Assembly modification protection not working?
AntoineC
Posts: 12
I am unclear about the Assembly Modification protection.
Here is what I have done:
- Created a WinForm sample application (.NET 2.0)
- Used SmartAssembly with the following options:
  - Strong Name Signing
  - Obfuscation default settings
  - String Encoding: "I want to use strings encoding with improved protection"
  - All other settings to default
After build, SA reports: "The assembly has been protected against any modification" as expected.
To check that, I have changed one byte in the protected .exe (in a char array I could locate easily).
Then I ran the protected app again. Result: the modified app just works!
This is not at all what I was expecting. I was assuming I would get an error message, or at least that the app would fail to start, since it has been "protected against any modifications".
Am I wrong? Or has SmartAssembly failed to protect my application?
Let me know!
Tested on SmartAssembly 5.
Thanks,
Antoine
PS: the Microsoft Strong Name tool (sn.exe) does report: "validation failed" on the modified app. So, I am sure that I did make a mistake and that the application is indeed modified.
Comments
SmartAssembly does not perform a full hash of the assembly to verify that nothing has changed, so it will not detect changing a primitive constant in a hex editor.
If you want this sort of functionality, either strong name signing the assembly (and then verifying on load) or using code signing (Authenticode) is the best and simplest way.
However, SmartAssembly will protect against modifications by decompilation/recompilation, code injection and most modifications to the actual code.
The wording in SmartAssembly is a bit misleading for that feature.
Suggestion:
- change the wording.
- much better: add to SmartAssembly what you are telling me! Since SmartAssembly already Strong Name signs the assemblies, it should not be too complicated to compute and verify a hash.
Antoine
We do have a feature, to add self-verification to protected assemblies, listed on the roadmap for SmartAssembly (SA-77). So hopefully it will make it in at some point soon (although no promises).
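The "strong name signing the assembly (and then verifying on load)" approach suggested in the reply above could look like the following on the .NET Framework. This is an added example, not code from SmartAssembly or from the posters; the `ExpectedToken` value is a constructed placeholder and the empty `Form` stands in for the real main form.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Windows.Forms;

static class Program
{
    // Constructed placeholder: replace with your own key's token ("sn -T app.exe" prints it).
    const string ExpectedToken = "0123456789abcdef";

    // Native strong-name API exported by mscoree.dll; its BOOLEAN type is one byte wide.
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] out bool pfWasVerified);

    static bool IsIntact(Assembly asm)
    {
        bool wasVerified;
        // fForceVerification = true: ignore any "skip verification" registry entries,
        // so the file hash is really recomputed and checked against the signature.
        if (!StrongNameSignatureVerificationEx(asm.Location, true, out wasVerified) || !wasVerified)
            return false;

        // A valid signature alone is not enough: the file could have been re-signed
        // with a different key, so the public key token is pinned as well.
        byte[] token = asm.GetName().GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return false;
        string hex = BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
        return hex == ExpectedToken;
    }

    [STAThread]
    static void Main()
    {
        if (!IsIntact(Assembly.GetExecutingAssembly()))
        {
            MessageBox.Show("This application has been modified and will not start.");
            Environment.Exit(1);
        }
        Application.Run(new Form()); // stand-in for the real main form
    }
}
```

Because the check ships inside the binary it protects, it catches the one-byte hex edit described in the question but can itself be patched out; an Authenticode signature verified by something outside the process does not share that weakness.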