Native AOT Support
Shield provides specialized protection for applications using .NET's Native AOT compilation technology, enabling robust security while maintaining AOT compatibility.
Understanding Native AOT
Native AOT is Microsoft's latest approach to Ahead-of-Time compilation for .NET:
- Creates fully self-contained native applications
- Eliminates the need for JIT compilation at runtime
- Produces smaller deployments with faster startup
- Has specific constraints around reflection and code generation
- Available in .NET 7+ and is the successor to CoreRT
Native AOT applications present unique protection challenges due to their compilation model and reflection limitations.
Native AOT Protection Workflow
When protecting Native AOT applications, Shield follows a specialized workflow:
- Pre-AOT Protection: Shield applies compatible protections before Native AOT compilation
- Trimming-Aware Transformations: Applies obfuscation compatible with the trimmer
- Metadata Preservation: Ensures required metadata for AOT compilation is preserved
- Post-Compilation Protection: Optional binary protection for the compiled native executable
```mermaid
graph LR
    A[.NET Assembly] --> B[Shield Protection]
    B --> C[Protected Assembly]
    C --> D[Native AOT Compilation]
    D --> E[Native Executable]
    E --> F[Optional Binary Protection]
```
Recommended Protections for Native AOT
For Native AOT applications, we recommend the following protections:
```json
{
  "protections": {
    "rename": {
      "rename_public": false,
      "rename_arguments": true
    },
    "control_flow_advance": {
      "intensity": 6
    },
    "constants_encryption": {},
    "constants_mutation": {},
    "virtualization": {}
  }
}
```
The following protections should be avoided with Native AOT:
- Anti-Debugger
- Invalid Metadata
- Invalid Code
- Any protection that heavily relies on reflection
Handling Reflection in Native AOT
Shield automatically preserves necessary reflection-related attributes and metadata for Native AOT compilation. This includes:
- `DynamicallyAccessedMembers` attributes
- `UnconditionalSuppressMessage` attributes
- Required metadata for serialization
- Runtime type information needed by Native AOT
You can use the `[Obfuscation]` attribute to fine-tune protection:
```csharp
[Obfuscation(Exclude = false, Feature = "-control_flow_advance")]
public void ReflectionUsedMethod() { }
```
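The following is an added example, not taken from the Shield documentation, of reflection-dependent code annotated so that the trimmer and the Native AOT compiler keep the members it reads. The `LicenseInfo` and `ReflectionDump` names are hypothetical, and the `[Obfuscation]` feature string is the one shown above.

```csharp
using System;
using System.Diagnostics.CodeAnalysis;
using System.Reflection;
using System.Text;

// Hypothetical DTO whose property names are read through reflection at runtime.
public sealed class LicenseInfo
{
    public string Owner { get; set; } = "";
    public DateTime Expires { get; set; }
}

public static class ReflectionDump
{
    // DynamicallyAccessedMembers tells the trimmer and the Native AOT compiler
    // to keep the public properties of whatever type flows into this parameter.
    // The [Obfuscation] line reuses the feature string from the snippet above.
    [Obfuscation(Exclude = false, Feature = "-control_flow_advance")]
    public static string Describe(
        [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicProperties)] Type type,
        object instance)
    {
        var sb = new StringBuilder(type.Name);
        foreach (PropertyInfo p in type.GetProperties(BindingFlags.Public | BindingFlags.Instance))
            sb.Append(' ').Append(p.Name).Append('=').Append(p.GetValue(instance));
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample values.
        var info = new LicenseInfo { Owner = "constructed-sample", Expires = new DateTime(2030, 1, 1) };

        // typeof(LicenseInfo) is statically visible, so the trim analysis can
        // satisfy the PublicProperties requirement without a warning.
        Console.WriteLine(Describe(typeof(LicenseInfo), info));
    }
}
```

Run the same check against both the unprotected and the protected Native AOT build; a difference in the printed property names or values points to reflection metadata that was renamed or trimmed.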
Troubleshooting Native AOT Protection
Common Issues and Solutions
Issue | Solution |
---|---|
Missing reflection data | Add appropriate DynamicallyAccessedMembers attributes |
Failed trimming | Disable trimming in your Native AOT configuration |
Startup crashes | Verify no serialization-related issues |
Increased binary size | Adjust string encryption settings |
Always test your protected Native AOT application thoroughly across all target platforms and architectures. Native AOT behavior can vary between different platforms.
Best Practices
- Start simple: Begin with basic protection and increase gradually
- Test thoroughly: Verify functionality across all target platforms
- Be cautious with reflection: Explicitly mark types used with reflection
- Disable trimming: Avoid using trimming with protected Native AOT applications
- Layer protection: Use both IL-level protection (Shield) and binary protection measures
For more information on performance considerations, see Performance Impact.