Secure code for Delphi apps
Posted on 2004-08-02
I've been wondering about the safety of applications written in Delphi for some time. Of course, much, if not all, of the safety of one's applications comes from the code you write... However, I have some direct questions about how to prevent certain security leaks in one's programs:
1) Buffer overruns
How to prevent these? How to recognize whether some code is free of buffer overruns? Where should one be more careful about _not_ placing code that's liable to buffer overruns (i.e. are internal procedures also liable to buffer overruns if they're, for example, declared as private?)
  type
    PMyRecord = ^TMyRecord;
    TMyRecord = record
      str: array[0..255] of AnsiChar;  { fixed-size buffer; the field is named in the question, its size is assumed }
      length: Integer;                 { the length of str, as referred to below }
    end;

  procedure MyFunction( const MyRecord: PMyRecord );
This code isn't safe, is it? If I put the length of "str" in "length", is it then safe?
2) Disassembly:
I've heard that Delphi apps are easy to disassemble. At least, you get a lot of clues where you need to start disassembling (for example: if you want to find the registration key of some program, you'd rather want to start your search in the procedure DoRegister than anywhere else).
Is there a way to prevent/make it more difficult to disassemble code, apart from using strange names for your procedures?
3) Storing passwords:
Another issue is storing passwords. Is there any secure way to store a password you need to enter your application? For example: a user needs to give a password to maximize the main window. How to store that password?
4) Prevent closure:
Zonealarm is able to make it quite difficult to close from the Tasklist. Just try it, and you'll find that it won't close...
Is there any way to make it more difficult for malicious users to close your application (for example: if your app is monitoring the computer)? Of course, Windows should be able to close it when the computer is being shut down.
However, if Windows can close it, isn't it possible for others to close it as well, by sending the correct Message?
A lot of questions, and I've got some more, but it's a start...
I hope you'll be able to give some answers to these questions.
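An added illustration for question 1 (not code from the original post): the record with an assumed fixed-size str field, a copy routine that trusts the caller-supplied length and overruns the array, and a bounded version that clamps to the array size. The names FillUnchecked, FillChecked and BUF_SIZE, and the field types, are assumptions.

```delphi
program BufferCheckDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils;

const
  BUF_SIZE = 16;   { deliberately small so the overrun is easy to provoke }

type
  PMyRecord = ^TMyRecord;
  TMyRecord = record
    str: array[0..BUF_SIZE - 1] of AnsiChar;  { fixed-size buffer, as in the question }
    length: Integer;                          { bytes the caller claims are in str }
  end;

{ Unsafe: the length is taken from the input, never compared to SizeOf(str).
  Note that {$RANGECHECKS ON} does not help here: Move is not an indexed access. }
procedure FillUnchecked(const MyRecord: PMyRecord; const Src: AnsiString);
begin
  MyRecord^.length := Length(Src);
  if MyRecord^.length > 0 then
    Move(Src[1], MyRecord^.str[0], MyRecord^.length);  { writes past str when Src is long }
end;

{ Hardened: clamp to the array size, keep room for a terminator, report truncation. }
function FillChecked(const MyRecord: PMyRecord; const Src: AnsiString): Boolean;
var
  N: Integer;
begin
  N := Length(Src);
  Result := N < SizeOf(MyRecord^.str);   { False means the input was truncated }
  if not Result then
    N := SizeOf(MyRecord^.str) - 1;
  FillChar(MyRecord^.str, SizeOf(MyRecord^.str), 0);
  if N > 0 then
    Move(Src[1], MyRecord^.str[0], N);
  MyRecord^.length := N;
end;

var
  Rec: TMyRecord;
begin
  { constructed input: longer than BUF_SIZE so the bound check is exercised }
  if not FillChecked(@Rec, 'this string is longer than sixteen bytes') then
    Writeln('input truncated to ', Rec.length, ' bytes: ', PAnsiChar(@Rec.str[0]));
  { FillUnchecked(@Rec, <same input>) would overwrite the length field and whatever follows it. }
end.
```

Storing the length inside the record only helps when every writer checks it against SizeOf(str) before copying; the field itself adds no protection.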