|
|
|||||||
There are a lot of posts looking for ways to encrypt the source code both to prevent reverse engineering and to prevent ripping of passwords etc. To encrypt, command line parameters could be used. Something similar to KixStrip but with built-in encryption. Decryption should be on-the-fly in memory. As a safeguard, Kix could check to see if it is called from a logon. |
||||||||
|
|
|||||||
The problem with encrypting the script is that you need to unencrypt it, in which case you need the password somewhere. Unless the encrypted file contains the password itself of course, hidden within in it using an algorithm that only the developers are aware of. You wouldn't want the decryption to decrypt the entire file, otherwise a simple memory dump would show the original text. That means that you would be constantly reparsing the encrypted file with the associated processing overhead. If the concern is obfuscating passwords used in logon scripts, wouldn't passing them as command line parameters in the logon script definition hide them better? Then they are never in the script itself and the only people who can see them are people with access to the user database. As for hiding the working of your script, an option to compile to pseudo-code, or byte-code would be interesting. It would hide the workings from a casual browser, and speed up the run-time enormously. Of course on the downside a de-compiler for byte-code is very simple to write. |
||||||||
|
|
|||||||
well. what comes to pass for crypted, it's not needed. If you have crypt-engine that does crypt the stuff and write the random decryption key somewhere in the file. the length of that key could be random or according to script size. decrypt function would be runnable only when engine called from kix (that's obvious if engine is kix-script) and it does not output the crypted anywhere, it just translates directly to kix. these kindoff script would be some 20 kb's which is not anymore easy to read, when stripped to one line. and because it's full of execute-lines with some calculations integrated, it'll need guru to read out the correct way of working. what comes to crypting, it can be in just 8 bytes or so, and noone can read it anymore. my 1,5 cents |
||||||||
|
|
|||||||
Richard, I'm aware that if Kix were to decrypt in batch that a memory dump would defeat it. What I suggest, is that it be done byte by byte as it is being interpreted. A public key encryption, like SSL, is what I'm suggesting. Your suggestion to pass the password as a parameter through the User Environment Profile is worth further investigation, but most have concern about reverse engineering. It is often said that locks are for honest folk, and compiling to p-code would hide code from honest folk, but high encryption would keep more folk honest. |
||||||||
|
|
|||||||
RE: Passing passwords to scripts as command line arguments. Unfortunately, users' login scripts are considered "public" information by NT. Despite the fact that this information is stored with the user's account in the domain SAM, ANYONE could view the password argument. Check it out from the command line: This procedure would be useful, say, to provide an admin password to use with su.exe. However, any password made visible to the user's security context would be visible to the user, regardless of whether that password were passed as a command line argument, or if it were contained in a file. Again, strong encryption is the only possible solution. Decryption should be handled inside the script, so that it executes in the client's memory space & not transmitted clear text over the network. |
||||||||
|
|
|||||||
Don't tell anyone , but I have somtimes used passwords that do not look like passwords. For example: NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]] I put this in a script NET USE X: \\server\share /user:fred /domainname and "/domainname" was actually the password. Looking at it, you would just think of it as another switch. Often you don't see what is in front of you. I wouldn't recommend this type of security in the workplace though, but it give you an idea.. cj |
||||||||
|
|
|||||||
cj, cj... Don't change your sig to one like Les has
|
||||||||
|
|
|||||||
That's it! Time for a new sig... I could see knocking off something that compiles to psuedo-code in the timeframe of 2001, but expect that strong encryption would run us into 2002. So just like there is a console-less version (wkix32.exe), there could be secure version (maybe wkix32s.exe). |
||||||||
|
|
|||||||
Teacher...Teacher I have a question? Shut up and finish your test! Yeah, I'm sure it is not an easy task, but having something built-in I think is probably about the only real solution... or a Service Pack that would support all Windows clients with this type of support. |
||||||||
|
|
|||||||
I've been playing with some code with encrypts the script and generates a self decrypting executable. The executable writes the output to a temporary file and runs kix. The first thing the script does is delete itself. As long as the script is short enough and loaded into memory it works pretty well. The problem is that the temporary file is there, albeit for a short time. If kix could read its script file from stdin I wouldn't need the temporary file, although it'd still be subject to attack by a memory dump, or someone using a debug utility to step through the executable and stop before the script is called. In all I can't think of a secure solution that doesn't require that the decrypting is done on the fly within the interpreter. |
