
I built a C++ application that loads DLLs (plugins). Before loading a DLL, the application checks that the DLL's digital signature is part of a white list. This is done to ensure that only authorized DLLs get loaded.

I'm trying to accomplish something similar using an out-of-process COM server/client. The COM server needs to ensure that only specific clients are able to access it (from a white list). I know that Microsoft provides many different authentication mechanisms for COM, but they seem to revolve around the application's identity (the account used to run it). Ultimately, I need a secure way to verify that the COM client is who they say they are, and that they are in my white list.

I'm open to other ways of accomplishing this, but not using COM isn't really an option.

Thanks for any help you can provide

Chris McBride
  • >*they seem to revolve around the applications identity (account used to run it)* That's because outside of .Net, you can't base security decisions on the caller, because the caller can do whatever it wants with memory, starting with the stack. What you're asking for is only possible in a controlled environment (.Net verifiable code) or another process running with a different token. – Medinoc Dec 17 '14 at 14:42
  • @Medinoc - Could you explain what you mean by "or another process running with a different token"? – Chris McBride Dec 17 '14 at 15:24
  • Suppose you somehow managed to verify the validity of the EXE behind the process from which the call originates - but the actual call could have been made by a third-party DLL (injected via `SetWindowsHookEx`, for example) from within that process. Or the attacker could read the memory of that process (via `ReadProcessMemory`) after the call is made, and obtain the data you provided to it that way. – Igor Tandetnik Dec 17 '14 at 15:45
  • Different token means either different user, or restricted token for the same user (which makes the user belong to less groups and have less privileges, but can't affect the user's rights piecewise). – Medinoc Dec 17 '14 at 15:46

1 Answer


I think this can be accomplished in DCOM Config in combination with trusted client certificates.

Another way is to implement a method in the interface where the server verifies the client's digital signature. This link has an example of how to read out the client cert: How do I read an embedded code signing signature in C++?

Hans
  • I don't think this can protect from spoofing the stack to make a call look like it's coming from the signed DLL (while the return address actually points to where a legitimate function's `ret` instruction is, or to a legitimate function that makes a virtual call with data spoofed by the attacker). – Medinoc Dec 17 '14 at 15:50
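The signer allowlist check that the question describes (and that the answer suggests reusing for the COM client's binary) can be shown concretely. The following is an added example, not code from the question, the answer, or any linked page; it mirrors the C++ check in PowerShell using the built-in `Get-AuthenticodeSignature` cmdlet, and the thumbprints in `$allowlist` are constructed placeholders. The function name `Test-SignerAllowed` and the `plugins` directory are assumptions for the illustration.

```powershell
# Added example (not from the question or answer): allowlist a DLL or a COM
# client binary by the thumbprint of its Authenticode signing certificate.
# Thumbprints below are constructed placeholders.

function Test-SignerAllowed {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = 'FileNotFound'; Signer = $null }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status must be Valid: a signature is present, the file hash matches it,
    # and the signer's chain builds to a trusted root. Every other status
    # (NotSigned, HashMismatch, NotTrusted, UnknownError) is rejected before
    # the thumbprint is even looked at, so a modified or unsigned file never passes.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "SignatureStatus=$($sig.Status)"; Signer = $null }
    }

    # Pin the specific signing certificate, not merely "any trusted publisher":
    # a valid chain alone would accept every certificate the machine trusts.
    $thumb   = $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
    $allowed = @($AllowedThumbprints | ForEach-Object { $_.ToUpperInvariant() }) -contains $thumb

    [pscustomobject]@{
        Path    = $Path
        Allowed = $allowed
        Reason  = if ($allowed) { 'SignerOnAllowlist' } else { "SignerNotOnAllowlist($thumb)" }
        Signer  = $sig.SignerCertificate.Subject
    }
}

# Constructed placeholder thumbprints (assumption): replace with the SHA-1
# thumbprints of the certificates you actually sign plugins or clients with.
$allowlist = @(
    '0000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000002'
)

# Assumed layout: plugins live in a "plugins" folder next to this script.
Get-ChildItem -LiteralPath (Join-Path $PSScriptRoot 'plugins') -Filter *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerAllowed -Path $_.FullName -AllowedThumbprints $allowlist } |
    Format-Table Path, Allowed, Reason, Signer -AutoSize
```

The check establishes that a file on disk carries a valid signature from a pinned certificate at the moment it is inspected, which is exactly what the question's plugin loader needs. As the comments above point out, it does not establish who is actually calling into a COM server: a process that legitimately loaded a signed client can still have code injected into it, and its memory can be read after the call. For the COM case, the property that holds is the one Medinoc describes, running the client under a different token (a separate user or a restricted token) and letting DCOM's launch and access permissions decide, rather than trusting anything about the calling process's own image.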