Toolbox
Protecting Code, Persisting Data, and More
Scott Mitchell
Protect Your App's Source Code
The greatest asset for companies that create and sell software is their source code. That intellectual property is typically the sum total of the thousands of hours spent on planning, designing, coding, and testing the application. Therefore, it's vital that such companies protect their intellectual property against those who would use it for ill-gotten gains.
When shipping an application to your customers you are, effectively, handing over your intellectual property. After all, an executable is just a translation from a high-level syntax into a lower-level one. Decompilation—the process of turning the compiled syntax back into a high-level syntax—is especially easy with technologies such as the Microsoft® .NET Framework and Java. Without taking any proactive measures to complicate decompilation, any user who has your application's assemblies can use a tool like Lutz Roeder's Reflector (www.aisto.com/roeder/dotnet) to decompile the assembly's intermediate language back to C# or Visual Basic source code.
An application's source code can be protected from decompilers by using a technique called obfuscation. Obfuscation is the process of modifying the intermediate language generated by the compiler into a form that is functionally identical to the original code, but is difficult if not impossible to decompile back into a high-level language.
There are a number of third-party products available for obfuscating .NET-based assemblies, one of which is Dotfuscator Professional Edition version 3.0 by PreEmptive Solutions. If you have Visual Studio® .NET or Visual Studio 2005 installed on your machine, you probably already have the free Community Edition of Dotfuscator installed as well.
When obfuscating an assembly, the intermediate language is adjusted in a number of ways. The most common technique renames the human-friendly names for methods, properties, events, variables, and so on with shortened, less intelligible names. For example, a method named DisplayMessage() might be renamed to a(). Such renaming leaves the code functionality intact, but makes it much more difficult for a human to parse and understand the decompiled code.
In addition to renaming, the Professional Edition of Dotfuscator includes many more obfuscation techniques, such as control flow obfuscation, string encryption, and overload induction. With control flow obfuscation, standard control flow semantics are rewritten such that they result in spaghetti-code when decompiled. String encryption helps thwart those attackers who search the code for a particular string, such as the prompt for a password or registration number. And overload induction detects nonconflicting method sets and assigns them the same obfuscated name.
With Dotfuscator's operator overloading you'll find that many of your methods are able to be renamed to the same method name (such as "a" or "b"). When decompiling such an assembly, the result is a class hierarchy with dozens of methods using the exact same name, making it very difficult for a human to make sense of the decompiled output.
Obfuscation can also strip out unneeded metadata from the assembly, remove unused members, and heavily reuse identifier names across the assembly. Together, these techniques can reduce the file size of an assembly significantly, providing for improved performance. On the other hand, control flow obfuscation can impact the performance of finely tuned algorithms, and using string encryption can increase the assembly's size and run time.
Obfuscating an assembly with Dotfuscator is a straightforward process that can be done entirely through Visual Studio or integrated directly into the build process through MSBuild or the command line. To use Dotfuscator within Visual Studio, simply add a Dotfuscator Project to your Visual Studio Solution and identify what assemblies should be obfuscated. From the Dotfuscator Project you can configure the obfuscation options, including options for generating HTML reports. Finally, to obfuscate the selected assemblies, simply build the Solution. In addition to compiling the other projects, Visual Studio will also run Dotfuscator.
It's essential to protect source code in order to prevent lost revenue, to keep it out of the hands of competitors, and to reduce the likelihood of attackers discovering an exploit. To make such attacks much more difficult, you should consider using a tool like Dotfuscator to obfuscate your assemblies.
Price: $1,890 per user for the Professional Edition.
Dotfuscator Project (Click the image for a larger view)
Persist State from a Database
Every single application I've created was at its core a means for users to interact with data residing in some database. Such applications can typically be divided into three tiers: the data tier, the application tier, and the presentation tier.
Persisting and retrieving information between the application and data tiers commonly requires a decent amount of repetitive code. For example, in an online shopping site, the application tier might contain objects like Product, Customer, and ShoppingCart. In order to populate a Product object with information about a particular item, the application tier needs to include code that establishes a connection to the database, issues the appropriate query, and populates the properties of the Product object with the returned database record's fields.
