使用GETENV在安全性方面 [英] using getenv with respect to security
问题描述
如果我用的getenv()
禁用我的计划的一些验证(例如许可证检查)将黑客能够很容易地发现有关环境变量(使用strace的还是其他?)
If I use getenv()
to disable some verifications of my program (for instance license checking) will a hacker be able to discover easily the concerned environment variable (using strace or other ?)
code的例:
if (! getenv("my_secret_env_variable")) checkLicense();
(如果,另一方面,我查了特定文件的presence,黑客会看到它立即使用strace)
(If, on the other hand, I checked the presence of a specific file, the hacker would see it immediately with strace)
推荐答案
的黑客会立即看到它与使用strace 的 - 也许你应该看看 ltrace
以及
the hacker would see it immediately with strace - maybe you should take a look at ltrace
as well?
虽然你可能无法隐藏变量名,为什么不要求值为?特别是,您可以使用一个整数,一个有效的值(的atoi
),因为它们有很多更难code被发现,甚至一个整数和单字符的组合。但是请记住,环境块是内存找到一个容易的部分,尤其是在一个核心转储。
While you might not be able to hide the variable name, why not require a value? In particular you could use an integer for a valid value (atoi
) since they are a lot harder to spot in code, or even a combination of ints and single chars. However remember that the environment block is an easy part of memory to find, especially in a core dump.
这篇关于使用GETENV在安全性方面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!