Obfuscation in .NET

asp:Feature

Obfuscation in .NET

Prevent Your Source Code from Being Open Source

By Joydip Kanjilal

With so many decompilers available in the softwareindustry today, your application s source code faces security threats from avariety of prying eyes. This alludes to the potential loss of your intellectualproperty. But what makes this possible? .NET reflection, ILDASM.exe, and .NET decompilers.

So, then, what s the solution? This potential threat hasfacilitated the development of a technology called obfuscation.

What Is Obfuscation?

Without changing its functionality, obfuscation protectssource code from being disassembled/decompiled. Thisis a technology that makes the .NET assemblies more difficult to decompile and impedesthe reverse-engineering efforts, hence, protecting the source code frompotential threats. Obfuscation works by shrouding the facts in your code.Encryption suffers from the drawback that it needs to keep the decryption keyalong with the encrypted data. Therefore, it is possible to decrypt your sourcecode. On the other hand, obfuscation can increase the protection againstdecompilation to a great extent, while leaving the application s functionalityintact.

Why Obfuscate?

There are several reasons why we should obfuscate:

How Does It Work?

Obfuscation encrypts the source code and removes someunnecessary information from the assembly metadata when it deems that it issafe to do so, thus making the assembly more difficult to understand or readafter it is decompiled. The assembly metadata and manifest are used by thedissemblers to decompile them and get the original source code. Note that evenif an application is compiled to native code at the time of execution, theMicrosoft .NET runtime environment still requires that the assembly metadataand IL code be embedded in an assembly before it starts its execution. Thereare a number of techniques that can be used to obfuscate. However, thedisadvantage of obfuscation is that it can affect performance (but not to agreat extent).

Obfuscation never changes your source code. Rather, theobfuscators obfuscate your assemblies using a specific encryption methodologyand transform them into another assembly that is obfuscated, but thefunctionality of it remains unaltered.

How to Obfuscate?

Obfuscation in .NET can be achieved by scrambling themeaningful names in the assembly metadata with non-meaningful ones and trimmingthe non-essential metadata, but without affecting any functionality. Thetechniques used include, but are not limited to:

Is this the Best Solution?

Unfortunately, the available obfuscators are unable tocompletely protect your intellectual property. Even if obfuscators can be agood tool for preventing most decompilers from stealing your code, if you aredetermined and possess a good knowledge of data structures and algorithms, youcan steal the code even from an obfuscated assembly. So, obfuscation can be agood solution, but there is no software that is absolutely safe.

The Future

Microsoft realized the importance of this technology andintroduced the Dotfuscator tool for obfuscation with Visual Studio .NET. Inaddition, these .NET obfuscator tools are available:

Obfuscation is a very powerful technology and willcontinue to be a part of the application build and deployment process in theyears to come.

Working extensively in Microsoft technologies for more than 10years, Joydip Kanjilal is a SeniorProject Leader for a company in a Hyderabad,India. Hisprogramming skills include C, C++, Java, C#, VB, VC++, ASP.NET, XML, and UML.He has worked with .NET and C# for more than five years. Reach Joydip at mailto:[email protected].