Question

I have been tasked with designing a class library that I am loath to actually build. It is basically a huge backdoor to our software security. The idea was that it would only be accessible from one terminal on a closed system. I plan to lock my code with a password, but is there a way to make sure that my library binary files cannot be added to a project without a password (or something to that effect)?

I am not looking for a full explanation, as this is probably not the correct medium for such a thing. I am more looking for what the topics I should be researching are called. My search-fu has not really turned up much yet, so I am looking for more keywords that can lead me in the right direction. A specific book or website would be even better.

Obviously, obfuscating my code as much as possible will also be a security practice I intend to employ. If that is my "best-case" practice for securing my code, so be it. I was hoping for something a little more, though.

Solution

As a solution you can add code in your class initialization routine that basically would check for certain conditions and would fail if the conditions are not met. For example, check if a certain certificate is installed on the machine where the code is running:

https://stackoverflow.com/questions/6451658/check-if-end-user-certificate-installed-in-windows-keystore
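One way to write the initialization check described in this answer, as an added example that is not part of the original post. It assumes a .NET library on Windows; `HostGate`, `EnsureAuthorizedHost` and the thumbprint placeholder are hypothetical names, and the private-key test goes one step beyond the "is the certificate installed" check the answer mentions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class HostGate
{
    // Placeholder: replace with the thumbprint of the certificate issued to the authorized terminal.
    private const string ExpectedThumbprint = "<THUMBPRINT-OF-AUTHORIZED-HOST-CERT>";

    // Call from a static constructor or from each public entry point before doing any work.
    public static void EnsureAuthorizedHost()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly: true also rejects expired or untrusted certificates.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ExpectedThumbprint, true);
            if (found.Count == 0)
                throw new UnauthorizedAccessException("Required certificate is not installed.");

            X509Certificate2 cert = found[0];

            // A certificate alone is public data and can be copied to any machine,
            // so also require a usable private key in this host's key store.
            if (!cert.HasPrivateKey)
                throw new UnauthorizedAccessException("Certificate has no private key on this host.");

            byte[] nonce = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(nonce);

            using (RSA priv = cert.GetRSAPrivateKey())
            using (RSA pub = cert.GetRSAPublicKey())
            {
                if (priv == null || pub == null)
                    throw new UnauthorizedAccessException("Certificate key is not RSA.");

                // Sign a fresh nonce and verify it to prove the private key is really usable here.
                byte[] sig = priv.SignData(nonce, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                if (!pub.VerifyData(nonce, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                    throw new UnauthorizedAccessException("Private key does not match certificate.");
            }
        }
    }
}
```

The check runs inside the library itself, so anyone able to modify the binary can remove it. Marking the private key non-exportable and restricting its ACL to the service account narrows who can pass the check, but does not change that.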

OTHER TIPS

IMHO you are approaching this from the very wrong side.

> The idea was that it would only be accessible from one terminal on a closed system

Then make sure all software installed on that system can only be accessed by authorized personnel. Make sure no one can "steal" the lib from that terminal by closing any holes like USB ports, unrestricted file system access, unrestricted file upload.

Also make sure the source code of that lib is only available to you and other authorized developers.

When you do this right, you won't need such an insecure approach as password protection with hard-coded credentials.

> .. a class library ... basically a huge backdoor to our software security.

Have you raised these concerns with those Responsible for Security?

> The idea was that it would only be accessible from one terminal on a closed system.

A library can be used in any application, from anywhere.

> I plan to lock my code with a password

... which puts that password into Source Control, therefore reducing it to just another String variable.

> ... is there a way to make sure that my library binary files cannot be added to a project without a password (or something to that effect)?

Not easily. If anything, you're getting into an area very much like Licencing the use of that library.

If this functionality must only be used in one application from one machine, and assuming that those Responsible for Security don't shoot the whole idea down in flames (which they probably ought to) and you do have to write it, then embed the functionality directly into the target application. Don't create a library at all, thereby preventing it from being reused.

It sounds like you are attempting "security through obscurity". You are right to be highly skeptical of this idea, because it doesn't work. Instead you should be thinking about authentication and authorization. How do I authenticate users so that I know who is attempting an operation? How do I authorize users to perform some operations and not others?

This is a very old problem, and there are well-known solutions in use today. If the protected resources are highly valuable, then look into two-factor authentication using one-time key generators (e.g. YubiKey). There are multiple open-source solutions for maintaining authorization data.

Licensed under: CC-BY-SA with attribution