||||||||
|
|
|||||||
If your users can do "memory attacks", seems that they already have the admin password, no ? I thought about a ramdrive style protection : an exe using a place only in memory to uncompress/store script, and which can be destruct when asked (and if script abort), so nothing can be get. On the other hand, the exe doing all this stuff must : 1) encrypt the added files it store within, or compress it with a modded header (if some players here looked to the old Diablo mpq files, it's nothing else than zip type with another header. Same things with Diablo 2 and Starcraft. Ok, everything is done with an external dll, but at this point, you can have it in the exe) 2) it won't allow to "extract" files to change some things within, but only execute them. 3) A "builder" must me created, as it will be needed to create the exe with the specified file, and the command the exe will run 4) find someone to create a such thing Advantage of this one is that it would be completly independant of any scripts language That was my € 4 cents [ 13 September 2001: Message edited by: Popovk ] |
||||||||
|
|
|||||||
No, you don't have to have the administrator password. If you have a robust operating system which will allow a process to allocate a private area of memory and place security controls on it so that no other process can read it even if the process is spawned by the same user, then you are safe from memory scanning. Unless your smart user forces a crash and preserves a swap file with the information in it of course. If your operating system won't allow this then the memory (including RAM drives) can be read, and possibly changed. The other problem is, if I can read the program I can take a copy to another computer which I have complete control over and fiddle to my heart's content. A quick search at www.download.com gave me WinHack and MemoryBrowser, both of which will allow you to browse your local PC memory and RamDump which will dump the contents so you can play with it off-line. Of course you need to be quite a sophisticated user to think about cracking the encryption that way, or using a debugger to step through the code and interrogate internal buffers. You need to decide whether you simply want to deter accidental disclosure of passwords and the script code, or if you need a highly secure solution. |
||||||||
|
|
|||||||
I realize that since KIX is an interpreter and doesn't run compiled code, a good portion of the script would have to be unencrypted and buffered in memory. This leaves the code vulnerable to any memory ripping. Passing of some passwords will allways be too risky. One needs to weigh the risk and decide for themself. If the password only gets you local admin rights, the risk may be worth taking, maybe not. FE, If I stole my HR manager's laptop, got local admin rights, and scoured the HD for say, union negotiations... well, you get the picture. While safeguards could be put in place to test whether KIX is running from logon, whether the speed of execution is reduced by an external debugger, etc., these too could be overridden by a good hacker. I think what is needed is a server-side service that the client-side service sends security requests to. |
||||||||
|
|
|||||||
I think you're asking too much. You have users, not hackers. You are speaking of good (great) user that clearly looking for damaging your company. Even if password is encrypted, it won't stop them at this point |
||||||||
|
|
|||||||
Popovk, You may be right, but still I have to ask... These hackers are users for some LAN Admin somewhere. So who's network? My network is connected to a corporate WAN with about 6000 users. I routinely have 6 to 12 Failure Audits per day per server in my security logs. Some I recognize as IT from other divisions, others I don't. We use a term called "due diligence" which means we need to take all reasonable effort to secure our environment. FE, I use SSL on my intranet to secure confidential HR and Payroll information. Maybe nobody sniffs packets on my network to pick up clear text, but I would be remiss to use "security by ignorance". |
||||||||
|
|
|||||||
Calm down folks... nothing to get hot under the collar about. I think Ruud knows by now that we are all looking for something that would be handle our needs. Have a Nice Day... |
||||||||
|
|
|||||||
Hey DOC... I'm calm. Like you, I enjoy playing the Devil's advocate. I am simply echoing the sentiments I see on this board. I also don't like to see security by ignorance. By that I mean the user's ignorance. Mind you, my / our ignorance is the greater sin. Aside from conveying our needs / thoughts, I believe this thread has helped to raise awareness of different perceptions of "security". In the end, Ruud will decide if / and / or what level of security and encryption to implement. This decision, we eagerly anticipate. [ 14 September 2001: Message edited by: LLigetfa ] |
||||||||
|
|
|||||||
Perhaps, if it would help, we could have a poll for this feature. I asked about source encryption a while back... so I obviously would like it. Just my 2¢... |
||||||||
|
|
|||||||
We had a similar discussion to this a number of months back. I remember at the time MCA mentioned that VBSscript (WSH) has an encryption feature (implemented through a command line switch) - anyone know more 'bout that ? Might be a good model to work toward ... -Shawn [ 14 September 2001: Message edited by: Shawn ] |
||||||||
|
|
|||||||
