I was going to make an AIR application but I need to execute an external application and because of the security restrictions in Adobe AIR... I was thinking why not try and bypass it by writing some C code that does something like System("file to execute"); and then use Alchemy to change it into a swc and us that in my application... Anyone tried this sort, or think it could work?
What you need to understand about Alchemy is that it compiles C into the same bytecode as actionscript, and it runs under the same virtual machine (AVM2) as flash/flex as3 applications.
The reason Alchemy is able to be faster for some operations is that the compiled C (compiled to bytecode) is given access to raw "memory" (ApplicationDomain.domainMemory) via some optimised AVM2 instructions that were added in flash 10.
What I'm trying to get at is that because Alchemy simply runs on top of the AVM2, it is restricted in the same way as any other application. Alchemy in an AIR application can do more than Alchemy in the browser sandbox, but it is still restricted by that sandbox.
If you really need to execute an external application, you'll need to look into something like Shu or Zinc.
Sorry I couldn't be any more help.
This will not work - Alchemy is not really / really not suited for programs that interact with the outside world. I don't think it will support doing a system call, and even if Alchemy would support it the flash/air runtime will most certainly still block it.
If you don't need cross platform behavior you can look into creating an oldfashioned 'projector'. It is possible to launch programs from a projector exe using fscommand- just be aware the executable you want to launch has to be located in a folder named fscommand next to the binary. If that is not sufficient you could try a third party commercial tool like http://www.northcode.com/.
No, Richard Szalay's correct: Alchemy compiles C code into ActionScript bytecode, so the resulting SWF is still subject to the same sandbox restrictions as any other; the AIR restrictions may be looser, but using Alchemy provides no benefit in that respect.
However, you can still "call out" of the sandbox using a socket connection, provided you have an app listening for the connection; check out Merapi -- it might be able to help as a simple solution, if you were open to using Java, although you could certainly roll your own with something else, like C#.
Related
I took a class named "Secure Code", and in our next assignment we are supposed to do static / dynamic analysis of some C files and of a JavaEE Web Project.
I checked out "Source Monitor" and ran it on the C files, but (unless I didn't get how to use it!) it doesn't seem to do what I'm looking for.
Considering the topic, I'd be interested in knowing if there are tools for detecting "insecure" code, i.e. code that is potentially attackable through buffer overflows, SQL-Injections, XSS ... So I'd like it to point out which functions should be "upgraded" (e.g. fgets instead of gets, or a PreparedStatement instead of a normal SQL statement)
Note: I'd prefer open source softwares, possibly for Windows (I have Ubuntu on a VM but I am not really good with it... I generally spend more time finding out how to configure the tools than running them).
Thank you for your tips!
Frama-C's value analysis is open-source, available pre-compiled for Windows, and was used to find such security bugs as this one in the QuickLZ C library or this one in Polar SSL.
This said, you may find that it is a lot to get used to for just a school assignment, and then again, are you actually expected to find security bugs in a school assignment?
For the JavaEE Web Project use Persistence API, and you can use non-SQL statements, where hacking is theoretically impossible! The best open source one is the Hibernate. It's easy to use and very flexible.
I have a small program written in c and i am planning to convert it to a web service module. Is there any web server(Linux or Windows platform) where i can embed the c program directly. I googled and found some of the web servers which supports c code are Apache, mongoose etc. But i don't know how to implement it?
You are looking for CGI. See the docs for more info:
http://httpd.apache.org/docs/2.0/howto/cgi.html
G-WAN is one of the fastest Web Servers, and it supports running C-programs directly (gwan.com). It's much faster on multi-core CPUs than other webservers.
Basically, you can just run any C/C++ (or many other) files just by placing them in /csp directory.
http://monkey-project.com/ is able to do what you want and probably the simplest solution to your problem. http://gwan.com/ might also be interesting, depending on what exactly you want to do.
my question is general for all languages, but I'm using only C, so, I would like to get answer in this one.
My question is, How Can I control the behavior of another applications that I didn't write?
For example:
How Can I fill this entry box (in
this site) using C? Do I need to
control the browser? (I'm using
firefox.)
Still in this example, How Can I open
another tab in this browser using C?
(see, I want to control this
application such another one)
How Can I embed a program im my one?
How Can I fill a database program using your gui, doing it by c?
and so on...
Thanks a lot!
There's no concrete or single answer to your (multiple) questions because every program varies. Short of the desired application having an API, you can resort to using low level Win32 commands to identify handles of processes and windows within those processes which you want to change/read. It's by no means a straightforward or scalable process though.
You'd have to interact with that programs API.
Some programs are scriptable and publish APIs that allow other programs to send commands to them. If your "target" app does something like this, then that will typically be your best bet.
