We have a need for an application that runs on an end user's machine and provides us with score results, and we need the results to be accurate (i.e. not tampered with). Currently, there is a debate between Flash and Silverlight, and it looks like Silverlight is going to be the winner.
Aside from the argument that anything on an end user's machine has to be ultimately considered compromised, how hard is it to attack a Silverlight application? I know it depends on how the code is written etc., and my question really is how hard is it to attack the underlying platform. Are there any articles on how easy it is to do something like bootstrap a Silverlight app and alter running code (or some other method)? I am thinking something like a buffer overflow attack to insert other executable code?
I've also heard that with a Flash application it is pretty difficult to attack the memory and execute arbitrary code. Is this true?
My understanding is that Silverlight is running on a version of the Common Language Runtime (CLR) called CoreCLR. Like any application running in the browser, the primary security scenario is preventing malicious code from attacking other instances of the application, or applications/data on the user's computer.
The scenario that you describe is different from this, and I would say that there is little in the way of active measures to prevent your code from being hijacked. A user with enough know-how can easily edit the code at the assembly level.
You might attempt to mitigate these attacks by:
It is just as easy for an expert attacker to attack applications running in the Flash VM as it is to attack Silverlight.