|
|
You're in the
asp.net security
group:ASP.NET Security
asp.net security:
i have created a web application for businesses pupose, which contains come classes, the whole output of this application is "MyWork.dll" in bin directory, so far so goood. wot i want is to safe this ".dll" file, coz if a made any windows or another webapplication and add its ("MyWork.dll") reference in this new appication, i can access all classes, these classes contains some classes which play with DB and Registry, so i want to make this "MyWork.dll" limited to only that application to which it belongs. any help would be appriciateable aSIM.
use "internal" access specifier for class or your methods, this will prevent
others. Ram [quoted text, click to view] "Asim Qazi" wrote:
> Hi All > i have created a web application for businesses pupose, which contains > come classes, the whole output of this application is "MyWork.dll" in bin > directory, so far so goood. > > wot i want is to safe this ".dll" file, coz if a made any windows or > another webapplication and add its ("MyWork.dll") reference in this new > appication, i can access all classes, these classes contains some classes > which play with DB and Registry, so i want to make this "MyWork.dll" limited > to only that application to which it belongs. > > > > > any help would be appriciateable > > > > aSIM. > >
Thanks Ram for prompt reply,
as i m a new user of asp.net can you please provide me any small sample ?? or syntax ?? aSIM. [quoted text, click to view] "Ram" <Ram@discussions.microsoft.com> wrote in message news:B8A128CE-5D3E-40CD-BA5D-6AC7A945659C@microsoft.com... > use "internal" access specifier for class or your methods, this will prevent > others. > > Ram > > "Asim Qazi" wrote: > > > Hi All > > i have created a web application for businesses pupose, which contains > > come classes, the whole output of this application is "MyWork.dll" in bin > > directory, so far so goood. > > > > wot i want is to safe this ".dll" file, coz if a made any windows or > > another webapplication and add its ("MyWork.dll") reference in this new > > appication, i can access all classes, these classes contains some classes > > which play with DB and Registry, so i want to make this "MyWork.dll" limited > > to only that application to which it belongs. > > > > > > > > > > any help would be appriciateable > > > > > > > > aSIM. > > > > > >
and reflection??
--------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > use "internal" access specifier for class or your methods, this will > prevent others. > > Ram > > "Asim Qazi" wrote: > >> Hi All >> i have created a web application for businesses pupose, which >> contains >> come classes, the whole output of this application is "MyWork.dll" in >> bin >> directory, so far so goood. >> wot i want is to safe this ".dll" file, coz if a made any windows or >> another webapplication and add its ("MyWork.dll") reference in this >> new appication, i can access all classes, these classes contains some >> classes which play with DB and Registry, so i want to make this >> "MyWork.dll" limited to only that application to which it belongs. >> >> any help would be appriciateable >> >> aSIM. >>
There is no way you can do that. If someone has your .dll he can use it.
I wouldn't spend too much time thinking about this. Keep your stuff on the server, and you have control over it - otherwise you don't. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Hi All > i have created a web application for businesses pupose, which > contains > come classes, the whole output of this application is "MyWork.dll" in > bin > directory, so far so goood. > > wot i want is to safe this ".dll" file, coz if a made any windows or > another webapplication and add its ("MyWork.dll") reference in this > new appication, i can access all classes, these classes contains some > classes which play with DB and Registry, so i want to make this > "MyWork.dll" limited to only that application to which it belongs. > > any help would be appriciateable > > aSIM. >
My Application has two parts, one is web application whose namespace
"MyWork" and the other part is SharedLibrary which contains different classes for different purposes, the name space for this SharedLibrary project is also "MyWork", if i set the AccessModifier "Internal" of the sharedLib classes there are inaccesible even in my web application, both have the same namespace, any solution ?? Is there any way to check if the calling application is my own then allow it else reject it, checking ".dll" path or any other way ?? aSIM. "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> [quoted text, click to view] wrote in message news:4580be6319c84c8c858e422c88800@news.microsoft.com... > There is no way you can do that. If someone has your .dll he can use it. > > I wouldn't spend too much time thinking about this. > > Keep your stuff on the server, and you have control over it - otherwise you > don't. > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > > > Hi All > > i have created a web application for businesses pupose, which > > contains > > come classes, the whole output of this application is "MyWork.dll" in > > bin > > directory, so far so goood. > > > > wot i want is to safe this ".dll" file, coz if a made any windows or > > another webapplication and add its ("MyWork.dll") reference in this > > new appication, i can access all classes, these classes contains some > > classes which play with DB and Registry, so i want to make this > > "MyWork.dll" limited to only that application to which it belongs. > > > > any help would be appriciateable > > > > aSIM. > > > >
That's crazy to say that.
