Auto update: Is this secure?

Question

Dot Net Auto Update

I felt like .net was lacking a simple secure automatic update library so I've implemented something and put it up here. Before anyone considers using the library I was keen for the update process to get a bit a peer review.

Here are the steps:

The client software is populated with a public key and URI to poll.
Client polls a URI for a manifest file.
Manifest is downloaded and signature (in a separate ".signature") is used to check that the manifest is valid.
A list of pending updates is parsed out of the manifest (to show to the user).
The installer file is downloaded and again is verified with a corresponding ".signature" file. (the downloaded file will be protected with ACLs)
The installer is run.

Mitigated threats:

The manifest signature should prevent any malicious downloads ("carpet bombing")
The installer signature should prevent any MITM attacks from sending malicious installers
Protecting the downloaded installer with ACLs should prevent any local escalation attacks.

Unmitigated threats:

A MITM attack where the attacker always reports "no updates available". (Could keep a client at a vulnerable version)

References:

What have I missed?

Out of interest, what was wrong with ClickOnce for this scenario? — Robert MacLean, Oct 02 '09 at 07:26
@Robert ClickOnce only installs with limited access to the system. For example there is no access to system's scanners. I may be wrong but I think ClickOnce apps always need to check for updates before starting? — Luke Quinane, Oct 02 '09 at 12:46
@Luke : You can choose the behaviour you want with clickonce (ie there's a "application is available offline" checkbox than you can tick) — Brann, Oct 02 '09 at 13:20
@Robert : clickonce doesn't support all proxy schemes, clickonce sometimes fail with erratic "corrupted store" messages, clickonce doesn't support encryption ... just to name a few clickonce caveats — Brann, Oct 02 '09 at 13:22
What about just using SSL, it'd solve the whole problem without any complexity. Nowadays it costs about 50$ — dr. evil, Oct 04 '09 at 00:26

Jesse Weigert · Accepted Answer · 2009-09-30T22:46:21.100

8

Dan Kaminsky has a good set of guidelines for an updater:

To succeed, your update package must be:

Signed.
Signed by you.
Signed by you, using the right EKU (Extended Key Usage)
Signed from an unrevoked signature
Be the same product
Be a new version

From your description in this question, it appears that you have the first 3.

edited Sep 30 '09 at 22:46

answered Sep 23 '09 at 23:19

Jesse Weigert

4,714
5
28
37

I was thinking that points #5 and #6 should be enforced by the user of the library. Any thoughts on that? – Luke Quinane Sep 30 '09 at 03:56
The user of the library should be able to pass the name of the application and the current version, and the library could read the metadata from the installer to check the last two points. – Jesse Weigert Sep 30 '09 at 22:47

score 4 · Answer 2 · edited May 23 '17 at 12:25

Having build my own deployer in a corporate environment, here are a few use case I needed to address :

support for digital signature
support for all kind of proxy. Some big corps have complex proxy configurations (through the use of proxy configuration scripts for example). You should support all of those.
encryption support. Your customers will probably want to have the deployed binaries available on a web-server, and they won't want to manage some sort of authentication or access control ; but they won't want unauthorized users to download the binaries either. An easy solution is to encrypt the binaries and have your tool deploy it
support for pluggable additional steps. Corporate clients are usually not very comfortable using automatically deployed tools. They will want more control. Typically, allowing them to run customizable steps (like anti-virus checks, etc) will help
support for different versions of the software based on the consumer identity. This is often needed in corporate environments, when you want to update the copies of a specific consumer (to fix a bug or add an extra-feature) very fast without running all your Q&A process (in this situation, you want to limit the update to this specific consumer)
support limited privilege situations. Aside from the fact that your users may lack Administrator access to their computer, big corporations often use specific tools to limit what you can do. Be ready to deploy in a user-owned folder (or even a temporary folder) rather than the classic "program files".
your tool should be signed by a strong certification authority.

