Is Silverlight Secure?

We have a need for an application that runs on an end user's machine and provides us with score results, and we need the results to be accurate (i.e. not tampered with). Currently, there is a debate between Flash and Silverlight, and it looks like Silverlight is going to be the winner.

Aside from the argument that anything on an end user's machine has to be ultimately considered compromised, how hard is it to attack a Silverlight application? I know it depends on how the code is written etc., and my question really is how hard is it to attack the underlying platform. Are there any articles on how easy it is to do something like bootstrap a Silverlight app and alter running code (or some other method)? I am thinking something like a buffer overflow attack to insert other executable code?

I've also heard that with a Flash application it is pretty difficult to attack the memory and execute arbitrary code. Is this true?

kemiller2002 asked Dec 10 '22 22:12

1 Answer

My understanding is that Silverlight is running on a version of the Common Language Runtime (CLR) called CoreCLR. Like any application running in the browser, the primary security scenario is preventing malicious code attacking other instances of the application, or applications/data on the user's computer.

The scenario that you describe is different from this, and I would say that there is little in the way of active measures to prevent your code from being hijacked. A user with enough know-how can easily edit the code at the assembly level.

You might attempt to mitigate these attacks by:

  • Preventing access to sophisticated debugging tools (not possible unless you control the client machines).
  • Generating obfuscated or random Silverlight code for each individual user, or even per session. In theory this might prevent users from sharing a hack. If you can time out the code, by making it stale after 30 mins, you would make it more difficult.
  • Reducing the amount of logic in your application, and providing it on the server side with web services.

It is just as easy for an expert attacker to attack applications running in the Flash VM as it is to attack Silverlight.

Brian Lyttle answered Dec 25 '22 02:12
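Added example (not code from the question or the answer above) showing what the last two mitigations look like on the server side: the client keeps only a short-lived, server-signed session token and submits raw answers, while the score is recomputed from a server-held answer key and the client's claimed score is treated as untrusted input. The secret, answer key and 30-minute TTL are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side values (assumptions for this example, not from the post).
SERVER_SECRET = b"constructed-server-secret-rotate-in-production"
ANSWER_KEY = {"q1": "b", "q2": "d", "q3": "a"}
SESSION_TTL_SECONDS = 30 * 60  # the 30-minute staleness window the answer suggests


def issue_session(user_id: str, now: float) -> str:
    """Server mints a session token; the client holds it but cannot forge or extend it."""
    expires = int(now) + SESSION_TTL_SECONDS
    payload = f"{user_id}|{expires}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_session(token: str, now: float) -> Optional[str]:
    """Return the user id if the token is authentic and not stale, otherwise None."""
    try:
        user_id, expires, mac = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{user_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged token
    if now >= int(expires):
        return None  # stale session: the client must fetch fresh code/token
    return user_id


def score_submission(token: str, submission: str, now: float) -> dict:
    """Web-service endpoint: the client submits its raw answers (and whatever score it
    claims); the server ignores the claimed score and recomputes from its own key."""
    user_id = validate_session(token, now)
    if user_id is None:
        return {"accepted": False, "reason": "invalid or expired session"}
    data = json.loads(submission)
    answers = data.get("answers", {})
    score = sum(1 for q, a in ANSWER_KEY.items() if answers.get(q) == a)
    claimed = data.get("claimed_score")
    # A mismatch between the client's claim and the server's result is a tamper signal.
    mismatch = claimed is not None and claimed != score
    return {"accepted": True, "user": user_id, "score": score, "client_claim_mismatch": mismatch}
```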