保护C＃DLL免受第三方侵害 [英] Protect C# DLL from third party

问题描述

重复项：如何保护dll？

我想防止第三方应用程序使用我的C＃DLL。我只希望我申请使用此DLL。我该如何实现？

I'd like to protect my C# DLL from being used by third party applications. I'd like only MY applycation to use this DLL. How can I achieved that ?

谢谢。

推荐答案

此

整个代码访问安全系统都是基于这样的概念，即安全性决定来自运行代码的用户，而不是由代码作者提供。您，代码作者，不会告诉您的用户他们的安全决策是什么；您是用户的仆人，而不是用户的主人。

The whole code access security system is based upon the notion that security decisions come from the user running the code, not from the author of the code. You, the code author, do not get to tell your users what their security decisions are; you are the user's servant, not the user's master.

现在，您可以使第三方代码使用它变得困难起来。您可以使用各种安全属性来文档，以确保您的意图用于第三方代码而不使用您的代码。这些都是不错的步骤，但在用户对您不利的任何世界中，它们实际上都无法解决您的问题。 在CAS模型中，用户总是赢。

Now, you can make it difficult for third-party code to use your code. You can use various security attributes to document that your intention is for third-party code to not use your code. Those are good steps, but they do not actually solve your problem in any world where your users are hostile to you. In the CAS model, users always win.

例如：您可以在代码中使方法执行安全性要求，从而触发堆栈遍历检查查看调用堆栈中的每个人是否都具有与之相关的某些证据。例如，证据此DLL是用Guillaume的强名私钥签名的，该私钥已锁定在Guillaume办公室的抽屉里，这是检查的好证据。

For example: you can have methods in your code do security demands that trigger stack walks to check to see whether everyone on the call stack has certain evidence associated with them. For example, the evidence "this DLL was signed with Guillaume's strong name private key, which is locked in a drawer in Guillaume's office" would be good evidence to check for. That would almost guarantee that everyone calling your code is also your code.

但这几乎不是保证强名称签名的目的；这几乎可以保证所有调用您代码的人都是您的代码。强名签名的目的是帮助用户知道他们认为自己正在运行的代码实际上来自您。我们将看到，将安全工具用于除预定用途之外的用途是危险的。

But that is not the purpose of strong name signing; the purpose of strong name signing is to help the user know that the code they think they are running actually came from you. Using a security tool for a purpose other than what it was intended for is dangerous, as we'll see. It gives you a completely false sense of security.

假设您的用户想要创建一个不是您自己的使用DLL的应用程序。

Suppose your user wants to make an application that isn't yours that uses your DLL. Users can write fully trusted code, and fully trusted code has the right to forge evidence. That's what "fully trusted" means. So the user makes an application that was not signed by you, but because the user can fully trust that application, the fully-trusted application is allowed to forge the evidence to say that the code comes from you.

用户可以编写完全可信的代码，并且完全可信的代码有权伪造证据。这就是完全信任的手段。因此，用户创建的应用程序没有经过您的签名，但是由于用户可以完全信任该应用程序，因此，允许完全信任的应用程序伪造证据来证明代码来自您。

For that matter, there is nothing stopping the user from simply taking your code, removing your signature, and replacing it with their signature. You can say that your EULA forbids that, and you can sue them if you find out, but you cannot do anything to stop them.

就此而言，没有什么可以阻止用户简单地获取您的代码，删除您的签名并将其替换为他们的签名。您可以说您的EULA禁止这样做，如果发现您可以起诉他们，但您无能为力阻止他们。

And heck, the user can disable the ENTIRE security system if they want, in which case anything can run.

而且，用户可以禁用

您应该考虑是否要完全将DLL交付给客户。如果其中包含您不想泄露的机密，则不要与成千上万的客户共享这些机密，其中有些可能会对您怀有敌意。如果您将DLL保留在自己的服务器上并通过Web提供服务，则您永远不会将DLL交付给客户，因此他们无法在自己的计算机上将DLL用于您的预期目的之外。

You should consider whether you want to ship your DLL to customers at all. If it contains secrets that you do not want to get out, then don't share those secrets with thousands of customers, some of whom might be hostile to you. If you keep your DLL on your own servers and provide your service via the web then you don't ever ship your DLL to customers and therefore they cannot use it on their own machines for purposes other than what you intend.

这篇关于保护C＃DLL免受第三方侵害的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！