Merging vs Embedding: which one is more secure ?

.NET obfuscator and automated error reporting

Moderators: Luke Jefferson, Alex.Davies, melvyn.harbour

Merging vs Embedding: which one is more secure ?

Postby clement_911 » Wed Dec 22, 2010 10:01 am

Hi.

I'm building a silverlight app and evaluating SmartAssembly.

I was wondering what is the recommended method to maximize security between Merging and Embedding ?

Also why is not possible to do both ?

Is there a way to obfuscate all non public members of dependency ? Therefore all assemblies would be obfuscated without the need to merge.

Thanks
clement_911
 
Posts: 7
Joined: Wed Dec 22, 2010 9:52 am
Location: AU

Postby clement_911 » Wed Dec 22, 2010 10:05 am

A couple of extra things.

I tried the Embedding functionality with encryption + compression and the resulting xap actually got bigger !?

Also, I'm assuming the decryption key is stored somewhere, so I'm wondering how secure the encryption is.

The product looks great so far though....

Cheers.
clement_911
 
Posts: 7
Joined: Wed Dec 22, 2010 9:52 am
Location: AU

Postby ShortAngry » Thu Dec 23, 2010 11:06 am

Did you check out the following couple of links?

http://www.red-gate.com/supportcenter/C ... 121047.htm

http://www.red-gate.com/supportcenter/C ... 121047.htm

They give a bit more information about these functions. As for using it with Silverlight it can be a bit of a pain. If in doubt you should get in touch with support@red-gate directly.
ShortAngry
 
Posts: 14
Joined: Thu Dec 02, 2010 12:29 pm

Postby clement_911 » Thu Dec 23, 2010 11:52 am

Yes I did check those but they do not answer my questions above.
clement_911
 
Posts: 7
Joined: Wed Dec 22, 2010 9:52 am
Location: AU

Postby Brian Donahue » Thu Dec 23, 2010 2:36 pm

Why is it not possible to do both merging and embedding? These are both two different approaches to do the same thing, which is to prevent you from having to ship the dependent DLLs. Doing both would not make sense.

The XAP could be bigger as a result because to workaround one of the strange issues in Silverlight, an additional manifest has to be added to the XAP. And if I'm not mistaken, the BAML resources are already compressed before SA gets hold of them?

I don't think the encryption key for strings and resources is stored in the assembly. Even it it was, I don't believe I would tell you where it is. :-)
Brian Donahue
 
Posts: 6668
Joined: Mon Aug 23, 2004 10:48 am

Postby clement_911 » Thu Dec 23, 2010 9:16 pm

I'm thinking 2 protections would be stronger than 1.
I see, so compression does not make so much sense in the case of Silverlight where xap are already zip files.
clement_911
 
Posts: 7
Joined: Wed Dec 22, 2010 9:52 am
Location: AU

Postby Brian Donahue » Fri Dec 24, 2010 10:30 am

Merging and embedding aren't protecting features really, unless you count merging and obfuscating, or embedding and encryption, which protect code in combination.

I had a bit of a discussion round the office and have discovered there is one circumstance where you would want to merge and embed, and that has to do with assemblies that provide interfaces for remoting, because remoting will still try to bind the assembly even if it's been merged. Sorry, I find this difficult to explain. But there may be a genuine use case for it.
Brian Donahue
 
Posts: 6668
Joined: Mon Aug 23, 2004 10:48 am


Return to SmartAssembly 5

Who is online

Users browsing this forum: No registered users and 1 guest

cron