Hello,
I was wondering if anybody has ever used SDL for any type of secure programming? I understand SDL’s focus is ease of use and portability, so it’s not necessarily meant to be used for a secure program. Regardless, is there any security concerns I should be aware of if I wanted to use SDL as the means to get mouse input, keyboard input, and display a simple graphics window for, lets say, a extremely sensitive program dealing with important financial data being encrypted/decrypted? Im especially intersted in Sam Lantinga’s comment regarding this question.
Regards,
Anybody?
Im mainly interested in the keyboard input. SDL programs get the keyboard input from SDL, which means if you’re requesting a password that needs to be kept absolutely secret, SDL needs to completely erase it’s keyboard buffer, and the buffer also needs to be absolutely secure. Does anybody know whether SDL can handle such an application?
-
Jeremiah
http://inlovewithGod.com-----Original Message-----
From: sdl-admin at libsdl.org on behalf of Martell, Jeremiah
Sent: Sat 1/31/2004 3:41 PM
To: sdl at libsdl.org
Cc:
Subject: [SDL] SDL secure?
Hello,
I was wondering if anybody has ever used SDL for any type of secure programming? I understand SDL's focus is ease of use and portability, so it's not necessarily meant to be used for a secure program. Regardless, is there any security concerns I should be aware of if I wanted to use SDL as the means to get mouse input, keyboard input, and display a simple graphics window for, lets say, a extremely sensitive program dealing with important financial data being encrypted/decrypted? Im especially intersted in Sam Lantinga's comment regarding this question.
Regards,
-------------- next part --------------
A non-text attachment was scrubbed…
Name: not available
Type: application/ms-tnef
Size: 4342 bytes
Desc: not available
URL: http://lists.libsdl.org/pipermail/sdl-libsdl.org/attachments/20040201/a5a0198e/attachment.bin
SDL doesn’t have a keyboard buffer, I don’t think.
SDL simply uses underlying APIs to read keyboard, mouse, joystick, etc.,
and then bubbles that info up through its own API and event system.
So first off, it’s as secure (or insecure) as the underlying API,
be it XWindow, SVGALib, DirectX, etc.
Hopefully I’m not far off, and haven’t made a complete fool of myself, have I?
-bill!On Sun, Feb 01, 2004 at 10:46:01PM -0500, Martell, Jeremiah wrote:
Anybody?
Im mainly interested in the keyboard input. SDL programs get the keyboard input from SDL, which means if you’re requesting a password that needs to be kept absolutely secret, SDL needs to completely erase it’s keyboard buffer, and the buffer also needs to be absolutely secure. Does anybody know whether SDL can handle such an application?
I think he means the keyboard buffer in the OS. I think the keyboard
hardware itself might have some sort of buffer, too, though I’m not
entirely sure.
You might be able to bypass the OS’s keystroke buffer if you keep the
KeyRepeat disabled (which it is by default, I think.) But that’s gonna
depend on how SDL receives key events from the OS, as well as how OS
handles keystrokes from the keyboard, neither of which I have much
knowledge of. Maybe someone else knows. Good luck!
-MarkOn Sun, 1 Feb 2004, Bill Kendrick wrote:
On Sun, Feb 01, 2004 at 10:46:01PM -0500, Martell, Jeremiah wrote:
Anybody?
Im mainly interested in the keyboard input. SDL programs get the
keyboard input from SDL, which means if you’re requesting a password
that needs to be kept absolutely secret, SDL needs to completely erase
it’s keyboard buffer, and the buffer also needs to be absolutely
secure. Does anybody know whether SDL can handle such an application?
SDL doesn’t have a keyboard buffer, I don’t think.
SDL simply uses underlying APIs to read keyboard, mouse, joystick, etc.,
and then bubbles that info up through its own API and event system.
So first off, it’s as secure (or insecure) as the underlying API,
be it XWindow, SVGALib, DirectX, etc.
Hopefully I’m not far off, and haven’t made a complete fool of myself, have I?
