- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
I work in a company that produces scientifics softwares, consisting in a .NET GUI calling a Fortran executable to carry on computations.
We would like to make sure that a malicious customer can not use the Fortran executable as a standalone.
In other words, we would like to make sure that the executable runs properly only if it is called through the GUI.
Is it even possible ?
If not, would you have any other recommendation on how to protect our executables ?
Any help would be much appreciated,
Thanks in advance
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
Thank you very much for your time and answers.
I think we are going to explore the CLA solution first as it is really easy to implement.
Wishing you a nice day,
Edouard
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
You can add a "non printable" argument (below 32) in the call parameters that can only be included in a program call or a "coded" argument that can be checked by he program.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using a secret argument might be easy to capture (create a fake program of same name as your Fortran program to capture the command line arguments).
An alternative method could be to set bInheritHandles in SECURITY_ATTRIBUTES and then use a handle to something more obscure/difficult to discover. For example, a memory mapped file, a pipe, event, mutex, etc... any of which that you can construct your "secret handshake".
Jim Dempsey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Passing a timestamp (even coded) to the program and check that it's not too old may avoid basic hacking.
All depend on the cost/benefit balance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a similar situation. I know the outline of our solution, but not the details.
We digitally sign the main function call to Fortran using one of the standard digital signature algorithms. We use two sources of data:
- parameters hard coded into the Fortran DLL - essentially a private key shared with C#. I think we try to conceal the definition of it using TRANSFER but this is probably a waste of time
- values concealed in "unused" fields in Fortran subprogram array arguments. These are initialized to random values and then selected bytes are set to contain the values of interest. These are extracted and combined in Fortran.
Initially we extracted eights scattered bytes of interest, XORed four bytes with our "32-bit private key" and compared them to the other 4 bytes. We just return an internal error if authentication fails. EDIT: We now use a proper crypto algorithm.
I think we now generate the GUI data in C++ as we were concerned about the security of the C# application.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was thinking about your problem over the weekend, as I sat for two hours in a football traffic jam.
There is no security in a C# program, the jetbrains people give you a free viewer. Lisp used to have an obsquring program.
Strand in Australia, which is a Fortran program use a HASP, that works well. It is quite annoying you have to find the HASP.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
Thank you very much for your time and answers.
I think we are going to explore the CLA solution first as it is really easy to implement.
Wishing you a nice day,
Edouard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page