
I have an exe which uses Castle Windsor to implement a plugin mechanism. I need to verify that the plugins I load came from me (and are not some malicious code).

I believe I need to sign both the exe and the dll with an asymmetric key (possibly a SNK?). Firstly is this correct and how can I do this? Secondly how can I verify programmatically in the exe that the dll came from a trusted source?

Liath
  • possible duplicate of [.NET Assembly Plugin Security](http://stackoverflow.com/questions/932339/net-assembly-plugin-security) – Matthew Watson Jun 18 '13 at 08:47

1 Answer


If you sign your DLL then at runtime you can check the StrongName of the DLL before you load it.

You could also check that the public key used to sign it is the one that you expect.

To get the public key of an assembly you can do this:

using System.Reflection;

Assembly assembly = ...                              // the plugin assembly
AssemblyName assemblyName = assembly.GetName();      // its identity metadata
byte[] publicKey = assemblyName.GetPublicKey();      // full strong-name public key (empty if unsigned)

I just checked and there's already a good answer about this on StackOverflow here:

https://stackoverflow.com/a/1350012/106159

Matthew Watson
  • StrongName impact references. You should not 'have' to check the key. .Net will just not load a tampered assembly that was signed. – Gusdor Jun 18 '13 at 08:55
  • @Gusdor however if someone else strongly signed an assembly which was malicious it would still be loaded? I'd need to check the public key was an authorised value to ensure that the DLL came from a trusted developer (ie me) – Liath Jun 18 '13 at 08:57
  • I forgot that this was a pluggable system you are talking about. DLL security is interesting on an open platform. Anyone could load your assembly and view the public key then write a malicious version (hence, public!). Have you considered sandboxing the plugins in partial trust app domains? – Gusdor Jun 18 '13 at 09:01
  • I have... I'm just exploring this avenue first (I'd rather not load it at all rather than limit its access). However don't you need the private key to create a StrongName? So can someone just duplicate my public key? – Liath Jun 18 '13 at 09:03
  • @Gusdor You cannot sign an assembly if you do not know the private key, so there is no way for someone to tamper with an assembly to give it a fake public key. – Matthew Watson Jun 18 '13 at 09:05
  • Thanks for your help guys! Happy with code signing approach and want to investigate app domain security too. – Liath Jun 18 '13 at 09:28
  • Managing separate app domains will require some form of remoting, providing a UI for your plugin for this is a nightmare. A WPF app could throw xaml files down the pipe but it is very fiddly all the same. – Gusdor Jun 18 '13 at 13:23
  • Using `GetPublicKey()` is basically getting the public key from the assembly itself, **which means you are blindly accepting any strongly signed assembly, regardless of what public/private key pair was used**. You should really install the trusted public key in advance and use that to verify the strongly named assemblies, so you can be sure that you are accepting only assembly signed with the private key that goes with that public key. – AaronLS Jul 31 '15 at 20:16
  • @MatthewWatson "You cannot sign an assembly if you do not know the private key" You can sign it with any public/private key. The only way to know that it was signed with the **particular trusted private key** is to transfer the public key in advance to use as verification. This is why your browsers come pre-installed with public keys such as VeriSign's public keys, so that you can perform trusted validation. – AaronLS Jul 31 '15 at 20:19
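Putting the answer and AaronLS's comments together, here is an added example in C# (not code from the answer or from Castle Windsor): the host pins the trusted public key and compares it with the plugin's key before any plugin code is loaded. It assumes the host exe is signed with the same key pair as the plugins, as the question proposes; the names `PluginVerifier`, `IsTrusted` and `LoadTrustedPlugin` are mine.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security;

// Added example, not code from the answer above: pin the trusted strong-name
// public key and refuse to load a plugin whose key differs, instead of
// accepting whatever key the plugin itself happens to carry.
public static class PluginVerifier
{
    // Assumes the host exe is signed with the same key pair as the plugins,
    // so its own public key is the pinned value. Alternatively hard-code the
    // key blob printed by `sn -Tp` for a known-good plugin build.
    private static readonly byte[] TrustedPublicKey =
        typeof(PluginVerifier).Assembly.GetName().GetPublicKey();

    public static bool IsTrusted(string pluginPath)
    {
        // Refuse everything if the host itself is unsigned; otherwise an
        // unsigned plugin (empty key) would compare equal to an empty pin.
        if (TrustedPublicKey == null || TrustedPublicKey.Length == 0)
            return false;

        // Reads identity metadata from the file only; no plugin code runs here.
        AssemblyName name = AssemblyName.GetAssemblyName(pluginPath);
        byte[] key = name.GetPublicKey();
        if (key == null || key.Length == 0)
            return false; // not strong-named at all

        // Compare the full key blob, not just the 8-byte token.
        return key.SequenceEqual(TrustedPublicKey);
    }

    public static Assembly LoadTrustedPlugin(string pluginPath)
    {
        if (!IsTrusted(pluginPath))
            throw new SecurityException(
                "Plugin rejected, not signed with the trusted key: " + pluginPath);
        return Assembly.LoadFrom(pluginPath);
    }
}
```

Matching the key only proves which identity the plugin claims; the signature itself is validated by the CLR at load time on .NET Framework, but since 3.5 SP1 that validation is skipped for full-trust assemblies unless `<bypassTrustedAppStrongNames enabled="false" />` is set under `<runtime>` in the app config, and .NET Core does not validate strong-name signatures at all.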