I'm looking to implement a shared configuration file that will be written (output) in python, but be read (input) in C.
The only prerequisite of this configuration file is that it can't be human readable.
Anyone have any suggestions on what file format I should use for this project?
Edit: The file can't be human readable because we don't want the user to be able to modify the configuration, also, in some cases, we don't want the user to know about certain configurations.
How secure do you need this config file to be?
There is no absolute security, you'll quickly run into DRM like issues (allow users to open a file but not allow them to open it ... I know it's insane).
Often simple obfuscation is quite effective. Dump the config to a JSON file (please don't use xml). XOR the contents and change the extension. That will stop all casual inspection of the file. Obviously don't document that this is your obfuscation procedure.
If you're worried about user modification of config files (you don't care if the configs are readable you just want prevent loading custom configs) use a cryptographic signature. Store the private key at your company and use it and the python app to generate a signed configuration. Store the public key in the c++ application and use it to verify the config is properly signed before applying the settings.
try this one http://www.picklingtools.com/
Probably easiest to use XML, then obfuscate it with a simple cypher or encryption with a fixed key.
Use a plain human readable format such as XML, and then obfuscate that to make it uneditable (i.e. encrypt the whole thing and store a hash somewhere and fail to load if its' been messed with).
Otherwise you just have to bite the bullet and write a spec for the binary format that'll be exchanged between the two programs.
Related
I am using visual studio to develop a windows form application in c++ to detect certain anomalies and log it.
The log file that I am intending to create will be of a common format such as .txt. I do not want users of the computer to modify this file that is I want only my program to modify it( I want users to read this file not modify it).
Is there any way to achieve this??
if you want to hide the content from other users then encrypt the file or use a binary format that only your program will be able to understand.
As long as the file resides on a publicly accessible area in the file system, then other users will be able to access it.
You can put the file in a specific user's Documents area, which might go some way to protecting the file from other users of that machine, but not from administrators.
You could even set the file attributes to "hidden" or something along those lines, to further make it hard for people to find it. But a complete access block is difficult (if not impossible).
After all this, you can also use NirMH's method to ensure that even if someone finds and attempts to read the file, then the encryption should make it difficult to crack it open. A binary format can still be read with a hex editor, if someone is really keen to read your file.
I would like to know some tips how to secure DLL (Win32, dynamic) file from injecting and how to increase security of compiled code.
There's a SQL password in DDL source code which is used to connect to MySQL. Is it secure enough to leave it?
Is there any way how to prevent 'users' modifying HEX code? I mean to secure more from source code.
Which options in project properties would be optimal for optimizing and maybe securing DLL?
Im using MVSC++ 2010 Express and source code to users won't be available.
In order for the DLL to be usable it needs to be readable. That means that if you encrypt your file you also need do decrypt it before using it. Also, you can sign your DLL so that you know it has not been modified, but still that doesn't hide the symbols in the file itself. Another approach would be to obfuscate the code so that it is harder for users to understand but the OS can still easily execute it - think of that as a weak form of encryption.
Specific answers:
If you have a password in any binary file then it is not secure. It is a simple matter of looking through the strings of the binary file to find it.
Users can always modify the file, but the file can be signed using some cryptographic scheme which ensures that you will know if it has been tampered with.
I don't use that particular tool but I'm sure that it will not provide you with any real security.
Tip: Instead of having an SQL DB password in your source code you could instead make it send commands to a server which would authenticate and process them. That way you don't need an explicit password in your file.
Any and every literal string in your DLL is readable unless you encrypt the entire file. Do NOT store passwords as literal strings in your dll. Period. Also, you have to remember that assembly code is just data, and if the file is writable, anyone with an Intel reference sheet and a hex editor, or a disassembler and a an assembler can change it if they have access to the file. You can always obfuscate your source, which will make the assembly slightly less readable, but still completely modifiable.
In short, nothing you do will completly secure your DLL.
I have a proprietary application which uses an xml config. Currently I use boost::property_tree to read the xml file.
I would like to deploy both executable and xml file on a more public system and want to avoid anyone, including that system's administrator, from reading the xml.
Ideally, I would like to maintain the clear text xml on my system so I can easily manually modify it. Then I would call some encrypt command on the file, deploy it on the more public machine and have the executable decrypt it on the fly. I'd use the same key and just hardcode it into the source of the executable.
Is this a reasonable approach? What is the easiest way to implement this? Is there a better way?
Since you're already using boost, you could always serialize it. If you use binary archives, the file will be essentially unreadable. I guess my follow-up question would be: do you also want it to be secure? Or just unreadable?
If the code runs on the client's machine, then in principle you can never prevent the data from becoming known, because it has to be on the client's machine. You can try to obfuscate, but ultimately the client will have to be able to read the data, so it has to know it.
If you were to simply embed an encryption key in your program, the client could just scan through the file and extract the key. If you work a bit harder you can make Skype, but even that has been deconstructed.
