如何使公共静态类“安全”?
[英]How can I make a public static class “secure”?
问题描述
I'm looking to create a secure wrapper for a public class with public static methods, so let's say the class is very simply: 
我正在寻找使用公共静态方法为公共类创建安全的包装,因此,我们可以说该类非常简单:
public class MyClass {
public static int Add (int first, int second)
{
return first + second;
}
}
I want to have a client needing to access this via some secure other class that will call MyClass. 我想让一个客户端需要通过一些安全的其他类(称为MyClass)来访问它。 At the end of the day I'm expecting to have all this code in a single dll for clients to use. 最终,我希望所有这些代码都在单个dll中供客户端使用。 The intention is to have some behaviour like: 目的是要具有以下行为:
public class SecureMyClassWrapper
{
bool _isUnlocked;
private static readonly List<string> validIds = new List<string>(){"only me", "and them"};
public SecureMyClassWrapper(string id)
{
if (validIds.Contains(id))
{
_isUnlocked = true;
}
else
{
_isUnlocked = false;
}
}
public int Add(int first, int second)
{
if (_isUnlocked)
{
return MyClass.Add(first, second);
}
else
{
// throw security exception etc.
}
}
}
There's a fair possibility that someone with more hacking ability than me is going to want to get at my static methods, so please can somebody suggest why this might be a bad approach or what I should be concerned about here? 黑客能力比我强的人很可能会想使用我的静态方法,所以请有人提出为什么这可能是一个不好的方法,或者我在这里应该关注什么? Some ideas would be that 有些想法是
-
MyClassmethods can easily be called through reflectionMyClass方法可以通过反射轻松调用 - somebody could ildasm.exe code, change the list of
validIdsor_isUnlockedlogic (or even their values at runtime?)有人可以使用ildasm.exe代码,更改validIds或_isUnlocked逻辑的列表(甚至在运行时更改其值?) - possible to read a valid ID and then use it as their own 可以读取有效的ID,然后将其用作自己的ID
How could I guard against reflection or decompilation in these cases? 在这些情况下,如何防止反射或反编译? Is there a standard approach for this you would recommend, eg Code Access Security? 您是否建议使用标准方法,例如代码访问安全性?
3 个解决方案
解决方案1
1 2015-03-09 15:51:01
Host the code you want to protect in a service run on another machine. 将要保护的代码托管在另一台计算机上运行的服务中。 And expose the api with a Interface. 并使用接口公开API。
解决方案2
0 已采纳 2015-03-09 16:34:53
The only way to protect your .Net code is to use an Obfuscator . 保护.Net代码的唯一方法是使用Obfuscator 。 However it only does so much so it is still crack-able. 但是,它只能做很多事情,因此仍然可以破解。 Even non-.Net code is easy to crack, to have its heaps and stacks altered etc. usually for the purpose of bypassing electronic registration process with commercial software. 甚至非.Net代码也容易破解,更改其堆和堆栈等,通常是为了绕过商业软件进行电子注册过程。
If you're dealing with some very sensitive code you can always put it on a cloud server but of course that implies monthly costs. 如果您要处理一些非常敏感的代码,则可以始终将其放在云服务器上,但这当然意味着每月费用。 In that case you may also want secured traffic (https) which is just as costly. 在这种情况下,您可能还需要同样昂贵的安全流量(https)。
Ultimately, you would have to do a cost vs. benefits consideration when dealing with your code's security. 最终,在处理代码的安全性时,您必须考虑成本与收益的关系。 It is always best practice to write your code in such a way that it can be open-source and still not compromise your users security or data. 始终最好的做法是,以这样一种方式来编写代码,使其可以是开源的,同时又不损害用户的安全性或数据。
解决方案3
-1 2015-03-09 15:47:34
You should mark the functions on MyClass as internal . 您应该将MyClass上的函数标记为internal 。 This means only code in the same assembly can call these methods (ie. your "safe" Public methods) 这意味着只有同一程序集中的代码才能调用这些方法(即您的“安全”公共方法)
For example: 例如:
internal static int Add (int first, int second)
{
return first + second;
}
See this: https://msdn.microsoft.com/en-us/library/7c5ka91b.aspx 看到这个: https : //msdn.microsoft.com/en-us/library/7c5ka91b.aspx
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.