如何美元.NET的DLL的对$ pvent欺骗 [英] How to prevent spoofing of DLLs in .NET

问题描述

我有一个.NET应用程序引用了托管的DLL。

该DLL包含一个类，比如记分员实现一个名为方法 GetHighScore（）。应用程序调用这个周期性。

有没有办法来prevent从地方一个我提供的在这里用的是非授权DLL的.NET应用程序？

解决方案

您提及：

  

该DLL包含一个类，比如记分员实现一个名为GetHighScore（）方法。应用程序调用这个周期性。

和则：

  

有没有办法来prevent从地方一个我提供的在这里用的是非授权DLL的.NET应用程序？

假设你想从换出你提供自己的组件，其具有相同的名称和类型（这是在同一个命名空间）大会prevent一个人，你的可以 用力名称包含记分员<装配 / code>类，让你的消费者引用。

不过，我们会看到有一些使这不是100％可靠的问题。强名称帮助您保护用户不知道从更换您的DLL的带有恶意欺骗副本。但是，如果用户是在欺骗（如果他想骗这将是这种情况）串通一气，然后code签售会不会比减速带越来越没有提供真正的保护。当然，强大的名称不提供保护媲美例如PunkBuster的。

使用强名称来验证程序集发布者身份

当你添加一个强名称的程序集，您使用的是私有密钥（非对称公钥/私钥对的一部分，以后会更多）来生成密码散列和公钥包含在程序集名称（连同散列）。

使用公共哈希和公共键，CLR能够验证程序集的签名实际上是来自私钥做到了。

当然，这意味着，你应该保护密钥（内部和外部）;如果别人有你的密钥，那么他们可以有效地冒充你，并发布人会相信是从你的程序集。

然后，当你添加一个引用到您的签名的程序集，如果有人试图把不同的装配中使用相同的组件名称（而不是完全限定的，只是没有版本，散列和公钥的名称）和同一类型名称，填充CLR尝试加载类型时，表明它无法找到它失败;该类型是使用解决了完全限定的程序集名称，与命名空间和类型名称一起。

为什么强名称都没有100％安全的（是什么？）

1）哈希冲突

是还是的正在被验证的哈希值。而散列是相当大的（默认哈希算法160位，SHA-1），具有值的有限数量的任何散列受到碰撞。虽然的非常的可能性不大，它的是的可能（不可能对不可能的）。此外，只有最后8个字节默认情况下使用。与研究表明SHA-1是比较弱相结合，这是一个很好的理由使用SHA-256增强强命名为的 MSDN 。

2）的强名称的去除

强名称的可以的被删除。然而，在这种情况下，因为的您的组件参考的强命名的版本引用的程序集，当你装配试图使用泄露的版本，它会在运行时失败，假设你已经正确地重新启用验证（见下文）。

3）物理访问组件手段的所有的程序集

如果有人访问物理机，可以修改所引用的程序集，那么你的程序集的只是的脆弱。如果攻击者能够修改您引用的程序集的强名称的能力，那么他们可以很容易地修改您的组装和参与执行的所有其他即可。为此，的唯一方法是100％肯定的物理组件未砍死就是否认通过它的物理访问。当然，这带来了一个就杀了的不同的的安全问题。

4）管理员禁用强名称检查

计算机管理员可以简单地绕过强名称检查，使用 SN -Vr 。据 MSDN ：

  

注册装配验证跳跃...恶意组件可以使用完全指定程序集名称（程序集名称，版本，区域性和公钥标记）的组件添加到跳过验证列表伪造其身份。这将允许恶意组件也跳过验证。

5）的强名称检查，必须明确启用后.NET 3.5 SP 1

从.NET 3.5 SP 1上，只要有一个强大的名字不提供任何保障：

  

与.NET Framework 3.5版的Service Pack 1（SP1）开始，当组件加载到完全信任AppDomain中的对象，如用于我的电脑区域的默认的AppDomain强名称签名不验证。

为了让.NET检查加载到你的应用程序中每个程序集的强名称，你要插入下面的代码片段（由MSDN提供）到您的应用程序配置文件：

 ＆LT;结构＆gt;
  ＆LT;＆运行GT;
     ＆LT; bypassTrustedAppStrongNames启用=FALSE/＆GT;
  ＆LT; /运行＆GT;
＆LT; /结构＆gt;
 

但请注意，这只是针对去除强名称的保护。

  

当您覆盖旁路功能，强劲的名称仅用于验证的正确性;它不检查一个 StrongNameIdentityPermission 。如果您想确认一个特定的强名称，你必须单独执行检查。

---

如果您上述的关切问题，你仍然喜欢追求强命名程序集，这里的如何。

生成强名称，并签署您的程序集

您有两种选择为其生成强名称时键使用。在Visual Studio中，转到签名选项卡上的项目属性，点击登录大会

从那里，你有两个选择生成公钥/私钥，有VS.NET为您生成密钥，或者指向现有的：

在选择新建，Visual Studio会提示你生成文件的名称，以及你是否不愿选择使用密码来访问它：

在这一点，关键将被添加到您的项目：

现在，你可以移动这一个解决方案项目（如果你在你的解决方案有多个项目）。

Visual Studio中在这种情况下其实只是调用强名称命令行工具生成一个公共和私有密钥对。如果你宁愿做你自己，你会想调用 SN.EXE 与 -k 命令行选项​​生成密钥，就像这样：

  SN -k keyPair.snk
 

，然后通过上面的浏览对话框中添加它。

请注意，当你这样做，就会拔出钥匙到您的项目。如果你不希望这样做（因为它复制钥匙插入的每个的项目），然后删除该项目关键的 的，然后的add现有文件的项目，但链接的它的。这将清除选择强名称密钥文件选项，但如果你删除它，你会看到你的链接密钥文件的完整路径。

I have a .NET application that references a managed DLL.

