Security and the well constructed Qt plugin

Home
Forums
Qt Development
General and Desktop
Security and the well constructed Q...

December 2, 2011

jsprenkle

Lab Rat
19 posts

I’m building an application using plugins. I believe you could build a malicious plugin, copy it into the correct directory, and my main program would happily run it. I’d like the main program to be smart enough to detect unauthorized plugins and reject them. An encrypted signature and a hash on the binary content of each plugin would work well. Has anyone done anything toward this goal? Or a cross platform library for generating signatures for shared libraries?

I’m aware of how windows does signs executables. Linux not so much. I don’t need Mac compatibility.

Thanks for your time!

4 replies

December 3, 2011

veeeee_d

Lab Rat
56 posts

Ultimately, there is no way you can stop someone from loading a custom plugin. Even using an encrypted, hashed, hidden and topped key, one could simply find the key and copy it. I wouldn’t worry a lot about those things if I were you.

December 3, 2011

jsprenkle

Lab Rat
19 posts

If a decent cryptographic signature is used “finding the key” would require more time that it would be worth for an attacker. This is how all modern security works. Throwing up my hands and saying it’s not possible so why bother isn’t a useful answer.

December 3, 2011

veeeee_d

Lab Rat
56 posts

I’ve been a game developer for some time now, so I like to think my opinion when it comes to people interfering in my program is somewhat valuable. But, if you think that way, let someone else answer you.

December 3, 2011

jsprenkle

Lab Rat
19 posts

Thanks for helping.

‹‹ Multiple inheritance from QObject (QObject is an ambiguous base of ...) Possible Qt Bug: Tool Tips on QTreeView using Proxy Widget with ItemIgnoresTransformations ››

You must log in to post a reply. Not a member yet? Register here!

Tags what is this? Undo?

Ratings what is this?

Forum menu

Not registered?

December 2, 2011