简体繁体 English

.net中客户端/服务器应用程序中dll文件的安全性

[英]The security of dll files in a Client/Server application in .net

原文 2015-05-06 09:19:49 6 2 c#/ .net/ security/ client-server/ reverse-engineering

I'm going to write a Client/Server application. 我要编写一个客户端/服务器应用程序。 There are some ambiguous concepts in this that I was not able to get answer to after many hours of searching. 其中有些模棱两可的概念，经过许多小时的搜索后我仍然无法获得答案。

As we all know one of the major caveats of the .Net framework is that the DLL files can be decompiled and reverse-engineered on the client's machine. 众所周知，.Net框架的主要警告之一是可以在客户端计算机上对DLL文件进行反编译和反向工程。

Now my question is can I put some of the DLL files required by the Client on the Server? 现在我的问题是可以将客户端所需的一些DLL文件放到服务器上吗？

And if true, will it be completely secure or it will still be open to getting reverse-engineered/decompiled by crackers? 并且，如果为真，那么它是否将完全安全，还是仍然可以接受饼干进行逆向工程/反编译？

EDIT: The question is different as it asks for the security in the context of a Client/Server application. 编辑：问题是不同的，因为它要求在客户端/服务器应用程序的上下文中的安全性。

2 个解决方案

For the client to use the dll files, it will have to download them from your server to the client. 为了使客户端使用dll文件，必须将其从服务器下载到客户端。 Thus making reverse engineering possible once again. 因此，再次进行逆向工程成为可能。 It does not solve anything basically. 它基本上没有解决任何问题。

I think your goal should be to keep the client as thin as possible, doing most of your logic server-side. 我认为您的目标应该是在大多数逻辑服务器端上使客户端尽可能地瘦。 While I do not know the details of your client/server application, one could think of using a webservice which the client calls to access the server. 虽然我不知道您的客户端/服务器应用程序的详细信息，但是可以想到使用客户端调用的Web服务来访问服务器。 That way you only have to make sure that client authentication to the webserver is solid and that you do sanity checks against any incoming input from clients. 这样，您只需要确保对Web服务器的客户端身份验证是可靠的，并且可以对来自客户端的任何传入输入进行健全性检查。

That depends completely on your implementation - if you stream the modules to the client at some point, they can be dumped and reversed. 这完全取决于您的实现-如果您在某个时候将模块流式传输到客户端，则可以将它们转储和撤消。 If you keep the functionality purely on the server's end, and only return results to the client, you'd be a lot safer. 如果仅将功能保留在服务器端，而仅将结果返回给客户端，则将更加安全。

General rule of thumb with any software, and not just .NET, is that whatever is present can be reverse engineered. 任何软件（而不仅仅是.NET）的一般经验法则是，可以对存在的任何内容进行逆向工程。 I wouldn't say that's "one of the major caveats of .NET" personally. 我个人不会说这是“ .NET的主要警告之一”。

Basically, if you want to protect yourself against reverse engineering by going with a client/server model, there are a few rules of thumb that apply: 基本上，如果要通过使用客户机/服务器模型来保护自己免受逆向工程的侵害，则有一些适用的经验法则：

The server should never trust the client 服务器永远不要信任客户端
Keep as much of your actual implementation on the server's end 在服务器端保留尽可能多的实际实现
Do not stream modules to your client 不要将模块流式传输到客户端
Use proper authentication and rate limit requests so your server can not be used to simply "dump" responses from 使用正确的身份验证和速率限制请求，因此您的服务器不能仅用于“转储”来自以下服务器的响应