I have written a program in vb.net 2008 (using .net 3.5). It's a decent size program. One part of this program is to access an online database and encrypt/decrypt files. To access db I use a hardcoded password. To encrypt/decrypt files I used a hardcoded key. No matter what I do I would need to hardcode one of the two things at least. For example: even if I store database password in an encrypted file I would need to hardcode key to decrypt it. Or vice versa.
So after doing some thinking I figured that I need to obfuscate my code so that at least these hardcoded elements/values wont be visible easily. Infact to test, I used a program to disassemble my program. And to my amazement, it showed me every line of code in my program. I felt as if my entire code is pasted in my exe.
Thus I need to obfuscate my code. See I do not need too advanced settings. My program is not among the top shareware programs or super popular that I need very high security. But I need enough security so that my basic code, variables and sensitive information (password etc) is not visible.
Please help me choose a good obfuscator which will do the job. It should not be too tedious to use and should be sufficient for me. Plus it should be trusted and secure. I mean I don't want my application to crash or be unstable after I obfuscate it.
I have downloaded trial of .net reactor from Ezriz and it seems to be fine. What do you guys suggest? I cannot affort something over $200. So is this product worth going for. You guys know better.
Thank you for your support.
Cheers,
Saurabh
Obfuscation cannot solve this problem. An attacker can change his hosts file to redirect the domain name to a database he controls. When you login he will get the username/password.
Another attack would be to use a debugger like ollydbg to obtain the username/password in memory. The username/password must be in clear text prior to use, and an attacker will be able to find it.
Security Through Obscurity will never work. You will never be able to control the client.
A better approach is to setup a a SOAP (WCF) server to abstract your database operations. The logic for building the queries must be server side. Assume that an attacker has full access to any functions you expose via SOAP.
I use Eziriz .NET Reactor for a while now and it works great for me. I used Eazfuscator before but it wasn't really powerful.
.Net Reactor has awesome features such as Anti ILDASM and Native Exe file generation. Also it'll fit your budget. You can use Trial before purchasing it and test if it works with your scenario.
You should strongly consider Babel .net obfuscator. In my opinion even though it is a console application it is by far the best for price, licensing (not locked to a single computer) and features.
I use Eazfuscator:http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx
It powerful and it's free. Wonderful tool extremely simple to use.
Related
I have discovered that our SQL statements are appearing in our compiled DLL files in our WinForms projects. What are some good methods of hiding these statements in the DLL files?
The term you are looking for is obfuscation and there are several commercial products that will do that, as well as some open source ones.
Bear in mind, that someone determined enough will be able to see the strings. That can be done through de-obfuscation techniques or by examining the strings at run time with a debugger like WinDbg.
Obfuscators should be used to protect intellectual property, at best. They should not be counted on for the security of your application. If you are hard coding credentials in your application, I would instead re-consider where they are getting stored or retrieved from. There is no "one-size" answer for that.
My scenario is as follows, a .NET 4.0 Solution with several projects (one host and some dlls), one (dll) in particular making use of the MySQL .NET Connector in order to only call upon stored procedures. I've also signed all my assemblies with a private key.
I'm curious if a hacker could somehow obtain the password to the database user from the connection string (even though that user only has permission to EXECUTE).
Also I'm curious whether a hacker would be able to find out the stored procedures I call on and whether he could Select/Insert/Delete arbitrarily with the use of my stored procedures.
All this with the presumption that the hacker only has a copy of the compiled solution.
If you have hard-coded the user name and password in your code, or even if you store the credentials in an encrypted file, but the encryption key is hard-coded in your code, it is easily hackable because .NET assemblies are not compiled to machine code. When you build a .NET assembly, it converts your VB.NET code into MSIL code, which is just a lower level programing language which is still easily readable. Microsoft provides a free tool (as part of the .NET Framework SDK) called MSIL Disassembler which allows you to easily view all the MSIL code for any compiled assembly. There are many tools available which allow you to easily take the MSIL code and "decompile" it to VB or C# code. You'd be amazed at how easy it is to reproduce your original code with a .NET decompiler. If the PDB's are available, the output is shockingly similar to the original code. So, unless you are using some third-party code obfuscation or assembly encryption tool, your "compiled" assemblies are very easily reverse engineered. Usually this isn't a big deal, but if avoiding hacking is a high concern, you certainly shouldn't be putting any secrets in your code.