NTDOC, I created that sig when the new board came online. I have been "away" for a few months so you have prob not seen it. I have probably lost my position as a high poster too I was 4th or 5th at one stage. Richard, I was toying with this idea, but never got around to implementing it. When you say small.. what have you found? I had an idea to use the EXECUTE() function with an entire script inside, but I found a size issue there too. Shawn, LTNH, how's tricks. I was thinking of the VBsecure thing too. cj |
||||||||
|
|
|||||||
Ooh, I don't know small. Someone with imtimate knowledge of Kix internals might be able to give an idea about how much of the script is loaded into memory for execution, and whether the file is re-read at any point. The reason the size is an issue is because the first thing the script does is to delete itself. For this to work the entire script must have been read into memory, and Kix must not attempt to refer to the original text again. For the password issue, the passowords can be assigned to variables in a very small encrypted script which kicks off a larger unencrypted script. The large script would have to be read only, have a hard coded path and you'd need to include sufficient controls in the smaller script to ensure that someone hasn't copied it and set up a psuedo-domain at home to emulate yours with a trojan kix32.exe which simpy prints the script rather than running it. Even better, resources requiring passwords would be established in the very small script first. I should have the code in a running state in the next few days - it's quite simple but my 'C' coding is pretty rusty so it's taking a while. Oh, and there's work getting in the way too. Then I'll need to compile it for Windows (I'm developng it under Linux) and faff about with differing variable type lengths, file semantics etc then I'll drop it somewhere for those interested to play with. If there is enough interest I may even publish the source code |
||||||||
|
|
|||||||
If i remember correctly (and don't ask me where i found this, i don't remember), when executing a script, kix load it entirely in ram, before starting to execute it. I do the test with my PALMS script (main script calling subscript using a .ini file to provide scripts to execute and parameters) I rename the logonscr.k2k and the UDF\main.udf.k2k after a first call The logonscr run until end of execution, and main.udf contain all the frequently called udf (as testgroup, testOS, and more). It's called at start. Well, without this files, kix don't get dizzy and the whole script continue to the end like a charm. [ 14 September 2001: Message edited by: Popovk ] |
||||||||
|
|
|||||||
Well I think French users may have a problem using this. I hear (don't know) that they have quite a few restrictions on using encrypted software. Oh! and don't forget to leave a backdoor in the program for all the Government Authorities.... they all seem to want to try and keep pushing that <LOAD OF CRAP> I'm sure they will try to Capitalize and use the recent tragedy in the US as another reason to have these backdoors... even though so far it has not been shown that they have used any encrypted software to accomplish their deed, and as usual it will only handicap the legal users. Criminals don't pay attention to any of these laws anyways. Jumping off soapbox now... [ 14 September 2001: Message edited by: NTDOC ] |
||||||||
|
|
|||||||
My turn on the soapbox... You mean like gun legislation... as if making guns illegal would stop criminals... do you think criminals would obey gun laws? ...stepping down. There are differing rules for encryption in some countries and restrictions on 128-bit exportation, but we all know that. How to build a scalable secure KIX to satisfy these restrictions is the challenge. |
||||||||
|
|
|||||||
hey... in reference to the question of whether scripts get completely loaded into memory or not... I believe that Ruud talked about that in his interview... To my understanding and experience, kix loads the script and ALL related scripts into memory. I once had my primary script fail... and after a long ammount of time, I found that a script 5 levels down from the first (1 calls 2, 2 calls 3, etc..) was missing a quote or paren... fixed it, and the first script ran mint. Baffled me and my post here (about 1 1/2 years ago) was unanswered... |
||||||||
|
|
|||||||
While the fact the entire script gets loaded in memory helps those that try to do an encrypted delivery system of decrypt / load /delete, (re: Richard's post) it has no bearing on on-the-fly decryption. It matters not if encrypted source is in memory. |
||||||||
|
|
|||||||
there were some points to have secure kix.exe version, named differently. I can't think easier way to make kix to work securely as to add some commandline parameters -e for encryption of script and -s for secure mode execution. this way ruud does not have to do this secure stuff himself. someone(s) can make it and only thing is to add it into the kix-main-exe. this way it could also be developed separately. my €0.0012 |
||||||||
|
|
|||||||
Notice about release of KixCrypt.exe binary in scripts forum |
||||||||
|
|
|||||||
While were on the topic of security...it would be nice also if the kix script could run as a service with local administrator rights, which would of course enable the admin of the logon scripts to deploy files that other wise would not be able to be deployed without su and other systools. my 2 bits. |
||||||||
|
|
|||||||
Dear, A short reaction on this soapbox.
