Prevent Modification of Script?

ts-dev

Is it possible to prevent modification of a python file once it's been
deployed? File permissions of the OS could be used... but that doesn't
seem very secure.

The root of my question is verifying the integrity of the application
and the scripts being run. Is this possible, if so, how?
 
Michael Ekstrand

ts-dev said:
Is it possible to prevent modification of a python file once it's been
deployed? File permissions of the OS could be used... but that doesn't
seem very secure.

The root of my question is verifying the integrity of the application
and the scripts being run. Is this possible, if so, how?

Your best bet is probably some sort of cryptographic signature mechanism.
However, if they can modify it, they can likely modify it so that the
signature check is disabled. So you need something you "trust" to verify
said signature.

So basically, except in a "trusted" computing environment, you cannot
entirely ensure what you're wanting. OS permissions are probably the
most practical thing you've got; the signature thing could fool some
slightly more intrepid attackers.

One significant factor: are you worried about other
users on your systems (or other users who share systems with you under a
third party's control), or are you worried about what people will do on
their own systems?

- Michael
 
Ben Finney

ts-dev said:
Is it possible to prevent modification of a python file once it's been
deployed?

Prevent modification by whom?

You can't prevent modification by the person who owns the
machine. It's in their possession, and presumably it's out of yours;
they can do whatever they like.

ts-dev said:
The root of my question is verifying the integrity of the
application and the scripts being run. Is this possible, if so, how?

Never put the program anywhere that someone you don't trust has access
to it.
 
James Stroud

ts-dev said:
The root of my question is verifying the integrity of the application
and the scripts being run.

Google "md5sum". Then google "birthday attack".

James
 
Alex Martelli

Ben Finney said:
Prevent modification by whom?

You can't prevent modification by the person who owns the
machine. It's in their possession, and presumably it's out of yours;
they can do whatever they like.

Hmmm -- if the file is deployed on read-only media it might be possible
to prevent modification. Of course, one could COPY it to read-write
media, and modify the copy, but that would still entirely satisfy the
requirement of "preventing modification of the file" as stated.


Alex
 
ts-dev

Michael Ekstrand said:
One significant factor: are you worried about other
users on your systems (or other users who share systems with you under a
third party's control), or are you worried about what people will do on
their own systems?

Michael, Ben & others:
The short answer is others on a shared system, or malware that could
modify the scripts.

I'm new to python programming and there are just some paradigms I'm
having trouble grasping.
If the scripts can be modified (very easily), how can the application
be trusted?

i.e. if it's an address book, then it would be trivial for malware to
modify the script to override data or send it somewhere else...
It would also seem like it makes user authentication through a
password/username, or encryption useless. The script could easily be
modified to bypass authentication and encryption could be disabled.

Please correct any wrong assumptions that I might be making...

In a compiled application it's not impossible to bypass the code... but
it's not so easy. Perhaps this is just a side-effect of being a
scripted language - not a flaw, just me trying to use it for something
it's not well suited for.

- Kiel
 
Ben Finney

ts-dev said:
If the scripts can be modified (very easily), how can the
application be trusted?

This sounds far more like you don't trust the application *user*.

If that's the case, don't deploy the application such that the user
possesses it. Run it as a service on a machine controlled by people
you *can* trust.

That, or re-evaluate your reason for dealing with people you don't
trust.
 
James Stroud

ts-dev said:
Michael, Ben & others:
The short answer is others on a shared system, or malware that could
modify the scripts.

I'm new to python programming and there are just some paradigms I'm
having trouble grasping.
If the scripts can be modified (very easily), how can the application
be trusted?

i.e. if it's an address book, then it would be trivial for malware to
modify the script to override data or send it somewhere else...
It would also seem like it makes user authentication through a
password/username, or encryption useless. The script could easily be
modified to bypass authentication and encryption could be disabled.

Please correct any wrong assumptions that I might be making...

In a compiled application it's not impossible to bypass the code... but
it's not so easy. Perhaps this is just a side-effect of being a
scripted language - not a flaw, just me trying to use it for something
it's not well suited for.

- Kiel

You are worrying a little too much. Let's say you are genuinely worried
about malware, for example. To justify this worry, answer these questions:

1. Who in the world would take the time to write malware targeted at
your application specifically?
2. What value does your application have that would warrant such effort?
3. Would it not be worth a malware writer's troubles to focus on an easy
target that offers more rewards, like say, Microsoft Crapware 3000, or
whatever they are selling these days?
4. Are you so technically proficient at writing streamlined and
transparent code that a malware author will find your code an easy
target, especially if you distribute it as bytecode?
5. Could you not just md5sum the bytecode and check it from within a
launcher against a value on a server somewhere? How many barriers would
a malware writer need to circumvent to foil this protection scheme?
Again, would it be worth his troubles in fame, fortune, or the knowledge
that he did a good job?
6-7000. Etc.

Write your program in the language most suited for it and, when you hit
it big, hire some security experts.

James
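
The launcher check from point 5 of the post above, as an added example that is not part of the original thread: it uses SHA-256 rather than MD5, and the `trusted` manifest stands in for the value fetched from a server. Function names and sample files are constructed for illustration; the check only helps if the launcher and the manifest live somewhere the attacker cannot write.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Deploy-time step: map each file's relative path to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_tree(root, trusted):
    """Compare the tree against a trusted manifest; [] means intact."""
    current = build_manifest(root)
    findings = []
    for rel, expected in trusted.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif not hmac.compare_digest(current[rel], expected):
            findings.append(("modified", rel))
    # A new file matters too: the script's directory is first on sys.path,
    # so an added module there can shadow one the application imports.
    findings += [("unexpected", rel) for rel in current.keys() - trusted.keys()]
    return sorted(findings)


def demo():
    """Constructed sample tree: returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "addressbook.py").write_text("def lookup(name): return name\n")
        (root / "storage.py").write_text("def save(entry): pass\n")
        trusted = build_manifest(root)  # assumed to be stored off this machine
        before = verify_tree(root, trusted)
        (root / "addressbook.py").write_text("def lookup(name): return None\n")
        (root / "storage.py").unlink()
        (root / "json.py").write_text("# constructed stand-in\n")
        return before, verify_tree(root, trusted)
```
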
 
Thomas Bellman

ts-dev said:
Please correct any wrong assumptions that I might be making..
In a compiled application it's not impossible to bypass the code... but
it's not so easy.

The huge amount of existing viruses targeting binaries seems to
indicate that binary-only distribution does not deter attackers
very well. Your assumption that the availability of source code
makes your program more vulnerable is likely wrong.

ts-dev said:
The script could easily be
modified to bypass authentication and encryption could be disabled.

Relying on authentication done at the client end is doomed to
fail. Doing so is similar to asking people to put the lock in
the door before opening it. It doesn't matter how good a lock
is or how obscure the inside of the lock is if the lock isn't
an integral part of the door; a burglar will simply bring his
own lock, to which he of course has the key, and use that.

ts-dev said:
Perhaps this is just a side-effect of being a
scripted language - not a flaw, just me trying to use it for something
it's not well suited for.

No. To be blunt, it is an effect of you not knowing enough about
security. (Don't feel too bad about it. I have made similar
mistakes myself, but after many years working with computer
security I have managed to learn not to do *that* particular
error again; I hope...)
 
Kiel W.

Thomas Bellman said:
No. To be blunt, it is an effect of you not knowing enough about
security.

Blunt is good =) I ask questions because I don't know. I appreciate
your honesty.
 
Kiel W.

James Stroud said:
You are worrying a little too much. Let's say you are genuinely worried
about malware

Thanks for the feedback. Perhaps you are correct about being too
worried... eh, to be honest you probably are.

James Stroud said:
Write your program in the language most suited for it and, when you hit
it big, hire some security experts.

Very good advice... thanks for taking the time to respond.
 
Steven W. Orr

On Wednesday, Apr 4th 2007 at 18:04 -0700, quoth ts-dev:

=>Is it possible to prevent modification of a python file once it's been
=>deployed? File permissions of the OS could be used..but that doesn't
=>seem very secure.
=>
=>The root of my question is verifying the integrity of the application
=>and the scripts being run. Is this possible, if so, how?

I'm going to take a stab at this one even though I'm a really junior
pythonian.

I know others have already responded, but I'd like to offer a couple of
suggestions that have nothing to do with python. (BTW, I do applaud the
previous answers that suggest that this is really a non-problem in the
first place.)

1. *IF* you are on a linux target platform then it's likely that you have
a package management system in use, either rpm or deb. In either case,
you have the ability to verify by checksum, every file of any package.

In the case of rpm, just use the -V option.

2. You also have the ability to set the immutable flag on ext2/ext3
filesystems. See lsattr/chattr commands. Of course, if you can get root
access then you can shut off immutability, but you can also replace
your package management tools as well. AAAUUUGGGHHH!!!

--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
 
