Protecting .NET Software Applications

Protecting .NET Software Applications Arxan Best Practices White Paper

1Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.


TABLE OF CONTENTS Executive Summary 3

.NET Is Powerful, But Also Vulnerable 4 Attacking and Defending .NET Applications 4

Deploying GuardIT for Microsoft .NET Framework 6

Notices 7


Executive Summary.NET is the today’s programming platform of choice. Web applications and enterprise applications are predominantly programmed in .NET today. .NET is also increasingly used in developing traditionally native software such as scientific and engineering packages and other IP-intensive thick client applications. Ease of development, cross-platform support and increasing performance are all factors driving .NET adoption. Many applications are developed in mixed-mode, i.e. as a combination of native C/C++ and .NET code.

.NET code is easily hacked. .NET code does have one major disadvantage. Being a managed language distributed as intermediate-level byte code, .NET is highly susceptible to reverse engineering and tampering attacks. Ease of code analysis also enables rapid vulnerability discovery, which in turn accelerates the development of damaging malware .NET software is also highly vulnerable to tampering, code theft, intellectual property piracy and functional alteration.

Protecting .NET code is an unmet challenge. Enterprises and software vendors have long recognized that protecting .NET applications against compromise is vital to their long term viability, and to long term safeguarding of an organization’s software and data assets. To date, however, the main technology available for protection was basic obfuscation with some tricks to fool specific disassemblers. Such methods are easily reversed and have a short effective shelf life. The only other alternative was encryption of the binary, which forces a native compile to Windows and is also easily broken.

GuardIT for Microsoft .NET Framework durably and reliably secures applications. Arxan’s GuardIT for Microsoft .NET Framework provides an arsenal of deep and intrinsic protection techniques for managed and mixed-mode code that durably fortify your code against disassembly, static analysis, dynamic analysis and tampering. GuardIT for Microsoft .NET Framework is built to work closely with GuardIT, Arxan’s flagship application hardening solution for native applications. This makes GuardIT the only solution on the market today which seamlessly enables protection spanning managed and native portions of your mixed-mode applications.

The table below provides a summary of ways in which hackers attack .NET code, and the types of protection GuardIT provides to secure your code against compromise.

.NET Vulnerabilities and GuardIT Protection Features

Attack StrategyGuardIT for Microsoft .NET

Framework ProtectionBenefits of Protection Feature

Disassembly of .NET binary • Obfuscation including block shuffling, instruction substitution, code chopping, dummy code insertion and garbage code insertion

By altering expected patterns and typical code flow structures, prevents transformation of byte code to structured, understandable source code

Static reverse engineering • Data transformation including string encryption and variable renaming

By altering semantics and eliminating meaningful metadata, makes disassembly less reliable, and makes it difficult for hackers to understand disassembled byte code.

Dynamic reverse engineering • Mixed-mode protection spanning native and managed portions of code prevent debugging• Just-in-time decryption protects against memory dumping attacks• Obfuscation protects against analysis of run-time stacks and memory dumps

Unlike encryption wrappers, which reveal unprotected code at runtime, this intrinsic protection provides deep and meaningful protection against dynamic analysis.

Tampering by malware • Obfuscation prevents easy identification of tampering targets• Checksum Guards ensure integrity at start-up and at run-time• Diversification prevents construction of BORE (break once run everywhere) exploits• Application encryption is an additional layer of defense

Strong protection for both .NET and native components of software prevents piracy, data theft, and compromise by malware. Tampering to bypass security

functions or tampering to dissociate security routines from protected code

Code lifting • Checksum Guards ensure integrity of overall application at start-up and at run-time• Encryption hinders the separation of parts of the application

Intertwining critical intellectual property and anti-piracy security routines prevents separation of sensitive routines from the overall application.


.NET Is Powerful, But Also VulnerableWeb applications and enterprise applications for data management, financial transactions, e-commerce and internal productivity are predominantly coded in .NET today. .NET is also increasingly used in developing applications that have traditionally been coded in native C/C++, such as scientific modeling software, engineering software, productivity software and graphics processing software. As performance characteristics of managed code improve, its advantages of ease of development and cross-platform support are driving .NET adoption across all software development markets. Many applications are developed in mixed-mode, i.e. as a combination of native C/C++ and .NET code.

