I'm working on Adaptive AutoSar tsync module.
Now I'm trying to find the way how to verify tsync library between ECUs.
But I don't have any idea of verifying tsync library.
If anyone is able to know how to verify tsync library from time synchronization, Please let me know
You can call now() function periodically from the different ECUs and see if the values are matching.
Related
Can a running nodejs program cryptographically prove that it is the same as a published source code version in a way that could not be tampered with?
Said another way, is there a way to ensure that the commands/code executed by a nodejs program are all and only the commands and code specified in a publicly disclosed repository?
The motivation for this question is the following: In an age of highly sophisticated hackers as well as pressures from government agencies for "backdoors" that allow them to snoop on private transactions and exchanges, can we ensure that an application has been neither been hacked nor had a backdoor added?
As an example, consider an open source-based nodejs application like lesspass (lesspass/lesspass on github) which is used to manage passwords and available for use here (https://lesspass.com/#/).
Or an alternative program for a similar purpose encryptr (SpiderOak/Encryptr on github) with its downloadable version (https://spideroak.com/solutions/encryptr).
Is there a way to ensure that the versions available on their sites to download/use/install are running exactly the same code as is presented in the open source code?
Even if we have 100% faith in the integrity of the the teams behind applications like these, how can we be sure they have not been coerced by anyone to alter the running/downloadable version of their program to create a backdoor for example?
Thank you for your help with this important issue.
sadly no.
simple as that.
the long version:
you are dealing with the outputs of a program, and want to ensure that the output is generated by a specific version of one specific program
lets check a few things:
can an attacker predict the outputs of said program?
if we are talking about open source programs, yes, an attacker can predict what you are expecting to see and even can reproduce all underlying crypto checks against the original source code, or against all internal states of said program
imagine running the program inside a virtual machine with full debugging support like firing up events at certain points in code, directly reading memory to extract cryptographic keys and so on. the attacker does not even have to modify the program, to be able to keep copys of everything you do in plaintext
so ... even if you could cryptographically make sure that the code itself was not tampered with, it would be worth nothing: the environment itself could be designed to do something harmful, and as Maarten Bodewes wrote: in the end you need to trust something.
one could argue that TPM could solve this but i'm afraid of the world that leads to: in the end ... you still have to trust something like a manufacturer or worse a public office signing keys for TPMs ... and as we know those would never... you hear? ... never have other intentions than what's good for you ... so basically you wouldn't win anything with a centralized TPM based infrastructure
You can do this cryptographically by having a runtime that checks signatures before running any code. Of course, you'd have to trust that runtime environment as well. Unless you have such an environment you're out of luck - that is, unless you do a full code review.
Furthermore you can sign the build by placing a signature within the build system. The build system and developer access in turn can be audited. This is usually how secure development environments are build. But in the end you need to trust something.
If you're just afraid that a particular download is corrupted you can test against an official hash published at one or more trusted locations.
I'm trying to secure my play application but I have no idea where to start. In play tutorial I have not found any chapter about that topic. As far as I see security topic is changing between play versions. So what are You guys using to secure Yours applications.
I'm new in Play so please forgive me if I'm asking obvious questions.
Edit:
Ok, maby question was't clear enough(I'm really sorry about that). When talking about security I mean that I need something to deal with users credentials and tool which allows me to restrict access to some pages and eventually to some rest actions in my application.
Edit2:
I'll try deadbolt2 now and we'll see how does it works. But I still encurage You guys to share Your knowledge about Play security with others:)
The documentation seems to still be a bit lacklustre on this topic, but essentially, authentication/authorisation functionality is usually performed using Action composition, which is the basis of reusable controller code in Play. There an example here (also linked from the docs that should help give you the general idea.)
Action composition in Play 2.2.x is done using ActionBuilders. These take a block which accepts a request and returns a Future[SimpleResult]. This allows the action builder to either execute the given block, or return a different Future[SimpleResult] (say, an Unauthorized in the case that a user's credentials did not check out.)
In our app we use the Play2-auth module for handling authentication with session cookies. This has (just) been updated to work with Play 2.2.x but uses a slightly different mechanism for action composition (stackable controllers.) You might be best off working out how the precise functionality you need can be accomplished just using the native framework tools before adding a dependency to it.
