views:

692

answers:

+9 Q:

I felt like .net was lacking a simple secure automatic update library so I've implemented something and put it up here. Before anyone considers using the library I was keen for the update process to get a bit a peer review.

Here are the steps:

The client software is populated with a public key and URI to poll.
Client polls a URI for a manifest file.
Manifest is downloaded and signature (in a separate ".signature") is used to check that the manifest is valid.
A list of pending updates is parsed out of the manifest (to show to the user).
The installer file is downloaded and again is verified with a corresponding ".signature" file. (the downloaded file will be protected with ACLs)
The installer is run.

Mitigated threats:

The manifest signature should prevent any malicious downloads ("carpet bombing")
The installer signature should prevent any MITM attacks from sending malicious installers
Protecting the downloaded installer with ACLs should prevent any local escalation attacks.

Unmitigated threats:

A MITM attack where the attacker always reports "no updates available". (Could keep a client at a vulnerable version)

References:

What have I missed?

~~Just as an addition, add a MD5 CheckSum to the downloaded file as well, otherwise, looking good :)~~ - Fair comment below.

Added:

The only additional thing I can see here is delving into things like obfuscating the code, or archiving the setup file and locking the archive, then once downloaded, unlocking it. That type of thing. However I think what you have currently done should be 100%.

The only time more is needed is when the application is very security complex. Right now you prevent DLL tampering and proof of origin, which for an auto updater, should be plenty.

Kyle Rozendo 2009-09-14 05:31:43

The code uses RSA/SHA1 to calculate the file signatures so I think that's covered.

Luke Quinane 2009-09-14 05:34:06

SHA1 is dead, do not use it. Use SHA256.

Noon Silk 2009-09-14 06:07:56

Thanks @silky, I'll switch it over to SHA256.

Luke Quinane 2009-09-14 06:11:31

So I'm not clear on something; the downloader verifies that the manifest is the one it expects, via a signature, does it do the same for the actual patches it installs?

Noon Silk 2009-09-14 06:13:55

Yes, it also verifies the install file once it is downloaded.

Luke Quinane 2009-09-14 06:17:57

Okay. Okay then. So is it possible to somehow update the public key it validates with? (And the url)?

Noon Silk 2009-09-14 06:19:22

Its up to the application. The way I'm planning on using it is to only update the key/url by installing a new version (i.e. hard coded in the app). Though you could use the crypto API to store the key so it could be changed.

Luke Quinane 2009-09-14 06:23:30

I guess what I am suggesting is that you may need a facility to securely update that, incase, for whatever reason, you decide you need to change your private key, or you foresee that a domain is going down/changing.

Noon Silk 2009-09-14 06:26:08

+7 A:

Dan Kaminsky has a good set of guidelines for an updater:

To succeed, your update package must be:

Signed.
Signed by you.
Signed by you, using the right EKU (Extended Key Usage)
Signed from an unrevoked signature
Be the same product
Be a new version

From your description in this question, it appears that you have the first 3.

Jesse Weigert 2009-09-23 23:19:25

I was thinking that points #5 and #6 should be enforced by the user of the library. Any thoughts on that?

Luke Quinane 2009-09-30 03:56:40

The user of the library should be able to pass the name of the application and the current version, and the library could read the metadata from the installer to check the last two points.

Jesse Weigert 2009-09-30 22:47:54

+3 A:

Well, you can try to prevent MITM by having the "no version update" response also include a timestamp (& be signed). Then if a month goes by (or whatever your policy is) with no version change and no timestamp update, then you refuse to run the software or pop-up a warning dialog informing the user there might be a MITM attack.

Doesn't solve the problem of what to do if your server goes down - presumably you treat it the same as a no timestamp change.

Vitali 2009-09-30 04:01:37

+1, Good Idea. Also, you should register your account so you don't lose your rep.

John Gietzen 2009-10-05 03:10:17

Wasn't I registered? Do I have to do something other than loggin w/ my OpenID?

Vitali 2009-10-05 22:38:19

+4 A:

Having build my own deployer in a corporate environment, here are a few use case I needed to address :

support for digital signature
support for all kind of proxy. Some big corps have complex proxy configurations (through the use of proxy configuration scripts for example). You should support all of those.
encryption support. Your customers will probably want to have the deployed binaries available on a web-server, and they won't want to manage some sort of authentication or access control ; but they won't want unauthorized users to download the binaries either. An easy solution is to encrypt the binaries and have your tool deploy it
support for pluggable additional steps. Corporate clients are usually not very comfortable using automatically deployed tools. They will want more control. Typically, allowing them to run customizable steps (like anti-virus checks, etc) will help
support for different versions of the software based on the consumer identity. This is often needed in corporate environments, when you want to update the copies of a specific consumer (to fix a bug or add an extra-feature) very fast without running all your Q&A process (in this situation, you want to limit the update to this specific consumer)
support limited privilege situations. Aside from the fact that your users may lack Administrator access to their computer, big corporations often use specific tools to limit what you can do. Be ready to deploy in a user-owned folder (or even a temporary folder) rather than the classic "program files".
your tool should be signed by a strong certification authority.

Regarding the MITM attack you mentionned, it's easily solved through the use of public cryptography (as noted by unknown)

Brann 2009-09-30 13:35:45

+1 for proxy alone, would vote more if I could

slf 2009-09-30 18:48:02

+1 for proxy as well. I am someone who sits behind these complex proxies and it can wreck havok

Robert MacLean 2009-10-02 07:24:34

Proxy support is a useful feature but it isn't really a security concern for the update process.

Luke Quinane 2009-10-02 15:31:03

@Luke : depends on your standpoint. I can assure you a lot of *security* departments will refuse any direct connection to the www for *security* reasons.

Brann 2009-10-05 07:16:50

+1 A:

Don't mean to be troll in here, but you are trying to solve an already solved problem. Using SSL would be a much better choice. That would solve all problems listed in your question.

I understand that this system can be useful for people who can't afford an SSL certificate but anyone who can get one, should get one to solve this problem.

Don't forget, "Complexity is the enemy of security".

dr. evil 2009-10-04 00:37:51

There is some very nice comment and solution in this post. But I am strongly agree with dr. evil. You should use SSL connection for update and the certificate must be saved (built on) in the client. So, you can make sure the client is not going to accept fake certificate. I think it will effectively immune the client from the MiTM attack.

NOTE: If client can accept unauthorized certificate then MiTM attack can be successful, so do not give this option to the client.

Edit: I think SSL certificate can be self signed in this case.

Sadi 2009-10-05 03:37:04

I would like to know if MiTM attack can be possible in this scenario. As far as I know it is not.

Sadi 2009-10-05 03:39:40

ansaurus

tags: