[PHP] Local variable protection
Are there any assurances that function local variables are protected from
code calling the function?

For example, I would like to provide some cryptographic functions such as

function org_secure_string($string) {
    $org_key = "a very random key";
    return hash($string, $org_key);
}

function org_reveal_string($hash) {
    $org_key = "a very random key";
    return unhash($hash, $org_key);
}

I'd like to protect $org_key from any code following or using these
functions. I've not yet found a way that it can be revealed, but I wonder
if anyone here can give me a definitive answer whether or not it is possible.

Ben

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Local variable protection
On Oct 12, 2011, at 4:24 PM, Ken Robinson wrote:

> Quoting Benjamin Coddington:
>
>> Are there any assurances that function local variables are protected from
>> code calling the function?
>>
>> For example, I would like to provide some cryptographic functions such as
>>
>> function org_secure_string($string) {
>>     $org_key = "a very random key";
>>     return hash($string, $org_key);
>> }
>>
>> function org_reveal_string($hash) {
>>     $org_key = "a very random key";
>>     return unhash($hash, $org_key);
>> }
>>
>> I'd like to protect $org_key from any code following or using these
>> functions. I've not yet found a way that it can be revealed, but I wonder
>> if anyone here can give me a definitive answer whether or not it is possible.
>
> It's called the scope of the variable. See
> http://us3.php.net/manual/en/language.variables.scope.php
>
> Variables defined in a function are only available to the function where they
> are defined.

Yes, but scope does not necessarily protect a value. Within a function,
globals are out of scope, but their values can still be accessed through
$GLOBALS.

Many languages have little-documented reflection features. I am concerned
about a determined person being capable of discovering the value of a
variable within a function that has already been defined. Is there a way to
do this? Is there a way to examine the input buffer, or anything that has been
read into the interpreter so far? Certainly those values exist within the
memory of the process, which can be accessed through other methods.

I'd be very happy if anyone is able to say it is not possible to do this, and
explain why.

Ben

Re: [PHP] Local variable protection
On Oct 13, 2011, at 5:05 AM, Stuart Dallas wrote:

> On 12 Oct 2011, at 21:06, Benjamin Coddington wrote:
>
>> Are there any assurances that function local variables are protected from
>> code calling the function?
>>
>> For example, I would like to provide some cryptographic functions such as
>>
>> function org_secure_string($string) {
>>     $org_key = "a very random key";
>>     return hash($string, $org_key);
>> }
>>
>> function org_reveal_string($hash) {
>>     $org_key = "a very random key";
>>     return unhash($hash, $org_key);
>> }
>>
>> I'd like to protect $org_key from any code following or using these
>> functions. I've not yet found a way that it can be revealed, but I wonder
>> if anyone here can give me a definitive answer whether or not it is possible.
>
> Maybe I'm missing something, but whatever protection might exist within a
> running PHP process, they'll simply be able to open your PHP file and see it
> there. Even if you're using something like Zend Guard, the string literal
> will not be difficult to extract.

We'll get around this by defining the functions in PHP's auto_prepend_file,
where we'll also restrict access to the file with open_basedir.

Ben
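
An added example, not part of any message in the thread: a PHP check that reports whether the file defining a key-holding function is readable from the calling code under the current open_basedir, which is the exposure raised in the last reply. The function body, the sample key, the helper name audit_function_secrecy() and the use of hash_hmac() in place of the thread's hash() placeholder are assumptions.

```php
<?php
// Added example: report what code in the same PHP process can learn about a
// function's local key. The function and key below are constructed samples.

function org_secure_string(string $string): string {
    $org_key = 'constructed-sample-key';          // local, never returned
    return hash_hmac('sha256', $string, $org_key); // stand-in for hash()
}

/**
 * Audit one user-defined function (hypothetical helper): static variables
 * are visible through reflection, plain locals are not, but the defining
 * source file may still be readable by the caller.
 */
function audit_function_secrecy(string $function): array {
    $ref  = new ReflectionFunction($function);
    $file = $ref->getFileName();                  // false for internal functions
    // is_readable() honours open_basedir; suppress its restriction warning.
    $readable = $file !== false && @is_readable($file);
    return [
        'function'          => $function,
        'defined_in'        => $file,
        'static_vars'       => array_keys($ref->getStaticVariables()),
        'source_readable'   => $readable,
        'open_basedir'      => ini_get('open_basedir'),
        'auto_prepend_file' => ini_get('auto_prepend_file'),
    ];
}

org_secure_string('warm-up call');                // locals are gone after return
$report = audit_function_secrecy('org_secure_string');

// The local never enters global scope, so $GLOBALS does not hold it.
$report['in_globals'] = array_key_exists('org_key', $GLOBALS);
// What remains is the file that contains the string literal.
$report['verdict'] = $report['source_readable']
    ? 'EXPOSED: calling code can read the file that holds the literal'
    : 'defining file is not readable from this process context';

print_r($report);
```

Run from the context of the calling code (same SAPI and ini settings), the verdict shows whether the open_basedir restriction actually covers the file named in defined_in.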