Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.
thanks
Eugene
3  1795 
> how do you ensure, other people cannot create a dll D, that has the same interface, from being invoke
from your exe.
Are you loading a dynamic assembly, finding all Types that implement a certain interface defined in your assembly, and then
consuming them?
If so, just ensure that all references to your assembly must be signed with your unique key:
Find the sn.exe utility installed in "%programfiles%\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe"
Use sn.exe to generate a strong-name public/private key pair from the command-line.
sn.exe -k "c:\mykey.snk"
You can then use an assembly-level attribute to sign your main assembly (.exe) with your key:
[assembly: AssemblyKeyFile(@"c:\mykey.snk")]
Also, sign all your dynamic assemblies with this key. In your code, you can check to make sure that each assembly you load has your
public key:
public void TestLoadAsm()
{
System.Reflection.Assembly thisAsm = System.Reflection.Assembly.GetExecutingAssembly();
System.Reflection.Assembly asm = System.Reflection.Assembly.LoadFile(@"c:\TestLibra ry1.dll", thisAsm.Evidence);
System.Reflection.AssemblyName dynamicName = asm.GetName();
System.Security.Permissions.StrongNamePublicKeyBlo b key =
new System.Security.Permissions.StrongNamePublicKeyBlo b(thisAsm.GetName().GetPublicKey());
System.Security.Permissions.StrongNamePublicKeyBlo b dynaKey =
new System.Security.Permissions.StrongNamePublicKeyBlo b(dynamicName.GetPublicKey());
if (!key.Equals(dynaKey))
throw new System.Security.SecurityException(asm.FullName + " has an invalid key signature.");
Type type = asm.GetType("TestLibrary1.Class1");
TestLibrary2.IClass obj = Activator.CreateInstance(type) as TestLibrary2.IClass;
Console.WriteLine("{0}: {1}", dynamicName.Name, dynamicName.Version);
Console.WriteLine(obj.GetType().FullName);
}
So, how do you stop them from plugging in a malicious assembly? Don't give them your key file.
--
Dave Sexton
dave@www..jwaonline..com
-----------------------------------------------------------------------
"Eugene" <Eu****@discussions.microsoft.com> wrote in message news:11**********************************@microsof t.com... Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.
thanks
Eugene
thanks, it's very helpful. i would have a config file to determine which
assembly to look for, then load through reflection. My concern is when
someone tamper with the config file to load his/her own dll. initially i
thought that the strong name is being used in GAC, so thanks for your code
for my question :)
so, the problem of this is, only if someone else gets hold of my key file.
so my question is, is there any way that other people can reproduce my file?
like, deassemble my assembly, and get the [assembly:
AssemblyKeyFile(@"c:\mykey.snk")] ?
Eugene
"Dave" wrote: how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe.
Are you loading a dynamic assembly, finding all Types that implement a certain interface defined in your assembly, and then
consuming them?
If so, just ensure that all references to your assembly must be signed with your unique key:
Find the sn.exe utility installed in "%programfiles%\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe"
Use sn.exe to generate a strong-name public/private key pair from the command-line.
sn.exe -k "c:\mykey.snk"
You can then use an assembly-level attribute to sign your main assembly (.exe) with your key:
[assembly: AssemblyKeyFile(@"c:\mykey.snk")]
Also, sign all your dynamic assemblies with this key. In your code, you can check to make sure that each assembly you load has your
public key:
public void TestLoadAsm()
{
System.Reflection.Assembly thisAsm = System.Reflection.Assembly.GetExecutingAssembly();
System.Reflection.Assembly asm = System.Reflection.Assembly.LoadFile(@"c:\TestLibra ry1.dll", thisAsm.Evidence);
System.Reflection.AssemblyName dynamicName = asm.GetName();
System.Security.Permissions.StrongNamePublicKeyBlo b key =
new System.Security.Permissions.StrongNamePublicKeyBlo b(thisAsm.GetName().GetPublicKey());
System.Security.Permissions.StrongNamePublicKeyBlo b dynaKey =
new System.Security.Permissions.StrongNamePublicKeyBlo b(dynamicName.GetPublicKey());
if (!key.Equals(dynaKey))
throw new System.Security.SecurityException(asm.FullName + " has an invalid key signature.");
Type type = asm.GetType("TestLibrary1.Class1");
TestLibrary2.IClass obj = Activator.CreateInstance(type) as TestLibrary2.IClass;
Console.WriteLine("{0}: {1}", dynamicName.Name, dynamicName.Version);
Console.WriteLine(obj.GetType().FullName);
}
So, how do you stop them from plugging in a malicious assembly? Don't give them your key file.
