made by people who care ♥
XML Documentation Filter
What Is It?
XML documentation filter is an automatic sanitizer that works on XML documentation files produced by various .NET compilers such as C#, Visual Basic, F# etc.
How It Works?
Consider this code:
public class DS1307
{
///
/// Gets a value indicating whether clock is in halt state.
///
/// true if clock is in halt state; otherwise, false .
The highlighted lines are code documentation comments. They allow to provide a quick documentation for a class, property or method.
Code documentation is then used by Visual Studio to show IntelliSense hints:
Isn't that beautiful? Without a doubt, code documentation is a nice and useful feature.
If you write a class library then it’s always a good idea to provide the code documentation:
With XML documentation enabled, you get two main files in the output folder — an assembly file and a corresponding documentation file (MyLib.XML):
Let's take a look on its content:
<?xml version="1.0"?>
MyLib
Gets a value indicating whether clock is in halt state.
true if clock is in halt state; otherwise, false .
A Security Problem
Here is a common situation when some private members are added to the class (added members are marked with yellow):
public class DS1307
{
///
/// Gets a value indicating whether clock is in halt state.
///
/// true if clock is in halt state; otherwise, false .
/// An I2C bus instance.
///
private II2CBus I2CBus;
///
/// Device address at I2C bus.
///
private byte Address;
}
Let's rebuild the project and take a look at the newly generated MyLib.XML file:
<?xml version="1.0"?>
MyLib
An I2C bus instance.
Device address at I2C bus.
Gets a value indicating whether clock is in halt state.
true if clock is in halt state; otherwise, false .
As you can see, the documentation for private class members was generated and stored in MyLib.XML (lines 7 and 12, marked with yellow). This is a very bad outcome from security standpoint.
Private documentation tends to describe the insights and sacred knowledge about the components' internals. So it is highly desirable to keep that kind of information in secret.
Note that in reality XML documentation files are much larger than our benign example. They are often distributed together with productized assemblies of considerable size. So you can just imagine the volume of intellectual property leakage those files can bring.
The Solution
XML documentation filter is built into Eazfuscator.NET and is applied automatically during obfuscation.
If you rebuild the aforementioned project with Eazfuscator.NET in Release configuration and take a look at MyLib.XML, you will see the following result:
<?xml version="1.0"?>
MyLib
Gets a value indicating whether clock is in halt state.
true if clock is in halt state; otherwise, false .
Right, all private documentation is gone. The only documented member now is a public property — exactly what’s expected without any security compromises.
Eazfuscator.NET automatically sanitizes intellectual property leaks in XML documentation files making them safe for distribution.