Code that takes care of all of these tasks is a pain to write. It's bulky, repetitive, and ripe for typos that have a way of manifesting themselves as runtime exceptions. One of the goals of an application tier is to abstract away the data tier so that you no longer need to think about the logical entities in your system in terms of database tables and SQL queries. Manually writing code to handle the marshaling of data between the application and data tiers runs counter to this goal.
Fortunately there are many tools—referred to as object-relational mappers (O/R mappers)—that can help automate this process. In addition to both commercial and open-source O/R mappers, Microsoft provides its own O/R mapper in the .NET Framework through the use of the strongly typed DataSet.
Hibernate is a popular open-source O/R mapper for Java that has been ported to the .NET Framework and renamed NHibernate version 1.0. NHibernate is a framework designed to automate moving data between the application and data tiers. Given an existing data model in the data tier and a set of business objects in the application tier, NHibernate can transfer the data from the data tier to the application tier or vice versa with a few lines of code. This transformation is possible through XML mapping files, which inform NHibernate what objects map to what database entities, and what object properties map to what database fields.
In addition to persisting and retrieving data between the two tiers, NHibernate provides functionality for querying and retrieving data. The Hibernate Query Language provides a SQL-like syntax for querying data directly against the business objects in the application tier.
Getting started with NHibernate is a relatively straightforward process—you simply download the framework from nhibernate.org, add the NHibernate assemblies to your application, and create the XML files that provide the mapping between your application's data and application tiers. If you already have the business objects in the application tier defined, but have yet to implement the data tier, NHibernate can generate the database schema automatically based on the XML mapping files.
Unfortunately, if you already have the data model implemented, but have yet to create the business objects, NHibernate isn't much help. While some O/R mappers will automatically generate the business objects and mapping information from an existing database schema, with NHibernate you must either create these business objects and mappings by hand or rely on other tools, such as CodeSmith (see the January 2006 installment of Toolbox) to generate them. With the mapping files created, marshaling data between the data and application tiers is as simple as working directly with the business objects and NHibernate's straightforward API.
If you build data-driven applications, consider looking into NHibernate as a means to automate persisting and retrieving objects to and from the data tier.
Price: Free. Includes complete source code.
The Bookshelf
Anytime a technology is upgraded, companies have to decide whether the costs and time required in migrating to the new version are outweighed by the new version's features and enhancements. With new versions of the .NET Framework, Visual Studio, and SQL Server™ all released in late 2005, this decision process is being played out across the world by companies both large and small.
Most computer trade books focus on exploring a particular subset of features in great depth and are ideal for developers interested in mastering a new technology. If, however, you want a high-level overview of a technology suitable for evaluation purposes (or for just gaining a broad understanding of the technology) you'll instead need to turn to a book like SQL Server 2005 Distilled (Addison-Wesley, 2006). Authored by former SQL Server team member Eric Brown, the book provides an executive summary of key features, such as security, database management, developer tools, business intelligence, working with XML data, CLR integration, and so on.
Apart from Chapter 6, "The Code Chapter," which has a hodgepodge of examples for performing various queries and administrative tasks, you won't find much T-SQL syntax or DBA-level walkthroughs. Instead, the other chapters provide their high-level overviews using mostly prose mixed with architectural and use case diagrams. And at 336 pages, SQL Server 2005 Distilled provides a digestible overview that can be read cover-to-cover over the course of a weekend.
If you're a developer needing to master the new T-SQL additions, this book probably won't meet all of your needs, as it isn't intended to sharpen your development skills or to transform you into a SQL Server guru. If, however, you are in search of a summary of the key new features of SQL Server 2005, consider picking up a copy.
Price: $34.99.
(Click the image for a larger view)
Send your questions and comments for Scott to toolsmm@microsoft.com.
Scott Mitchell, author of numerous books and founder of 4GuysFromRolla.com, is an MVP who has been working with Microsoft Web technologies since 1998. Scott is an independent consultant, trainer, and writer. Reach him at Mitchell@4guysfromrolla.com or via his blog.