Return to HomePage, ASPNET2SecurityFAQs


Question: How should I prevent someone from disassembling IL code?

Answer:

You cannot prevent anyone who has a copy of your assembly and who has full trust on a machine from disassembling your assembly's IL code. You can, however, protect your intellectual property by using obfuscation. An obfuscation tool renders the program logic and internal code details incomprehensible. This makes it extremely hard for malicious users to reverse engineer your assembly and understand the program logic and internal details. An obfuscator cannot guarantee complete security, but it makes it much more difficult for an attacker to reverse engineer your code.

Dotfuscator Community Edition (a basic version with limited features) is included with Visual Studio .NET 2005.

If you use obfuscation, you need a mechanism for dealing with exception messages and stack traces generated from the obfuscated assembly, because these are obfuscated too. You can use the map file generated by Dotfuscator, which contains the mapping between the old and the new symbol names. Also, the Standard and Professional versions of Dotfuscator include a tool called Lucidator for this purpose.

If you want to obfuscate only part of an assembly, you can use declarative attributes in code to determine which areas to obfuscate. .NET Framework version 2.0 includes two new custom attributes that aid Dotfuscator while obfuscating assemblies. Use System.Reflection.ObfuscateAssemblyAttribute to specify assembly-level obfuscation settings and System.Reflection.ObfuscationAttribute to specify member-level obfuscation settings. At the assembly level, you can specify whether public members are obfuscated or only private members. Use the member-level attribute to determine which specific methods or properties should be obfuscated.
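The following is an added example, not code from the original FAQ, showing the two attributes applied at the assembly, type and member level, with a small reflection pass that lists the markings an obfuscation tool would read. The namespace, type and method names are hypothetical, and the Feature value "renaming" is an assumption: feature strings are interpreted by the obfuscation tool, so check the tool's documentation for the names it accepts.

```csharp
using System;
using System.Reflection;

// Assembly level. false = library with a public API: keep public names and
// obfuscate the rest. true = private to one application: public members too.
[assembly: ObfuscateAssembly(false)]

namespace Contoso.Licensing // hypothetical namespace and types
{
    // Bound by name elsewhere (serialization, reflection): exclude the type
    // and, through ApplyToMembers, every member it declares.
    [Obfuscation(Exclude = true, ApplyToMembers = true)]
    public class LicenseRecord
    {
        public string Customer { get; set; }
        public DateTime Expires { get; set; }
    }

    public class LicenseValidator
    {
        // Exclude = false asks the tool to obfuscate this member.
        [Obfuscation(Exclude = false)]
        internal bool CheckSignature(byte[] blob) { return blob != null && blob.Length > 0; }

        // Feature is a tool-defined string; "renaming" is assumed here.
        [Obfuscation(Exclude = true, Feature = "renaming")]
        public bool Validate(LicenseRecord r, byte[] blob)
        {
            return r != null && r.Expires > DateTime.UtcNow && CheckSignature(blob);
        }
    }

    static class Program
    {
        // Print every ObfuscationAttribute declared directly on a type or member.
        static void Report(MemberInfo m)
        {
            foreach (ObfuscationAttribute a in m.GetCustomAttributes(typeof(ObfuscationAttribute), false))
                Console.WriteLine("{0}: Exclude={1} Feature={2} ApplyToMembers={3}",
                    m, a.Exclude, a.Feature, a.ApplyToMembers);
        }
        static void Main()
        {
            const BindingFlags declared = BindingFlags.Public | BindingFlags.NonPublic |
                BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;
            foreach (Type t in Assembly.GetExecutingAssembly().GetTypes())
            {
                Report(t);
                foreach (MemberInfo m in t.GetMembers(declared)) Report(m);
            }
        }
    }
}
```

Both attributes have a StripAfterObfuscation property that defaults to true, so a tool that honors it removes the markings from the processed assembly; run the listing against the unobfuscated build to review them.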