The easiest quickest simplest solution is to not use a .dll - just compile the classes directly into each app that needs them - that solves the .dll problem completely. If you insist on using a .dll - 1/2 day with some thought out security code would work fine (check loaded assemblies, use strong naming, declartive security etc) J "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> [quoted text, click to view] wrote in message news:4580be6319c84c8c858e422c88800@news.microsoft.com... > There is no way you can do that. If someone has your .dll he can use it. > > I wouldn't spend too much time thinking about this. > Keep your stuff on the server, and you have control over it - otherwise > you don't. > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > >> Hi All >> i have created a web application for businesses pupose, which >> contains >> come classes, the whole output of this application is "MyWork.dll" in >> bin >> directory, so far so goood. >> >> wot i want is to safe this ".dll" file, coz if a made any windows or >> another webapplication and add its ("MyWork.dll") reference in this >> new appication, i can access all classes, these classes contains some >> classes which play with DB and Registry, so i want to make this >> "MyWork.dll" limited to only that application to which it belongs. >> >> any help would be appriciateable >> >> aSIM. >> > >
i will answer that when i have more time, in the meanwhile you may wanna
check your statements if they are really true :) --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > That's crazy to say that. > > The easiest quickest simplest solution is to not use a .dll - just > compile the classes directly into each app that needs them - that > solves the .dll problem completely. > > If you insist on using a .dll - 1/2 day with some thought out security > code would work fine (check loaded assemblies, use strong naming, > declartive security etc) > > J > > "Dominick Baier [DevelopMentor]" > <dbaier@pleasepleasenospamdevelop.com> wrote in message > news:4580be6319c84c8c858e422c88800@news.microsoft.com... > >> There is no way you can do that. If someone has your .dll he can use >> it. >> >> I wouldn't spend too much time thinking about this. >> Keep your stuff on the server, and you have control over it - >> otherwise >> you don't. >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> Hi All >>> i have created a web application for businesses pupose, which >>> contains >>> come classes, the whole output of this application is "MyWork.dll" >>> in >>> bin >>> directory, so far so goood. >>> wot i want is to safe this ".dll" file, coz if a made any windows >>> or another webapplication and add its ("MyWork.dll") reference in >>> this new appication, i can access all classes, these classes >>> contains some classes which play with DB and Registry, so i want to >>> make this "MyWork.dll" limited to only that application to which it >>> belongs. >>> >>> any help would be appriciateable >>> >>> aSIM. >>>
Is it a good way to check my own security (could b any, like checking key
comparision keys etc) in constructor of critical classes. aSIM. "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> [quoted text, click to view] wrote in message news:4580be6319c8938c859466ffe38b0@news.microsoft.com... > i will answer that when i have more time, in the meanwhile you may wanna > check your statements if they are really true :) > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > > > That's crazy to say that. > > > > The easiest quickest simplest solution is to not use a .dll - just > > compile the classes directly into each app that needs them - that > > solves the .dll problem completely. > > > > If you insist on using a .dll - 