Sunday, January 11, 2009

Obfuscation in .NET - Prevent your Source Code from Being Open Source

Found this excellent introduction to Obfuscation in .NET by Joydip


Obfuscation in .NET

Prevent Your Source Code from Being Open Source

 

 

With so many decompilers available in the software industry today, your application’s source code is exposed to a variety of prying eyes, and with that comes the potential loss of your intellectual property. But what makes this possible? .NET reflection, ILDASM.exe, and .NET decompilers.

 

So, then, what’s the solution? This potential threat has facilitated the development of a technology called obfuscation.

 

What Is Obfuscation?

Obfuscation protects source code from being disassembled or decompiled without changing its functionality. It is a technology that makes .NET assemblies more difficult to decompile and impedes reverse-engineering efforts, thereby protecting the source code from potential threats. Obfuscation works by obscuring the details of your code. Encryption suffers from the drawback that the decryption key must be kept along with the encrypted data, so it is possible to decrypt your source code. Obfuscation, on the other hand, can increase the protection against decompilation to a great extent while leaving the application’s functionality intact.

 

Why Obfuscate?

There are several reasons why we should obfuscate:

  • Obfuscation reduces the size of an executable
  • Obfuscation improves the application’s performance at run time
  • Obfuscation protects intellectual property

 

How Does It Work?

Obfuscation encrypts the source code and removes some unnecessary information from the assembly metadata when it deems that it is safe to do so, thus making the assembly more difficult to understand or read after it is decompiled. Disassemblers use the assembly metadata and manifest to decompile an assembly and recover the original source code. Note that even if an application is compiled to native code at the time of execution, the Microsoft .NET runtime environment still requires that the assembly metadata and IL code be embedded in an assembly before it starts its execution. There are a number of techniques that can be used to obfuscate. However, the disadvantage of obfuscation is that it can affect performance (but not to a great extent).

 

Obfuscation never changes your source code. Rather, obfuscators process your assemblies using a specific encryption methodology and transform them into another, obfuscated assembly whose functionality remains unaltered.

 

How to Obfuscate?

Obfuscation in .NET can be achieved by scrambling the meaningful names in the assembly metadata with non-meaningful ones and trimming the non-essential metadata, but without affecting any functionality. The techniques used include, but are not limited to:

  • Changing the Assembly Metadata
  • String Encryption
  • Size Reduction
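
A post-build check for the metadata renaming described above, added here as an example and not taken from the original article or from any obfuscator: it uses .NET reflection to report which type and member names in an assembly are still readable. The class name `RenameAudit`, the sample word list and the exit codes are assumptions.

```csharp
// Added example, not from the original article or any obfuscator's tooling.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

static class RenameAudit   // hypothetical name
{
    const BindingFlags Declared = BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // Every type and member name the assembly metadata still exposes.
    static IEnumerable<string> ExposedNames(Assembly asm)
    {
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException ex)
        {
            // Some types failed to load (missing dependency); audit the rest.
            types = ex.Types.OfType<Type>().ToArray();
        }
        foreach (Type t in types)
        {
            string owner = t.FullName ?? t.Name;
            yield return owner;
            foreach (MemberInfo m in t.GetMembers(Declared))
                yield return owner + "::" + m.Name;
        }
    }

    // Usage: RenameAudit <assembly path> <word> [<word> ...]
    // With no arguments it audits itself for the constructed sample word "Audit".
    static int Main(string[] args)
    {
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0])
                                       : Assembly.GetExecutingAssembly();
        string[] words = args.Length > 1 ? args.Skip(1).ToArray()
                                         : new[] { "Audit" };
        List<string> leaks = ExposedNames(asm)
            .Where(n => words.Any(w => n.IndexOf(w, StringComparison.OrdinalIgnoreCase) >= 0))
            .Distinct().ToList();
        foreach (string leak in leaks)
            Console.WriteLine("still readable: " + leak);
        Console.WriteLine(leaks.Count + " name(s) survived renaming");
        return leaks.Count == 0 ? 0 : 1;   // non-zero exit fails the build step
    }
}
```

Run it against the obfuscated output as a build step, passing the class or method names you consider sensitive. Public API names that the obfuscator must preserve will be reported too and can be left out of the word list.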

 

Is this the Best Solution?

Unfortunately, the available obfuscators are unable to completely protect your intellectual property. Even if obfuscators can be a good tool for preventing most decompilers from stealing your code, if you are determined and possess a good knowledge of data structures and algorithms, you can steal the code even from an obfuscated assembly. So, obfuscation can be a good solution, but there is no software that is absolutely safe.

 

The Future

Microsoft realized the importance of this technology and introduced the Dotfuscator tool for obfuscation with Visual Studio .NET. In addition, these .NET obfuscator tools are available:

 

Obfuscation is a very powerful technology and will continue to be a part of the application build and deployment process in the years to come.
