Dr. Dobb's | Review: PreEmptive Way To Obfuscate .Net Apps

Review: PreEmptive Way To Obfuscate .Net Apps

PreEmptive Solutions wants to ensure that enterprises don't eschew obfuscation in their application life-cycle practices with its Dotfuscator for .Net and DashO Pro for Java tools.

August 16, 2006
URL:http://www.drdobbs.com/windows/review-preemptive-way-to-obfuscate-net-a/192201809

Most enterprises recognize that cleanly compiled .Net and Java objects pose serious risks, yet few grasp the need to incorporate obfuscation into their application life-cycle practices. PreEmptive Solutions wants to ensure that enterprises don't eschew obfuscation with its Dotfuscator for .Net and DashO Pro for Java tools.

PreEmptive aims to change the perception that obfuscators are only name-mangling tools for source code. The Mayfield Village, Ohio-based company knows too well that simply renaming code structures with obfuscation during the last phases of development won't prevent hackers from decompiling and searching through .Net and Java binary code to find weaknesses.

According to PreEmptive, most attacks happen inside companies via identity theft or by employees having access to clean binaries so they can search on strings and other code elements to find intrusion points into data tiers. Companies that make the right security decisions don't overlook that fact.

To gain the most from obfuscation, IT managers should implement enterprisewide controls and manage them consistently across their organizations rather than putting practices in systems only when illegal activities are detected or, worse, just to slow down hacker infiltration on key Web applications.

However, obfuscation can have some negative implications for source code. For instance, by restructuring flow control on code logic, overall application performance can be affected considerably. What's more, renaming can add complexity to debugging, reflective code and incremental patches. Dotfuscator provides some solutions to these problems by generating various configuration files.

Since PreEmptive's free Dotfuscator Community Version is embedded in Microsoft' Visual Studio, .Net developers will immediately be able to familiarize themselves with Dotfuscator Professional. Once installed, output assemblies from Visual Studio projects are pumped right into Dotfuscator.

Dotfuscator takes internal .Net debugging files, which associate variables and code lines with assemblies, and synchronizes them with obfuscated assemblies so the line numbers match up. That's how Dotfuscator can make debugging work. Essentially, Dofuscator generates map files that match original source-code fields with obfuscated fields.

Dotfuscator map files are in XML format and can be transformed into human-readable HTML. A good side effect of renaming code is that it immediately shrinks assemblies. By reducing the string heap within assemblies by 40 percent to 60 percent, applications load faster, which directly affects performance.

With control-flow obfuscation, Dotfuscator scrambles methods to change the path of the code, keeping the logic the same. This technique confuses decompilers that seek specific patterns within instruction streams.

Most .Net decompilers take advantage of code patterns in binary assemblies to construct source code. Dotfuscator's control-flow algorithms produce random results to make it even harder to find patterns.

Developers also can confuse decompilers by optimizing code manually. The use of hash tables to embed repetitive tasks, for example, can make it difficult to find program flow patterns. But control flow in general will affect overall application performance because code is scrambled.

In addition, Dotfuscator can encrypt strings inside code to stop string-based attacks. Typically, hackers will decompile applications and search for sensitive strings that provide clues on how to access data sources or license key breaks. After scrambling strings, Dotfuscator inserts a decoding method before every string load so that it returns original strings only at runtime.

Dofuscator, too, can create declarative obfuscations, a way to mark up source code to give configuration hints to obfuscators using .Net custom attributes. Microsoft and PreEmptive agreed to incorporate custom attributes designed to be detected by Dotfuscator Professional within .Net's official runtime.

Pricing for Dotfuscator Professional starts at $1,890. On the channel side, PreEmptive offers 10 percent to 50 percent margin on the product, based on partner commitments and investment. Partners get unlimited phone, e-mail and database support, including white papers and best practices. For smaller partners, PreEmptive offers a similar program.