--
Dave Sexton
dave@www..jwaonline..com
-----------------------------------------------------------------------
"Eugene" <Eu****@discussions.microsoft.com> wrote in message news:11**********************************@microsof t.com... Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.
thanks
Eugene
can this strong name be used to prevent other developer from inheriting from
my assembly as well?
"Dave" wrote: how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe.
Are you loading a dynamic assembly, finding all Types that implement a certain interface defined in your assembly, and then
consuming them?
If so, just ensure that all references to your assembly must be signed with your unique key:
Find the sn.exe utility installed in "%programfiles%\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin\sn.exe"
Use sn.exe to generate a strong-name public/private key pair from the command-line.
sn.exe -k "c:\mykey.snk"
You can then use an assembly-level attribute to sign your main assembly (.exe) with your key:
[assembly: AssemblyKeyFile(@"c:\mykey.snk")]
Also, sign all your dynamic assemblies with this key. In your code, you can check to make sure that each assembly you load has your
public key:
public void TestLoadAsm()
{
System.Reflection.Assembly thisAsm = System.Reflection.Assembly.GetExecutingAssembly();
System.Reflection.Assembly asm = System.Reflection.Assembly.LoadFile(@"c:\TestLibra ry1.dll", thisAsm.Evidence);
System.Reflection.AssemblyName dynamicName = asm.GetName();
System.Security.Permissions.StrongNamePublicKeyBlo b key =
new System.Security.Permissions.StrongNamePublicKeyBlo b(thisAsm.GetName().GetPublicKey());
System.Security.Permissions.StrongNamePublicKeyBlo b dynaKey =
new System.Security.Permissions.StrongNamePublicKeyBlo b(dynamicName.GetPublicKey());
if (!key.Equals(dynaKey))
throw new System.Security.SecurityException(asm.FullName + " has an invalid key signature.");
Type type = asm.GetType("TestLibrary1.Class1");
TestLibrary2.IClass obj = Activator.CreateInstance(type) as TestLibrary2.IClass;
Console.WriteLine("{0}: {1}", dynamicName.Name, dynamicName.Version);
Console.WriteLine(obj.GetType().FullName);
}
So, how do you stop them from plugging in a malicious assembly? Don't give them your key file.
--
Dave Sexton
dave@www..jwaonline..com
-----------------------------------------------------------------------
"Eugene" <Eu****@discussions.microsoft.com> wrote in message news:11**********************************@microsof t.com... Consider a system that has exe and dlls, how can i ensure that only the
authorized .net assembly can work with my system. For example, consider your
sys got an exe, that would use dll A, B, and C; how do you ensure, other
people cannot create a dll D, that has the same interface, from being invoke
from your exe. Considering, your exe is created to dynamically load the dll,
for future extensibility, meaning, as new dll comes, you don't need to change
your exe.
thanks
Eugene
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Eric.Jones |
last post by:
I've encountered a strange error with loading delimited files from a
Samba (SMB) network drive, has anyone else seen this before?
(Platform: WinXP Pro, UDB PE 8015, level 02060106, SAMPLE db)
...
|
by: Gaetan |
last post by:
I just cannot read any more MSDN articles on IIS6 and ASP.Net authentication ...
everything is blurry now, tanks to old eyes.
Here is a topo of my environment:
- W2K3 SP1 (IIS 6)
- Web site...
|
by: Alex Madon |
last post by:
Hello,
I am testing a web application (using the DBX PHP function to call a
Postgresql backend).
I have 375Mb RAM on my test home box.
I ran ab (apache benchmark) to test the behaviour of the...
|
by: ssg31415926 |
last post by:
I'm getting the error: "Unable to open the Web 'http://blah/blahblah'.
You are not authorized to perform the current operation". I have
changed a few things recently but I can't change them back...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |
