2

How can I limit the loading and execution of my libraries based on a defined precondition? For example, if I distribute to a client an application that uses an external library, how can I ensure the external library is only used with the application and not used by the client for other purposes?

Is code access security the answer? If so, is there a good example of how to apply it in the situation described above?

Thanks!

UPDATE: I cannot use services to protect the logic. I must supply the code in an assembly, and want to protect it from being used to build other products.

Kevin Babcock
  • 10,187
  • 19
  • 69
  • 89

4 Answers4

4

The best way to limit access is to move the logic from an assembly into a service layer. If you are truly concerned about protecting the logic in that assembly this is the best way.

Remember, any mechanism can be defeated with enough effort if the client has the assembly in their hands and is truly motivated to use it. That is why a service layer is a perfect solution as it gives your application access to the logic without allowing the client to obtain the implementation itself.

Andrew Hare
  • 344,730
  • 71
  • 640
  • 635
  • I appreciate the great advice. Unfortunately the logic must be delivered in an assembly, so I want to protect it as best I can. I know I can obfuscate the code, but I'd also like to secure the code from being referenced and called from other libraries that weren't built by my company. – Kevin Babcock Feb 24 '11 at 03:34
  • I'm not sure the answer I wanted exists, and yours seems to be the best solution. Thanks again. – Kevin Babcock May 13 '11 at 21:10
0

You should look into code obfuscation Nothing that you do will prevent someone dedicated enough from using the logic contained in your assembly however they see fit, however obfuscation will make it a more difficult and will hopefully deter most people.

See this question for more information

Community
  • 1
  • 1
Justin
  • 84,773
  • 49
  • 224
  • 367
0

There's a build option to only allow friendly assemblies to use yours but that implies you can sign both your assembly and your client's as well. I doubt what you want to do is possible witout some sort of service layer or authentication/connection limitation to a server logic. Sorry.

anthonyvd
  • 7,329
  • 4
  • 30
  • 51
0

Just a thought here and definitely this is not the safest or best way. Maybe just a small work around.

Instead of sending the assembly with the executable, how about moving the assembly to the Global Assembly Cache (GAC) and modifying the executable code to access the assembly present in the GAC? You can then change the name of the assembly to some garbage name (or whatever you think suitable) which the client will not be able to understand. So finding your assembly in that forest of assemblies would be almost impossible.

Hope this helps!

Regards,

Samar

samar
  • 5,021
  • 9
  • 47
  • 71