemblies from different platforms, for example .Net 2.0 and .Net 1.1). Plus the same disadvantages as in paragraph a).
Recommendations to developers
There are few of them: from the beginning of development, remember that the project will be obfuscated. This means that the visibility of certain members of the assembly must be regulated, that is, you must decide what is to be obfuscated and what is not. The main problem for the obfuscator is the use of reflection / serialization. .Net provides a lot of ways to call methods and access them by name, and to use classes for structured storage and reading of data. The obfuscator cannot recognize such things, so it is worthwhile to follow some rules while coding so that such cases can be excluded from obfuscation relatively easily:
- Classes that take part in serialization-reflection should be placed in a separate assembly. This is not difficult, since these classes and their members must have public visibility anyway.
- It is not difficult to declare classes that take part in serialization-reflection under a specific namespace and then exclude them from obfuscation all in bulk.
- If it is necessary to use serialization-reflection in the code, then it is better to mark such methods with special attributes.

Do not put a safe lock on a plywood door. Moderate your paranoia. It is better to study the assemblies obtained after obfuscation and check the classes and their members: have you hidden everything from an inquiring eye? Tune the settings so that everything that needs it is obfuscated and hidden. Try opening the assembly with ILDASM or Reflector and see what is visible through these products. Try to make a dump with ILDASM (if possible) and look at the generated file. This is necessary to understand how difficult it will be to make something else out of your assembly, to patch the code, or to take a piece of code with a decompiler.
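The recommendations above in C#, as an added example that is not part of the original article. The `MyApp.*` names are hypothetical, and it assumes your obfuscator honors the standard `System.Reflection.ObfuscationAttribute` (check its documentation); `FindBroken` is run against the obfuscated build to confirm that every name reached through reflection or serialization still resolves.

```csharp
using System;
using System.Linq;
using System.Reflection;
// Hypothetical namespace holding everything reached by name, so it can be excluded in bulk.
namespace MyApp.Contracts
{
    // Serialized by member name: the type and its members must keep their names.
    [Obfuscation(Exclude = true, ApplyToMembers = true)]
    public class LicenseRecord
    {
        public string Customer { get; set; }
        public DateTime Expires { get; set; }
    }
}
namespace MyApp
{
    public static class Plugins
    {
        // Looked up by string at run time, so this one method is excluded.
        [Obfuscation(Exclude = true)]
        public static string Describe() => "plugin-v1";
    }
    public static class ObfuscationSmokeTest
    {
        // Constructed list: every "Type.Member" the code resolves by name.
        static readonly string[] MustSurvive =
        {
            "MyApp.Contracts.LicenseRecord.Customer",
            "MyApp.Contracts.LicenseRecord.Expires",
            "MyApp.Plugins.Describe",
        };
        // Returns the entries that no longer resolve in the given assembly.
        public static string[] FindBroken(Assembly asm) =>
            MustSurvive.Where(entry =>
            {
                int dot = entry.LastIndexOf('.');
                Type type = asm.GetType(entry.Substring(0, dot));
                return type == null || type.GetMember(entry.Substring(dot + 1)).Length == 0;
            }).ToArray();
        public static int Main(string[] args)
        {
            // Pass the obfuscated build's path; with no argument, check this assembly.
            Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0]) : typeof(Plugins).Assembly;
            string[] broken = FindBroken(asm);
            foreach (string name in broken) Console.WriteLine("renamed or removed: " + name);
            return broken.Length; // non-zero exit code fails the build step
        }
    }
}
```

In a real project the checker belongs in a separate test project, because `Assembly.LoadFrom` returns the already-loaded assembly when the identities match.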
Now about the balance. Well, take Reflector, take Spices.Net: they are protected by a regular obfuscator, not a protector, and, as the previous reviewer wrote, everything is easily visible in WinDbg. So what? Has someone learned some secrets of Reflector (and the Pro version is not free now)? Has someone learned the secrets of Spices.Net? Yet these applications are written in pure IL without native processor code (unlike Salamander).
I also want to say a few things about testing obfuscators. If you tried a certain product and ended up with broken assemblies, it makes sense to contact the manufacturer of the product. Firstly, sorting out such problems is the manufacturer's bread and butter; secondly, there is a real chance to get a discount (if the manufacturer thinks about its customers), and, if the product is free at all, cooperation is always repaid. Give the manufacturer a chance to solve your problem; it is mutually beneficial.
Now - comparisons
I can say right away that many obfuscators were not included in the table, simply so as not to waste your time. Dotfuscator is on this list only because it is a Microsoft-promoted product, although it may not be all that it claims. The future of SmartAssembly is also unclear after its purchase by Red-Gate for $1M (IMHO, the deal was not worth it). Reflector is now rarely updated (what is good about it, apart from a wide set of plug-ins?), and the same will most likely happen with SmartAssembly. Why a company involved in SQL would get into the obfuscator-decompiler market I can't imagine (although the Obfuscator + Decompiler package is a productive approach; Salamander has it, Spices.Net has it). The market is quite specific, and many promising projects have already died on it, such as Decompiler.Net. Even Salamander's position has been shaken: for example, they never released V-Spot Elimination technology, although the author of this review writes that they are proud of it (the only question is whether they released it or not; the patent application was actually made, and implemented, by 9Rays.Net).
The comparison is as follows:
Features | Dotfuscator | Spices.Net Obfuscator | Salamander obfuscator | {SmartAssembly} |
---|---|---|---|---|
In the trial version | Effectively the Community Edition, with a minimal feature set. | Gives a complete picture and is not limited in functionality (it only marks the obfuscated assemblies with a special watermark - "Obfuscated by Spices.Obfuscator. Not for commercial use") and comes as a complete set: GUI, VS integration, MSBuild integration, console and SDK. Can be used for free to protect non-profit programs. | Limitations: a console version is provided. | Functional limitations. |
Interface, Automation, Integration | The interface is not great. In short, ugly (well, tastes differ ...). A console version is present. Rules can be applied, but this is rather confusing. There is no automation. Integration with MSBuild; integration with VS takes the form of an Add-In, which does not integrate into the build process of the current project. | It is delivered both in a GUI version as part of Spices.Net and as a console version. The GUI version provides many additional tools for exploring assemblies. There is automation: a C# example is provided showing how to write your own obfuscator using the Spices.Net Obfuscator. In addition, ObfuscationEvents (similar to VS Build Events) are supported, allowing you to insert custom actions between the steps of the obfuscation process. Integration with MSBuild and VS is present: you can configure obfuscation options directly in the project properties, enable / disable it for any project in the solution, and turn off obfuscation altogether. | Comes with a GUI. There is a console version. There is no automation. There is no integration. | Nice, unpretentious wizard-style interface. A console version is present. There is no automation. There is no integration either. |
Tamper-resistance | A "snitch" module ships with the Enterprise edition and is designed to prevent corporate theft. For ordinary software, it is enough to block the program's access to the Internet, or simply to remove the protection, because that is quite easy. | Yes. A hacked, renamed, or tampered assembly stops working. Protects against both an ILASM / ILDASM round trip and simple renaming of the assembly (i.e. changing the identity, which includes both its name and, for a strong-named assembly, its full name, as well as the version number). And here is what is interesting: after this technology was introduced, hacked versions of Spices.Net can no longer be found, while Salamander and SmartAssembly (which, oh yes, offer control flow!) are readily available on warez sites. | No. | No. |
String Encryption | Yes. | Yes. Additionally, resource protection (without encryption and compression, but it works with the tamper-resistance protection). | Yes. | Yes. Additionally, compression and encryption of resources. |
Anti-ILDASM, anti-decompilation | Anti-ILDASM: yes. No countermeasures against decompilation. | Anti-ILDASM: yes. Counters decompilation (Reflector cannot handle it, but Salamander Decompiler partially can. Automatically protects against Spices.Net Decompiler). | Anti-ILDASM: yes. Automatically protects against Salamander Decompiler. | Anti-ILDASM: yes. |
Removing unused code and declarations (pruning) | Can | Can, flexibly | Can | Can |
Software watermarking | Can | Can (with anti-forgery protection, that is, TamperProof technology is used) | No | No |
Control flow obfuscation | Yes, but partially recognizable by decompilers. | Instead, CodeAnonymizer technology is offered as a more effective means of dealing with decompilers. | Yes, but recognizable by decompilers. V-Spot Elimination is mentioned: an unrealized technology similar to the one implemented in Spices.Net CodeAnonymizer. | Yes, but recognizable by decompilers. |
Work with mixed-code assemblies | Not very good, no size optimization | Can, with size optimization | Yes, but it is unstable | Can, with limitations (error reporting is not inserted into such code) |
64-bit support | Yes | Yes | No | No |
Stack trace deobfuscation | Not in the Community Edition; available in Enterprise, but not very convenient; based on the obfuscation map | Yes, as a Spices.Net tool, which offers a more detailed, free solution. | No | Yes, an Error Reporting module is implemented. Unique feature. |
Benefits | Ships with every VS release. Unlike other obfuscators, it is the very first to come out for each new .Net version; an insider, after all. | Large selection of protection tools. Two technologies that other obfuscators do not offer. Having its own decent decompiler means the obfuscator knows what needs to be protected. Other pluses I can name are responsive support in Russian and a constructive approach to solving problems. | The oldest representative; good quality of protection. | Simple; meets the basic needs of small developers and is tailored to them, but for that reason it is inflexible, although it has a good arsenal of protective measures. |
Disadvantages | Unreasonably expensive. The list of features and the workmanship do not match the price. Support is not free. | The abundance of settings and tools is sometimes off-putting. Geared toward professional use, not the needs of small developers, although for them everything is available in the console version. | Inflexible settings; out of date. With the release of .Net 2.0 the team had already abandoned this project, but then came out with the Obfuscator + Protector combination. Cannot work with projects that mix .Net versions. Unstable on recent .Net versions. Getting in touch with support is difficult and slow. | The future of this good product is unclear. Lack of integration, tamper-resistance degrades performance. But the first thing they could offer is protection against Reflector; that would be a very powerful feature. There used to be very friendly support; now I don't know. |
About prices
I deliberately did not compare prices. Dotfuscator's prices and support rates are so high that they serve as a barrier; apparently, they focus on large corporate business. For the rest of the manufacturers, I can say that there is room for the principle "the price is whatever suits both the seller and the buyer." Bargaining has long been common practice; Indian customers, for example, have mastered it to perfection and think nothing of buying a 400-dollar product for 150 bucks. There are undeclared discounts for students (academic discounts), for all sorts of MVPs and MCPs, for members of user groups and communities, for non-profit organizations, regional and national discounts, and discounts for a mention on a blog or for posting the product's logo for a short period of time. Of course, the manufacturer does not write about this on its site.
Try asking for a discount and you will get one. Good luck!
PS There is a desire to invite an experienced and good person who was actively involved in the creation of this article - please contact me.