.NET Code Protection

Your company’s .NET software and the source code behind it are at risk—and you may not even be aware of the extent of that risk.

Reverse engineering of .NET applications exposes trade secrets, compromises core intellectual property, and facilitates piracy. With the move to SaaS, many companies had considered this to be less of an issue. However, the persistence of On-Premise software and the rise of IoT, with local device deployments, are forcing developers to reconsider .Net Code Protection as a priority.

Traditional Options

Traditional software intellectual property (IP) protection tools typically relied on obfuscation and/or encryption/decryption and provide only limited protection against hackers. 

Obfuscation modifies .NET modules, complicating the human readability of a decompiled program by renaming names of methods, classes, parameters, etc. to meaningless text.  It also attempts to make the resulting Microsoft Intermediate Language (MSIL) harder to disassemble.  Obfuscation does not change calls to a third party or .NET Framework libraries, nor does it modify the structure of the program.  A determined hacker, therefore, can still succeed at reverse engineering obfuscated code.

Encryption/decryption offers limited protection as an encrypted assembly has to be decrypted before it can execute.  Since the decryption engine together with the decryption keys is delivered to end-users, the original code is retrievable if the decryption process can be somehow reproduced or intercepted, for example, by stopping it in a debugger.  Additionally, when decrypted modules-load into memory, they load in their original, unprotected form and any motivated individual hacker can dump the memory and retrieve the code.

Transforming Code with Software Potential Code Protector

InishTech’s Software Potential Code Protector provides a more sophisticated approach to help protect .NET applications.  It has advantages that are not available with traditional solutions, introducing several layers of protection, via code transformation.  Transformation is a one-way process based on the permutation that is unique to each software company’s product and product version.  Software Potential Services provides a Secure Execution Environment (SEE), which includes several layers of protection.  The protection process transforms the Intermediate Language (IL) code into Secure Execution Environment Language (SEEL), and as an added measure of protection, encrypts the resulting in-memory buffer.  Transformation offers an extremely high level of protection against reverse engineering and tampering.

Code Protector applies protection to selected methods within a .NET assembly using a software publisher-specific permutation. To securely protect .NET applications more securely a separate permutation can be used for each individual product and product version to be protected.

Software Potential Code Protector is an integral part of the build process, taking selected features or methods within an assembly and transforming them into a software publisher-specific language – SEEL – that has a software publisher-specific instruction set.  A transformed method executes in a secure virtual machine environment (SEE).

End-users of licensed or protected applications receive only this transformed code, drastically reducing visibility to disassemblers and de-compilers and the risk of using a memory dump to view the code. Code transformation is random and one-way.  Conversion back from SEEL is a complex process making the de-compilation of transformed code extremely arduous and impractical. 

What is the right level of Protection?

Choosing the appropriate level of protection depends to a large degree on the nature of the application. If the .NET Code is unique and of high value, with individual methods that warrant the attention it will certainly justify the use of strong code protection. This may be slightly more expensive initially, but it will provide payback in the long-term. Many ISVs may even use both Obfuscation and Transformation together if they are seriously concerned about their code being cracked. Some protection is obviously better than none and as with guarding your property it usually better to err on the side of caution.

For more information see www.inishtech.com and Connect with us.