It all depends on the seriousness of your need to protect the data. If it's absolute, then you cannot do it, but if you just want to keep the casual visitor out, you could try and make it a bit harder... tell us some details if you're serious about this.
If your goal is to prevent someone from casual inspection, then that is a reasonable approach.
If you must ensure (for some weird reason) that the configuration cannot be read, it is a foolish errand, because the program can read it, so a user who is determined to do so can do it as well. Either by disassembling the program, or simply by doing a memory dump from the debugger. Having that said, a simple, lightweight encryption will be good enough, because even the toughest encryption will be broken in the same way.
You might also consider whether using an explicitly human-readable format such as xml is well-suited if you don't want people to read it.
I had a very similar case. I used a compression algorithm to store the file 'encrypted'. zlib can be used for C++. You can easily encrypt and decrypt your file, both from command-line and from code. To add some more 'security' you can xor the compressed file with a password.
This a both simple to implement and easy to use. Of course I won't use such method if my clients are hackers, or have a financial incentive to read the XML.
I am thinking about adding configurable settings to an application, and I think the easiest ways are an external file or win registry (its a win only app).
Which way would be better?
I was wondering, an user with not enough permissions may not be able to create/write the config file. And in the case of the registry, would todays antivirus allow me to add/edit/remove keys? Or they only monitor certain keys?
Also, if someone knows a class/lib to manage config settings (in pure win32) in vc++ please post it.
As far as I know:
an user with not enough permissions may not be able to create/write the config file
You should be able to make files inside user's "home directory" or "application data" directory, regardless of permissions. Normally those directories should be writeable.
would todays antivirus allow me to add/edit/remove keys?
Haven't ever seen my antivirus interfere with registry manipulation. You probably will be fine as long as you aren't doing anything suspicious in registry.
Which way would be better?
It is matter of taste. I think that text file is better - allows easier migration of settings. Just don't leave junk behind after uninstall.
Also, if someone knows a class/lib to manage config settings in vc++
QSettings in Qt 4. But using entire Qt for just saving settings is definitely an overkill. You could also check configuration languages like JSON, use lua for settings (less overkill than using Qt 4) or get any XML library. Also, working with registry directly or writing configuration files using iostreams or stdio shouldn't be hard. And you can always write your own configuration library - if you feel like it.
Is "Windows-only" a restriction or a restriction-relief? If you don't mind being cross-platform then I suggest you give boost::program_options a go. The library supports program options through commandline, through evironment-variables and through INI files. Boost's program_options also integrates and glues the various parsers very nicely with variables_map, which you can view as a map between options and their value.
For simple stuff, you might as well just use the registry. However, there are many benefits to a config file... you can save/load several different configs for different uses of your app, it's easier to share or migrate settings between users or machines, etc.
If you end up going the file route, I would recommend Boost's Property Tree library:
http://www.boost.org/doc/libs/1_41_0/doc/html/property_tree.html
It has a pretty nice syntax:
boost::property_tree::ptree properties;
std::string name = properties.get<std::string>("blah.name");
int score = properties.get<int>("blah.score");
properties.put("blah.name", "Inverse");
properties.put("blah.score", 1000);
It also supports reading and writing to various formats, like xml and others.
I think the new default thing is to write a configuration file in the user's "AppData" folder under the user's folder which should be safe to write/read from.
We're using a simple XML formatted file to store settings; but you could use a INI file type formatting.
If you save your configuration file in the Application Data directory SHGetFolderPath() with CSIDL_COMMON_APPDATA all users will be able to see the configuration. If you use CSIDL_LOCAL_APPDATA then only the one user will be able to see the configuration. The registry is not necessarily the place to save all configuration data.
I've been working on a project in C++ using openGL and am looking to save the current scene to a text file. Something simple along the lines of, cube at x,y,z and its color etc.
My question is about how to make sure that the file has not been changed by a user. I thought about calculating a checksum of the string and including that in the file.
e.g. checksum, string
But again this is open to the user modifying the values.
Any recommendations or is this just a case of writing a good parser?
Cheers
theoretically: you can't.
practically: encrypt it and obfuscate the key within your program (this is how much of DRM works)
although you will never be able to stop a determined user. Why is it so important that the user can't modify it?
If you want users to be able to read, but not modify make the last line a HMAC of the file and a secret key.
Instead of preventing the user from changing the file is better to validate file's content before using it. Create a good parser that is able to detect (and repair?) errors.
Let the user do whatever he wants because some errors might be fixable. Give warnings. With hashing you will prevent your users to do anything.
How strict is your requirement that the file not be user-modifiable? That is, how much effort are you willing to expend to make sure the user can't tinker with the file? Does the file need to be user-readable? If you really don't want the user to change the file, maybe encryption of some sort is the answer (provided the user doesn't need to be able to read the file). Something like this trivial XOR encryption scheme might be enough.