Languages like C and C++ are compiled down to machine code: the binary instructions the processor executes directly. Such binaries can be disassembled into assembly language, which is only slightly higher level than the machine code and still laborious to read. Platforms such as Java and .NET instead compile source into an intermediate bytecode (MSIL, also called CIL, in the case of .NET) that is loaded by a virtual machine and compiled just in time, or interpreted, before it runs on the processor. The drawback of this approach, from a code security standpoint, is that these bytecodes are fairly high level and the binary files carry a great deal of metadata: type names, member names, signatures and the references between them. Decompilers use that information to reconstruct part or all of the original source code from a .NET assembly or Java class file.
Obfuscation is a technique commonly used to protect application code from this kind of recovery. It is the practice of stripping out potentially revealing metadata, renaming meaningful class, method and variable names to meaningless labels, and adding unused or misleading code to an application binary in order to frustrate reverse engineering. It raises the cost of reverse engineering rather than preventing it: the runtime must still be able to load and execute the program, so a determined analyst with a decompiler and a debugger can eventually recover its logic.
There are a number of obfuscation tools available for .NET. For example, Visual Studio .NET ships with the Dotfuscator Community Edition obfuscation tool, which is a reasonable starting point. It is important to understand that obfuscation is not a drop-in solution to the reverse engineering problem. Because so many .NET constructs are object-oriented and late-bound, some .NET code requires that classes and members keep their original names: anything located by reflection (Type.GetType, GetMethod, Activator.CreateInstance), serialized by name (XML serialization, data contracts), bound by name from markup, or exposed as a public API to other assemblies will break if it is renamed. Obfuscation therefore has to be tuned to the particular application, with exclusions for such names, and the obfuscated build has to be tested to ensure the system still behaves properly.

More information:
- PreEmptive package helps make obfuscation part of the SDLC
- Learning Guide: Application security testing techniques has a section on obfuscation
- Obfuscation tools and security
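The late-binding problem described above, shown as an added example rather than code from the original article or from any particular obfuscator: a plugin type is looked up by its string name at run time, so a renaming obfuscator that turned ReportPlugin into "a" and Run into "b" would make both lookups fail. The ObfuscationAttribute in System.Reflection is a real part of the .NET base class library and is honoured by Dotfuscator and most other .NET obfuscators; the class names, method names and the plugin name string are assumptions made for the example.

```csharp
using System;
using System.Reflection;

namespace ObfuscationDemo
{
    // This type is resolved by name at run time (late binding), so a
    // renaming obfuscator must leave it and its members alone.
    // ObfuscationAttribute (System.Reflection) tells the obfuscator to
    // skip the type; ApplyToMembers extends the exclusion to Run().
    [Obfuscation(Exclude = true, ApplyToMembers = true)]
    public class ReportPlugin
    {
        public string Run(string input) => $"report({input})";
    }

    // Nothing looks this class up by name, so it is safe to rename: the
    // compiler binds calls to it statically and the obfuscator rewrites
    // every reference consistently.
    internal class InternalHelper
    {
        public static string Normalise(string s) => s.Trim();
    }

    public static class Program
    {
        // In a real application the plugin name would come from a config
        // file or a database; it is a literal here so the example is
        // self-contained (example value, not from the article).
        private const string PluginTypeName = "ObfuscationDemo.ReportPlugin";
        private const string PluginMethodName = "Run";

        public static string InvokePluginByName(string typeName, string methodName, string arg)
        {
            // These lookups compare against the names stored in the
            // assembly's metadata. If the obfuscator renamed the type or
            // the method, they return null, so fail loudly rather than
            // with a NullReferenceException somewhere downstream.
            Type t = Type.GetType(typeName, throwOnError: false);
            if (t == null)
                throw new InvalidOperationException(
                    $"type '{typeName}' not found (renamed by obfuscation?)");

            MethodInfo m = t.GetMethod(methodName, new[] { typeof(string) });
            if (m == null)
                throw new InvalidOperationException(
                    $"method '{methodName}' not found on {t.FullName} (renamed by obfuscation?)");

            object instance = Activator.CreateInstance(t);
            return (string)m.Invoke(instance, new object[] { arg });
        }

        public static void Main()
        {
            string input = InternalHelper.Normalise("  quarterly  ");
            // Works both before and after obfuscation because the exclusion
            // keeps ReportPlugin and Run intact; remove the attribute and
            // the obfuscated build throws from InvokePluginByName.
            Console.WriteLine(InvokePluginByName(PluginTypeName, PluginMethodName, input));
        }
    }
}
```

The same test belongs in the build pipeline: run the application's functional tests against the obfuscated assembly, not the plain one, so that a reflection, serialization or data-binding path that was missed in the exclusion list shows up before release rather than in production.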