
So I have this challenge: Our system has several Windows applications, each doing some work. One particular application's exe would load DLLs of other applications and call a particular method from the DLL.

For security reasons, we want to make sure the DLL is authentic before loading it. As suggested online, we currently use Windows cryptographic APIs to check the digital signatures, but the problem is, in my company, the digital certificate which signs the binaries itself might change, although not frequently. And since the upgrade of each application is independent of the others, there's a possibility that some of the DLLs could be signed by the old certificate and some by the new certificate.

Is there an efficient way to solve this?

  • Trying to address the **might change** part is unnecessary future proofing. You can spend a lifetime designing solutions for all the changes that might happen, but in practice you'll never be ready for the change that actually does come. If the code signing certificate changes, update your validation code to include checking for both old and new certificates, then redeploy the app that validates the DLL. – selbie Apr 16 '21 at 06:51
  • And should the implementers of the DLL actually decide to change code signing certificates, they can sign with both the old and new certificates for an interim period if the client applications that load them aren't ready. (Yes, you can code-sign a binary multiple times with different certs) – selbie Apr 16 '21 at 06:54
  • Does this answer your question? [WinVerifyTrust to check for a specific signature?](https://stackoverflow.com/questions/1072540/winverifytrust-to-check-for-a-specific-signature) – Simon Mourier Apr 16 '21 at 07:02
  • @selbie Thanks for your suggestion. Recently there was a change in the code signing certificate and I got to know that it happens every 3 years. Also I'm planning to validate from both ends to improve security, i.e. the exe checking if the DLL it's loading is authentic and the DLL checking if the loading process is authentic. So I cannot rely on checking the certificate information against every version of the code signer. So you think there's no better way to solve this problem than to force an update to every application whenever such a code sign change occurs? – prasanth_bazz Apr 16 '21 at 07:08
  • @SimonMourier No, it's more of what we do currently and it does not solve the problem. – prasanth_bazz Apr 16 '21 at 07:18
  • Updating your application every 3 years doesn't sound too bad. Again, dual code signing with the old and new certs for an interim period isn't a bad idea. Also, take a step back and ask what sort of hack attack you are really trying to guard against. I'm not suggesting you skip code sign validation. But a determined hacker could find ways to thwart all your code signing. If your premise is that a hacker could supplant his own binaries onto the system and you need your own code to guard against that, consider the fact that the hacker can do EVEN WORSE things. – selbie Apr 16 '21 at 07:29
  • @selbie Thanks, I agree with you. I'll see if the dual code signing thing would suit all the use cases. – prasanth_bazz Apr 16 '21 at 09:49
  • @prasanth_bazz Why check for a *particular* signature, as opposed to *any* trusted signature? If an attacker removed your company's certificate and replaced it with another *trusted* certificate, then they would have broken already into the trust chain, and you have a bigger problem on your hands than just checking your DLLs can protect against. – dxiv Apr 16 '21 at 16:44
  • Can [here](https://stackoverflow.com/questions/4120381/check-if-dll-is-authentic-correct-before-running-application-i-c-sharp-net) help you? – YangXiaoPo-MSFT Apr 19 '21 at 07:08
  • Hi @dxiv. By _any trusted signature_, do you mean any trusted certificate from the Windows certificate store on our customer's machine? Do we have any means to have a custom certificate store? Can we publish the signature details on our company's website, or will it cause any security issues if we do that? These are some of the solutions I thought of. Please share your thoughts. – prasanth_bazz May 02 '21 at 05:13
  • @prasanth_bazz See for example [`WinVerifyTrust`](https://learn.microsoft.com/en-us/windows/win32/api/wintrust/nf-wintrust-winverifytrust) and [Verifying the Signature of a PE File](https://learn.microsoft.com/en-us/windows/win32/seccrypto/example-c-program--verifying-the-signature-of-a-pe-file). The other questions might be better suited for [SU](https://superuser.com/) or [SF](https://serverfault.com/) than here. – dxiv May 02 '21 at 05:28
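One way to implement the signer pinning that selbie and dxiv discuss in the comments, as an added example that is not from the question or its comments: verify the Authenticode signature chains to a trusted root, then accept only signers whose thumbprint is on an allowlist that holds both the old and the new company certificate, so a rotation does not break loading. The thumbprints, company name and plugin directory below are placeholders.

```powershell
# Added example (not from the question or its comments). Checks that a DLL is
# Authenticode-signed by one of a set of *known* company certificates, so an old
# and a new code-signing certificate can both be accepted during a rotation.
# Thumbprints and paths are placeholders; replace them with your own values.

function Test-TrustedDll {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Allowlist of SHA-1 thumbprints of your own code-signing certificates.
        # Keep the old one listed while any shipped DLL is still signed with it.
        [string[]]$AllowedThumbprints = @(
            'PLACEHOLDER_OLD_CERT_THUMBPRINT',
            'PLACEHOLDER_NEW_CERT_THUMBPRINT'
        )
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature AND the signer chains to
    # a root trusted on this machine. Anything else (NotSigned, HashMismatch,
    # NotTrusted, ...) is a rejection.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature from *any* trusted publisher is not enough here: pin the
    # signer to the company's own certificates by thumbprint (comparison is
    # case-insensitive, which matches the upper-case hex PowerShell reports).
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($AllowedThumbprints -notcontains $thumb) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
                                  Reason = "Unexpected signer $thumb ($($sig.SignerCertificate.Subject))" }
    }

    # Caveat: Get-AuthenticodeSignature reports only the primary signature. If a
    # DLL is dual-signed (old + new cert), the primary one must be allowlisted.
    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "Signed by $thumb" }
}

# Usage: check every DLL a host process would load from its plugin directory
# (placeholder path) before it is passed to LoadLibrary.
Get-ChildItem -Path 'C:\Program Files\ExampleCompany\Plugins' -Filter '*.dll' |
    ForEach-Object { Test-TrustedDll -Path $_.FullName } |
    Format-Table Path, Trusted, Reason -AutoSize
```

The same two checks (signature valid and chained to a trusted root, then signer pinned to an allowlist) are what the in-process C++ version does with `WinVerifyTrust` followed by extracting the signer certificate; the allowlist is the part that has to be updated when the certificate rotates.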

0 Answers