Security Tips for Dynamic Libraries
Overview
When integrating SoftwareKey licensing functionality into your application, security should be considered from the very beginning. SoftwareKey provides both static libraries (for example, for C++ and Delphi) and dynamic libraries (DLLs) for Native and .NET environments. For most of our customers, these will be the PLUSNative and PLUSManaged libraries from the Protection PLUS 5 SDK.
This article outlines recommended practices to help ensure that only authentic, untampered SoftwareKey components are loaded and executed in your software.
Choose Static Linking When Possible
Where your architecture allows it, we recommend using static libraries rather than dynamically loaded libraries.
Static integration offers several security advantages:
- The library code becomes part of your compiled binary, making replacement or manipulation at runtime significantly harder.
- There is no dependency on externally deployed DLL files that could be swapped or modified after installation.
For these reasons, static linking should be your first choice whenever it is technically and commercially feasible.
Securing Dynamic Library Usage
In some scenarios, dynamic libraries are required or preferred (for example, to reduce binary size or to enable shared components). Even in these cases, you can significantly improve security by validating the authenticity of the libraries before loading them.
All SoftwareKey DLLs are digitally signed. You should explicitly verify this signature at runtime to ensure that:
- The library has not been modified.
- The library has not been replaced with a malicious or counterfeit file.
- The library originates from SoftwareKey and is trusted.
Verifying Authenticode Signatures on Windows
On Windows, the recommended approach is to use the operating system’s built-in WinVerifyTrust API. This function validates:
- The Authenticode signature of the file
- The complete certificate chain up to a trusted root certificate authority (CA)
- Optionally, the timestamp and certificate revocation status (depending on configuration)
A library should only be considered valid if this verification succeeds.
Perform Verification Before Loading the Library
Signature verification must occur before the library is loaded into the process. This means the check should be executed prior to calling any of the following (or their equivalents):
- LoadLibrary (Win32 / Native code)
- System.load() or System.loadLibrary() (Java)
- .NET assembly loading mechanisms
If the signature check fails, the library must not be loaded or used.
This ensures that only original, unmodified SoftwareKey components are executed within your application.
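The check-then-load sequence described above, as an added example in C (not SoftwareKey's own code). The helper name `load_verified_library` is hypothetical, the caller is assumed to pass an absolute path, and revocation checking of the whole chain is an assumed configuration; on non-Windows builds the helper compiles to a stub that always refuses.

```c
#ifdef _WIN32
#include <windows.h>
#include <softpub.h>
#include <wintrust.h>
#pragma comment(lib, "wintrust")   /* MSVC; otherwise link wintrust manually */
typedef HMODULE lib_handle;
#else
#include <stddef.h>
typedef void *lib_handle;          /* no Authenticode off Windows: always refuse */
#endif

/* Hypothetical helper: returns a module handle only if the file at full_path
   (an absolute path, so no DLL search order is involved) has a valid
   Authenticode signature. Returns NULL on any failure (fail closed). */
lib_handle load_verified_library(const wchar_t *full_path)
{
#ifdef _WIN32
    lib_handle module = NULL;
    /* Hold the file open without write/delete sharing so it cannot be
       replaced between the signature check and LoadLibraryW. */
    HANDLE file = CreateFileW(full_path, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
        return NULL;

    WINTRUST_FILE_INFO file_info = { sizeof(file_info) };
    file_info.pcwszFilePath = full_path;
    file_info.hFile = file;

    WINTRUST_DATA trust = { sizeof(trust) };
    trust.dwUIChoice = WTD_UI_NONE;                    /* never prompt the user */
    trust.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN; /* assumed policy */
    trust.dwUnionChoice = WTD_CHOICE_FILE;
    trust.pFile = &file_info;
    trust.dwStateAction = WTD_STATEACTION_VERIFY;

    GUID policy = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    LONG status = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &policy, &trust);
    trust.dwStateAction = WTD_STATEACTION_CLOSE;       /* release provider state */
    WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &policy, &trust);

    if (status == ERROR_SUCCESS)                       /* anything else: refuse */
        module = LoadLibraryW(full_path);
    CloseHandle(file);
    return module;
#else
    (void)full_path;
    return NULL;
#endif
}
```

A successful WinVerifyTrust result means the signature is intact and chains to a trusted root; it does not by itself identify the publisher. Confirming that the signer is SoftwareKey requires additionally inspecting the signer certificate, which this example does not do.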
Applicable Across Languages and Runtimes
The same verification strategy can be applied consistently across all SoftwareKey DLLs and supported platforms:
- C / C++: Call the WinVerifyTrust API directly via the Windows SDK.
- C# / .NET: Invoke WinVerifyTrust using P/Invoke before loading or invoking the assembly. To simplify this, you may use an existing managed wrapper for WinVerifyTrust (e.g., the open-source WinTrustSharp project: https://github.com/tolzy88/WinTrustSharp).
- Java: Access WinVerifyTrust through JNA or JNI prior to calling System.load().
By centralizing this verification logic, you can uniformly protect all dynamic SoftwareKey integrations within your product.
Additional Recommendations for .NET Applications
For .NET-based applications, consider the following complementary practices:
- Ensure assemblies are loaded from trusted, non-user-writable locations.
- Avoid probing or loading assemblies from the current working directory.
- Combine Authenticode verification with your existing application integrity checks, if available.
These measures further reduce the risk of unauthorized code being introduced at runtime.
Summary
- Choose static libraries whenever possible for maximum security.
- When using dynamic libraries, always verify their digital signature before loading.
- Use WinVerifyTrust on Windows to validate authenticity and integrity.
- Perform verification before any library loading occurs.
Following these recommendations helps ensure that your application executes only genuine, unchanged SoftwareKey components, protecting both your software and your customers.
For questions about specific implementations or supported environments, please contact SoftwareKey support.