Hiding confidential data
by Richard Russell, March 2007
 BBC BASIC for Windows provides a convenient method of incorporating resource files within a 'compiled' executable, using the Embedded files feature of the Compile utility (or the “REM!Embed” compiler directive). Such resources might be program modules, DLLs, image files, music files etc. When the application is run these resources are automatically extracted from the executable and stored as conventional files, which can be accessed by the program at run-time.
 It is possible to protect the resource data from prying eyes, whilst it is stored in the executable file, using the Encrypt contents option. Although the encryption used is not highly secure, it will defeat all but the most determined attempts to read the data. However, when the resource files are extracted at run-time they are unencrypted and stored on the user's disk, which potentially makes them vulnerable to being read.
 If you are particularly concerned to keep the contents of your resource files confidential there are a number of steps you can take:
- In the case of program modules, enable all the crunch options including the Crunch embedded files facility. This will remove all comments from your code and change the variable names into short forms that have no similarity to the variables used in your source program. This will make it much harder for anybody to figure out what your code is doing and reconstruct the original algorithms.
- Store your confidential modules in the @lib$ folder rather than the @dir$ folder. Files in @lib$ are extracted to a temporary folder when the program is run (a different folder each time), and are automatically deleted when it exits. It is therefore considerably more difficult for somebody to discover the whereabouts of the files and examine their contents; indeed, they may well have no reason to suspect that the files even exist. See Embedding resources in different folders.
- Delete the files immediately after use. For example, if you have one or more library modules that are loaded with INSTALL, you can delete them from the disk immediately afterwards. With that technique the files are present on the disk, and therefore vulnerable to being read, for the shortest possible time. The code below deletes the file only when the compiled program is run; when running under the IDE it doesn't, to avoid destroying the original:
    INSTALL @lib$+"MYMODULE"
    IF INSTR(@lib$,@tmp$) OSCLI "DELETE """+@lib$+"MYMODULE"""
If none of these techniques provides adequate protection, consider incorporating the most sensitive code within your main program rather than in resource files. The main program is copied directly from the executable into memory and doesn't at any point exist as an unencrypted file on the local disk; however, it is still vulnerable to a memory dump attack.
 If you are concerned about memory dump attacks, contact me for a copy of secure.exe, a utility that can effectively protect compiled BB4W executables from such attacks.