-bill!
SDL mailing list
SDL at libsdl.org
http://www.libsdl.org/mailman/listinfo/sdl
–
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.jsp?id=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage
Let’s just say I’m pretty sure no one has ever done a security audit on SDL,
coupled with the fact that it accesses different API’s on every platform to
complete tasks and then the security of those API’s have to be brought into
question. I would’nt feel comfortable using SDL for anything that needed to
be secure, nor would I really feel comfortable using any cross platform
library since cross platform usually ensures that compromises have to be
made (unless of course it was some kind of cross platform library that was
built to be secure in the first place).> ----- Original Message -----
From: jmarte01@bellarmine.edu (Martell, Jeremiah)
To:
Sent: Sunday, February 01, 2004 10:46 PM
Subject: RE: [SDL] SDL secure?
Anybody?
Im mainly interested in the keyboard input. SDL programs get the keyboard
input from SDL, which means if you’re requesting a password that needs to be
kept absolutely secret, SDL needs to completely erase it’s keyboard buffer,
and the buffer also needs to be absolutely secure. Does anybody know whether
SDL can handle such an application?
-----Original Message-----
From: sdl-admin at libsdl.org on behalf of Martell, Jeremiah
Sent: Sat 1/31/2004 3:41 PM
To: sdl at libsdl.org
Cc:
Subject: [SDL] SDL secure?
Hello,
I was wondering if anybody has ever used SDL for any type of secure
programming? I understand SDL’s focus is ease of use and portability, so
it’s not necessarily meant to be used for a secure program. Regardless, is
there any security concerns I should be aware of if I wanted to use SDL as
the means to get mouse input, keyboard input, and display a simple graphics
window for, lets say, a extremely sensitive program dealing with important
financial data being encrypted/decrypted? Im especially intersted in Sam
Lantinga’s comment regarding this question.
Regards,
Anybody?
Im mainly interested in the keyboard input. SDL programs get the keyboard input from SDL, which means if you’re requesting a password that needs to be kept absolutely secret, SDL needs to completely erase it’s keyboard buffer, and the buffer also needs to be absolutely secure. Does anybody know whether SDL can handle such an application?
SDL stores all input in a queue until it is read. So, a key stroke sits
in the queue until processed. After it is processed it stays in the
memory used by the queue until it is eventually overwritten.
From the point of view of “serious” security people SDL is not secure.
Even if it ran on top of a truly secure OS SDL was not designed or
coded to do the kind of security oriented erasure of temporary data
structures you are talking about.
There is also a secondary problem with security and SDL. Because of the
LGPL if you publicly distribute an SDL program you must allow the
program to be relinked with a new version of SDL. That means that an end
user can put in a specially coded version of SDL that can trace all
input. This is not a problem for most people who are writing secure
software because the code will never be distributed outside of the
developing organization and therefore does not have to comply with that
legal restriction.
Because it s open source and because it can run without a windowing
system by directly accessing the frame buffer and input devices SDL
would be a good starting point for a secure standalone graphics API for
secure applications. It would require a detailed secure audit and some
amount of recoding to make it secure enough to us.
Bob PendletonOn Sun, 2004-02-01 at 21:46, Martell, Jeremiah wrote:
-----Original Message-----
From: sdl-admin at libsdl.org on behalf of Martell, Jeremiah
Sent: Sat 1/31/2004 3:41 PM
To: sdl at libsdl.org
Cc:
Subject: [SDL] SDL secure?
Hello,
I was wondering if anybody has ever used SDL for any type of secure programming? I understand SDL's focus is ease of use and portability, so it's not necessarily meant to be used for a secure program. Regardless, is there any security concerns I should be aware of if I wanted to use SDL as the means to get mouse input, keyboard input, and display a simple graphics window for, lets say, a extremely sensitive program dealing with important financial data being encrypted/decrypted? Im especially intersted in Sam Lantinga's comment regarding this question.
Regards,