asp:Feature
Obfuscation in .NET
Prevent Your Source Code from Being Open Source
By Joydip Kanjilal
With so many decompilers available in the software
industry today, your application s source code faces security threats from a
variety of prying eyes. This alludes to the potential loss of your intellectual
property. But what makes this possible? .NET reflection, ILDASM.exe, and .NET decompilers.
So, then, what s the solution? This potential threat has
facilitated the development of a technology called obfuscation.
What Is Obfuscation?
Without changing its functionality, obfuscation protects
source code from being disassembled/decompiled. This
is a technology that makes the .NET assemblies more difficult to decompile and impedes
the reverse-engineering efforts, hence, protecting the source code from
potential threats. Obfuscation works by shrouding the facts in your code.
Encryption suffers from the drawback that it needs to keep the decryption key
along with the encrypted data. Therefore, it is possible to decrypt your source
code. On the other hand, obfuscation can increase the protection against
decompilation to a great extent, while leaving the application s functionality
intact.
Why Obfuscate?
There are several reasons why we should obfuscate:
- Obfuscation reduces the size of an executable
- Obfuscation improves the application s
performance at run time
- Obfuscation protects intellectual property
How Does It Work?
Obfuscation encrypts the source code and removes some
unnecessary information from the assembly metadata when it deems that it is
safe to do so, thus making the assembly more difficult to understand or read
after it is decompiled. The assembly metadata and manifest are used by the
dissemblers to decompile them and get the original source code. Note that even
if an application is compiled to native code at the time of execution, the
Microsoft .NET runtime environment still requires that the assembly metadata
and IL code be embedded in an assembly before it starts its execution. There
are a number of techniques that can be used to obfuscate. However, the
disadvantage of obfuscation is that it can affect performance (but not to a
great extent).
Obfuscation never changes your source code. Rather, the
obfuscators obfuscate your assemblies using a specific encryption methodology
and transform them into another assembly that is obfuscated, but the
functionality of it remains unaltered.
How to Obfuscate?
Obfuscation in .NET can be achieved by scrambling the
meaningful names in the assembly metadata with non-meaningful ones and trimming
the non-essential metadata, but without affecting any functionality. The
techniques used include, but are not limited to:
- Changing the Assembly Metadata
- String Encryption
- Size Reduction
Is this the Best Solution?
Unfortunately, the available obfuscators are unable to
completely protect your intellectual property. Even if obfuscators can be a
good tool for preventing most decompilers from stealing your code, if you are
determined and possess a good knowledge of data structures and algorithms, you
can steal the code even from an obfuscated assembly. So, obfuscation can be a
good solution, but there is no software that is absolutely safe.
The Future
Microsoft realized the importance of this technology and
introduced the Dotfuscator tool for obfuscation with Visual Studio .NET. In
addition, these .NET obfuscator tools are available:
Obfuscation is a very powerful technology and will
continue to be a part of the application build and deployment process in the
years to come.
Working extensively in Microsoft technologies for more than 10
years, Joydip Kanjilal is a Senior
Project Leader for a company in a Hyderabad,
India. His
programming skills include C, C++, Java, C#, VB, VC++, ASP.NET, XML, and UML.
He has worked with .NET and C# for more than five years. Reach Joydip at mailto:joydipkanjilal@yahoo.com.