We provide our libraries to integrate the CRYPTO-BOX both as static libraries (e.g., for C++ and Delphi) and as DLLs. If possible, you should give preference to static integration for security reasons.
However, you can also improve security with dynamic libraries: if you integrate cbios_dll.dll, the CBIOS4NET libraries for C#, or jnicbios.dll for Java, we recommend that you explicitly verify these libraries before loading them. This ensures that the library has not been manipulated or replaced. All libraries mentioned above (provided in the latest Smarx OS Protection Kit) are signed with an Extended Validation (EV) code signing certificate and thus meet the highest requirements for authenticity and integrity.
To verify the signature and its certificate, you can use the Windows system function WinVerifyTrust. This API checks the Authenticode signature of the file, the complete certificate chain up to a trusted root CA, and, depending on the configuration, the timestamp and certificate revocation.
The check should be performed before loading the library, i.e., before calling LoadLibrary, System.load(), or the corresponding .NET mechanisms. The library should only be used if the signature check is successful. This ensures that only original, unchanged components delivered by us are executed in your application.
This procedure can be implemented uniformly for all of the above-mentioned MARX DLLs:
Sample code which demonstrates this check for C++ can be found in the current Smarx OS Protection Kit (PPK) at:
[PPK root folder]\SmarxOS-Samples\CBIOS\C++\MSVS2005 (Dll)
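For the .NET case, the same check-before-load sequence can be written in C# by calling WinVerifyTrust through P/Invoke. This is an added example, not the sample code from the Protection Kit: the class and method names are hypothetical, and checking revocation for the whole chain is a choice made for this example.

```csharp
using System;
using System.Runtime.InteropServices;
static class SignedLibraryGate // hypothetical helper name, not part of the MARX libraries
{
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        [MarshalAs(UnmanagedType.LPWStr)] public string pcwszFilePath;
        public IntPtr hFile, pgKnownSubject;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData, pSIPClientData;
        public uint dwUIChoice, fdwRevocationChecks, dwUnionChoice;
        public IntPtr pFile;
        public uint dwStateAction;
        public IntPtr hWVTStateData, pwszURLReference;
        public uint dwProvFlags, dwUIContext;
        public IntPtr pSignatureSettings;
    }
    [DllImport("wintrust.dll")]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid actionId, ref WINTRUST_DATA data);
    public static bool HasTrustedSignature(string fullPath) // true only if WinVerifyTrust returns 0
    {
        var action = new Guid("00AAC56B-CD44-11D0-8CC2-00C04FC295EE"); // WINTRUST_ACTION_GENERIC_VERIFY_V2
        var file = new WINTRUST_FILE_INFO { cbStruct = (uint)Marshal.SizeOf<WINTRUST_FILE_INFO>(), pcwszFilePath = fullPath };
        var data = new WINTRUST_DATA { cbStruct = (uint)Marshal.SizeOf<WINTRUST_DATA>(), dwUIChoice = 2, // WTD_UI_NONE
            fdwRevocationChecks = 1, dwUnionChoice = 1, // WTD_REVOKE_WHOLECHAIN, WTD_CHOICE_FILE
            dwStateAction = 1, pFile = Marshal.AllocHGlobal((int)file.cbStruct) }; // WTD_STATEACTION_VERIFY
        Marshal.StructureToPtr(file, data.pFile, false);
        try { return WinVerifyTrust(IntPtr.Zero, ref action, ref data) == 0; }
        finally
        {
            data.dwStateAction = 2; // WTD_STATEACTION_CLOSE releases the verification state
            WinVerifyTrust(IntPtr.Zero, ref action, ref data);
            Marshal.DestroyStructure<WINTRUST_FILE_INFO>(data.pFile);
            Marshal.FreeHGlobal(data.pFile);
        }
    }
    public static string RequireTrusted(string path) // returns the absolute path, or throws
    {
        string fullPath = System.IO.Path.GetFullPath(path);
        if (HasTrustedSignature(fullPath)) return fullPath;
        throw new InvalidOperationException("Signature check failed, refusing to load " + fullPath);
    }
}
```

Pass the path returned by RequireTrusted to the loader so that the file that was verified is the one that gets loaded. WinVerifyTrust accepts any signature that chains to a trusted root, so comparing the signer certificate with the expected publisher is a further check an application can add.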
For further questions about the CRYPTO-BOX implementation please contact us or use our support ticket system.