每当谈到 Dll 安全性时,在线搜索的所有结果都在谈论混淆。现在,我的问题是,除了混淆之外,我们还能做些什么来使我们的程序集更安全并且不受重新设计的影响?
我问的原因是因为我正在准备代码安全演示,并且我知道会发生去混淆,如果你让人们有足够的决心花时间重新设计任何代码,那么他们最终会这样做。这个故事的寓意是混淆不是一个完全证明的解决方案,它只会让重新设计代码变得困难。但是,如果我们将混淆与其他技术结合起来,那么它会变得更加困难。
有什么建议么?
每当谈到 Dll 安全性时,在线搜索的所有结果都在谈论混淆。现在,我的问题是,除了混淆之外,我们还能做些什么来使我们的程序集更安全并且不受重新设计的影响?
我问的原因是因为我正在准备代码安全演示,并且我知道会发生去混淆,如果你让人们有足够的决心花时间重新设计任何代码,那么他们最终会这样做。这个故事的寓意是混淆不是一个完全证明的解决方案,它只会让重新设计代码变得困难。但是,如果我们将混淆与其他技术结合起来,那么它会变得更加困难。
有什么建议么?
Obfuscation is only going to slow them down.
If what you have is of value it will be hacked.
Protecting a DLL is not like encrypting a communications channel where you can change key and even if they hack the key they only got part of communication.
A DLL is a static piece of code that can be hacked.
You can make it very hard to hack but that is time spent not delivering features and a product that is harder to support and extend.
The other technique is legal protection.
I am not an attorney.
This is not legal advice.
This is just my limited understanding of the subject.
Copyright just protects a straight copy of the code.
If they reverse engineer it then copyright alone does nothing.
There are parts of the globe that do little to protect copyrights.
If you have a new algorithm or UI or ??? then the next level of legal protection is a utility patent.
If you are a small entity you can file one yourself for a few hundred dollars.
But without a patent attorney the chance of it being accepted goes down and the chance of it being enforceable goes down.
If the patent is denied you don't get a refund on the application fee.
Or you can treat it as a trade secrete and only host it in house.
In that case still need to take appropriate legal protection such as non disclosure agreements.
My take is obfuscate to the level that you take out the novices and minimize impact on features and support.
The next level of protection is legal.
You are not likely to sue the novices as there are too many of them.
Obfuscate just limits your attack surface and legal action is your recourse.
Again I am not an attorney but my understanding is there used to be a first to invent protection that is now a first to file.
A worst case scenario is you don't get a patent and an existing player (with deep pockets) sees the value in the idea, discovers you don't have it protected, and they get a patent.
Not only do they steal the idea from you but they sue you for stealing your idea.
不幸的是,没有办法确保没有人能够反编译您的代码。根本问题实际上是代码位于用户控制的机器上,任何有足够知识、耐心和时间的人都可以对其进行全面分析,并从二进制文件中获得一些清晰的源代码。计算机本身能够解码和运行它,所以人也是。
混淆、加密、打包或其他任何东西只会给潜在的黑客带来问题,但没有一个是真正无法绕过的,你只是提高了门槛。这不仅发生在 .NET 上,而且在所有和每种编程语言中,反编译总是可能的,只是更难或更容易,因为二进制文件位于用户可以阅读的地方。
唯一安全的措施是将二进制文件放在用户甚至无法阅读它们的地方,这通常意味着您控制的计算机,用户完全无法直接访问。Web 服务是解决此问题的经典方法,您的网页运行代码,而用户只有一个小型客户端程序,甚至只有一个浏览器。当然,这对您的部署方式以及他们需要或想要拥有的基础架构有巨大的影响,但这是为代码安全性付出代价的权衡。