Re: [Nolug] Any way to have a program verify that it's running a legitimate version?

From: Kevin Kreamer <kevin_at_kreamer.org>
Date: Sat, 26 May 2007 13:15:42 -0400
Message-ID: <46586B3E.3090703@kreamer.org>

Elliott Seyler wrote:
> I'm planning a rather crazy project to make a distributed server, and
> one of the problems I've come across in my initial planning is
> preventing people from connecting modified versions of the server. I
> want to prevent anything but a legitimate version from being part of the
> server network, to prevent collusion with the intent to reveal secure
> information or communication sent or stored within the network.
>
> The trouble is that I can't think of any reliable way to do this. Any
> suggestions you may have would be welcome.

Unfortunately, the short answer is: you can't.

Longer answer: from the view of your known and trusted server (let's
call it Rock), all you are doing is sending out requests and getting
back responses from someone, somewhere. The issue, though, is that
whatever Paper (your suspect but actually good server) says can be
emulated by Scissors (your evil intruder). An attacker can even go so
far as having Scissors cut Paper's responses (i.e. run a corrupted proxy
between two good servers), changing only the responses necessary, and
leaving everything else the same.

Encryption only gets you so far. From an encryption standpoint, this
problem reduces to the problem of secure key exchange. That in itself
wouldn't be fatal, but the fact that you want to do secure exchange
between strangers (and only, somehow, between those particular strangers
- killing PKI ideas) is fatal to this idea.

Closed source only gets you so far. While it is true that in a case
like this, open source helps an attacker (they change what they want to
change, and simply recompile), closed source doesn't prevent an attack.
A determined attacker can still reverse engineer the protocol (or run
the proxy above), and so the only thing closed source buys you is some
(unknown) amount of time.

Ultimately, your only way to really handle this is to either accept that
modified servers will connect (and design accordingly), or personally
know and trust the people running the servers (i.e. a political solution
instead of a technical solution).

Kevin
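As an added illustration of the Rock/Paper/Scissors argument (constructed for this archive page, not code from Kevin's message or the thread), here is a Python toy: Rock challenges a peer to prove it runs the genuine code, and a modified Scissors passes the check anyway, either by hashing a pristine copy of the (open-source) code while running different logic, or by forwarding the challenge to a real Paper and copying the data it relays. The class names, the HMAC-over-a-code-hash scheme, and the sample data are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the server's code; with open source the attacker
# holds this exact copy too.
GENUINE_CODE = b"def handle(req): return secret_lookup(req)"

def attest(code: bytes, nonce: bytes) -> str:
    """Naive 'legitimacy proof' (assumed scheme): HMAC over Rock's nonce,
    keyed by a hash of the code the peer claims to be running."""
    return hmac.new(hashlib.sha256(code).digest(), nonce, "sha256").hexdigest()

class Paper:
    """Honest server: proves itself from the code it really runs."""
    def attest(self, nonce): return attest(GENUINE_CODE, nonce)
    def query(self, key): return f"secret-for-{key}"

class RecompiledScissors:
    """Modified build: runs different logic but hashes a pristine copy."""
    def __init__(self, leak): self.leak = leak
    def attest(self, nonce): return attest(GENUINE_CODE, nonce)  # passes anyway
    def query(self, key):
        self.leak.append(key)  # colluding behaviour the genuine code lacks
        return f"secret-for-{key}"

class ProxyScissors:
    """Corrupted proxy in front of a real Paper: forwards the challenge
    untouched so the proof is genuine, and copies the data it relays."""
    def __init__(self, upstream, leak): self.upstream, self.leak = upstream, leak
    def attest(self, nonce): return self.upstream.attest(nonce)
    def query(self, key):
        answer = self.upstream.query(key)
        self.leak.append((key, answer))
        return answer

class Rock:
    """Trusted server: admits a peer whose proof matches the genuine code."""
    def admit(self, peer) -> bool:
        nonce = os.urandom(16)
        return hmac.compare_digest(peer.attest(nonce), attest(GENUINE_CODE, nonce))

def demo():
    """Returns (honest admitted, recompiled admitted, proxy admitted, leaked)."""
    rock, paper, leaked = Rock(), Paper(), []
    peers = (paper, RecompiledScissors(leaked), ProxyScissors(paper, leaked))
    verdicts = tuple(rock.admit(p) for p in peers)
    peers[2].query("alice")  # admitted proxy now sees the traffic it relays
    return verdicts + (leaked,)
```

Rock admits all three peers, which is the point of the message: nothing in the exchange distinguishes the genuine server from either kind of Scissors, so the protocol has to be designed on the assumption that modified servers will be in the network.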
___________________
Nolug mailing list
nolug@nolug.org
Received on 05/26/07

This archive was generated by hypermail 2.2.0 : 12/19/08 EST