Nominate our 2022 Qt Champions!

Security and the well constructed Qt plugin

  • I'm building an application using plugins. I believe you could build a malicious plugin, copy it into the correct directory, and my main program would happily run it. I'd like the main program to be smart enough to detect unauthorized plugins and reject them. An encrypted signature and a hash on the binary content of each plugin would work well. Has anyone done anything toward this goal? Or a cross platform library for generating signatures for shared libraries?

    I'm aware of how windows does signs executables. Linux not so much. I don't need Mac compatibility.

    Thanks for your time!

  • Ultimately, there is no way you can stop someone from loading a custom plugin. Even using an encrypted, hashed, hidden and topped key, one could simply find the key and copy it. I wouldn't worry a lot about those things if I were you.

  • If a decent cryptographic signature is used "finding the key" would require more time that it would be worth for an attacker. This is how all modern security works. Throwing up my hands and saying it's not possible so why bother isn't a useful answer.

  • I've been a game developer for some time now, so I like to think my opinion when it comes to people interfering in my program is somewhat valuable. But, if you think that way, let someone else answer you.

  • Thanks for helping.

Log in to reply