If the app doesn't have a C API, then you probably can't control it in C. That doesn't mean it's impossible, only that you might need a different language. If your app is a Windows GUI app, you can use AutoIt to interact with the GUI programmatically.
Typically you use a program's application programming interface (API) to gain access to publicly available functions that let you accomplish tasks within that program. However, not every application has an API that you can use.
You should start by looking at the documentation of the application you're intending to take control of with your program and seeing if they have an API suitable for your needs.
Most of the time application need API to work with each other.
There is another way around to automatise actions done to applications (like an user would). For example on Windows there is an "language" named AutoIt which can interact with your computer.
I'm not really sure if this is what your seeking but it can do almost all the thing you asked for.
question is, How Can I control the behavior of another applications that I didn't write
Answer: that depends on the application and platform (linux, windows, mac, ...). It generally does not depend on your language of choice.
As an example, quite a lot of gtk/ kde programs on linux can be partially controlled via the dbus messaging bus. Those apps are designed to be controlled in that way.
I think firefox has a command line option to open a new website using an already running browser.
Applescript or automator on a mac can be used to control some apps too, I believe.
In short, make a separate question on what you want to do exactly, stating both platform and app you need to control.
Is there a way I can create a virtual instance of gcc compiler on the client browser when the client opens my website??
By doing so, I can directly pass the user .c file as argument to my compiler instance and then execute it without having to make a POST call to server and execute the file there???
Originally I userstood your question to be targeting the native platform on which the browser is running:
Consider that Browsers may be running
on many different platforms,
operatinng systems and processor
architectures. Compiling C in the way
you describe might be technically
doable, but practically infeasible.
I was basing "practically infeasible" on the difficulty of supporting the plethora of widely used browser platforms.
Now I understand that you are thinking more on the lines of targeting a virtual environment. I'll amend practically infeasible to "a large amount of work".
If I understand your intent it is to run a C compiler which emits, shall we say, x86 compiled code and executes it. So to do that we need an emulation of the x86 environment in, say, JavaScript. What's more I think your intent is that the conmpiler itself execute in this environment, so that you can re-use gcc. So you'll need to emulate a file-system too. It's "obvious" that this could be done, but it really is a lot of work. Is it really worth it?
Competition code is small (I guess) even with lots of programmers the number of simultaneous compiles can't be so huge with a decent queued request system, a touch of Ajax, and a bit of back-end scaling how costly is it to support the expected population? What's the ratio of developers to back end systems?
Anyway, if I were to address this problem I'd go for taking the code for an opensource browser and melding in the gcc code. Produce a compiler/browser hybrid. Give that to the developers and tell them "Use this and get zippy compilation speeds, or use your own browser and join the queue."
You're not going to use GCC as it is written for this. AT BEST, you could accomplish something simalar if you had a compiler written in Java that targeted the JVM and could be ran as an applet. I don't know what it would take to get something like this working but, I suspect it would take a bit work to get it up and going. As far as I know nothing currently exist that does this.
Perhaps using a jsLinux in background? There the making process can run in the virtual machine. Communication could be done by extending the clipboard transfer, perhaps into multiple pipes...
I would be interested in javascript based gcc solutions, too.
I am looking into AJAX for the first time and I would like to know if it's possible to make the requests from a server side CGI application written in C?
Will the C application just use printf for the data, similar to this .asp example?
If I were you, I would stay away from C for server-side stuff. There are so many other languages that are better suited for this, but if you insist, you could use a library like cgic. Basically, you would just use the CGI handler from a server like Apache, but please, PLEASE use something other than C. It's very dangerous in the wrong hands, especially via CGI.
Use something like PHP or Perl to keep yourself sane. PHP is perfect for someone just starting out, and you won't have to futz around with compilation and making your CGI handler work/be secure.
ASP does some magic, such as outputting the appropriate response headers, but other than that it really is that simple. The server-side of AJAX is just responding to requests. Output the right data in the expected format and you're done. Stick with REST principles and this becomes easy.
You can do scripting using C.
Take a look at http://bellard.org/tcc/ - this is a small C99 compiler for Windows and UNIX.
It has a unique feature: "-run" option. With this option, tinycc compiles the code into memory and executes it without creating an intermediate binary. Thus all you need to do is to create your CGI files like this:
#!path-to-tinycc-executable -run
// your C code goes below
....
However, I have to agree with previous commenters that C is not great for server side CGI.
I am looking into AJAX for the first time and I would like to know if it's possible to make the requests from a server side CGI application written in C?
I'll hop on the bandwagon, and say that it's usually easier to just use another language. However, I also understand that sometimes you have to use C - i.e., for embedded servers with limited resources. If that's the strongly suggest you use cgic, or heck, maybe even a framework like klone. I'm a bit biased towards the latter, though. It provides a nice interface to getting request objects, almost like the scripting variety of frameworks.