Code Security - .NET Obfuscation

Do you know that .NET Compiled code can be revert back to C# and VB.NET Source code. Yes it is possible by using decompiler we can get the original source code, then what about security. We can use .NET Obfuscation using dotfuscator for source code protection ...

All the lanugage compilers exists nowadays are producing the byte code or intermediate code that could be understandable to thier language interpreters. Microsoft .NET compiler converts the C# and VB.NET source code to MSIL (Microsoft Intermediate Languages). Java compiler converts the Java source code to byte code called class file and.
Now intersting part is there are lots of decompilers are available in market like Reflector for .NET, Dcafe for Java, hackers can get back the source code anytime from intermediate code using these decompilers. Now how we provide security for the source code. Here is the solution using ... Obfuscation  and Obfuscation Tools like Dotfuscator.
Overview

1. Outline
2. Define the problem
3. Define Obfuscation
4. Why Obfuscate?
5. Layout Obfuscation
6. How are we going to do it?
7. Alternatives
8. Conclusion

1. Outline and 2. Define the problem
Security is becoming increasingly important in the world of software. This session will discuss the various software security mechanisms focusing on applications built with .NET or Java. Topics covered include obfuscation and encryption. This session will also discuss common security vulnerabilities and provide tips and best practices to protect our code.

How.Net code is compiled ? 

3. Define Obfuscation

• Obfuscate – “to confuse”
• Behavior preserving transformations on code that preserve function but reduce readability or understandability
  •Hide what’s required, remove the rest
  •Confuse observers, but give Runtime Environment the same delivery
  •How do we confuse the reader?

4. Why Obfuscate? •IP should be protected
•Obfuscation provides important "trade secret" level protection
•Also, obfuscating may provide more legal options, since it indicates that the IP owner has taken measures to secure the IP
Code obfuscation

• Obfuscating Arrays

• Obfuscating Class
• Obfuscating Variables

 

Reverse engineering extracts piece of program

Obfuscation makes reverse engineering difficult

 

5. Layout Obfuscation
Remove comments, identifiers
Scramble identifiers
Limited format changes
Method overloading

getPayroll() becomes a()

makeDeposit(float amount)becomes a(float a)

sendPayment(String dest) becomes a(String a)

How do we confuse the reader?

• Control Flow Obfuscation
     - Rearranges control flow structures to make the application's logic harder to follow.
• Removal of Unused Members
     - Removes members that are not used from the IL.
• String Encryption
     - Encrypts strings so that they do not appear in plain text in the IL.
• Data obfuscation

Control Flow Obfuscation

• Change the flow of the program
• Break the link between the original code and the obfuscated code
• §Must ensure doesn’t introduce any bugs
• For example, if or while statements can be transformed into other statements that are logically equivalent but more complex appearing by using the rules of logic. An obfuscator might also insert GoTo statements and labels to turn your neat logic into "spaghetti code" to further confuse human readers.

Removal of Unused Members An obfuscator can also evaluate your application's entire source code to determine whether there are any methods that are actually unused, and if so, remove them from the obfuscated assembly. This situation can easily arise if you've developed code with a code generator or used classes from a general-purpose utility library. For example: you might have collection classes with the full range of methods that any collection should support, but only use a small fraction of those methods in your application. An obfuscator can remove the unused code, making the remaining code harder to understand and shrinking the program as a beneficial side effect.
String Encryption String constants and literal strings in your .NET source code appear unchanged in your compiled .NET assemblies. Such strings can provide valuable clues for anyone trying to reverse-engineer your code. For example, an attacker trying to break a licensing routine would first focus attention on strings having to do with licensing to locate the appropriate section of code. Obfuscators can make this more difficult by encrypting the strings in the .NET assembly. This is accomplished by inserting a decryption routine into the assembly and calling the decryption code at runtime to return the original strings.
Data obfuscation
Storage obfuscation
    -Alters how data is stored in memory
     E.g. Making local variables to global and vice versa.
Aggregation obfuscation
    -Spliting an array into several array.
.NET Obfuscator Benefits: Protects and Improves .NET Code

• Dotfuscator Professional obfuscator significantly enhances source code security.

. NET rich intermediate language is focused on application flexibility and inherently provides significant information on how an application was written. Because of this, .NET applications are more prone to reverse-engineering attack than most previous computer programs. Dotfuscator Pro includes state-of-the-art obfuscation technology to protect .NET applications - securing the important intellectual property contained within.

• Dotfuscator Professional decreases the size of your .NET program.

Dotfuscator analyzes your application and figures out exactly which parts of your program you're really using (down to the method level!). From there it can parse out those pieces leaving you with the smallest executable possible.

• Dotfuscator Professional improves run-time performance.

By removing unneeded program elements and renaming identifiers to small names, Dotfuscator .NET obfuscator can actually speed up programs.

• Dotfuscator Professional provides tamper detection and notification.

Dotfuscator's Tamper Detection and Notification service notifies your organization when one of your applications detects tampering. Tampered applications cost millions in revenue to suppliers and introduce material security and liability risks to consumers.

• Assembly Linking

Assembly linking, sometimes called merging, is the ability to merge multiple assemblies into one or more output assemblies. This can make an application even smaller and simplify deployment scenarios. When combined with obfuscation and pruning, assembly linking provides a powerful packaging solution for .NET applications.
6. How are we going to do it?

Obfuscators used in .NET

• Salamander .NET Obfuscator
• Spices .NET Obfuscator
• DotFuscator
  
  Salamander .NET Obfuscator

§Remotesoft's Salamander .NET Obfuscator provides both a GUI environment (Remotesoft .NET Explorer) for exploring and obfuscating .NET applications.
Salamander .NET Obfuscator operates directly on your original binary exe and dll files, without altering debug and line number information. This makes source-level debugging easy; you can just drop the obfuscated assembly in place of the original, invoke the debugger, and go into your original source code
Overall, Salamander .NET Obfuscator appears to work well and the user interface makes a good deal of data on your assemblies readily accessible.

Dotfuscator - Introduction

Dotfuscator is an obfuscator, pruner, linker, and watermarker for .NET applications. It is a key component of a Secure .NET Software Development Life Cycle Process. It adds a new level of protection and application efficiency to any .NET application.

7. DotFuscator How to use dotfuscator
1. To open a DotFuscator you need to start up Visual Studio .Net.
Then you will be able to start up DotFuscator Community Edition.
2. All Visual Studio Programs → Microsoft 2005 → Visual Studio Tools → Dotfuscator Community Edition

3. Once the “Dotfuscator Community Edition” is clicked. The Dotfuscator application will startup.

4. Click on “input” tab and provide the dll/exe file that we have created as input.

5. Once the File (dll) has been taken as input, press Ctrl+B to Build the Project. You can use File → Build for the same. The result of the build can visible in output tab.

7. Alternatives for Legal protection

• License agreements – EULA
• Copyright
• Patents
    –Dash-O example
• DMCA and DeCSS
• Lots of very nasty laws coming
    –Life imprisonment, P2P attacks

8. Conclusion

• Protecting software is as important as protecting hosts
• Watermarking, tamper-proofing and obfuscation are important tools for protecting software
• However, no technique can prevent all attacks
• Goal is to increase the cost for the attacker