Sunday, November 07, 2004

Compromising a strong name signed assembly

I saw this article on the CodeProject, which draws attention to the fact that simply signing an assembly by strong name doesn't guarantee that a hacker cannot turn it into a trojan horse :-( The author shows how easy it is to use the ildasm and ilasm tools to simply remove the publickey and hash algorithm segments from the assembly header in the IL code and recompile the IL code making the assembly unsigned!
Going one step further than that, the hacker could even sign the tampered assembly by his own private key - so potentially fooling the CLR, if the CLR grants trust to an assembly simply if it is signed.
I now more strongly feel that the onus is now on the system administator of the machine(s) to cleverly set trust and evidence based code access security policies for the CLR so that the compromised assemblies fail to execute. This can probably only be achieved if the policy is based on the publisher's identity - be it his public key or his digital certificate.

No comments: