Alberto Salvati 0 Posted January 9, 2023
Hi, all. In the past I used P4D to customize Delphi application behavior. Now, I'm working on a project with a very, very high level of cyber security restrictions. I think that, NOW, this issue is so relevant that we as IT specialists can't ignore it. My actual nightmare is "...what happens if someone breaks my Python script, including OS and DATABASE (and other...?) calls that are potentially DANGEROUS?" I wrote to the Python team about it, asking them about a "lazy" Python version that doesn't support these calls... at this moment, no feedback. Also, I wrote to JetBrains (IntelliJ and Kotlin owner) about a new lazy language without dangerous calls... at this moment no feedback. I know that the scope of my issue is outside of P4D but maybe someone has some puzzle piece... My first idea was to check the script for "import" clauses or define the script as a function to merge into a template without import clauses. But working with the script as a FILE, someone could hack the file AFTER these checks. The same situation could occur using a hash. Also, I could secure the file using some digital signature but maybe this solution is too complicated. Finally, I could run the script under another user with few grants but this solution requires network admin collaboration (AKA: complications...) What do you think? AS
David Champion 48 Posted January 9, 2023
If you hash the script file before use you could then programmatically compare against your securely stored hash value, similar to checking user passwords at login. 1
Fr0sT.Brutal 900 Posted January 9, 2023
If you only want your scripts unmodified, that's one question (check hashes, OS-level protection etc.). If you want to defend against any potentially malicious script, that's another one (sandboxing, modified executor etc.). 1
Arnaud Bouchez 407 Posted January 9, 2023 (edited)
Yes, compute a cryptographic hash of the scripts (MD5 or SHA1 are not enough) before running them. But you need to ensure that the hashes are provided in a safe way, e.g. as a constant within a digitally signed executable. You may consider hashing ALL the scripts at startup, and comparing a single hash with the expected value. Then refuse to start if something was tampered with. Instead of a fixed hash, you could add an asymmetric signature of all scripts to your script folder. Then put the signature together with the files, and only store a public key within the executable. You can use https://github.com/synopse/mORMot2/tree/master/src/crypt for those tasks. This is for instance what is run at the core of https://wapt.tranquil.it/store/en/ to protect the Python scripts within each software installation package. Edited January 9, 2023 by Arnaud Bouchez 2
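An added example of the "hash all scripts at startup, compare one digest against a constant carried by the signed executable" check that David and Arnaud describe above (this is illustration code, not from the thread, P4D or mORMot). It is written in Python only because that is the script side being protected; the Delphi host would do the same steps. Every script is read once into memory, the whole set is hashed into a single digest, and only the bytes that were checked are handed back for execution, so a file edited after the check is never the one that runs. File names, script contents and the placeholder constant are constructed assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# In the real app this constant lives inside the code-signed exe (placeholder value).
EXPECTED_BUNDLE_SHA256 = "<digest of the released script set>"

def bundle_digest(scripts: dict) -> str:
    """One SHA-256 over every script; name and length are bound into the
    hash, so renaming, swapping or truncating a file changes the digest."""
    h = hashlib.sha256()
    for name in sorted(scripts):  # fixed order makes the digest deterministic
        data = scripts[name]
        h.update(name.encode("utf-8") + b"\0")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()

def load_scripts(folder: Path) -> dict:
    """Read every *.py under folder exactly once into memory."""
    return {p.relative_to(folder).as_posix(): p.read_bytes()
            for p in sorted(folder.rglob("*.py"))}

def load_verified_scripts(folder: Path, expected_hex: str) -> dict:
    """Return the script bytes only if the whole set matches expected_hex.
    Feed these bytes to the interpreter and never re-read the files, so a
    file edited after the check can never be the one that runs."""
    scripts = load_scripts(folder)
    if not hmac.compare_digest(bundle_digest(scripts), expected_hex):
        raise RuntimeError("script bundle tampered with; refusing to start")
    return scripts

def demo() -> tuple:
    """Constructed check: (clean bundle accepted, edited bundle rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "conv_a.py").write_bytes(b"def run(v, **p):\n    return v * 2\n")
        (folder / "conv_b.py").write_bytes(b"def run(v, **p):\n    return str(v)\n")
        expected = bundle_digest(load_scripts(folder))  # computed at release time
        clean_ok = "conv_a.py" in load_verified_scripts(folder, expected)
        (folder / "conv_a.py").write_bytes(b"def run(v, **p):\n    return v * 3\n")
        try:
            load_verified_scripts(folder, expected)
            rejected = False
        except RuntimeError:
            rejected = True
    return clean_ok, rejected
```

The digest covers the whole set, so a missing, added or renamed script is rejected too, not only an edited one; the constant itself is only as trustworthy as the code signing on the executable that carries it.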
shineworld 73 Posted January 10, 2023 (edited)
I don't know if this can be valid for you, but in my Python programs I use Cython to transform the scripts (*.py files) into C code, which is then compiled natively and transformed into .pyd or .so so as to reduce the possibility of editing them. Just keep a single "main_dummy.py" that instantiates a class in a "main.pyd" which is followed by all cythonized scripts. Edited January 10, 2023 by shineworld
Alberto Salvati 0 Posted January 10, 2023
Hi, all. First, many thanks for your answers. I hope this post sounds like a brainstorming about its subject. I'm replying to all with this post:
1) I don't have a database to store hashes. I'm working on a separate module of a BIG AND COMPLICATED APPLICATION that has a db, but my module has no db access due to cyber security issues and other causes (aaargh!)
2) About sandboxing, I don't know if Windows supports it without using virtualization, then running code in a separate "context". I will study this solution.
3) An asymmetric signature requires a certificate, which requires additional system work. Field persons work so hard to install and set up the application and they can't do this additional work. Also, I used certificates in the past... and I cried due to the puzzling...
4) Cython... It sounds good, I will study it in depth.
Cheers.
Fr0sT.Brutal 900 Posted January 10, 2023
If you specify what exactly you need, you can get more useful answers instead of crystal ball guesses.
Sherlock 663 Posted January 10, 2023
Almost every "call" is potentially dangerous. Asking for a language or a dialect of an existing language without potentially dangerous calls will leave you with nothing, hence the lack of answers from the people you contacted. It is up to you to find out what weaknesses a language has and how to either overcome them or, if too cumbersome, avoid the language altogether. Then you also have to take into account the security issues the system running your software may have. Windows has quite the "rap sheet" when it comes to vulnerabilities. But still it is a solid OS to run your software on, if you are aware of these issues. You may choose to run in a browser... that in itself may expose you to new risks you'll have to learn about, risks that may even be specific to the OS running the browser, so you'll end up checking out combinations of browsers and OSes even over different versions, a ton of permutations to evaluate. And so far you haven't even looked at hardware. What about the USB ports on a standard PC? How can you verify that they are not misused? As you see, cyber security is very expensive; thinking about what might go wrong is just the first step of many. Real security however is just an illusion, just like the idea of error-free software. What you need to have is a risk assessment together with a catalog of countermeasures, and to assess how useful or indispensable your software really may be. If the benefit-risk ratio is acceptable, go ahead and build your software, if not... I seem to have drifted off, sorry. 1
David Champion 48 Posted January 10, 2023 (edited)
4 hours ago, Alberto Salvati said: I don't have a database to store hashes.
Arnaud's suggestion was to hash the script(s) and store the hash value as a string constant inside the Delphi application, and this in itself can be protected by signing the executable. So to verify, you can check the code signing to see if the executable and string constant have been tampered with, or turn on Windows SmartScreen to block unsigned apps. After that, you can check if a freshly calculated hash matches the stored hash. Edited January 10, 2023 by David Champion
Fr0sT.Brutal 900 Posted January 10, 2023
1 hour ago, David Champion said: Arnaud's suggestion was to hash the script(s) and store the hash value as a string constant inside the Delphi application, and this in itself can be protected by signing the executable.
Then it's easier to store the whole scripts inside the exe. Script signing seems more interesting (allowing versions, a limitless number of scripts and so on). 1
Alberto Salvati 0 Posted January 10, 2023
4 hours ago, Fr0sT.Brutal said: If you specify what exactly you need, you can get more useful answers instead of crystal ball guesses.
You are right but unfortunately I can't share too many details.
Alberto Salvati 0 Posted January 10, 2023
Hi, all. I will try to explain but I can't say everything... The application uses a module and I'm the person in charge of it. This module does some operations too complicated to code and different per customer. Each customer (about 5000...) could have about 0..n different implementations for the same operation. n is about 10. But a few customers don't need it. To manage this requirement I need EXTERNAL scripts, one per different implementation, so I can't embed a hash/key and so on in the exe. Also, my module has no db access (cyber security) that would be helpful to store a hash/key and so on. Putting a hash/key in a file could be unsafe... I can't share more details but I think they are enough to get an idea. Sherlock, I agree with you. I'm gathering the information needed to decide if we can use scripts or not. Many thanks to all. AS
Fr0sT.Brutal 900 Posted January 11, 2023 (edited)
These details don't help much. Do you just have many implementations that are maintained by your team, or should each customer be able to modify them? What features do you need to expose to the script engine? What is so horrible that happens if someone modifies a script according to their needs, given that they already have your app running on their machines under their full control? Anyway, if the security is SOOO strong, do you really have the rights to make such fundamental decisions on an important part of the app? I suppose there are some architect guys responsible for the app structure and features. You also haven't mentioned what architecture your app has. Local only, customer-personal client-server, shared client-server? Are scripts supposed to run locally or on a server? I wouldn't bother at all if scripts are to be run locally and if they aren't able to bypass any access right checks (by accessing opened DB connections from the app, for example). There's no difference between running such a script from your app or from a standalone installation. Edited January 11, 2023 by Fr0sT.Brutal
Alberto Salvati 0 Posted January 11, 2023
3 minutes ago, Fr0sT.Brutal said: These details don't help much. Do you just have many implementations that are maintained by your team, or should each customer be able to modify them? What features do you need to expose to the script engine? What is so horrible that happens if someone modifies a script according to their needs, given that they already have your app running on their machines under their full control? Anyway, if the security is SOOO strong, do you really have the rights to make such fundamental decisions on an important part of the app? I suppose there are some architect guys responsible for the app structure and features.
I know, but I've already said more than I could... The needed feature is to transform a generic input value into other value(s) using additional optional parameters. The logic for these operations could be more complicated, so I can't describe and write code for all use cases. Imho, external scripts are the extrema ratio... Customers don't have access to modify them. And yes, my team is responsible. Cheers
Fr0sT.Brutal 900 Posted January 11, 2023 (edited)
Okay, we're getting closer. So your team fully develops these scripts and no customer has access to them? Then just compile these scripts into a binary and protect it from modifications by signing. Next, why Python? Had it been chosen for its rich package set because the processing is pretty complex and implementing all the required stuff would be a huge task? Otherwise you can use the PascalScript engine and build it yourself, removing potentially dangerous operations. You can do the same with P4D or any other script engine (JS/Lua/etc.) but it will require some investigation and C knowledge. Moreover, what forbids you from writing DLLs for each processing? Edited January 11, 2023 by Fr0sT.Brutal