
I have an ILog interface that has multiple implementations. One writes to a database, one to the Windows Event Log, another to an XML file, and some to text files for different vendors.

Implementations of this interface are dynamically loaded using Ninject. With the growing number and the recent news on hacks and malware sleeping on some networks, I would like to know if there is a way to filter the assemblies to only the trusted ones.

We are trying to prevent someone from just creating their own implementation of our interfaces and dropping the DLL into the bin folder, so that they get access to the flow of our information.

Please note that we load assemblies that follows the ILog interface.

Jester
syntax error
  • 1
    Please add the logic (code) you currently use to load those assemblies. I don't understand what you mean by "we load assemblies that follows the ILog interface." – BatteryBackupUnit Feb 19 '15 at 05:45
  • 2
    This question is not very specific to Ninject. Ninject does not offer such a feature, but it's rather a general question of assembly signing and identifying. Therefore, you should have a look at [msdn here](https://msdn.microsoft.com/en-us/library/hh415055%28v=vs.110%29.aspx) and probably also [best_practices.doc - by Microsoft](http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/best_practices.doc) – BatteryBackupUnit Feb 19 '15 at 05:53
  • 2
    Also [this](http://blogs.msdn.com/b/shawnfa/archive/2005/12/13/authenticode-and-assemblies.aspx) and http://stackoverflow.com/questions/4469646/net-strong-naming-vs-authenticode seem interesting – BatteryBackupUnit Feb 19 '15 at 06:03

1 Answer


It is rather useless to try preventing this. If a piece of malware can already write to the application folder, all your attempts to 'filter out' illegal DLLs will always fail. The attacker can, for instance, simply replace the .exe, and it will run in the context of the user and can do everything that your application can do.

Steven
  • You are actually missing the point. If an attacker does what you suggest, it can easily be detected. What we are trying to prevent is someone putting in something that can go unnoticed for a very long period of time. The attacker that you have been describing here is the newbie type that leaves a trail everywhere. The one we are preventing are the smart ones that can inject themselves unnoticed. Like the one that is in your apps right now. :) – syntax error Feb 26 '15 at 18:46
  • 1
    @syntaxerror "the one we are preventing are the smart ones that can inject themselves unnoticed". And that's the exact type of attacker that will not create a malicious plugin; it will attack your system differently. You are trying to solve the wrong thing. – Steven Feb 26 '15 at 18:48
  • Maybe, but when I asked the question, I was actually expecting a solution. Not only did you not provide a solution (maybe you can't), but you dismissed the problem as invalid, like what you are doing now. It may be invalid to you, but not to me and certainly not to the people above who were trying to help. If you don't know the answer or don't have a better idea, it's better to keep it to yourself. – syntax error Feb 26 '15 at 18:56
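
An added example (not code from the question, the answer, or Ninject) of one way to do the filtering the question asks about: pin approved plugin builds by SHA-256, load only those, and write an audit line for every DLL that is refused so a dropped file does not go unnoticed. The `ILog` member, the class and method names, and the digest are placeholders; as the answer points out, this does nothing if the host executable itself can be replaced.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

// Stand-in for the question's interface; its real members are not shown on the page.
public interface ILog { void Write(string message); }

public static class TrustedPluginLoader   // hypothetical name
{
    // Constructed placeholder digest (SHA-256, hex) standing in for approved plugin builds.
    // Keep the real list compiled into the host, not in a file next to the plugins.
    static readonly HashSet<string> Approved =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "0000000000000000000000000000000000000000000000000000000000000000",
    };

    public static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }

    // Returns concrete ILog types found only in DLLs whose digest is approved.
    public static IList<Type> LoadApprovedLoggers(string pluginDir, Action<string> audit)
    {
        var result = new List<Type>();
        foreach (var path in Directory.GetFiles(pluginDir, "*.dll"))
        {
            byte[] image = File.ReadAllBytes(path);   // read the file exactly once
            string digest = Sha256Hex(image);
            if (!Approved.Contains(digest))
            {
                // Unknown DLL: record it for review and never load it.
                audit("REJECTED " + path + " sha256=" + digest);
                continue;
            }
            // Load the same bytes that were hashed, so the file cannot be
            // swapped between the check and the load.
            Assembly asm = Assembly.Load(image);
            result.AddRange(asm.GetTypes().Where(t =>
                typeof(ILog).IsAssignableFrom(t) && t.IsClass && !t.IsAbstract));
            audit("LOADED " + path + " sha256=" + digest);
        }
        return result;
    }
}
```

Each returned type can then be registered explicitly, for example with `kernel.Bind<ILog>().To(type)`, instead of letting the container scan the bin folder.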