security Constraint in VS2008 windows application

Question

0.00/5 (No votes)

See more:

VS2008

I have C# desktop application in VS2008, and it is saved on remote server of our organization.
I want to secure that application so that no one can change it or modify it. what should I do?

Posted 25-Sep-13 17:17pm

Ravndra22

Add a Solution

Comments

Pradeep Shukla 26-Sep-13 0:05am

Is there any source control software is being used that stores the code like VSS, TFS.
If that is the case, Admin can restrict the code editing by using privileges.

Sergey Alexandrovich Kryukov 26-Sep-13 0:34am

Totally unrelated advice. The question is about user-level (built) project, not source code. And VSS is a very unreliable product, please never advise it to anyone. What if it is already replaced by some insider? Yes, there is the protection against it.
Please see my answer.
—SA

Pradeep Shukla 26-Sep-13 1:04am

I am NOT asking Ravndra22 to use any of those products, I asked if he is using any of those? I liked your answer (+5) and agree VSS is not very reliable but every org uses some kind of source control for maintaining code. By using source control If someone does modify his code he would always know who did it and he can revert if he wants to.

Sergey Alexandrovich Kryukov 26-Sep-13 2:11am

Thank you. I agree with recommendations to use Revision Control. In my opinion, this is an absolute must. I just say it is not quite relevant to the question. OP's question is quite rightful. I don't think this is about accidental change of the file or loss of some versions of source files, I think this is about modification due to malicious activity, or perhaps hardware fault...
—SA

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Answer 1 · 2013-09-25T18:31:00

First of all, sign it to give it a strong name (standard operation with Visual Studio). Please see:
http://msdn.microsoft.com/en-us/library/wd40t7ad.aspx[^].

To be able to compile the application, you will have to sign all assemblies referenced by your application assembly, but you want it, too.

This simple measure already protects the code from modification: if you change anything in the assembly, if will fail to load, which saves you from, say, infecting the system if some modules are infected by a virus, and it also will indicate that the assembly was modified.

But this is not all. What is someone replaces, say, entry-level assembly of the application (this is just the simplest variant of exploit) with some other assembly, also signed and similar in behavior, with the same name of the executable module (PE file)? Such trick could also be done using reverse engineering.

In this case, you can publish a public key of the key pair and provide an application for validation that the assembly in question is signed with the authentic key pair. If the assembly passes such verification, it means it is authentic. It is impossible to craft the key pair and sign the fake assembly by the known public key. To make sure the checkup application itself is not fake, it could be, for example, presented in source code. The user does not need Visual Studio or any skills to build it, as MSBuild and compilers are a part of .NET Framework, so a simple batch file would do a build (just an idea, any schema when a use can have some trusted application would work). Please see:
http://blogs.msdn.com/b/shawnfa/archive/2004/06/07/150378.aspx[^].

Some background: to understand the security scenarios, you need to understand how public-key cryptography works:
http://en.wikipedia.org/wiki/Public-key_cryptography[^],
http://en.wikipedia.org/wiki/Digital_signature[^].

Now, a simpler and cheaper alternative: you can calculate the cryptographic hash function of all the PE files of your application (or ZIP file containing all the files) and publish it. The user can easily validate that the hash matches the required hash data. It is infeasible to fake the files the way giving the same hash. Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].

Only, if you really need security, don't use MD5 or SHA-1 as many do. These functions were found broken. But a function from the SHA-2 family, in particular, will do well. Please see:
http://en.wikipedia.org/wiki/MD5[^],
http://en.wikipedia.org/wiki/SHA-1[^],
http://en.wikipedia.org/wiki/SHA-2[^].

With .NET, you have enough algorithms already implemented for you: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx[^].

Even if you use the cryptographic hash function way, still do sign all the assemblies if you deploy them anywhere: won't hurt.

—SA