Posted by Paul Pluzhnikov on 05/01/07 17:01
"David T. Ashley" <dta@e3ft.com> writes:
> I am not able to call a shared library directly from PHP.
You should be able to write a PHP extension (another shared library)
which will wrap the vendor-supplied library and provide an interface
that PHP expects. You should be able to load that extension into
unmodified PHP packages you get from RedHat.
> Because the FOB key is one of the parameters that must be used with the
> shared library, it must also be passed from PHP to the compiled C program.
> Because the FOB key is so sensitive, the question is how to pass it from PHP
> to the compiled program securely.
There is no method that will be secure against debugger (even the
PHP extension is prone to debugger discovery of the secret).
If you ignore the debugger, encrypting (via plain XOR) the FOB key
with another key, which is known to your compiled C program and to
your PHP module, is the answer. You can then pass the encrypted key
any way you want: on the command line, via a pipe, through an environment
variable, in shared memory, etc. etc.
> Passing the information on the command line is clearly not secure, because
> program names and command-line parameters are world-visible on a Unix
> system.
And so are environment variables, and so are pipes, and so are files.
Any communication between your PHP process and your compiled C
program is very easy to "sniff" from another process with the same UID.
> However, I was thinking that I could use the PHP proc_open() function:
>
> http://us.php.net/manual/en/function.proc-open.php
>
> to pass the information to the compiled C program's stdin and get
> information back from stdout securely (without others being able to
> eavesdrop).
Other processes with the same UID (or root) will be able to trivially
eavesdrop (as we told you before).
> I guess also I'd need to wipe memory before the compiled C program
> terminates to get rid of any trace of the sensitive information (otherwise
> the memory might be discovered by other processes later).
I believe this attack is impossible on any modern UNIX -- the OS
will not give "dirty" RAM to another process.
Cheers,
--
In order to understand recursion you must first understand recursion.
Remove /-nsp/ for email.
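The proc_open() pipe approach quoted in the exchange above, written out as an added example that is not part of the original post; the helper path, the key value and the function name are placeholders, and the example assumes the helper reads one line from stdin and writes its result to stdout.

```php
<?php
// Added example: hand a secret to a compiled helper over its stdin via
// proc_open() instead of putting it in argv, where `ps` would show it.
// As the reply above notes, this does not protect the secret from another
// process running as the same UID or as root; it only keeps it out of the
// world-visible command line.
function run_helper_with_secret(string $helper, string $secret): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin: we write the secret here
        1 => ['pipe', 'w'],   // child's stdout: we read the result back
        2 => ['pipe', 'w'],   // child's stderr: captured for diagnostics
    ];

    // Only the helper path goes on the command line; the secret does not.
    $proc = proc_open(escapeshellarg($helper), $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start helper $helper");
    }

    // Write the secret and close stdin so the child sees EOF promptly.
    fwrite($pipes[0], $secret . "\n");
    fclose($pipes[0]);

    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    $status = proc_close($proc);   // helper's exit status
    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Placeholder values: a real deployment would read the key from a file
// readable only by the web server's UID, never from a script literal.
$fobKey = 'PLACEHOLDER-FOB-KEY';
$result = run_helper_with_secret('/usr/local/bin/fob-helper', $fobKey);

if ($result['status'] !== 0) {
    error_log('fob-helper failed: ' . trim($result['stderr']));
} else {
    echo 'helper said: ' . trim($result['stdout']) . "\n";
}
```

PHP strings are copy-on-write, so there is no reliable way to scrub `$fobKey` from the PHP process's memory afterwards; keep that in mind when weighing the "wipe memory" idea discussed above.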