We hope that above suggestions and reactions give Ruud more ideas.
|
||||||||
|
|
|||||||
Dear, We were missing the contents fo second page. Later we will a reaction on it. After analyzing the release KixCrypt.exe. |
||||||||
|
|
|||||||
There's an interesting (almost parallel) discussion thread. On the topic of piping, this too parallels the client/server idea mentioned here. Mainly that the client would have instructions "piped" to it from the server. The "client" could be running in the user's context or a spawned script running in the local admin context. The server-side script could handle admin-like functions not available to the user or local admin. Security checks would need to be instituted to prevent spoofing. |
||||||||
|
|
|||||||
MCA, I like your short reaction. What it will be when longer ? Anyway, to clear a little the soapbox (well, mine especially), read another time what i have in mind It's like the IE Redistribution kit do, but instead of getting uncompress in a temp dir, it goes directly to ram. A single exe file will contain the needed kix.exe (and dll if 9x systems are present), the script(s), and all these one compressed, encrypted, ... what you want. And if necessary, the kix.exe could be launched under the "run as" service Another idea was adding some parameters to check for before unpacking kix and the scripts. They could be the domain name, or other things, so it will only work in a particuliar network and nowhere else. And of course, encrypted into the exe package. You could even add a forced reboot if it not what wanted If correctly done, it can be a little more heavy than 150k (well, 200-250), but i think it will be the cost to It's not really good for slow WAN connections, but at this point seems we don't have choice if we don't want to handle the possible kix trojan. Last days i put everything on paper to get a little clearer, if you are interested [ 15 October 2001: Message edited by: Popovk ] |
||||||||
|
|
|||||||
Dear, We read the rest of this topic and here is our long reaction:
Greetings. [ 21 October 2001: Message edited by: MCA ] |
||||||||
|
|
|||||||
To answer the ScriptLogic question... ScriptLogic 3.XX overcomes the Administrative issue with writing to the registry by installing a DC-based service (running as a Domain Admin) which remotely modifies the client's registry, when requested by a client-side command line utility. ScriptLogic 4.XX can run any program as an administrator, much the same way other management apps (like SMS) do. By using a server-side and client-side service, and then making the request using a client-side command-line program. --------- Regarding encryption: during my last phone conversation with Ruud, he mentioned that tokenizing is on the top of his priorty list for the next version of KiX. --------- Hope this helps, |
||||||||
|
|
|||||||
Dear Brian, Thanks for your input and specially the reaction from Ruud. |
||||||||
|
|
|||||||
MCA, Thanks for your comments and for taking the time to download and check out the KixCrypt binary. I'm aware of the short-comings of the KixCrypt process. For a start the password is included in the binary as clear text. The password won't allow you to decrypt the file without knowing the contents of the code tables and peturbing parameters but it will help reverse engineer the encryption *if* you get an encrypting version of the binary. Secondly, and more importantly the source code is published. Anyone can take it and change it so that the decrypted file is not deleted. Now all they need to do is to grab the encrypted script off the end of your file and tack it onto their hacked version. If you have the encrypting binary you can also use a char(0) attack to expose the XOR tables. Together with the password this will give you a decrytion key. KixCrypt is not intended for use by "normal" users, so the fact it dumps to the console is not a problem. Anyone who runs it without reading and understanding the associated help pages should expect to have problems. The instructions on use are simple and quite explicit. There is even a specific warning about binary output to the console If you want to *really* use it you should take the source code and change the encryption tables and peturbing parameters and use the customised version in your own organisation. Now no-one has your personal encryption algorithm. After you create a distributable version of kixcrypt with your encrypted script attached the kixcrypt program will not encrypt again. This means your cracker type cannot create simple scripts and keep pushing them through to determine the algorithm, unless you publish your personal version of kixcrypt. I don't know if you've looked at the source code for KixCrypt, but the encryption algorithm while simple would be devilishly hard to crack without clues, moreso with long scripts. The encryption is a simple XOR, but the password is not used to do the XOR itself, the password is used to generate a key which gets the encryption values from a set of "one time pads". There are also bitshifting processes and the sequence of the password characters used is not linear - sometimes the characters are skipped. KixCrypt is not a finished product - I tried to emphasise this as often as possible in the files and on the download page, heh . It works and you can use it in it's current state in a live environment, although you would want to compile your own version so you don't have the same encryption algorithm as is in the download binary and source files. The purpose was to show that something can be done quite simply, and to encourage more debate. Other than bug fixes and updating the hash checksum for new relases of KixTart I probably won't be adding any features to KixCrypt. I released the source code so that anyone who wished to can have a hack about with it and customise it for their own use. Some things you might like to add are:
|
||||||||
|
|
|||||||
Brian, You mention "tokenizing" as high on Ruud's list. When I read Ruud's interview (http://home.wanadoo.nl/scripting/specials/interview.htm) he makes reference to "the .NET CLR". Is this what you are referring to? |
||||||||
|
|
|||||||
Dear Les, Information for the other readers. The last time bstyles repeat his statement was 1 June 2002. His reaction was quote:An earlier reaction of him was from 21 October 2001. His input was: quote:on this topic source file encryption Possible that bstyles can update the status of it. greetings. |
||||||||
|
|
|||||||
oh, indeed. tokenizing has been part of kix since 4.20 as an internal thing and tokenized scripts are available since 4.50 alpha 1. |