1/2 day with some thought out security > > code would work fine (check loaded assemblies, use strong naming, > > declartive security etc) > > > > J > > > > "Dominick Baier [DevelopMentor]" > > <dbaier@pleasepleasenospamdevelop.com> wrote in message > > news:4580be6319c84c8c858e422c88800@news.microsoft.com... > > > >> There is no way you can do that. If someone has your .dll he can use > >> it. > >> > >> I wouldn't spend too much time thinking about this. > >> Keep your stuff on the server, and you have control over it - > >> otherwise > >> you don't. > >> --------------------------------------- > >> Dominick Baier - DevelopMentor > >> http://www.leastprivilege.com > >>> Hi All > >>> i have created a web application for businesses pupose, which > >>> contains > >>> come classes, the whole output of this application is "MyWork.dll" > >>> in > >>> bin > >>> directory, so far so goood. > >>> wot i want is to safe this ".dll" file, coz if a made any windows > >>> or another webapplication and add its ("MyWork.dll") reference in > >>> this new appication, i can access all classes, these classes > >>> contains some classes which play with DB and Registry, so i want to > >>> make this "MyWork.dll" limited to only that application to which it > >>> belongs. > >>> > >>> any help would be appriciateable > >>> > >>> aSIM. > >>> > >
what's the difference between a class and a .exe ?? the extension - that's
it - you can also add .exe references - Visual Studio does not allow this but csc.exe does. i can simply turn CAS off if i want to bypass a lot of stuff - i could use reflector to decompile the assembly - i could even patch the CLR to turn off all security checks... If you don't believe me give me your ".exe" and we will see if i can call it or not. you can make it harder by sprinkling all kinds of security checks in your code - but the rule still applies - if i have your binary - it is mine - and i can do whatever i want. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > i will answer that when i have more time, in the meanwhile you may > wanna check your statements if they are really true :) > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com >> That's crazy to say that. >> >> The easiest quickest simplest solution is to not use a .dll - just >> compile the classes directly into each app that needs them - that >> solves the .dll problem completely. >> >> If you insist on using a .dll - 1/2 day with some thought out >> security code would work fine (check loaded assemblies, use strong >> naming, declartive security etc) >> >> J >> >> "Dominick Baier [DevelopMentor]" >> <dbaier@pleasepleasenospamdevelop.com> wrote in message >> news:4580be6319c84c8c858e422c88800@news.microsoft.com... >> >>> There is no way you can do that. If someone has your .dll he can use >>> it. >>> >>> I wouldn't spend too much time thinking about this. >>> Keep your stuff on the server, and you have control over it - >>> otherwise >>> you don't. >>> --------------------------------------- >>> Dominick Baier - DevelopMentor >>> http://www.leastprivilege.com >>>> Hi All >>>> i have created a web application for businesses pupose, which >>>> contains >>>> come classes, the whole output of this application is "MyWork.dll" >>>> in >>>> bin >>>> directory, so far so goood. >>>> wot i want is to safe this ".dll" file, coz if a made any windows >>>> or another webapplication and add its ("MyWork.dll") reference in >>>> this new appication, i can access all classes, these classes >>>> contains some classes which play with DB and Registry, so i want to >>>> make this "MyWork.dll" limited to only that application to which it >>>> belongs. >>>> any help would be appriciateable >>>> >>>> aSIM. >>>>
well duh.