There major problem with .NET code, however, is that it is very easily reverse engineered. There are several tools available, many of them free, to decompile applications back into near-original source code. Trends such as outsourcing of development and testing to third party vendors, and the increasing incidence of insider attacks on information security systems, magnify the risk to enterprise applications. This gives rise to the following consequences:

• It is trivial for hackers to steal IP, construct tampering exploits to disable security functions, or discover vulnerabilities and build malware exploits.• Interfaces between the application and security measures such as license management or user authentication are particularly vulnerable. • Feature-rich web 2.0 client applications such as those based on Silverlight require special attention to protect them against hackers and malware.

Across all software segments and uses, hardening of .NET applications is imperative to protect your intellectual property and sensitive data against piracy, theft and malware.

Attacking and Defending .NET ApplicationsHackers attempt to compromise .NET applications in three steps:

1. First, the binary is decompiled to recover source code.

2. Next, the attacker analyzes and attempts to comprehend the source code to identify valuable intellectual property or areas of vulnerability.

3. Finally, this knowledge is used to build exploits for the software, exposing it to piracy, functional compromise or invasion by malware.

Traditional techniques to protect .NET applications focus on preventing comprehension of the reconstructed source code. GuardIT for Microsoft .NET Framework provides effective and durable protection by harden-ing against all three phases of the attack process. It delivers binary-based, performance-friendly hardening for managed and mixed-mode applications.

Step 1: Disassemble the BinaryNET code is intermediate code, rich in metadata and semantic information. It is trivially easy to reverse the .NET assembly process. There are a number of decompilers or disassemblers including Reflector, ILDasm and Salamander which can analyze .NET binaries and reconstruct the original source to near perfection. Some, like Reflector, specifically incorporate techniques to undo shallow protection techniques such as string encryption.

Recovering pristine source code is the first step to attacking managed applications. GuardIT for Microsoft .NET Framework incorporates the following techniques to prevent disassembly of managed applications:

• Building a first layer of armor through application-wide encryption• Breaking internal signature logic patterns through block shuffling, instruction substitution and code chopping.• Creating decoys and breaking expected assembly structure through insertion of garbage code.


These techniques fundamentally alter the code flow and instruction patterns of the binaries. This breaks the determinism and predictable structure of intermediate assembly which enables the easy reconstruction of managed code. Since there is no reliance on weaknesses in specific popular decompilers, code remains secure against current and emerging attack tools.

Step 2: Comprehend the ApplicationOnce attackers obtain source code, they examine it to find valuable IP such as proprietary algorithms. They also seek to discover vulnerabilities in security measures such as license management, data access management, transaction session management and application update channels.

GuardIT for Microsoft .NET Framework incorporates well known techniques to take away descriptive metadata and semantically meaningful variable names, making the comprehension process more difficult:

• Renaming methods and variables to semantically meaningless strings. Identical names are used as often as feasible to further confuse the attacker• Physically separating logically related operations through code shuffling• String encryption to protect data and strings against discovery and code lifting• Creating diversions and honey pots through insertion of dummy code

These transformation techniques are backed up by the arsenal of obfuscation techniques discussed above. The source code generated by decompilers is already mangled and incomprehensible because of these obfuscation techniques. The transformation techniques further protect your application against examination and eventual hacking.

Hackers also dynamically analyze the application, i.e. examine its runtime behavior through trace loggers, debuggers and memory dump attacks, to try and understand the internal workings of the code. Dynamic analysis is much harder than simple source code examination, but is the only alternative available to hackers when meaningful source code cannot be obtained. It is also the method of choice when attacking native and mixed-mode applications, where source code cannot be easily recovered.

The same GuardIT techniques that prevent disassembly of code also protect it against dynamic analysis. In addition, GuardIT provides a host of anti-debugging and run-time encryption measures to prevent dynamic analysis of mixed-mode applications.