This DLL contains a class, say ScoreKeeper that implements a method called GetHighScore(). The application calls this periodically.

Is there a way to prevent the .NET application from using a "non-authorized" DLL here in place of the one I am supplying?

解决方案

You mention:

This DLL contains a class, say ScoreKeeper that implements a method called GetHighScore(). The application calls this periodically.

And then:

Is there a way to prevent the .NET application from using a "non-authorized" DLL here in place of the one I am supplying?

Assuming that you want to prevent someone from swapping out the assembly you have provided with an assembly of their own which has the same name and type (which is in the same namespace), you could apply a strong name to the assembly that contains the ScoreKeeper class and have your consumers reference that.

However, we'll see that there are issues that make this not 100% reliable. Strong Names help you protect unaware users from replacement of your DLL with a malicious spoofed copy. But if the user is complicit in the spoofing (which would be the case if he is trying to cheat), then code signing will be no more than a speed bump and provides no real protection. Certainly, Strong Names don't provide protection comparable to e.g. PunkBuster.

Using a Strong Name to verify an assembly publisher's identity

When you add a strong name to an assembly, you are using a private key (part of an asymmetric public/private key pair, more on this later) to generate a cryptographic hash and the public key is included in the assembly name (along with the hash).

Using the public hash and the public key, the CLR is able to verify that the signature of the assembly did in fact come from the private key.

Of course, this means, you should protect the key (internally and externally); if someone else has your key, then they can effectively impersonate you and publish assemblies that people would trust to be from you.

Then, when you add a reference to your signed assembly, if someone tries to put a different assembly in with the same assembly name (not the fully qualified one, just the name without version, hash and public key) and same type name, the CLR fill fail when trying to load the type, indicating that it couldn't find it; the type is resolved using the fully-qualified assembly name, along with the namespace and type name.

Why Strong Names are not 100% secure (is anything?)

1) Hash Collisions

It is still a hash that is being verified. While the hash is quite large (160 bits for the default hash algorithm, SHA-1), any hash that has a finite number of values is subject to a collision. While extremely unlikely, it is possible (impossible vs. improbable). Furthermore, only the last 8 bytes is used by default. Combined with research indicating that SHA-1 is relatively weak, this is a good reason to use SHA-256 Enhanced Strong Naming as described in MSDN.

2) Removal of the Strong Name

The strong name can be removed. However, in this case, because your assembly is referencing the strong named version of the referenced assembly, when your assembly tries to use the compromised version, it will fail at runtime, assuming you've correctly re-enabled verification (see below).

3) Physical access to the assemblies means all the assemblies

If someone has access to the physical machine and can modify the assembly that you are referencing, then your assembly is just as vulnerable. If the attacker has the ability to modify the strong name of an assembly that you referenced, then they can just as easily modify your assembly and all others involved in the execution. To this end, the only way to be 100% sure that the physical assembly isn't hacked is to deny physical access through it. Of course, that brings up a slew of different security concerns.

4) Administrator disabling the Strong Name check

The computer administrator can simply bypass the strong name check, using sn -Vr. According to MSDN:

Registers assembly for verification skipping... A malicious assembly could use the fully specified assembly name (assembly name, version, culture, and public key token) of the assembly added to the skip verification list to fake its identity. This would allow the malicious assembly to also skip verification.

5) Strong Name checking has to be explicitly enabled post .NET 3.5 SP 1

From .NET 3.5 SP 1 on, simply having a strong name doesn't provide any protection:

Starting with the .NET Framework version 3.5 Service Pack 1 (SP1), strong-name signatures are not validated when an assembly is loaded into a full-trust AppDomain object, such as the default AppDomain for the MyComputer zone.

In order to have .NET check the strong name of each assembly loaded into your application, you'll want to insert the following snippet (provided by MSDN) into your application configuration file:

<configuration>
  <runtime>
     < bypassTrustedAppStrongNames enabled="false" />
  </runtime>
</configuration>

Beware, however, that this only protected against removal of the strong name.

When you override the bypass feature, the strong name is validated only for correctness; it is not checked for a StrongNameIdentityPermission. If you want to confirm a specific strong name, you have to perform that check separately.

---

If in light of the concerns above, you'd still like to pursue Strong Naming your assembly, here's how.

Generating a Strong Name and signing your assembly

You have two options for which key to use when generating a strong name. In Visual Studio, go to the Signing tab on the project properties and click "Sign the assembly":

From there, you have two options to generate the public/private key, to have VS.NET generate the keys for you, or point to an existing one:

When selecting "New", Visual Studio will prompt you for the name of the file to generate, as well as whether or not you want to optionally use a password to access it:

At which point, the key will be added to your project:

Now, you can move this to a solution item (if you have multiple projects in your solution).

Visual Studio in this case is really just calling the Strong Name command line tool to generate a public and private key pair. If you'd rather do that yourself, you'd want to call sn.exe with the -k command line option to generate the key, like so:

sn -k keyPair.snk

And then add it via the "Browse" dialog above.

Note that when you do this, it will pull the key into your project. If you don't want to do this (as it copies the key into every project), then delete the key from the project and then add an existing file to the project, but link it. This will clear the "Choose a strong name key file" option, but if you drop it down, you'll see the full path to your linked key file.

这篇关于如何美元.NET的DLL的对$ pvent欺骗的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！