How to validate whether software has been corrupted or was started by malicious software
Code signing certificate:
If we download a piece of software from the internet, for example Adobereader.exe, how can we validate that it comes from a trusted source and was not tampered with in transit? For this we use a code signing certificate and sign the binary in our build system using signtool.exe, passing it a .pfx file containing the certificate and private key (if the private key is not in the .pfx, it is passed separately).
Who will provide the code signing certificate:
An intermediate CA or a root CA will issue you a code signing certificate, which can be organization validated (OV), domain validated (DV) or extended validated (EV). EV is a special, stringent form of approval: the CA will validate the organization's financial statements and visit in person to confirm the office exists. For the other validation levels, personal identification, legal documents and domain/site details are enough. This validation is needed so that an attacker cannot impersonate another valid domain.
How it is generated:
First, an organization or developer generates a private/public key pair and sends the public key to the CA. The CA signs it with the CA's private key and embeds the developer's public key in the certificate. Using this certificate, we run signtool.exe in the build environment to sign our product binary or image. This does two things: first it computes the hash of the binary and encrypts that hash with the private key you supplied to signtool (this encrypted hash is the digital signature); then it embeds into the binary both the code signing certificate, which carries the public key, and the digital signature.
Use cases:
Case 1: A user downloads Adobereader.exe from the internet. The OS first checks that a certificate is present, then checks that it carries an organization name (validating the certificate chain). If so, it computes the hash of the binary and keeps it. It decrypts the hash embedded in the binary using the public key from the certificate, and compares that decrypted hash, which was computed at build time, with the hash it just computed. If both match, identity, trust and integrity are validated and the OS allows the install; otherwise it prompts that the file is corrupted, or, if no certificate is present, that the file is from an unknown publisher.
Case 2: I have developed a product and need to make sure that the process that started is indeed the code I built and has not been tampered with by DLL injection. How can I do that? In the process init function I put a routine that verifies the digital signature and the certificate's domain name or company name, and, if needed, the certificate thumbprint, which is unique to each certificate. This way the company can be sure the binary has not been tampered with and that it is a valid company binary, since it carries the thumbprint I expect.
Case 3: A legitimate process is started by another process, but the child process cannot be sure it was started by a legitimate parent. How does it validate this? Malware could start it and make it vulnerable through the actions it performs. So when the child process starts, it queries the process table for its parent process id, gets the parent's executable path, and validates that a certificate is present and that it contains the expected thumbprint, company name and digital signature. Only then does it continue; otherwise it terminates.
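The parent check from Case 3, written as an added PowerShell example (not code from the original post). It uses Get-AuthenticodeSignature on the parent's image file; the thumbprint and subject values are placeholders to be replaced with your own certificate's.

```powershell
# Added example: a child process verifying its parent's Authenticode signature before continuing.
# Both values below are placeholders, not real certificate data.
$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT_OF_YOUR_SIGNING_CERT'
$ExpectedSubject    = 'CN=Example Corp'   # placeholder: the CN from your company's certificate

function Test-ParentProcessSignature {
    param(
        [string]$ExpectedThumbprint,
        [string]$ExpectedSubject
    )
    # Look up our own entry in the process table, then the parent's.
    # Note: if the original parent already exited, ParentProcessId may point to a reused PID.
    $me     = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($me.ParentProcessId)"
    if (-not $parent -or -not $parent.ExecutablePath) {
        return [pscustomobject]@{ Ok = $false; Reason = 'parent not found or executable path unavailable' }
    }
    # Verify the signature on the parent's image file. 'Valid' means the embedded hash
    # matches the file and the signer certificate chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $parent.ExecutablePath
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }
    $cert = $sig.SignerCertificate
    # Pin to the exact certificate (thumbprint) and to the company name in the subject.
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected thumbprint $($cert.Thumbprint)" }
    }
    if ($cert.Subject -notlike "*$ExpectedSubject*") {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected subject $($cert.Subject)" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = "parent $($parent.ExecutablePath) verified" }
}

$result = Test-ParentProcessSignature -ExpectedThumbprint $ExpectedThumbprint -ExpectedSubject $ExpectedSubject
if (-not $result.Ok) {
    Write-Error "Refusing to start: $($result.Reason)"
    exit 1
}
Write-Output $result.Reason
```

This checks the parent's on-disk image, so it establishes who the parent binary is, not that the parent's in-memory image is untouched.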