locked
guidline on making class libraries, plz guide me RRS feed

  • Question

  • User852864959 posted

    Hello,

     

    Thanks for your attention and time.

     

    Your expert advice is required please. Task is to develop class libraries that  can be re-use in projects but assambies should be copy righted. By this I mean developer will not give the code of  class libraries to the clients yet they will provide the code of there sites/ applications, these libraries will be used just as internal development libraries. I want to make Business Logic Layer, DAL, Business Objects as class libraries

     

    Please guide me on this:

     

    Q1. How I can control unathorised use of libraries ?

     

    Q2. How to make assamlies non extendable ?

     

    Q3. What security measurs I should take on this.

     

    Once again thanks for your time, attention and sharing


    haansi

    Friday, January 22, 2010 3:47 AM

Answers

  • User1105131773 posted

    Hi

    I would recommend looking into

    .net licencing - which will allow you to provide licence files to specfic customers and functionality contained in your libraries would work only with the correct licence installed. There are many third party tools to do this or you could implement your own

     Ensure that the methods you want to expose have the correct protection - so sensible use of private, protected and public declarations on your various methods

    You might want to look at obsfucation - a way of stopping your source code from being decompiled - again many third parties offer products to aid in doing this

    Hope that helps in getting you on the right track - for specific information on each of these google is probably your best option as they are all well documented.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 22, 2010 5:29 AM
  • User1105131773 posted

    If you don't want to go for the off the shelf option you can implement something yourself - simply ensure that a licence.lic file (or whatever you want to call it) is in the folder, and if it is then you would just check that it contains some relevent information. For example, simply, you may want to get the customer name and convert to a list of numbers representing the name, then your licence file would contain the name and code, if they are valid then you can let them use your application... There are lots of ways of doing it but that suggestion should get you on the right track to implementing something.

    There are some good explainations of the access levels on this post

    http://forums.asp.net/t/1163265.aspx

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 22, 2010 7:15 AM
  • User-952121411 posted

    You might want to look at obsfucation - a way of stopping your source code from being decompiled
     

    I agree that obfuscation is a good technique, but I wanted to clarify one point.  All .NET assemblies are compiled into the intermediate language called MSIL that is then executed by the CLR at runtime.  Beacue the assemblies are MSIL, they can always be decomplied.  The process of obfuscation 'Obfuscates' or presents a view of confusion when the assembly is decompiled.  Symbols and code is rearraged and renamed into naming standards that don't make sense too well to the human eye with a decompiler.  So it makes the decompiled .dll not readable so well, but the process of obfuscation does not actually prevent decompiling the .dll.  If you ever want to see what a decompiled assembly looks like, open it up with the free ILDASM.exe tool that comes with .NET.  Then use obfuscation and open it again; you will see the difference.

    If you have propriatary logic that must be deployed to a client, then obfuscating the built assembly is probably a good idea.  Preemptive makes a decent obfuscation program (although a bit pricey) that you may want to look into.  They had a free version included with .NET a few years back that was installed with VS.NET 2005.  You might want to check out the following:

    http://www.preemptive.com/products/dotfuscator/overview

    Another option you may be able to implement, is if there is something absolutely critical to protect, you could only expose the functionality as a service to your clients.  In this manner they can call your service methods, and get a proxy when consuming the service, but never actually see the code behind the service itself.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 22, 2010 10:48 PM
  • User-952121411 posted

    Can we say development in dotnet is not secure ?
     

    It is not that it is not secure, but that the way .NET works using IL makes it a little easier to reverse engineer than when using unmanaged code.  My 1st thought if it needs to be more secure and less easily reverse engineered would be to use unmanaged code like C++ for the more security sensitive portions of your application.  However, the most used solution I have seen in .NET is to obfuscate the compiled code; it is a decent solution and will secure your code pretty well from being reverse engineered.

