Red Gate forums :: View topic - Assembly modification protection not working?
Assembly modification protection not working?

AntoineC




Posted: Wed Jun 23, 2010 12:35 pm    Post subject: Assembly modification protection not working?

I am unclear about the Assembly Modification protection.

Here is what I have done:
- Created a WinForm sample application (.NET 2.0)
- Used SmartAssembly with the following options:
  - Strong Name Signing
  - Obfuscation default settings
  - String Encoding: "I want to use strings encoding with improved protection"
  - All other settings to default

After build, SA reports: "The assembly has been protected against any modification" as expected.

To check that, I have changed one byte in the protected .exe (in a char array I could locate easily).

Then I ran the protected app again. Result: the modified app just works!

This is not at all what I was expecting. I was assuming I would get an error message, or at least that the app would fail to start, since it has been "protected against any modifications".

Am I wrong? Or has SmartAssembly failed to protect my application?

Let me know!

Tested on SmartAssembly 5.

Thanks,

Antoine
PS: the Microsoft Strong Name tool (sn.exe) does report: "validation failed" on the modified app. So, I am sure that I did make a mistake and that the application is indeed modified.
Paul.Martin




Posted: Wed Jun 23, 2010 6:54 pm

I think the wording that SmartAssembly uses is a little bit strong in this case.

SmartAssembly does not perform a full hash of the assembly to verify that nothing has changed, so it will not detect changing a primitive constant in a hex editor.
If you want this sort of functionality, either strong name signing the assembly (and then verifying on load) or using code signing (Authenticode) is the best and simplest way.

However, SmartAssembly will protect against modifications by decompilation/recompilation, code injection and most modifications to the actual code.
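One way to do the "verifying on load" mentioned in the reply above, as an added example that is not part of the original thread and not Red Gate's code: the program checks its own strong-name signature at startup through the `StrongNameSignatureVerificationEx` export of mscoree.dll and also pins the public key token. `IntegrityCheck`, `IsIntact` and the `ExpectedToken` bytes are illustrative names and constructed values; .NET Framework on Windows is assumed.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;

static class IntegrityCheck
{
    // Constructed placeholder: replace with the public key token of your own signing key.
    static readonly byte[] ExpectedToken = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };

    // Native strong-name API exported by mscoree.dll (.NET Framework, Windows only).
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    // True only if the file's strong-name signature validates over its current
    // bytes and the signing key is the expected one.
    public static bool IsIntact(Assembly asm)
    {
        bool wasVerified = false;
        // fForceVerification = true: check the signature even if verification
        // has been disabled for this assembly on the machine.
        if (!StrongNameSignatureVerificationEx(asm.Location, true, ref wasVerified) || !wasVerified)
            return false;

        // A valid signature is not enough: the file could have been re-signed
        // with someone else's key, so pin the public key token too.
        byte[] token = asm.GetName().GetPublicKeyToken();
        if (token == null || token.Length != ExpectedToken.Length)
            return false;
        for (int i = 0; i < token.Length; i++)
            if (token[i] != ExpectedToken[i])
                return false;
        return true;
    }
}

static class Program
{
    static int Main()
    {
        bool ok = IntegrityCheck.IsIntact(Assembly.GetExecutingAssembly());
        Console.WriteLine(ok ? "Strong-name signature verified." : "Verification failed: modified or re-signed.");
        return ok ? 0 : 1;
    }
}
```

A check that lives inside the file it verifies can itself be patched out, so it complements rather than replaces Authenticode or verification by a separate loader.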
AntoineC




Posted: Thu Jun 24, 2010 9:54 pm

Thanks for your reply, Paul.

The wording in SmartAssembly is a bit misleading for that feature.

Suggestion:
- change the wording.
- much better: add to SmartAssembly what you are telling me! Since SmartAssembly already Strong Name signs the assemblies, it should not be too complicated to compute and verify a hash.

Antoine
Paul.Martin




Posted: Fri Jun 25, 2010 11:34 am

The wording has been fixed for the forthcoming update.

We do have a feature, to add self-verification to protected assemblies, listed on the roadmap for SmartAssembly (SA-77). So hopefully it will make it in at some point soon (although no promises).
All times are GMT + 1 Hour