Are you confident that all of the code in the project is safe from things like SQL Injection vulnerabilities and Local File Inclusion vulnerabilities (and will remain so, as it evolves)?
i'm newbie in FTP connection programming in Cocoa. I found 2 library that i can choose for make my app, but i dont know what's the best between these libraries. The libraries are libcurl and chilkat . The problem is what benefit of each library? Did somebody compare it? or maybe can anyone tell me about your experience? Thank you
I don't have any experience with chilkat, but I can tell yout that libcurl is used in a lot of programming languages and is available on a lot of systems. In for example PHP or on a Mac curl is a great tool to use.
So I would advice libcurl if it's available on your platform. You will probably find more information about curl and it has proven itself on many other platforms.
Also interesting if you want to go with curl is curlhandle. It's a cocoa wrapper around the curl library. Probably very handy in your case, but I've no experience with it.
I can tell you that the difference between libcurl and chilkat is like this: (though you probably know by now)
Chilkat is like the chess game you buy at the store and libcurl is like the plastic in liquid form you buy that you can make any chess piece with.
Libcurl is a slightly abstracted sockets-connector and Chilkat handles everything you'd do, up to a certain amount, with that connection. You're either staring at bits or something "made those bits into an email". I'm about to buy Chilkat for some of the libs, I like the features, but at the same time I wish I had time to read the RFC's and play with the other stuff using libcurl. Anywho, hope that answer is worth something to someone.
Because this question is still ranking high on google i give you my experience.
I bought chilkat in 2015 and moved to libcurl later and my own implementation much later. Both are far from perfect. libcurl just shows it's age and some weak designs.
libCurl is an library that tries to implement all URL able protocols even if they are designed as stream protocol like FTP. Do yourself a favour and only use it with HTTP/HTTPS. It just does the transfer part. Which is not enough for handling. You would love to see at least mime and charset routines to use the downloaded files.
Chilkat is a toplevel library that tries to give you as much highlevel access as possible. It uses background threads in script languages where it is not easy to use. The problem is that the API is terrible, very little documented and total failure when you want to write a quality program. For example it returns requests as a string. There is no way for stream processing. Now imagine you download a large GB iso file, you wont be happy. It can return as a file but then you have to specify this at the begin of a request when you don't knwo the download size.
Also the code quality until proven otherwise is bad. There are a few chilkat source code snippets in the wild which you can find via google and they are pure madness. Ok we don't know how this old code has been refactored now. But it leaves a bad taste, remember this is closed source and there is not a single mention about corner cases, which protocol is implemented, which feature of protocols are implemented and so on. You are using a total black box.
Also it does not allow high performance and high value code. I used it to write a web crawler and it was much much slower then libcurl.
I later used the HTTP and SSH compoenents to automate some server/client management scripts and there it shines. You know both sides and can just test if they work together and don't get any surprises. Then it is indeed easy and better then using the broken python or ruby SSH.
But if you ever contact with another unknown server, Chilkat is not your library.
When you compile a program to publish with Visual Studio 2010, does that have any advanced methods to keep your program being decompiled to source code? Are there any methods you would use to encrypt yoursource code before compiling?
Visual Studio by default does not apply any form of enhancements nor modify the compiled binaries other than chosen optimization setting.
There are however protectors you can make use of.
Remember UPX?
Well upx is still a very viable method of encrypting your binaries altough of course it all depends on your needs.
No, there's really no way to prevent a managed assembly from being decompiled back into source code. The best you can hope for is obfuscation, which can do quite a good job of making the decompiled code hard to understand.
VS 2010 comes with Dotfuscator community edition which will obfuscate your code to a point making it harder to read once decompiled. The only real choice is to encrypt your code if you need the absolute best security. You might want to check out the paid edition http://www.preemptive.com/products/dotfuscator/overview to see if it suits your needs and budget
You can use obfuscators which employ various techniques like class/method name renaming, string encryption, method call hiding, etc. Even if someone were to view your code in a disassembler, he would not be able to make any sense out of it.
DISCLAIMER: I work for LogicNP Software, the developers of Crypto Obfuscator
VS and any other good compiler make optimalizations. Solely these optimalizations are often enough to make your application resist reverse engineering attempts.