Regarding the MITM attack you mentionned, it's easily solved through the use of public cryptography (as noted by unknown)

+1 for proxy as well. I am someone who sits behind these complex proxies and it can wreck havok — Robert MacLean, Oct 02 '09 at 07:24
Proxy support is a useful feature but it isn't really a security concern for the update process. — Luke Quinane, Oct 02 '09 at 15:31
@Luke : depends on your standpoint. I can assure you a lot of *security* departments will refuse any direct connection to the www for *security* reasons. — Brann, Oct 05 '09 at 07:16

score 3 · Answer 3 · answered Sep 30 '09 at 04:01

3

Well, you can try to prevent MITM by having the "no version update" response also include a timestamp (& be signed). Then if a month goes by (or whatever your policy is) with no version change and no timestamp update, then you refuse to run the software or pop-up a warning dialog informing the user there might be a MITM attack.

Doesn't solve the problem of what to do if your server goes down - presumably you treat it the same as a no timestamp change.

answered Sep 30 '09 at 04:01

Vitali

3,411
2
24
25

+1, Good Idea. Also, you should register your account so you don't lose your rep. – John Gietzen Oct 05 '09 at 03:10
Wasn't I registered? Do I have to do something other than loggin w/ my OpenID? – Vitali Oct 05 '09 at 22:38

score 1 · Answer 4 · answered Oct 04 '09 at 00:37

Don't mean to be troll in here, but you are trying to solve an already solved problem. Using SSL would be a much better choice. That would solve all problems listed in your question.

I understand that this system can be useful for people who can't afford an SSL certificate but anyone who can get one, should get one to solve this problem.

Don't forget, "Complexity is the enemy of security".

Kyle Rosendo · Answer 5 · 2009-09-14T05:45:53.190

0

~~Just as an addition, add a MD5 CheckSum to the downloaded file as well, otherwise, looking good :)~~ - Fair comment below.

Added:

The only additional thing I can see here is delving into things like obfuscating the code, or archiving the setup file and locking the archive, then once downloaded, unlocking it. That type of thing. However I think what you have currently done should be 100%.

The only time more is needed is when the application is very security complex. Right now you prevent DLL tampering and proof of origin, which for an auto updater, should be plenty.

edited Sep 14 '09 at 05:45

answered Sep 14 '09 at 05:31

Kyle Rosendo

25,001
7
80
118

The code uses RSA/SHA1 to calculate the file signatures so I think that's covered. – Luke Quinane Sep 14 '09 at 05:34
2

SHA1 is dead, do not use it. Use SHA256. – Noon Silk Sep 14 '09 at 06:07
Thanks @silky, I'll switch it over to SHA256. – Luke Quinane Sep 14 '09 at 06:11

score 0 · Answer 6 · answered Sep 14 '09 at 06:13

0

So I'm not clear on something; the downloader verifies that the manifest is the one it expects, via a signature, does it do the same for the actual patches it installs?

answered Sep 14 '09 at 06:13

Noon Silk

54,084
6
88
105

Yes, it also verifies the install file once it is downloaded. – Luke Quinane Sep 14 '09 at 06:17
Okay. Okay then. So is it possible to somehow update the public key it validates with? (And the url)? – Noon Silk Sep 14 '09 at 06:19
Its up to the application. The way I'm planning on using it is to only update the key/url by installing a new version (i.e. hard coded in the app). Though you could use the crypto API to store the key so it could be changed. – Luke Quinane Sep 14 '09 at 06:23
I guess what I am suggesting is that you may need a facility to securely update that, incase, for whatever reason, you decide you need to change your private key, or you foresee that a domain is going down/changing. – Noon Silk Sep 14 '09 at 06:26

Sadi · Answer 7 · 2009-10-05T03:47:06.883

0

There is some very nice comment and solution in this post. But I am strongly agree with dr. evil. You should use SSL connection for update and the certificate must be saved (built on) in the client. So, you can make sure the client is not going to accept fake certificate. I think it will effectively immune the client from the MiTM attack.

NOTE: If client can accept unauthorized certificate then MiTM attack can be successful, so do not give this option to the client.

Edit: I think SSL certificate can be self signed in this case.

edited Oct 05 '09 at 03:47

answered Oct 05 '09 at 03:37

Sadi

2,346
4
18
31

I would like to know if MiTM attack can be possible in this scenario. As far as I know it is not. – Sadi Oct 05 '09 at 03:39