2

There is a security discussion going-on at work as to whether the following DEPLOYED code below can be reached or "hoisted" into...even though it was built in RELEASE mode.

Thoughts?

EDIT:
I do "see" it in DotPeek - even after building in Release.

  • However, the file is "grayed-out"

  • Does that mean it won't execute?

  • DotPeek merely "decompiles" the code...it doesn't show you what code exists in the mode it is built-in...right?

THE CODE LOOKS LIKE:

    using System;
    using System.ServiceProcess;

    static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        static void Main()
        {
#if DEBUG
            var myservice = new StpListener();
            myservice.OnDebug();

            //KEEP the service alive
            System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite);
#else
            ServiceBase[] ServicesToRun;
            ServicesToRun = new ServiceBase[] 
            { 
                new StpListener() 
            };
            ServiceBase.Run(ServicesToRun);
#endif
        }
    }
Prisoner ZERO
  • 13,848
  • 21
  • 92
  • 137

4 Answers4

5

Don't confuse debug/release configuration with conditional code. It is entirely possible to apply the DEBUG conditional attribute to a release mode config.

Look, I'm evil!

enter image description here

See: When #if DEBUG runs

Community
  • 1
  • 1
Jamiec
  • 133,658
  • 13
  • 134
  • 193
5

It's a compile time feature. Once the compiler has finished it's job, you'll either have the code between #if and #else or the code between #else and #endif.

You'll never (so long as you leave those items in) produce a binary containing both sets of code.

Damien_The_Unbeliever
  • 234,701
  • 27
  • 340
  • 448
  • 2
    You should also add that DEBUG may still be defined under Release in the project configuration, so it is actually possible. – Camilo Terevinto Jan 26 '17 at 12:48
  • @CamiloTerevinto - I took the question to be "can someone later, at runtime say, maliciously cause the wrong code to run?". If you've built a deployment that contains the correct code (i.e. the non-debug code), then by implication `DEBUG` was not defined during that build. – Damien_The_Unbeliever Jan 26 '17 at 12:50
  • What if some evil developer in the team did #define DEBUG somewhere? – Camilo Terevinto Jan 26 '17 at 12:52
  • @CamiloTerevinto - then during testing, you'll observe that when you try to start this service through the Service Control Manager, it fails to start correctly. Since this code *either* configures the system to run correctly as a service or just runs as a console application. – Damien_The_Unbeliever Jan 26 '17 at 12:54
2

Assuming you are using the Roslyn compiler (although in all likelihood this is true for all C# compliant compilers), #if DEBUG code will not even be compiled into IL so it definitely cannot be accessed.

If you use Conditional("DEBUG") however, the code will make it into IL and just calls to it will be removed, so arguably this could be a security flaw.

Ehsan Sajjad
  • 61,834
  • 16
  • 105
  • 160
ScottishTapWater
  • 3,656
  • 4
  • 38
  • 81
1

This Resource should help further explain, but preprocessor commands are evaluated at compile time. Using them by themselves doesn't expose a security weakness, but that doesn't mean that the condition they evaluate can't be problematic. #If DEBUG is more secure than, say, if(Debugger.IsAttached). You just don't want to make your #If responsive to a runtime condition (which would take some doing anyway).

CDove
  • 1,940
  • 10
  • 19