This will not encrypt constants in your program so mypass will still be found as mypass in the binary. You need an encryption program for that.
Alas I have no idea what the good and bad encryption programs are for binaries so I won't suggest any.
Best protectors are confuser ,engima and themida
Wibu Systems offers a solution that encrypt the binary files which will preventing reverse engineering.
https://www.wibu.com/uk/products/protectionsuite/axprotector-ip-protection.html
Where can I find the code for creating an online rebol console like the one here ?
http://tryrebol.esperconsultancy.nl/
Update: for the sandbox system on the server, can't Rebol manage it itself with some security wrapper and its security options ?
As for console itself, I don't know Ruby so I don't want to use TryRuby and why would I need it ? Can't I mimic Rebol console itself by "remoting" it somehow ? Why RT or Esper Consultancy can't make an opensource version ? There's no value in keeping it closed source. Rebol needs to prove it's more open than in the past.
In my opinion, you should aim higher with something like the already open-sourced Try Ruby. You'd type in expressions and it would guide you. Their showcase site is at tryruby.org and is fairly slick.
I modified TryRuby to work with Rebol and it wound up looking like this:
But I'm not going to run it on my server because I didn't want to belabor the necessary sandboxing/etc. or protections against someone running an infinite loop. I can give you what I've got so far if you want it.
I started a tutorial script here that no one seemed interested in helping me with, so I wandered off to other tasks:
http://www.rebol.net/wiki/Interactive_tutorial_script
I'm not sure what exactly you want. You mention you want a remote REBOL shell instead of a tutoring setup, but that's what the Try REBOL site is. There are several reasons it's not open source:
It's in heavy development. I'm currently changing the code regularly.
So it's not in a release state. Preparing it for release, documenting and publishing it would take a lot of extra work, as with most projects.
It's written in my CMS that's also in heavy development. Even if the Try REBOL site were open source, it wouldn't run. The CMS is not planned to be open sourced soon.
It's not meant as a generic REBOL remoting tool, but as a one-off demo site. If that site is running, what's the use of more of them?
As others have answered, there are many generic solutions for remoting that you could use. Also, most parts of the Try REBOL site are readily available as open source:
Syllable Server, produced and published by us.
The Cheyenne web server.
The HTML source of the web client can be viewed, including my simple JavaScript command service bus.
Syllable Server is an essential part of the site, as the sandboxing is not done with REBOL facilities (except some extra limits in the R3 backend), but with standard Linux facilities.
A truly air tight (do I mean silica tight?) sandbox is close to impossible with R2.
R3 (still in alpha) is looking a lot more promising. The deep technical discussions in flight right now (see Cure code and AltME/REBOL3 Proposals regarding unwinds and protect and even occasionally mentioning sandboxes should lead to an excellent sandbox capability.
Right now, the big advance R3 has that makes Kaj's tryREBOL possible is R3's secure policy settings which make it possible (with some careful wrapper code) to construct an alpha/demo sandbox.
To answer your precise question("where can I find code...", you could try asking Kaj for his :)
I'm new to StackOverflow. I'm not sure if this is going to end up as a reply to your comment, or as a new answer.
The somewhat common idea that any project can be open sourced and contributed to by others is a naive view. In the case of my Try REBOL site, it makes no sense. It's not just in heavy development; it's written in a CMS that's also in heavy development. Basically noone could contribute to it at this point, because I'm the only one who knows my CMS. Or in any case its newest features, which I develop by developing Try REBOL, and other example sites. So developing Try REBOL means developing the CMS at the same time, and by definition, I'm the only one who can do that.
More generally, my projects are bleeding edge, innovative technology with a strong vision. The vision is mine, and to teach it to others, I have to build it to show how I intended it to work. So there's a catch 22: to enable others to contribute, I have to finish my projects first, because people typically don't understand them until I show them how they work.
There certainly are other projects where mass contribution makes more sense. Still, only the top projects get the contributors. We found that out the hard way. We created Syllable Desktop and Syllable Server with surrounding infrastructure for contributions. These are fairly classic, well understood operating systems that many people could work on in parallel. However, despite years of begging, we get very few contributions.
So, if you feel a burning need to contribute to our projects, please pick one of the many tasks in Syllable to execute. :-)