If you have access to the machine you can just run regedit too and bypass the need for .net. Or how about hand assembling some hex codes in a buffer overrun? All those will bypass 'security'. I think he was asking for a reasonable level of assurance, not DOD level protection from the communists. Remind me not to buy your book. "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> [quoted text, click to view] wrote in message news:4580be6319dde78c85cd6eca1d4c1@news.microsoft.com... > what's the difference between a class and a .exe ?? the extension - that's > it - you can also add .exe references - Visual Studio does not allow this > but csc.exe does. > > i can simply turn CAS off if i want to bypass a lot of stuff - i could use > reflector to decompile the assembly - i could even patch the CLR to turn > off all security checks... > > If you don't believe me give me your ".exe" and we will see if i can call > it or not. > > you can make it harder by sprinkling all kinds of security checks in your > code - but the rule still applies - if i have your binary - it is mine - > and i can do whatever i want. > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > >> i will answer that when i have more time, in the meanwhile you may >> wanna check your statements if they are really true :) >> >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> That's crazy to say that. >>> >>> The easiest quickest simplest solution is to not use a .dll - just >>> compile the classes directly into each app that needs them - that >>> solves the .dll problem completely. >>> >>> If you insist on using a .dll - 1/2 day with some thought out >>> security code would work fine (check loaded assemblies, use strong >>> naming, declartive security etc) >>> >>> J >>> >>> "Dominick Baier [DevelopMentor]" >>> <dbaier@pleasepleasenospamdevelop.com> wrote in message >>> news:4580be6319c84c8c858e422c88800@news.microsoft.com... >>> >>>> There is no way you can do that. If someone has your .dll he can use >>>> it. >>>> >>>> I wouldn't spend too much time thinking about this. >>>> Keep your stuff on the server, and you have control over it - >>>> otherwise >>>> you don't. >>>> --------------------------------------- >>>> Dominick Baier - DevelopMentor >>>> http://www.leastprivilege.com >>>>> Hi All >>>>> i have created a web application for businesses pupose, which >>>>> contains >>>>> come classes, the whole output of this application is "MyWork.dll" >>>>> in >>>>> bin >>>>> directory, so far so goood. >>>>> wot i want is to safe this ".dll" file, coz if a made any windows >>>>> or another webapplication and add its ("MyWork.dll") reference in >>>>> this new appication, i can access all classes, these classes >>>>> contains some classes which play with DB and Registry, so i want to >>>>> make this "MyWork.dll" limited to only that application to which it >>>>> belongs. >>>>> any help would be appriciateable >>>>> >>>>> aSIM. >>>>> > >
[quoted text, click to view]
>>>> The easiest quickest simplest solution is to not use a .dll - just >>>> compile the classes directly into each app that needs them - that >>>> solves the .dll problem completely. if that sounds reasonable to you...fair enough --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > well duh. > > If you have access to the machine you can just run regedit too and > bypass the need for .net. > > Or how about hand assembling some hex codes in a buffer overrun? > > All those will bypass 'security'. > > I think he was asking for a reasonable level of assurance, not DOD > level protection from the communists. > > Remind me not to buy your book. > > "Dominick Baier [DevelopMentor]" > <dbaier@pleasepleasenospamdevelop.com> wrote in message > news:4580be6319dde78c85cd6eca1d4c1@news.microsoft.com... > >> what's the difference between a class and a .exe ?? the extension - >> that's it - you can also add .exe references - Visual Studio does not >> allow this but csc.exe does. >> >> i can simply turn CAS off if i want to bypass a lot of stuff - i >> could use reflector to decompile the assembly - i could even patch >> the CLR to turn off all security checks... >> >> If you don't believe me give me your ".exe" and we will see if i can >> call it or not. >> >> you can make it harder by sprinkling all kinds of security checks in >> your code - but the rule still applies - if i have your binary - it >> is mine - and i can do whatever i want. >> >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> i will answer that when i have more time, in the meanwhile you may >>> wanna check your statements if they are really true :) >>> >>> --------------------------------------- >>> Dominick Baier - DevelopMentor >>> http://www.leastprivilege.com >>>> That's crazy to say that. >>>> >>>> The easiest quickest simplest solution is to not use a .dll - just >>>> compile the classes directly into each app that needs them - that >>>> solves the .dll problem completely. >>>> >>>> If you insist on using a .dll - 1/2 day with some thought out >>>> security code would work fine (check loaded assemblies, use strong >>>> naming, declartive security etc) >>>> >>>> J >>>> >>>> "Dominick Baier [DevelopMentor]" >>>> <dbaier@pleasepleasenospamdevelop.com> wrote in message >>>> news:4580be6319c84c8c858e422c88800@news.microsoft.com... >>>> >>>>> There is no way you can do that. If someone has your .dll he can >>>>> use it. >>>>> >>>>> I wouldn't spend too much time thinking about this. >>>>> Keep your stuff on the server, and you have control over it - >>>>> otherwise >>>>> you don't. >>>>> --------------------------------------- >>>>> Dominick Baier - DevelopMentor >>>>> http://www.leastprivilege.com >>>>>> Hi All >>>>>> i have created a web application for businesses pupose, which >>>>>> contains >>>>>> come classes, the whole output of this application is >>>>>> "MyWork.dll" >>>>>> in >>>>>> bin >>>>>> directory, so far so goood. >>>>>> wot i want is to safe this ".dll" file, coz if a made any >>>>>> windows >>>>>> or another webapplication and add its ("MyWork.dll") reference in >>>>>> this new appication, i can access all classes, these classes >>>>>> contains some classes which play with DB and Registry, so i want >>>>>> to >>>>>> make this "MyWork.dll" limited to only that application to which >>>>>> it >>>>>> belongs. >>>>>> any help would be appriciateable >>>>>> aSIM. >>>>>>
[quoted text, click to view]
> well duh. > > If you have access to the machine you can just run regedit too and > bypass the need for .net. > > Or how about hand assembling some hex codes in a buffer overrun? > > All those will bypass 'security'. > > I think he was asking for a reasonable level of assurance, not DOD > level protection from the communists. > > Remind me not to buy your book. Dominick's entirely too nice to say this but he's trying to help someone solve a problem and solve it thoroughly. The "thorough" part is especially important when talking about security. Just because he provides a more thorough answer than you doesn't mean he needs you barking at him on these newsgroups. While you're *obviously* much more advanced and knowledgeable than the original poster, Dom's input just might have been helpful to him. -Brock http://staff.develop.com/balle
The problem is that dom is arguing that there can be no security.
He says that if he has access to an exe he can call any class in it - and that is plain BS. How about SIMPLY decrypting all of the method's payload with a public key? I'll leave it to dom to explain why ANYONE can get access to a private key, as the explanation escapes me and Microsoft. Joe [quoted text, click to view] "Brock Allen" <ballen@NOSPAMdevelop.com> wrote in message news:b8743b1107ba8c85ebbb0d2ea24@msnews.microsoft.com... >> well duh. >> >> If you have access to the machine you can just run regedit too and >> bypass the need for .net. >> >> Or how about hand assembling some hex codes in a buffer overrun? >> >> All those will bypass 'security'. >> >> I think he was asking for a reasonable level of assurance, not DOD >> level protection from the communists. >> >> Remind me not to buy your book. > > Dominick's entirely too nice to say this but he's trying to help someone > solve a problem and solve it thoroughly. The "thorough" part is especially > important when talking about security. Just because he provides a more > thorough answer than you doesn't mean he needs you barking at him on these > newsgroups. While you're *obviously* much more advanced and knowledgeable > than the original poster, Dom's input just might have been helpful to him. > -Brock > http://staff.develop.com/ballen > >
[quoted text, click to view]
> The problem is that dom is arguing that there can be no security. > He says that if he has access to an exe he can call any class in it - > and that is plain BS. And how is it BS? [quoted text, click to view] > How about SIMPLY decrypting all of the method's payload with a public > key? > > I'll leave it to dom to explain why ANYONE can get access to a private > key, as the explanation escapes me and Microsoft. I don't know what feature you're trying refer to, but encryption doesn't solve your problem. If the code normally runs on my client machine and it was somehow encrypted, then to get it to run on my client machine you'd need to decrypt it and thus the key would also need to be on my client machine. If the key is on my machine then the encryption scheme doesn't buy you any protection since I have full control over my client machine. Or are you talking about strong names? This only protects a DLL from being tampered with if the calling assembly itself wasn't tampered with. And as Dom mentioned, this only works if the underlying platform wasn't tampered with. If it's my machine then I can tamper all I want. That's why Dom's original answer was to not give the client direct access to the code. If this is not practical and you need to give your code to the client then you must protect yourself with contracts and legal recourse. If I'm missing your point could you please elaborate (in a civil manner)? -Brock http://staff.develop.com/ballen
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |