Ideas on improving security for my program?


e946
Posts: 621
Joined: Wed Jul 11, 2007 6:32 am UTC

Ideas on improving security for my program?

Postby e946 » Thu Aug 09, 2007 6:59 am UTC

I have written a rather useful program in VB6 for an online game I'm in, intended to be used by my guild. The program is very well written if I say so myself, so the guild leaders and I have worked a lot on the security side of the program in order to prevent outsiders from being able to use it.

Currently, the security goes as follows:

When the program opens, prompt for a password, or read the password in from a file (done for convenience; ideally the security is completely invisible). It then goes out to the internet to a basic file storage site I have set up and reads in an encrypted version of the password the user just entered. (For the curious, the password we're currently using can be found here.) The program then runs the user-entered password through the encryption algorithm and compares it with the one gotten from the internet. If they match, the password is correct and the main form loads up. If it doesn't match, the program exits.

I think this is pretty secure as I control exactly when the passwords are changed, and I have it set up so that I can force versions to expire by deleting that version's password file.

I do have two main worries, however: The first is that if the user has their own DNS server, they can redirect traffic from fortunecity.com to their own site, allowing them to use old passwords and thus not be subject to password changes.

My second worry is that any user who knows asm can decompile the EXE into asm, find the if statement where I test the password, and just change it to if(true) or some alternative that guarantees them access to the rest of the program.

The solution to the first problem is language and implementation specific, and I really don't know if it's solvable, so I'm looking past it for now. What really bothers me is the second one.

How can I change the flow of the program so that it is very difficult or impossible for someone to just edit a few lines in asm? Is the hole I described even feasible?

Here's my password testing function, for reference. MS.testPassword() returns true if the password is correct and false if it is not correct.


Private Sub testPassword(enteredPW As String)

    Dim correctPassword As Boolean

    ' MS.testPassword runs the entered password through the encryption
    ' routine and compares it with the value fetched from the server;
    ' True means they match.
    correctPassword = MS.testPassword(enteredPW)

    If correctPassword Then
        formMain.Show      ' password accepted: load the main form
        Unload Me          ' close the login form
    Else
        MsgBox "Password Incorrect.", vbCritical, "Incorrect Password"
        End                ' password rejected: terminate the program
    End If

End Sub


I posted this in CS because the answer doesn't really seem to be language-specific and instead relates to general things of security.

Porges
Posts: 46
Joined: Mon Aug 06, 2007 3:01 am UTC
Location: Wellington, New Zealand

Postby Porges » Thu Aug 09, 2007 7:20 am UTC

It's pretty much impossible to prevent, and I'd say that the bit-twiddling attack is much more likely to be carried out than the first (because of the hassle involved).

demon
Posts: 170
Joined: Tue Feb 06, 2007 8:13 pm UTC

Postby demon » Thu Aug 09, 2007 11:03 am UTC

Anyone with enough free time could probably crack any sort of security he can find. The first thing I can think of is to remove the variable correctPassword entirely and just do an if(passwordtestingfunctioncall()) wherever needed. This should at least make some reassembly required, not just overwriting data. Also google maybe for some obfuscators. If they can't find it, they can't crack it, hopefully.

Karrion
Posts: 92
Joined: Fri Jun 22, 2007 12:14 am UTC
Location: Melbourne, AU

Re: Ideas on improving security for my program?

Postby Karrion » Thu Aug 09, 2007 12:18 pm UTC

e946 wrote:I do have two main worries, however: The first is that if the user has their own DNS server, they can redirect traffic from fortunecity.com to their own site, allowing them to use old passwords and thus not be subject to password changes.


They don't even need to control their DNS server, they can just put an entry in their hosts file.

e946 wrote:My second worry is that any user who knows asm can decompile the EXE into asm, find the if statement where I test the password, and just change it to if(true) or some alternative that guarantees them access to the rest of the program.


Given the setup you've described, where the local program is the one verifying the password, there's really no way around this. You haven't said what data the program actually uses, but if you could store the data on the server and have the server program verify the password (preferably using a challenge-based system), it would be more secure.

Of course, you have to ask yourself whether this program is really that important that you need to worry about people decompiling it in the first place.
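Karrion's suggestion worked through as an added example in Python (not code from the thread or from the OP's program): the server issues a random nonce, the client proves it knows the guild password with an HMAC over that nonce, and only the server decides whether to release the data. Because the decision and the data both live on the server, there is no local if-statement for a hex editor to flip, and a captured response cannot be replayed. The names Server, run_session, GUILD_SECRET and PROTECTED_DATA are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values: the shared guild password and the data the program
# needs. Both stay on the server; the client only ever holds the password.
GUILD_SECRET = b"constructed-guild-password"
PROTECTED_DATA = {"planner": "guild war data (placeholder)"}


class Server:
    """Server side of the challenge-response exchange (assumed design)."""

    def __init__(self, secret, data):
        self._secret = secret
        self._data = data
        self._issued = {}  # nonce -> True until it has been used once

    def challenge(self):
        # Fresh random nonce per login; it is consumed on first use.
        nonce = secrets.token_hex(16)
        self._issued[nonce] = True
        return nonce

    def respond(self, nonce, proof):
        # Unknown or already-consumed nonce: a replayed capture lands here.
        if not self._issued.pop(nonce, False):
            return None
        expected = hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; the data is released only on a match.
        if hmac.compare_digest(expected, proof):
            return self._data
        return None


def client_prove(secret, nonce):
    """Client side: HMAC the server's nonce with the guild password."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def run_session(server, secret):
    """One login: fetch a challenge, answer it, get the data or None.
    The transport to the server is assumed to be TLS so the nonce and
    proof cannot be tampered with in transit."""
    nonce = server.challenge()
    return server.respond(nonce, client_prove(secret, nonce))


if __name__ == "__main__":
    srv = Server(GUILD_SECRET, PROTECTED_DATA)
    print(run_session(srv, GUILD_SECRET))   # data released
    print(run_session(srv, b"wrong"))       # None
```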

torne
Posts: 98
Joined: Wed Nov 01, 2006 11:58 am UTC
Location: London, UK

Postby torne » Thu Aug 09, 2007 12:35 pm UTC

You could always go with some amusing virus-like behaviour :)

Encrypt the binary with a random key using a public/private scheme, then shove a loader on it which can go grab the key from the internet. Rootkit the system to protect yourself from being dumped from memory while executing (hooray for I/DTLB desynchronisation). Reencrypt the binary with a different key on every execution to prevent reuse. That kind of thing. Deters mortals. :)

You wouldn't really do all that of course, it's just a fun thought experiment.

iw
Posts: 150
Joined: Tue Jan 30, 2007 3:58 am UTC

Postby iw » Thu Aug 09, 2007 2:26 pm UTC

It's a bit confusing what you are trying to do, but it sounds like you are trying to make a program where the only barrier in running is an online check that a password is okay. If that's it, then you have a DRM/TC-equivalent problem.

I'm not clear on what you're doing, but if it's software that requires a connection to your servers, then the solution would be to authenticate the client on your side, and block all traffic from them if they don't authenticate.

demon
Posts: 170
Joined: Tue Feb 06, 2007 8:13 pm UTC

Postby demon » Thu Aug 09, 2007 3:38 pm UTC

Also, if the computational intensity of this program is low, then perhaps it could be converted to php or executed on the server per user request via cgi? Then it would be nigh-impossible to use it without your knowledge, unless the attackers can actually hack your server.

e946
Posts: 621
Joined: Wed Jul 11, 2007 6:32 am UTC

Re: Ideas on improving security for my program?

Postby e946 » Thu Aug 09, 2007 10:59 pm UTC

Karrion wrote:
e946 wrote:I do have two main worries, however: The first is that if the user has their own DNS server, they can redirect traffic from fortunecity.com to their own site, allowing them to use old passwords and thus not be subject to password changes.


They don't even need to control their DNS server, they can just put an entry in their hosts file.


I've already got that covered. It looks in their hosts file and if it finds "fortunecity", the program gives a warning and exits right away.

The main problem with a php-type server is that I know nothing about them, whatsoever. Several users have also said they like the fact that it's not web based.

Basically, once the program determines the password is correct, it never communicates with the server again.

zenten
Posts: 3799
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Postby zenten » Fri Aug 10, 2007 2:21 am UTC

Well, for the first one if you set up a secure server then you could get around that. It would require either paying for a registered one, or having the fingerprint built into the program. The latter problem is a lot more difficult.

davean
Site Ninja
Posts: 2498
Joined: Sat Apr 08, 2006 7:50 am UTC

Postby davean » Fri Aug 10, 2007 3:17 am UTC

Well, there will always be a way to break something like what you are doing. It can't even theoretically be done entirely securely. (Has to go through the processor, sorry) As such this is a coding issue, and I'm going to move it there.

That being said, if you assume no insider compromises, i.e., no one who has access rights to the program will help compromise it, you can make it NP to break it. Simply encrypt the binary and make them need to enter (or enter a password for) a private key.

That being said, your current scheme is horribly flawed, even just a simple transparent proxy will kill your method.

Why are you even trying to restrict access?

e946
Posts: 621
Joined: Wed Jul 11, 2007 6:32 am UTC

Postby e946 » Fri Aug 10, 2007 5:50 am UTC

davean wrote:That being said, if you assume no insider compromises, i.e., no one who has access rights to the program will help compromise it, you can make it NP to break it. Simply encrypt the binary and make them need to enter (or enter a password for) a private key.


Sounds like a great idea, but that still may have a few problems. Can the program be run without knowing the key, or is it required to run as well as edit? If it's required to run, it's useless if the password ever gets out, and the password getting out is the reason I set this internet thing up in the first place.

That being said, your current scheme is horribly flawed, even just a simple transparent proxy will kill your method.


I don't know precisely what a transparent proxy is, but I'm assuming it's related to my concern of redirecting the traffic meant for my host to their own server, in which case yes, that general problem has occurred to me. I'm open to suggestions on how to fix this, but keep in mind that I know nothing about servers and such.

Why are you even trying to restrict access?


It's a pretty useful piece of software, and this game is all about wars between guilds, so allowing it to get out would take away our advantage of having it.

bavardage
Posts: 253
Joined: Sun Apr 15, 2007 11:38 pm UTC

Postby bavardage » Fri Aug 10, 2007 9:18 am UTC

e946 wrote:
It's a pretty useful piece of software, and this game is all about wars between guilds, so allowing it to get out would take away our advantage of having it.


Would that game be GuildWars ^^?
'It can't be software incompatibility - the Trodden Spiral was designed for concentric rings, idiot ...'

demon
Posts: 170
Joined: Tue Feb 06, 2007 8:13 pm UTC

Postby demon » Fri Aug 10, 2007 10:43 am UTC

e946 wrote:
davean wrote:That being said, if you assume no insider compromises, i.e., no one who has access rights to the program will help compromise it, you can make it NP to break it. Simply encrypt the binary and make them need to enter (or enter a password for) a private key.


Sounds like a great idea, but that still may have a few problems. Can the program be run without knowing the key, or is it required to run as well as edit? If it's required to run, it's useless if the password ever gets out, and the password getting out is the reason I set this internet thing up in the first place.


Well as davean said - once somebody shares the password with another person, you're screwed. So if somebody has the password, he can start up the app and then rip the useful code directly from memory, for example. Really, if the possible attacker can lay his hands on the code, he can take it. So you might want security schemes which disallow any user to see the code - a webapp/restricted remote shell/anything secure and remote really is pretty much the only way to do it reliably if you can provide reasonable authentication. Other than that, you can think of some really twisted obfuscation procedures - like davean's one - but they can be blasted by a mole.

torne
Posts: 98
Joined: Wed Nov 01, 2006 11:58 am UTC
Location: London, UK

Postby torne » Fri Aug 10, 2007 11:05 am UTC

I still vote for 'rootkit the machine it gets installed on to prevent copying'. But that's just because I'm evil. :)

zenten
Posts: 3799
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Postby zenten » Fri Aug 10, 2007 11:36 am UTC

e946 wrote:
That being said, your current scheme is horribly flawed, even just a simple transparent proxy will kill your method.


I don't know precisely what a transparent proxy is, but I'm assuming it's related to my concern of redirecting the traffic meant for my host to their own server, in which case yes, that general problem has occurred to me. I'm open to suggestions on how to fix this, but keep in mind that I know nothing about servers and such.


Does it use http to connect? Because if it does, then using https set up properly will fix that, since it will be able to know if it has the right site or not.

e946
Posts: 621
Joined: Wed Jul 11, 2007 6:32 am UTC

Postby e946 » Fri Aug 10, 2007 6:38 pm UTC

bavardage wrote:
e946 wrote:
It's a pretty useful piece of software, and this game is all about wars between guilds, so allowing it to get out would take away our advantage of having it.


Would that game be GuildWars ^^?


Astroempires.

Rysto
Posts: 1460
Joined: Wed Mar 21, 2007 4:07 am UTC

Postby Rysto » Fri Aug 10, 2007 6:45 pm UTC

zenten wrote:Does it use http to connect? Because if it does, then using https set up properly will fix that, since it will be able to know if it has the right site or not.


Doesn't help you when they use a hex editor to bypass the check.

If you give them the program, you can't stop people from breaking the security -- you can only make it hard on them.

Gunfingers
Posts: 2401
Joined: Wed May 30, 2007 7:15 pm UTC

Postby Gunfingers » Fri Aug 10, 2007 6:49 pm UTC

I like AE as much as the next guy, but I'm pretty sure you're taking it too seriously. This is way too much effort to go to for a browser game.

e946
Posts: 621
Joined: Wed Jul 11, 2007 6:32 am UTC

Postby e946 » Sat Aug 11, 2007 4:08 am UTC

I agree, but I'm trying to learn as I work. This whole thing has been a learning experience for me from the start. I'm trying to learn about securing programs against unwanted users in general, not just to get an advantage in an online game.

zenten
Posts: 3799
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Postby zenten » Sat Aug 11, 2007 1:07 pm UTC

Rysto wrote:
zenten wrote:Does it use http to connect? Because if it does, then using https set up properly will fix that, since it will be able to know if it has the right site or not.


Doesn't help you when they use a hex editor to bypass the check.

If you give them the program, you can't stop people from breaking the security -- you can only make it hard on them.


Well, yes, but I put a lock on my front door, even though it is possible to bypass it.

davean
Site Ninja
Posts: 2498
Joined: Sat Apr 08, 2006 7:50 am UTC

Postby davean » Sun Aug 12, 2007 6:13 pm UTC

zenten wrote:
Rysto wrote:
zenten wrote:Does it use http to connect? Because if it does, then using https set up properly will fix that, since it will be able to know if it has the right site or not.


Doesn't help you when they use a hex editor to bypass the check.

If you give them the program, you can't stop people from breaking the security -- you can only make it hard on them.


Well, yes, but I put a lock on my front door, even though it is possible to bypass it.


Neither a lock on the front door nor any coding you can do will make it "difficult".

e946
Posts: 621
Joined: Wed Jul 11, 2007 6:32 am UTC

Postby e946 » Sun Aug 12, 2007 8:41 pm UTC

Well what CAN you do?

zenten
Posts: 3799
Joined: Fri Jun 22, 2007 7:42 am UTC
Location: Ottawa, Canada

Postby zenten » Sun Aug 12, 2007 10:58 pm UTC

e946 wrote:Well what CAN you do?


Ok, it depends on what you want.

Are you worried about very computer savvy people who are determined to crack your program being able to do so in a few hours? In that case, you need to keep it on your own server, and make sure it's secure as fuck.

Are you worried about people who wouldn't even know how to use a hex editor? In that case you're probably fine.

I would know how (without looking much up) to get past the network hole you have, but I wouldn't know how to extract what I need with a hex editor (unless you leave it as an obvious constant value or something), but I'm probably the minority in that regard.