    I found a MSDN blog post that summarized this topic well.  Take a look as it has some points similar to the ones in our conversation:

    How do I protect my C# code against reverse engineering? 

    http://blogs.msdn.com/ericgu/archive/2004/02/24/79236.aspx

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 25, 2010 9:08 AM

All replies

  • User1105131773 posted

    Hi

    I would recommend looking into

    .net licencing - which will allow you to provide licence files to specfic customers and functionality contained in your libraries would work only with the correct licence installed. There are many third party tools to do this or you could implement your own

     Ensure that the methods you want to expose have the correct protection - so sensible use of private, protected and public declarations on your various methods

    You might want to look at obsfucation - a way of stopping your source code from being decompiled - again many third parties offer products to aid in doing this

    Hope that helps in getting you on the right track - for specific information on each of these google is probably your best option as they are all well documented.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 22, 2010 5:29 AM
  • User852864959 posted

    thanks simon.hatchar



    .net licencing - which will allow you to provide licence files to specfic customers and functionality contained in your libraries would work only with the correct ted.


    Please guide is there some built in way in frame work for licencing ? Can you guide how I should immplement my own that may workable ?

    Ensure that the methods you want to expose have the correct protection - so sensible use of private, protected and public declarations on your various methods

    kindly explain what will the correct way for this ?

    Thanks once again for sharing your knowledge and sparing time.

    haansi

    <input id="gwProxy" type="hidden"><!--Session data--><input onclick="jsCall();" id="jsProxy" type="hidden">

    <input id="gwProxy" type="hidden"><!--Session data--><input onclick="jsCall();" id="jsProxy" type="hidden">

    Friday, January 22, 2010 6:55 AM
  • User1105131773 posted

    If you don't want to go for the off the shelf option you can implement something yourself - simply ensure that a licence.lic file (or whatever you want to call it) is in the folder, and if it is then you would just check that it contains some relevent information. For example, simply, you may want to get the customer name and convert to a list of numbers representing the name, then your licence file would contain the name and code, if they are valid then you can let them use your application... There are lots of ways of doing it but that suggestion should get you on the right track to implementing something.

    There are some good explainations of the access levels on this post

    http://forums.asp.net/t/1163265.aspx

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 22, 2010 7:15 AM
  • User-952121411 posted

    You might want to look at obsfucation - a way of stopping your source code from being decompiled
     

    I agree that obfuscation is a good technique, but I wanted to clarify one point.  All .NET assemblies are compiled into the intermediate language called MSIL that is then executed by the CLR at runtime.  Beacue the assemblies are MSIL, they can always be decomplied.  The process of obfuscation 'Obfuscates' or presents a view of confusion when the assembly is decompiled.  Symbols and code is rearraged and renamed into naming standards that don't make sense too well to the human eye with a decompiler.  So it makes the decompiled .dll not readable so well, but the process of obfuscation does not actually prevent decompiling the .dll.  If you ever want to see what a decompiled assembly looks like, open it up with the free ILDASM.exe tool that comes with .NET.  Then use obfuscation and open it again; you will see the difference.

    If you have propriatary logic that must be deployed to a client, then obfuscating the built assembly is probably a good idea.  Preemptive makes a decent obfuscation program (although a bit pricey) that you may want to look into.  They had a free version included with .NET a few years back that was installed with VS.NET 2005.  You might want to check out the following:

    http://www.preemptive.com/products/dotfuscator/overview

    Another option you may be able to implement, is if there is something absolutely critical to protect, you could only expose the functionality as a service to your clients.  In this manner they can call your service methods, and get a proxy when consuming the service, but never actually see the code behind the service itself.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 22, 2010 10:48 PM
  • User852864959 posted

    thanks atconway for guiding and sparing time.

    Your suggestions of using services is good but may not workable every time. Like in my case I want to buid re useable class libraries.

    Can we say development in dotnet is not secure ? When application can be de-compiled then any security can be removed. I do not mean I am going to develop some "secret" sort of library but at least normal

    business classes are asset.

    Sunday, January 24, 2010 1:54 AM
  • User-952121411 posted

    Can we say development in dotnet is not secure ?
     

    It is not that it is not secure, but that the way .NET works using IL makes it a little easier to reverse engineer than when using unmanaged code.  My 1st thought if it needs to be more secure and less easily reverse engineered would be to use unmanaged code like C++ for the more security sensitive portions of your application.  However, the most used solution I have seen in .NET is to obfuscate the compiled code; it is a decent solution and will secure your code pretty well from being reverse engineered.

    I found a MSDN blog post that summarized this topic well.  Take a look as it has some points similar to the ones in our conversation:

    How do I protect my C# code against reverse engineering? 

    http://blogs.msdn.com/ericgu/archive/2004/02/24/79236.aspx

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 25, 2010 9:08 AM