3

Can you think of a mechanism to guarantee my software (GUI application) is the software that I'm currently running and not an imposter (as a black box).

It sounds as a crazy requirement, but this software determines life (it is a medical device) and if someone insists on doing bad, he can just create a similar software and make sure somehow to replace the genuine one with his version.

Any hardware / software option is valid for me. I'm targeting Windows and the Java language. If needs to complement with another piece of software/hardware to make it work together, this is of course doable.

BR, Oren

Oren
  • 976
  • 9
  • 23
  • 1
    You can encrypt the data coming to/from the hardware device – MadProgrammer Jun 04 '15 at 09:32
  • It is a good suggestion. My application actually reads plain text files and shows the results on the screen. I can request that the files are encrypted. Still going to investigate first an even more robust mechanism, as I see suggested below by oleksii. – Oren Jun 04 '15 at 09:39
  • There will be other attack vectors, you should follow an established threat modelling framework, such as [STRIDE](https://en.wikipedia.org/wiki/STRIDE_%28security%29). Digital signature and verification is enough for this specific attack, however there are other attacks and you should prioritise which is easiest to implement and has most impact on your software. – oleksii Jun 04 '15 at 09:42
  • 1
    Host the application as java webstart in a secure server. – ring bearer Jun 04 '15 at 09:48

1 Answers1

2

Your best bet is to follow a standard procedure for this. In a nutshell, here's what you can do.

On your machine:

  • Place your code into a jar file
  • Digitally sign jar file with a private key
  • Distribute your public key to the code runner machine

On code runner machine

  • Set up a security policy to run your application with a valid digital signature only
  • Import public key

For detail, please follow this tutorial.

oleksii
  • 35,458
  • 16
  • 93
  • 163
  • What about the HW side? – User404 Jun 04 '15 at 09:37
  • The question was: "Can you think of a mechanism to guarantee my software (GUI application) is the software that I'm currently running and not an imposter (as a black box)." This approach guarantees that. No HW interaction is required. This is not to say that OP shouldn't protect from other types of attacks where using secure HW will be required. It's just for this specific attack digital signature and verification is enough. – oleksii Jun 04 '15 at 09:39
  • I agree that this a valid option for securing the software side. But when dealing with these kind of hardware (medical device, which can probably be accessed physically by lots of people) it won't be enough (as in not 100% secure). – User404 Jun 04 '15 at 09:45
  • Thank you, yes, the HW was just suggested as I could not think of anything else. If above solution is sufficient then I'm happy with it. I have a question though. The tutorial also shows how to set up a security policy to run your application with a valid digital signature only and import public key (on Windows)? Haven't seen it yet, but it was a quick glance. – Oren Jun 04 '15 at 09:46
  • @User404 that's right. Security IMO is not a binary choice (secure or in-secure). It's a gradient and one should protect from most probable and most damaging attacks. Picking defence in random is a poor choice. – oleksii Jun 04 '15 at 09:54
  • @Oren That's right. But similar approach will work on nearly all other well established OSes. It's a known problem and unless OS serves some very specific purposes it should have this verification and policy enforcing mechanism embedded. – oleksii Jun 04 '15 at 09:56