Thread: Securing .Net code (the 3rd party conundrum)

  1. #1
(?<!re)tired Mario F.
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446

    Securing .Net code (the 3rd party conundrum)

I think, except for the open source community, any .Net project wants its code locked and secured. We are currently in the analysis phase of a large scale client-server project and it's simply not acceptable for us to provide a commercial solution whose source code can be inspected to the last detail in a comfortable format.

However, this means making a ~2k investment in a 3rd party solution, because Microsoft doesn't offer the necessary tools to secure .Net source code. Out of the box, any compiled and shipped .Net project is the equivalent of an open source application limited by copyright notices, but not physically constrained. Anyone with just general .Net programming knowledge can reverse engineer a system. This isn't acceptable.

This being such an intrinsic aspect of development, it's no wonder that while C# has seen quite an increase in enterprise development, to this day it still lacks any sort of sex appeal for general consumer software developers. The investment in 3rd party solutions can be too big for many of these small outfits.

What troubles me is that since the decision was made early on by Microsoft not to provide the tools and the mechanisms for properly securing source code in .Net, the proliferation of 3rd party solutions was inevitable, essentially all of them with vested commercial interests. Any attempt now to do so would probably be met with angry anti-competitive cries from these companies, which I suspect they could bring to court and win.

My questions... how much do you think this affects the adoption of .Net for general consumer-grade software? Was it a mistake by Microsoft not to provide these tools? Could it provide them sometime in the future without risking a judicial backlash? Why do you think they didn't offer these solutions when the .Net platform was widely advertised as a development target for general consumer software and enterprise software alike? Doesn't Microsoft's early decision contrast with their desire to make the .Net platform ubiquitous in the Windows development arena?
    Last edited by Mario F.; 02-08-2011 at 07:31 AM.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
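As an added illustration of the point made in the post above (example code written for this edit, not from the thread, from Microsoft's tooling or from any obfuscator vendor): every managed assembly carries a CLR metadata root (ECMA-335 II.24.2) whose #Strings heap stores every type, method and field name exactly as the compiler saw it, and that is what lets a decompiler hand back readable source. The Python below builds a small constructed metadata root, then locates and parses it the way a triage script would on a real assembly. The identifiers in SAMPLE_NAMES, the stream layout of the sample and the helper names are assumptions made for the example. Renaming obfuscators, such as the Dotfuscator mentioned later in the thread, work by rewriting exactly these heap entries.

```python
"""Locate and parse a CLR metadata root, then dump its #Strings heap.

Added example, not code from the thread. The sample blob is constructed
here so the script runs offline; the parser works on the metadata root
of any real assembly (ECMA-335 II.24.2.1 layout).
"""
import struct

METADATA_SIGNATURE = 0x424A5342  # the bytes "BSJB" read as a little-endian uint32


def _pad4(b: bytes) -> bytes:
    """Pad a null-terminated name or version string to a 4-byte boundary."""
    return b + b"\0" * (-len(b) % 4)


def build_metadata_root(version: str, streams: list) -> bytes:
    """Assemble a metadata root from (name, payload) stream pairs.

    Used only to construct the sample input for this example; the C#
    compiler emits this structure into the assembly's .text section.
    """
    ver = _pad4(version.encode("utf-8") + b"\0")
    header = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    header += struct.pack("<HH", 0, len(streams))  # Flags, Streams
    # Each stream header: Offset (from root start), Size, padded null-terminated Name.
    headers_len = sum(8 + len(_pad4(n.encode("ascii") + b"\0")) for n, _ in streams)
    cursor = len(header) + headers_len
    stream_headers, payloads = b"", b""
    for name, payload in streams:
        stream_headers += struct.pack("<II", cursor, len(payload))
        stream_headers += _pad4(name.encode("ascii") + b"\0")
        payloads += payload
        cursor += len(payload)
    return header + stream_headers + payloads


def find_metadata_root(data: bytes) -> int:
    """Offset of the first BSJB signature, or -1 if none (quick managed-PE triage)."""
    return data.find(struct.pack("<I", METADATA_SIGNATURE))


def parse_metadata_root(data: bytes, root: int = 0) -> dict:
    """Return {"version": str, "streams": {name: bytes}} for the root at `root`."""
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", data, root)
    if sig != METADATA_SIGNATURE:
        raise ValueError("not a CLR metadata root")
    pos = root + 16
    version = data[pos:pos + ver_len].split(b"\0", 1)[0].decode("utf-8")
    pos += ver_len
    _flags, n_streams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = {}
    for _ in range(n_streams):
        offset, size = struct.unpack_from("<II", data, pos)
        pos += 8
        end = data.index(b"\0", pos)
        name = data[pos:end].decode("ascii")
        pos = end + 1
        pos += -(pos - root) % 4  # stream names are padded to a 4-byte boundary
        streams[name] = data[root + offset:root + offset + size]
    return {"version": version, "streams": streams}


def strings_heap(metadata: dict) -> list:
    """Identifiers stored in the #Strings heap (index 0 is always the empty string)."""
    heap = metadata["streams"].get("#Strings", b"")
    return [s.decode("utf-8") for s in heap.split(b"\0") if s]


# Constructed sample (an assumption for the example): the kind of names a
# small licensing assembly would leave behind, plus a dummy #~ table stream.
SAMPLE_NAMES = ["<Module>", "LicenseChecker", "ValidateSerial", "secretSalt", "System.Object"]
SAMPLE_STRINGS_HEAP = b"\0" + b"".join(n.encode("utf-8") + b"\0" for n in SAMPLE_NAMES)
SAMPLE_ROOT = build_metadata_root(
    "v4.0.30319", [("#~", b"\0" * 24), ("#Strings", SAMPLE_STRINGS_HEAP)]
)
# Surround it with filler so find_metadata_root has to locate it, as in a real PE.
SAMPLE_FILE = b"MZ" + b"\0" * 62 + SAMPLE_ROOT + b"\0" * 16


if __name__ == "__main__":
    root = find_metadata_root(SAMPLE_FILE)
    meta = parse_metadata_root(SAMPLE_FILE, root)
    print("metadata root at offset", root, "runtime", meta["version"])
    for ident in strings_heap(meta):
        print("   ", ident)
```

Against a real assembly, read the file and pass the offset from find_metadata_root() as `root`; the proper route is the MetaData directory in the CLR header (PE data directory 14), but the BSJB search is enough for a first look. Parsing the same build before and after a renaming obfuscator shows the same stream layout with the meaningful identifiers replaced, which is the whole of what that class of tool buys you: the IL, and the logic it encodes, is still there.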

  2. #2
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
I doubt that .net is ever going to be much more than "script kiddies deluxe" (present company excluded, of course)... As you point out it's beyond insecure and leaves one open to piracy at levels none of us would tolerate.

    But it's also HUGE... both producing larger "executables" and requiring a monstrous run time library. If anyone actually cares about code-bloat anymore, .net is one significant cause of it.

    I won't run .net code on my systems...

  3. #3
Guest Sebastiani
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    Quote Originally Posted by CommonTater View Post
I doubt that .net is ever going to be much more than "script kiddies deluxe" (present company excluded, of course)... As you point out it's beyond insecure and leaves one open to piracy at levels none of us would tolerate.
    Nothing could be farther from the truth! Code protection issues will eventually be addressed. Fact is, .NET runs on just about everything out there these days - cell phones, PDA-type devices, Unix and MS systems, etc. Both free and third-party libraries abound. Plus, it's open-standard (RIP Java!).
    Code:
    #include <cmath>
    #include <complex>
    bool euler_flip(bool value)
    {
        return std::pow
        (
            std::complex<float>(std::exp(1.0)), 
            std::complex<float>(0, 1) 
            * std::complex<float>(std::atan(1.0)
            *(1 << (value + 2)))
        ).real() < 0;
    }

  4. #4
(?<!re)tired Mario F.
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by Sebastiani View Post
    Code protection issues will eventually be addressed.
    Can I have your word on that? Because I have yet to see any indication of that ever happening.

  5. #5
    Gawking at stupidity
    Join Date
    Jul 2004
    Location
    Oregon, USA
    Posts
    3,218
    Quote Originally Posted by CommonTater View Post
    But it's also HUGE... both producing larger "executables" and requiring a monstrous run time library. If anyone actually cares about code-bloat anymore, .net is one significant cause of it.
    What are you talking about? I made a simple change calculator application in both C# and (as similarly as I possibly could) C++. The C++ executable was 53KB, the C# one was only 7KB. I'll show you the code for both if you'd like.

    In fact, every program I've made in C# has come out as a surprisingly small executable size, especially compared to an equivalent C++ program.

    Maybe if you spent some time using it instead of avoiding it like the plague and totally dismissing it you wouldn't have such a twisted view.
    If you understand what you're doing, you're not learning anything.

  6. #6
Guest Sebastiani
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    Quote Originally Posted by Mario F. View Post
    Can I have your word on that? Because I have yet to see any indication of that ever happening.
    Simple, expand all non-external classes into PODs, and all non-recursive functions into inline code - right down to the metal, so to speak. The code would likely decompile to the equivalent of assembly language, probably...

  7. #7
    Password:
    Join Date
    Dec 2009
    Location
    NC
    Posts
    587
I think it's called IL, for intermediate language, but it serves the same purpose as assembly.

    What do you mean by "source code can be inspected to the last detail?" Can you elaborate?

  8. #8
Master Apprentice phantomotap
    Join Date
    Jan 2008
    Posts
    5,108
    Maybe I misunderstood the context, but I don't think the ease of getting human readable source back is an issue for the average bit of consumer grade software. I can't count the number of crappy ".Net" implementations of disc layout (CD/DVD mastering software) I've seen that are all based on a CodeProject tutorial. They are all in the $5 to $10 range. I don't think it would break a project.

Then again, I don't think you mean consumer the way I have interpreted consumer. I think you are talking more about corporate software where trade secrets... are trade secrets. In that case, where crucial business logic could be discovered in a matter of moments without using the tools you reference, I'd say it affects the choices as much as the choice of platform or any other development tools. In other words, I don't imagine it affects the growth of ".Net" at all considering that it is, as you say, a known issue to be factored in to development costs.

    Then again, I've seen some tools that obfuscate discovery by linking to libraries that carry a per seat cost. These sorts would probably be ignored in favor of better tools, but if that was the only option, or if the development costs can take another hit, I can easily see ".Net" being dropped in favor of a language or platform that isn't so easily reversed.

    Soma

  9. #9
Woof, woof! zacs7
    Join Date
    Mar 2007
    Location
    Australia
    Posts
    3,459
    There's nothing wrong with the .NET framework, "bagging" it out without reason is stupid. Seriously, C# fixes a lot of problems that plague C++ (it also introduces some :-)).

Dotfuscator is the industry standard for stopping reverse engineering by tools such as "Reflector". Microsoft bought Dotfuscator rights long ago, and have since released "community versions". If you're developing commercial software, I'm sure you can pay for a Dotfuscator commercial license.

I think it doesn't really affect uptake of .NET at all, maybe for a few things. But with the whole SaaS movement, it becomes slightly less relevant where the meat of the logic sits "in the cloud".

    This problem covers all forms of software, it's just more prevalent with intermediate languages like IL or Java byte-code.

  10. #10
(?<!re)tired Mario F.
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Quote Originally Posted by phantomotap View Post
    Then again, I don't think you mean consumer the way I have interpreted consumer. I think you are talking more about corporate software where trade secrets... are trade secrets.
By consumer-grade software I mean all software meant to be sold to the masses.

Quote Originally Posted by phantomotap View Post
In other words, I don't imagine it affects the growth of ".Net" at all considering that it is, as you say, a known issue to be factored in to development costs.
Apparently however, of all the reasons I've heard not to use .Net in consumer-grade software, this one is the most recurrent. It's particularly damaging to small entrepreneurs who can't afford the 4 digit figure of current obfuscation solutions.

    Quote Originally Posted by zacs
    If you're developing commercial software, I'm sure you can pay for a Dotfuscator commercial license.
    Oh, please....

    Quote Originally Posted by zacs
But with the whole SaaS movement, it becomes slightly less relevant where the meat of the logic sits "in the cloud".
    Software keeps being primarily developed outside the cloud. And it will stay this way most probably for a very long time. This is particularly true for consumer-grade software, where SaaS is a looong way from becoming an acceptable and widespread practice.

  11. #11
    Make Fortran great again
    Join Date
    Sep 2009
    Posts
    1,413
    Quote Originally Posted by CommonTater View Post
I doubt that .net is ever going to be much more than "script kiddies deluxe" (present company excluded, of course)... As you point out it's beyond insecure and leaves one open to piracy at levels none of us would tolerate.

    But it's also HUGE... both producing larger "executables" and requiring a monstrous run time library. If anyone actually cares about code-bloat anymore, .net is one significant cause of it.

    I won't run .net code on my systems...
    If you create a standalone application, it ends up being like 36 MB minimum I think. If you make an app that depends on .NET being installed, it should be very small.

    I think .NET is fairly nice even though all the eyecandy that comes with it makes it a little slower than desired. I don't think it could still be that bloated/crappy after 4 major versions and quite a few years.

    As far as obfuscating the code goes (Mario), I think you're stuck with using a paid product.

  12. #12
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by Epy View Post
    If you create a standalone application, it ends up being like 36 MB minimum I think.
    For "Hello World"??

    In my entire life I've never written anything even 1/10th that size...

Free standing C proggies start at around 16K.

  13. #13
    Gawking at stupidity
    Join Date
    Jul 2004
    Location
    Oregon, USA
    Posts
    3,218
    Quote Originally Posted by CommonTater View Post
    For "Hello World"??

    In my entire life I've never written anything even 1/10th that size...

Free standing C proggies start at around 16K.
    You'd have the same problem with any non-native binaries. Java programs aren't going to do anything without the JRE installed. Python scripts need Python installed, etc. The actual .exe itself is very small; the size comes from the interpreter.

  14. #14
    Make Fortran great again
    Join Date
    Sep 2009
    Posts
    1,413
    Quote Originally Posted by CommonTater View Post
    For "Hello World"??

    In my entire life I've never written anything even 1/10th that size...

Free standing C proggies start at around 16K.
    It's not exactly statically linking what it needs, it's including the whole runtime I think. I don't know that much about .NET, but I do know that there's a significant difference between standalone and .NET runtime dependent. The analogy to Java is pretty much right on.

  15. #15
Woof, woof! zacs7
    Join Date
    Mar 2007
    Location
    Australia
    Posts
    3,459
    Quote Originally Posted by Epy View Post
    ... I don't know that much about .NET, ...
Then don't comment that it's "buggy/crappy"; I work with it 8 hours a day and the framework is awesome. Perhaps once you've found yourself living in the C++ world, for example, with "oh, that's not in the standard library -- you'll have to endure DLL/static library hell, or write it yourself". And no, I'm not being pro-Microsoft (just take a look at Mono).
