Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I protect my ASP.Net Source Code From My Developers

This seems like a weird position to be in, but let me ask the question anyway.

I have created some DLLs that do some magical mumbo-jumbo that is needed to display the content for the website I am making right now in ASP.Net. I've got a small team of developers who can help me with this, but I am afraid that they will steal my code (the DLL) and use it in projects when they leave my company. In a software I can probably prove that they are using my DLL to generate the content, but on a server where the DLLs are not available to public I can't.

So in spite of having a team I've been working on this all alone.

My question is. Is there any way you can think of using which I can protect my DLL (which goes into the bin folder) so that my coders can't steal it, or it becomes unusable if stolen.

I just want to protect whatever goes into the bin folder.

like image 779
Cyril Gupta Avatar asked Jul 18 '09 05:07

Cyril Gupta


People also ask

How secure is asp net?

ASP.NET Core contains features for managing authentication, authorization, data protection, HTTPS enforcement, app secrets, anti-request forgery protection, and CORS management. These security features allow you to build robust yet secure ASP.NET Core apps.

What is security in ASP.NET Core?

ASP.NET Core security featuresASP.NET Core provides many tools and libraries to secure ASP.NET Core apps such as built-in identity providers and third-party identity services such as Facebook, Twitter, and LinkedIn. ASP.NET Core provides several approaches to store app secrets.

How do I protect my VB NET application?

Use PC Guard to protect your VB.NET software with advanced cryptography, anti-cracking, anti-reverse-engineering and software copy protection techniques. If you are developing Microsoft . NET framework applications by using VB.NET programming language you will need PC Guard for . NET (x86/AnyCpu) or/and PC Guard for .


4 Answers

You could have the dll check its environment and fail to work (I suggest you make it give wrong results rather than break) if the environment does not feel like home. You will also have to obfuscate the code to hamper efforts to remove the protection.

Edit: you could use an environment variable, registry key, existence of a performance counter, an obscure setting in machine.config, etc., and make it look like a genuine setting, then obfuscate and sign with a strong name.

like image 156
Matt Howells Avatar answered Oct 02 '22 20:10

Matt Howells


This may not be appropriate to your situation but you could provide them with a proxy DLL which doesn't perform the calculations but instead calls your DLL.

You then keep your DLL on another server that only you have access to and the proxy DLL calls it via some sort of remoting protocol.

like image 39
LachlanG Avatar answered Oct 02 '22 20:10

LachlanG


That is a weird position to be in... my condolences.

At the .Net level, the best you can do is obfuscate your code when you build it. Strongly signing your assembly will let you know if tampering is going on as well.

Another approach that some people have taken is to write the really sensitive code in C++ and compile it to an unmanaged .dll, and call into it from .net using interop. C++ bytecode is much harder to read than IL, and this throws up a lot more barriers to easy reverse-engineering.

Edit: based on comments from the OP, here is an updated answer.

If you're simply worried about them stealing the DLL that you place in the bin folder on your web server, simply publish it to a subfolder of \bin, lock the folder down using windows permissions, so there is no way they can get into it, and change your web.config to probe it.

<runtime>
   <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="bin;bin\mysubfolder;" />
   </assemblyBinding>
</runtime>

Definitely make sure to strongly name the .dll, and keep your private key file somewhere safe. That makes your .dll uniquely identifiable and tampering can be detected if they do get at it.

like image 24
womp Avatar answered Oct 02 '22 21:10

womp


Related: https://stackoverflow.com/questions/181991/suggest-a-good-obfuscator-for-net-closed.
You might want to obfuscate your code selectively(keep public API's as is)

like image 32
Cherian Avatar answered Oct 02 '22 20:10

Cherian