Obfuscating

  • Thread starter: JJ

JJ

I'm using Visual Studio 2005. I'm trying to protect my website dll files as
best as possible using obfuscating approach.

I've tried to use Dotfuscator Community Edition (comes with Vis Studio) to
obfuscate the dll from the web deployment project. The result is hardly
obfuscated at all (I am using the default settings and adding all required
DLLs to Dotfuscator's input).

Has anyone used this tool successfully with web deployment projects?
Has anyone any recommendations on other Obfuscators that may do the job?

Thanks in advance,
JJ
 
Thank you. Will take a look.
I'm surprised there are no more suggestions though - is there no one
obfuscating their web projects?
 
I have researched obfuscation extensively. The bottom line is that, by
itself, obfuscation does little to raise the bar for those who want to steal
your intellectual property. There are plenty of "disassemblers" that can
produce good source code from .NET IL. It may not be your exact source code,
but it would be readable and easily understood by a human.

Furthermore, obfuscation makes *your* life much much much more difficult,
and in a number of ways.

Add to that, the fact that in the case of ASP.NET Web apps, your assemblies
reside on a server. So the would-be "bad guys" would have to somehow
physically access your server and grab a copy of your assemblies. That's a
pretty high bar right there for them to clear unless, of course, you're in a
shared hosting environment.

Another argument against obfuscation (given that it makes your life as a
developer far more difficult) is this: if your business model is sound and
you're providing tremendous value to your customers, then it won't matter if
your would-be competitors have access to your algorithms. A related idea is
that "there is nothing new under the Sun" - meaning that - how special is
your code, really? While that may seem offensive or insulting, it's probably
highly unlikely that you have algorithms that are so special that some
would-be hacker would rather steal your code than come up with their own
implementation that works with their competing system.

Okay - so if you still really want to lock your code down (forgetting all
those business reasons to NOT obfuscate), then you should do at least the
following in order to seriously protect your code:
1. Obfuscate with the very best (and consequently most expensive)
obfuscators available (not the freebies). Understand HOW and WHAT they
obfuscate. There are absolutely huge differences amongst available
obfuscators. Here is an ebook on obfuscation:
http://www.desaware.com/products/books/net/obfuscating/index.aspx

2. Sign all of your assemblies with a strong cryptographic key. Then when
code calls into other assemblies, verify that the calling assembly has the
correct signature (i.e., your called assemblies verify the callers as being
one of your assemblies). This makes it more difficult for some hacker to
call directly into your public or internal interfaces.

3. Make use of an industrial-strength licensing system (like the one from
Desaware: http://www.desaware.com/products/licensingsystem/index.aspx)

The bottom-line is this:
Given that obfuscation makes your life (as the developer and supporter of
your application) so much more difficult, you will probably not want to do
it at all unless you have some serious intellectual property. Then, if you
conclude that you do have such valuable intellectual property and that the
trouble [to obfuscate + live with an obfuscated assembly] is worth it, you
should understand that obfuscation, by itself, doesn't raise the bar - not
much anyway - for would-be hackers. So you have to raise the bar in a
meaningful way (or raise it high enough to make it more expensive for
would-be hackers to get your IP) -- therefore you'd really need to do at
least all of the above 3 things - plus physically secure your Web servers.

The above is a bit about why you are getting very little helpful feedback
here about obfuscation. Very few people actually do it.

Food for thought: If Microsoft doesn't obfuscate the .NET Framework's source
code. In fact, they recently made the Framework's actual source code freely
available to the public.

Please note that I do not work for Desaware and I don't know anybody who
does. But I have used their products extensively in the past and have found
them to be top-notch.

-HTH
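
The caller check described in step 2 of the post above, as an added example that is not part of the original thread or any poster's code. It assumes every assembly in the product is signed with the same strong-name key; `CallerGuard` and `PricingEngine` are hypothetical names.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;

public static class CallerGuard
{
    // Public key token of the assembly containing this class. With one
    // signing key for the whole product, every legitimate caller has the same token.
    private static readonly byte[] OwnToken =
        typeof(CallerGuard).Assembly.GetName().GetPublicKeyToken();

    // True only when both tokens are present and byte-for-byte equal.
    public static bool SameToken(byte[] a, byte[] b)
    {
        // Unsigned assemblies report a null or empty token: fail closed.
        if (a == null || b == null || a.Length == 0 || a.Length != b.Length)
            return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // Throws unless the given assembly carries the product's key token.
    public static void Demand(Assembly caller)
    {
        byte[] token = caller.GetName().GetPublicKeyToken();
        if (!SameToken(token, OwnToken))
            throw new SecurityException(
                "Caller is not signed with the product key: " + caller.FullName);
    }
}

public class PricingEngine   // hypothetical class exposing a sensitive entry point
{
    // NoInlining keeps the JIT from folding this method into its caller,
    // which would make GetCallingAssembly() report the wrong assembly.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public decimal Quote(decimal basePrice)
    {
        CallerGuard.Demand(Assembly.GetCallingAssembly());
        return basePrice * 1.2m;   // placeholder for the protected logic
    }
}
```

The comparison trusts the runtime to have verified the caller's strong-name signature at load time, so it raises the cost of calling in from a foreign assembly rather than making it impossible.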
 