Security Flaw in dll (or am I wrong?)

It's by design. You need to use an obfuscator that encrypts string literals.
Google for ".NET obfuscator", most of them are not free though.

-Oleg.

"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...

HI NG

I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.

In some of my codebehind files i have a private string that is my SQL
Server connection string for example:

public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}

When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it's not pretty and it might take a while to
find BUT IT'S THERE!!!

I am also able to find some of my SQL Command strings and other objects
I use in the code - is this of normal behavior of a dll that you
actually can see the code in text???

Man I'm getting nervous!!

-Kevin

Well, you could also reverse engineer hard coded string in C++ code too.
Other than .NET assemblies being slightly easier to read, what's the difference?

BTW, to make you even more nervous, you should check out Reflector:

http://www.aisto.com/roeder/dotnet/

To be secure you should store the connection string in your config file encrypted
with DPAPI. Dominick has some tools for this:

http://www.leastprivilege.com/PermaL...8-6ff79a60e43f

-Brock
DevelopMentor
http://staff.develop.com/ballen

HI NG

I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.

In some of my codebehind files i have a private string that is my SQL
Server connection string for example:

public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}
When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it's not pretty and it might take a while to
find BUT IT'S THERE!!!

I am also able to find some of my SQL Command strings and other
objects I use in the code - is this of normal behavior of a dll that
you actually can see the code in text???

Man I'm getting nervous!!

-Kevin

I'd be nervous too, if somehow someone on the Internet could get hold of my
DLLs. Now THAT would be a security issue!

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Ambiguity has a certain quality to it.

"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...

HI NG

I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.

In some of my codebehind files i have a private string that is my SQL
Server connection string for example:

public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}

When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it's not pretty and it might take a while to
find BUT IT'S THERE!!!

I am also able to find some of my SQL Command strings and other objects
I use in the code - is this of normal behavior of a dll that you
actually can see the code in text???

Man I'm getting nervous!!

-Kevin

Kevin Spencer wrote:

I'd be nervous too, if somehow someone on the Internet could get hold of my
DLLs. Now THAT would be a security issue!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Ambiguity has a certain quality to it.

What if we talk shipping dll's API and stuff like that - what would be
nessecary to keep the clean strings away from being readable in the
dll?

-Kevin

One could argue that all applications written using .NET are Open Source.

"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...

HI NG

I have made a very nasty discovery on my dll files build from my
ASP.NET projects in VS.NET 2003.

In some of my codebehind files i have a private string that is my SQL
Server connection string for example:

public class myClass
{
private string sqlSvrConStr = "Data Source=blablabla";
public myClass()
{
}
}

When I compile the project and opens the dll in notepad I am able to
read the sqlSvrConStr - it's not pretty and it might take a while to
find BUT IT'S THERE!!!

I am also able to find some of my SQL Command strings and other objects
I use in the code - is this of normal behavior of a dll that you
actually can see the code in text???

Man I'm getting nervous!!

-Kevin

You could encrypt your critical strings.

"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11*********************@o13g2000cwo.googlegro ups.com...

Kevin Spencer wrote:

I'd be nervous too, if somehow someone on the Internet could get hold of my DLLs. Now THAT would be a security issue!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Ambiguity has a certain quality to it.

What if we talk shipping dll's API and stuff like that - what would be
nessecary to keep the clean strings away from being readable in the
dll?

-Kevin

> You could encrypt your critical strings.

The problem with encrypting the strings is that you need a key to decrypt
them. Where do you store that? If the original intent was to hide the strings,
encrypting them just means you have to hide the key. Same problem.

-Brock
DevelopMentor
http://staff.develop.com/ballen

The difference is: For SQL connection string, there is clearly
distingrishable words that enables user to find it out easily.
If you're storing a key, the key may(or may not) look like other values. If
your program hold more than one key, it may take the user a while to figure
out which one you're using for decrypting the connection string.

Things can go more tricky if you choose to use Multibyte characters such as
Big5 in the key... You either have a key that won't decrypt at all(not all
encryption algorithm have a mind for high-ASCII values) or a key that's
difficult to be recognize(you can't tell by our eyes it's a legal string or
not after shifting bits)

"Brock Allen" <ba****@NOSPAMdevelop.com>
???????:90**********************@msnews.microsoft. com...

You could encrypt your critical strings.

The problem with encrypting the strings is that you need a key to decrypt
them. Where do you store that? If the original intent was to hide the
strings, encrypting them just means you have to hide the key. Same
problem.

-Brock
DevelopMentor
http://staff.develop.com/ballen

Don't do it.

"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11*********************@o13g2000cwo.googlegro ups.com...

Kevin Spencer wrote:

I'd be nervous too, if somehow someone on the Internet could get hold of
my
DLLs. Now THAT would be a security issue!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Ambiguity has a certain quality to it.

What if we talk shipping dll's API and stuff like that - what would be
nessecary to keep the clean strings away from being readable in the
dll?

-Kevin

bradley shared this with us in microsoft.public.dotnet.framework.aspnet:

One could argue that all applications written using .NET are Open
Source.

Open source doesn't just mean access to the source code. The
distribution terms of open-source software must comply with the
following criteria:

1. Free Redistribution
2. Source Code
3. Derived Works
4. Integrity of The Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License
8. License Must Not Be Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology-Neutral

Details on http://www.opensource.org/docs/definition.php

--
Amedee Van Gasse

Well, MSIL can be obfuscated. VS.Net comes with an bfuscator, and there are
others available as well.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Ambiguity has a certain quality to it.

"Shaun Wilson" <mr***********@msn.com> wrote in message
news:eu**************@TK2MSFTNGP15.phx.gbl...

Don't do it.

"Kevin Steffer [MCP]" <ks******@gmail.com> wrote in message
news:11*********************@o13g2000cwo.googlegro ups.com...

Kevin Spencer wrote:

I'd be nervous too, if somehow someone on the Internet could get hold of
my
DLLs. Now THAT would be a security issue!

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Ambiguity has a certain quality to it.

What if we talk shipping dll's API and stuff like that - what would be
nessecary to keep the clean strings away from being readable in the
dll?

-Kevin