Friday, March 9, 2012

Possible to encrypt database assembly?

Hello.

I've built a simple Visual Basic .NET project containing the following code...

Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Data.SqlTypes
Imports Microsoft.SqlServer.Server

Partial Public Class StoredProcedures
<Microsoft.SqlServer.Server.SqlProcedure()> _
Public Shared Sub WhoAmI()
Using connection As New SqlConnection("context connection=true")
connection.Open()
Dim command As New SqlCommand("SELECT SUSER_SNAME()", connection)
SqlContext.Pipe.ExecuteAndSend(command)
End Using
End Sub
End Class

From Visual Studio, I want to encrypt the contents of this assembly, as a proof-of-concept.
Even though assembly contents are stored as varbinary(MAX) in the database, converting to varchar(MAX) will expose the code.

However, the Dotfuscator Community Edition reports the following error: "Dotfuscator Community Edition cannot operate on SQL Server applications.... please try Standard or Professional Edition."

Has anyone tried encrypting a database assembly and deploying to the database?

A good test would be to issue the following TSQL script against the database holding the assembly...

-- Does the sample code above run?
EXEC dbo.WhoAmI
GO
-- Is the code readable?
SELECT * , Convert(varchar(MAX), content) FROM sys.assembly_files

Hi,

There is no explicit support for encrypted assemblies in the database. You can use a code obfuscation utility to make reverse-engineering difficult, as you suggest.

Perhaps someone else has a favorite obfuscator they can recommendI don't know much about them.

Cheers,

-Isaac

|||

Note that the code you're reading from sys.assembly_files isn't related to encrypting the assembly - VS deploys your full source code and PDB files to the database to assist with debugging. If you don't want VS to do this, then you can turn it off under the project properties / Deploy / Deploy Code option. This still won't protect your assembly though as anyone can use a reflection tool such as http://www.denisbauer.com/NETTools/SQL2005Browser.aspx. Obfuscation can help here, but the real solution is to control who has access to the system views containing the assembly using metadata permissions.

Steven

|||A great answer... You've given lots of new leads. Thanks.
Posted by despiteiopl at 8:09 PM
Labels: , , , , , , , , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)