Compsoft Flexible Specialists

Compsoft plc


Thursday, November 08, 2007

Tim Jeanes: Microsoft TechEd (Thursday)

Microsoft have developed a pretty sneaky method of protecting your source code. Normally with managed code, it's all too easy to reverse engineer your compiled code to get back to your original source code. Now though you can encrypt portions of your applications into a Secure Virtual Machine Language. Doing so also includes the corresponding Secure Virtual Machine in your application to decrypt and execute the MSIL. If we then reverse engineer the resulting application we see the original method names, but each contains only a call to the SVM. Our valuable code is held in an encrypted embedded resource file.

Admittedly executing such protected code is significantly slower than executing regular managed code, but you are able to select at the individual method level which parts of your application are protected. The best candidates, then, are those that contain sensitive information or proprietary algorithms but that aren't going to impact noticeably on the user's experience if they run slightly more slowly.

Additionally, Microsoft have made it easy to associate license keys with these individual protected methods. The user will see an "activate this product over the internet" dialog when they first execute the application. Entering the activation key we've generated for them gives them access to the application as a whole, but prevents them executing any individual protected methods that their license doesn't cover. We'd have to put in a little work to ensure the restricted features aren't shown to be available, but we can rest assured that the SVM will prevent them using reflection to hack the app and executing code they haven't bought a licence to use.


There are some nice improvements coming up for the next version of .NET. A slight surprise was back button support for AJAX pages. This gives you the opportunity to alter the URL in the browser, adding items to the browser history, all without performing a full postback or updating anything outside your update panel. The URL can then be used as a permalink to the page in that particular state, so you'll have to put in some effort to ensure you keep sufficient state information in the query string.

The Astoria data services project automatically maps URIs to LINQ objects, returning the results serialized as XML. For example, .../ProductCategory would return a list of all product categories, .../ProductCategory(5) would return the product category with ID 5, whilst .../ProductCategory(5)/Product would return all products in that category. The developer has full control over what methods of exposure of this kind of data are used.


It's always a toss-up at TechEd whether to attend sessions on topics you know something about already and want to learn more about, or to go and listen to something you know nothing about. The former can be very useful because it'll relate to your real life; on the other hand it may be a waste of time if you find you know it all already, or if what you learnt could have been gleaned from Google in five minutes.

I attended a seminar on security in web applications (as I did last year) and, though it covered some new hacking methods I'd not seen before, I didn't come away with anything I felt I needed to change about the way we work.

The first of the two wild cards I picked today was cancelled (I guess now I'll never learn about publishing on-line comics with WPF) so I was stuck with the safe option (a Q&A comparison between the various flavours of LINQ). My second wild card - about SOA and multi-UI-based applications - showed me some awesome stuff that can be achieved but that I'll probably never reproduce.

A nugget of information from it was that the next edition of WF will (probably) give better support for querying the state of a workflow whilst it's serialized in a database. At the moment this information has to be duplicated manually and just feels too messy to me. Coupling that with how difficult it currently is to alter a serialized workflow has really kept me from using them in real life applications (useful though they are). I just know that our customers need frequent changes to their processes, so I think WF workflows would give me far more of a headache than I could do with until this process is made a whole lot easier.


Seminars today: SEC401 (Aidan Hughes); WEB310 (Mat Gibbs); TLA06-IS (Pablo Castro, Carl Perry, Mike Taulty, Luca Bolognese); WEB201 (Alik Levin); SBP307 (Clemens Vasters, Steve Swartz)
