9 replies to this topic

[JustPingo]

Hi everyone.
I'm working on a program which need to check if os.computerID() has been overwritted.

I've thought that if I check the size of os.computerID, I can compare it to the original size and check if there's differences.
But, I saw that it was the CC's Java part. So I can't get the original size.

Is there a way to know the size of this thing ? Or is there an easier way to check if os.computerID() has been overwritted ?

Thanks you in advance !

EDIT : Solved !

Spoiler

Lyqyd, on 09 September 2013 - 04:50 PM, said:

You might see if the bytecode it dumps to is consistent. Other than checking that, you won't really have any way of verifying that it is intact. This is ignoring the fact that if you're basing anything important on the computer ID, you've gone wrong several steps ago, of course.

immibis, on 10 September 2013 - 02:22 AM, said:

Then the hypothetical attacker can override string.dump.

 local oldGetID, oldDump = os.computerID, string.dump function os.computerID() return 42 end function string.dump(f) if f == os.computerID then error("dan200.computer.core.LuaJLuaMachine$2 cannot be cast to org.luaj.vm2.LuaClosure", 0) end -- the exact error message CC gives return oldDump(f) end 

(does this count as malicious code? it could be part of a legitimate sandbox) Edit: This can be countered by:

 local old = os.computerID function os.computerID() end local isBeingAttacked = not pcall(string.dump, os.computerID) os.computerID = old 

which can be countered by:

 local oldGetID, oldDump = os.computerID, string.dump function os.computerID() return 42 end local ourComputerID = os.computerID function string.dump(f) if f == ourComputerID then error("dan200.computer.core.LuaJLuaMachine$2 cannot be cast to org.luaj.vm2.LuaClosure", 0) end return oldDump(f) end 

which can be countered by:

 local isBeingAttacked = pcall(string.dump, string.dump) 

which can be countered by: ...etc This could go on for a while. Eventually, the attacker will win. If a sufficiently determined attacker has full access to the computer running your program, they will always win, and there is nothing you can do about it. Of course, maybe this has nothing to do with security. If you're not trying to defend against sufficiently determined attackers, this should do:

 local isComputerIDOverridden = pcall(string.dump, os.computerID) 

[LBPHacker]

If somebody overwrites os.computerID, they'll put the original function into a local (unrachable because of Lua) or into same random index in _G (unreachable because of the randomness). So I think there is no real way of doing that. There's of course the startup script, which can back up os.computerID, though I assume there is already a startup script; the one that overwrites os.computerID, so that's not a way.

[theoriginalbit]

Why would someone ever override os.getComputerID? o.O

[JustPingo]

Long story.

[Cranium]

theoriginalbit, on 09 September 2013 - 12:51 PM, said:

Why would someone ever override os.getComputerID? o.O

ID based security system bypass.

[immibis]

If there was, then the person who overrode os.computerID would just override it too.

[Lyqyd]

You might see if the bytecode it dumps to is consistent. Other than checking that, you won't really have any way of verifying that it is intact. This is ignoring the fact that if you're basing anything important on the computer ID, you've gone wrong several steps ago, of course.

[immibis]

Then the hypothetical attacker can override string.dump.

local oldGetID, oldDump = os.computerID, string.dump
function os.computerID() return 42 end
function string.dump(f)
  if f == os.computerID then error("dan200.computer.core.LuaJLuaMachine$2 cannot be cast to org.luaj.vm2.LuaClosure", 0) end -- the exact error message CC gives
  return oldDump(f)
end

(does this count as malicious code? it could be part of a legitimate sandbox)

Edit: This can be countered by:

local old = os.computerID
function os.computerID() end
local isBeingAttacked = not pcall(string.dump, os.computerID)
os.computerID = old

which can be countered by:

local oldGetID, oldDump = os.computerID, string.dump
function os.computerID() return 42 end
local ourComputerID = os.computerID
function string.dump(f)
  if f == ourComputerID then error("dan200.computer.core.LuaJLuaMachine$2 cannot be cast to org.luaj.vm2.LuaClosure", 0) end
  return oldDump(f)
end

which can be countered by:

local isBeingAttacked = pcall(string.dump, string.dump)

which can be countered by:
...etc
This could go on for a while. Eventually, the attacker will win. If a sufficiently determined attacker has full access to the computer running your program, they will always win, and there is nothing you can do about it.



Of course, maybe this has nothing to do with security. If you're not trying to defend against sufficiently determined attackers, this should do:

local isComputerIDOverridden = pcall(string.dump, os.computerID)

[JustPingo]

Thanks you all !
I think this defense is completly enough.
I know I can't do something completly safe with CC, but the maximum that I can do is the best.
An other time, thanks you.

[immibis]

Also, if someone is trying to attack your program, they can just edit it and remove the security checks.