Verifying remote program integrity/validity as part of WCF service security

Hello,

I have an application running on remote systems. The remote systems are an embedded computer built into a kiosk. As a result, they are somewhat "untrusted," in that the physical security for them is rather lax. However, these kiosks can be credit card processing, etc. via a WCF service to my server.

Using machine certificates, etc., I can verify that the client is who they say they are, which protects against someone copying my binaries off of the kiosk somehow and then running it on their own machine. However, how can I prevent against the following two attacks:

Someone takes the binary, modifies it maliciously, and then runs it on the system
Someone decompiles my application, and using parts of my code (such as where I reference certificates or shared secrets) writes their own application, and runs it on the machine.

Obviously I have taken steps using the operating system to prevent against these sort of attacks, but I need a way at the server to ensure that it is not being duped.

Any suggestions?

If the machines are not physically secure then there's no way to guarantee any of those attacks won't occur. Focus your efforts on minimising the damage that can be caused by a compromised machine. Examples:

each client should have its own certificate/key, so you can easily revoke credentials of compromised machines without affecting operations elsewhere
minimise unnecessary functionality provided by the server (for instance, clients have no need to retrieve credit card numbers - instead, return some kind of surrogate token that can be used to initiate a payment)
minimise sensitive data stored on the client side, and delete when no longer necessary
enforce business logic on the server side
the server should require authentication before performing sensitive operations
log sensitive operations server-side so you have an audit trail and early warning of malicious activity

In general, take the same precautions that you'd take when writing a web app exposed to the masses...

There's no magic I can work here with code signing to ensure only my application can access the service?

David Pfeffer 2010-10-17 16:43:37

No way that's watertight, as far as I can see - you're either asking the app "tell me your signature" (in which case a compromised app can just return a "good" signature) or relying on the client OS to verify the app (but it sounds like you expect an attacker to have administrative access to the kiosk machine, so the OS can't be trusted to do this accurately).

SimonJ 2010-10-17 17:04:42

@David No, code signing was designed for other purpose. It must be the OS that verifies the signature and allows only properly signed programs to be running.

Eugene Mayevski 'EldoS Corp 2010-10-17 17:07:17

Of course, there are ways to reduce the risk: don't run the client app with administrative access; configure the client OS to only run signed executables; use OS mechanisms to store secrets; use TPM-backed secure startup/disk encryption if possible. But ultimately, attackers *will* find some way to exploit your application, so minimise the damage they can cause.

SimonJ 2010-10-17 17:18:52

Sadly I don't have an embedded TPM. I had thought about BitLocker.

David Pfeffer 2010-10-17 18:40:27

@SimonJ I don't expect the attacker to have admin access per say, but its conceivable that they could open the machine, modify the hard drive, and replace it. Obviously that's a stretch compared to accessing the running machine, but I want to minimize the attack surface as much as possible.

David Pfeffer 2010-10-17 18:42:39

ansaurus

tags:

views:

answers:

Verifying remote program integrity/validity as part of WCF service security

related questions