DEV Community

loading...

SuperPyOS- the security

17lwinn profile image 17lwinn ・2 min read

stopping piracy one step at a time...

well not really.


further down the line, we realised after pushing to github that people would poke around at our code. Find vulnerabilities and send pirate copies of the system to others

YES I KNOW IT'S OPEN SOURCE! BUT YOU NEED TO BE PREPARED!


step 1. the name

We needed a name that sounded professional but friendly, in the end we settled for the name EN_LICE_ULOCK. It was a bad name but we didn't have a lot of time.

step 2. the code

There needed to be a way to stop execution on startup if something was missing, licelock 1.0 looked like this:


import os
import sys
import logging
from datetime import datetime
from time import *

f = open("LICENSE.txt", "r")

it was bad, really bad...

all it does is look for a LICENSE.txt file, and python throws the tantrum when it can't be found, we needed to change and fast.

step 3. securing further and the API

First, we needed to change the way licelock works...

  1. instead of putting it in the main code, we turn it into a module and ship with every copy.

  2. change what it looks for, or at least seperate into levels of protection.

  3. get the update out fast.


so our new proccedure worked like this:

def keylock():
    from base64 import (
        b64encode,
        b64decode,
    )

    from Crypto.Hash import SHA256
    from Crypto.Signature import PKCS1_v1_5
    from Crypto.PublicKey import RSA


    message = "Validated"
    digest = SHA256.new()
    digest.update(message)

    # Read shared key from file
    private_key = False
    with open ("superpy.pem", "r") as myfile:
        private_key = RSA.importKey(myfile.read())

    # Load private key and sign message
    signer = PKCS1_v1_5.new(private_key)
    sig = signer.sign(digest)

    # Load public key and verify message
    verifier = PKCS1_v1_5.new(private_key.publickey())
    verified = verifier.verify(digest, sig)
    assert verified, ("Signature verification failed")
    print("Successfully verified signature, booting...")
    os.system("python3 boot.py")

look for secure keys instead of editable text files!

just for ref- the keys are generated through openSSL:

openssl genrsa -out private_key.pem 1024

now with that sorted, we needed to import it into the code. We saved it as licelock.py and in our main file we added-

import licelock

licelock.keylock()

and there we go, a simple but secure mechanism that shuts off the script if there isn't a key. I WOULD NOT use this in production if I was you!

Discussion (0)

pic
Editor guide