Hi folks

I wonder if preJITed code solves some of the security issues. What about:
- Protection of intellectual property (Lutz Röder's .NET Reflector)?
- Discovering of hardcoded secrets?
- Removal of the StrongNameIdentityPermissionAttributes from the files?

Thanks for your time
Chris

That depends...  By pre-jitting, do you mean using ngen or something else?


Ngen does not offer protection against decompilation since the original
assembly is still required to be present at runtime.  Other
"pre-compilation" approaches do not share this limitation, but they usually
introduce other problems.


Not unless deliberate encryption is included as part of the
"pre-compilation" mechanism and, even then, as long as your code has access
to the secret, other code running on the same machine will usually be able
to access it as well without too much trouble.


Identity permission demands can be quite easily bypassed by highly
privileged code even in the v. 1.x .NET Framework.  In v. 2.0, all fully
trusted code will automatically pass demands for any identity permission.
In other words, identity permission demands are already useless against
deliberate assembly misuse, and they're soon to lose what little utility the
had as "don't touch me" markers on semi-public APIs.  No form of obfuscation
or pre-compilation will help with this.


Show quoteHide quote

Sandboxing AppDomain
can you put a strong name assembly in a role?
Can't determine if a file exists
'System.Security.SecurityException' when running .exe file from ot
Strong Name broken?
windows forms UserControl compiled with beta 2 doesn't work with IE
CAS Permission Sets
CryptGenKey & CryptImportKey slow in certain situations
Password Recovery form page...
Forms Authentication - how to proceed when valid login?