If .NET is Such a Security Nightmare (It Is), Why Isn't Everybody Fighting to Own the Obvious and Fairly Simple Solution?

Robert Cringely: "The point is that it carries around tons of info with it that makes reverse engineering easy just as with interpreted languages. The original Microsoft BASIC was an interpreted language and subject to this vulnerability, which is why it was so easy to copy on punched paper tape and why Bill Gates once referred to many of his earliest users as “thieves.” Many languages are interpreted including some of my favorites like Forth, PostScript, and Scheme. Java is interpreted and subject to this same vulnerability but the evolution of Java has led to it being used mainly for server applications where the source is a bit further out of reach. .NET, on the other hand, is Microsoft’s chosen successor to Visual BASIC, and effectively exposes source code at the very heart of Microsoft consumer and enterprise applications.

The result is that nearly every emerging Microsoft product is vulnerable, including the OS itself. That’s one reason why we are always hearing more, not fewer, stories about Microsoft security problems. And that’s why Microsoft security updates are now at least a monthly event. Left unchecked, it will only get worse."

And the solution is called PSCP:

"One area of research is called “Program State Code Protection,” or PSCP, which means changing the code AS IT RUNS to make it harder for a cracker to know what is actually happening. Dotfuscator and DashO, for example, right now change all variable names to the same name. But what if all variable names were changed not just to the same name, but were changed continuously to a wide variety of names? The first technique -- making all the variable names the same -- is like building a jigsaw puzzle entirely of white pieces. But PSCP is like making a jigsaw puzzle of all white pieces that spontaneously and continuously appear to change size and shape.

A cracker works much like someone reading a language they don't understand. For many words, they use a dictionary (for a cracker, just look it up elsewhere in the program). Slowly, the pieces come together. And it gets faster over time as you start to remember words. Once you know that “schwester” means “sister” in German, you don't need to look it up again. But what if the language was changing -- changing so fast that the same words are altered in very different ways from one sentence to the next? You couldn't rely on “schwester” being “sister” the next time you see it. Reverse engineering such software would become a nightmare. That's the whole idea of course."