I agree with the other answers but just add that I use securesocial to integrate with other auth providers (google, FB, etc...), so I don't have to do auth myself. It's quite easy to get up and running.
https://github.com/jaliss/securesocial
Access control, security, etc. is a very wide topic, because it means very different things depending on context. This may be one of the reasons why Play has little documentation for it, which puzzled me at the beginning as well.
Play2 has some security helpers, namely it's the Authenticated method, for some insights on how to use it, check the comments in the source code. Its a simple method that you could implement yourself, and most do. It, essentially, just proposes a structure for where to place your methods that would check if request is authenticated and what to do if it's not.
Play2 also has some cryptography logic, which is used for signing cookies.
That's about it, you don't have any more pre-built security structures, but that's a good thing, because you don't want the framework making decisions like that for you, if it doesn't know in what context it will be used.
What is essential is to go and research how attacks relevant to your application are carried out, best practices and so on. I recommend going to OWASP, particularly the OWASP Cheat Sheets. If the list of Cheat Sheets seems intimidating start with the OWASP Top Ten Cheat Sheet. Don't mind the large volume of information, it's very useful knowledge.
I've been using the MonoTorrent library for a couple of weeks now and am looking for any kind of feedback or recommended alternatives.
The only issue I have with the library so far is that it is MUCH slower than uTorrent, I am not sure if this is a configuration issue or whether it doesnt support a required feature etc, but I require higher speeds for my needs and I found that for the exact same file I can get a major difference (times 100) in terms of the numbers of seeders and speeds.
I wanted to give libtorrent a try as well but have not been able to even compile the windows dll, let alone write the required code to use it :-)
I probably don't know much about the history of the torrent protocol but found it strange to find so little support in the C#/.Net world.
Was even considering wrapping the uTorrent client somehow, but it might be 'frowned upon' lol
Ended up using the libtorrent C++ library (running on a seperate process with added REST api to communicate with the main program) it works well and the torrent performance is excellent.
I'm creating a simple GTK+ based application in Vala, which should be able to write into system directories, so it needs root access. I realize that giving full root access is a bad idea, so I need a way to gain temporary privileges.
In theory, the PolicyKit D-Bus service is the tool for the job, but I have no idea how to use it, let alone in Vala code. Any insight would be appreciated.
update:
I have done some further digging. My starting point was this. So basically what I need is finding out how to adapt these solutions to PolicyKit. For this, it is necessary to find the D-Bus interface of PolicyKit. I found it here. (Strangely I didn't find it in my local /usr/share/dbus-1/interfaces folder.) But now I have no idea how to continue.
The polkit Reference Manual contains some good information, including a high-level overview on writing polkit applications.
Instead of using the D-Bus interface directly, you should probably consider using the libpolkit-gobject-1 library. You can use the GIR directly, or generate a VAPI (which I would recommend) with vapigen. Here is one I just generated. I'm not really familiar with the API, but it is very easy to use a C API reference as a reference to figure out the Vala API.
I need to send data from an Air application, using a certificate.
This certificate is to be provided by the user through a USB Key.
I've got a lot of questions regarding this.
Is it possible to do what I'm looking for?
If yes, is it possible to do that only with the Flex/Air sdk or should I use Java or some other language to load the certificate?
Would anyone have a link where I can learn some more about this? I've been looking through the web, but haven't really found anything useful...
For the certificate stuff, you may take a look at the as3crypto library, which is doing an awesome work in implementing various cryptographic and security related algorithms in AS3. I've used this particular library to do data signing and verification, using an external X.509 certificate.
The implementation in this library is pretty straightforward, and you shouldn't be confused about it, if you are a little familiar with cryptography and the whole keys/signing/certificates world.
[Edit] If you are not, you might want to take a look at the Digital Signature page on Wikipedia, which is a pretty good introduction to this world. Also, because the AS3 implementation of RSA is quite slow, if you want to sign a large number of data, you may want to sign hash of the data instead of the real data. For the practical code to do this kind of stuff, there is some code sample in the demo of the library.
Also, as you mention that your certificate is coming from an USB drive, you should be aware that using AIR 2.0, you might be able to monitor plugging and unplugging of mass storage devices. That might be cool for your application.