Software Segment Threats Resulting Compromise

Enterprise software Reverse engineering • Discovery of proprietary IP such as financial modeling algorithms• Discovery of coding vulnerabilities exploitable by insiders or malware

Tampering • Malware invasion• Disabling authentication-based data access control and similar data security functionality

Web applications and rich internet applications (RIAs)

Reverse engineering • Discovery of coding vulnerabilities exploitable by insiders or malware for key compromise, data theft and phishing

Software applications Reverse engineering • Identification of proprietary IP• Find vulnerabilities in license management component, and in interface between application and license management• Find vulnerabilities in methods used to authenticate software updates

Code lifting • Counterfeiting

Tampering • Widespread piracy of software• Injection of malware into software platform


Step 3: Construct the ExploitOnce hackers find vulnerabilities in the application, they construct exploits to leverage these in the wild. Examples of exploits include:

• In the case of enterprise and web applications, the majority of exploits is built to enable theft of sensitive data – whether from backend databases or from client front ends.• In the case of licensed software, exploits are built to enable piracy – by circumventing license management, or by building counterfeits. These tampering attacks are particularly easy on unprotected .NET applications. The hacker simply decompiles the binary into source, makes the necessary edits, and recompiles.• In cases of both enterprise and desktop applications, exploits to inject malware - whether by exploiting input-based vulnerabilities or by compromising the authentication methods designed to securely update deployed software.

GuardIT provides the following techniques to protect applications against tampering.

• Obfuscation techniques which prevent decompilation and comprehension also thwart the ability to build tampering exploits• Encryption provides an additional layer of defense against tampering• Checksum Guards continuously monitor native and managed portions of mixed-mode applications to ensure initial and ongoing integrity. If any tampering activity is detected, the Guard can react in standard or custom ways to proactively manage the attempted attack.

Additionally, GuardIT for Microsoft .NET Framework provides diversification, a fully automated feature that generates functionally equivalent but structurally and behaviorally diverse application instances from your original application binary. Deploying diversified instances of your software prevents fatal BORE (break once run everywhere) exploits, which are the key to widespread compromise of a given application:

Deploying GuardIT for Microsoft .NET Framework1. Fast. GuardIT for Microsoft .NET Framework is applied directly to your compiled binary. Arxan has partnered with Microsoft to ensure that protection is smooth and hassle-free. Arxan has also partnered with leading license management solution vendors including Acresso (makers of FlexNET) and Microsoft (makers of SLPS) to ensure complete interoperability and to provide fast, point-click protection capability.

2. Easy. GuardIT for Microsoft .NET Framework is fully compatible with the Microsoft .NET framework. It provides a host of easy-use features including wild-card inclusion and exclusion for variable names and function names. This allows you to quickly and easily define which areas of your program need protection. Protected binaries remain managed mode applications – there is no native compilation, and you retain all the portability advantages of the .NET platform. Both GUI and command-line interface options are available, proving for easy protection design and simple integration into build scripts.

3. Strong. GuardITfor Microsoft .NET Framework is built to work closely with GuardIT, Arxan’s flagship application hardening solution for native applications. This makes GuardIT the only solution on the market today which seamlessly enables protection spanning managed and native portions of your mixed-mode applications.

For more information about GuardIT, GuardIT for Microsoft .NET Framework, and maximizing your profits by minimizing your application risk, please contact us at [email protected] or visit our website at www.arxan.com.


NoticesArxan Technologies, Inc. makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Arxan Technologies shall not be liable for errors contained herein or for incidental, consequential, or other indirect damages in connection with the furnishing, performance, or use of this material. Arxan, the Arxan logo, Securing Critical Assets, Guard and GuardScript are either registered trademarks or trademarks of Arxan Technologies, Inc. in the United States and/or other countries. Microsoft, Windows, Windows NT and Visual C++ are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Portions of the information disclosed herein are protected by U.S. Patent No. 6,941,463; U.S. Patent No. 6,957,341; U.S. Patent No. 7,287,166 and Patents Pending. Copyright© 2007 Arxan Technologies, Inc. All rights reserved. No part of this document may be photocopied or reproduced without the prior written consent of Arxan Technologies, Inc.

Documents

Protecting .NET Software Applications