Re: [Nolug] Any way to have a program verify that it's running a legitimate version?

From: Elliott Seyler <rainrunner87_at_mailshack.com>
Date: Sat, 26 May 2007 12:36:30 -0500
Message-ID: <4658701E.8090708@mailshack.com>

Thanks muchly, all of you. This'll be a big help. I'll keep y'all in
the loop for progress on it.

Kevin Kreamer wrote:
> Elliott Seyler wrote:
>
>> I'm planning a rather crazy project to make a distributed server, and
>> one of the problems I've come across in my initial planning is
>> preventing people from connecting modified versions of the server. I
>> want to prevent anything but a legitimate version from being part of the
>> server network, to prevent collusion with the intent to reveal secure
>> information or communication sent or stored within the network.
>>
>> The trouble is that I can't think of any reliable way to do this. Any
>> suggestions you may have would be welcome.
>>
>
> Unfortunately, the short answer is: you can't.
>
> Longer answer: from the view of your known and trusted server (let's
> call it Rock), all you are doing is sending out requests and getting
> back responses from someone, somewhere. The issue, though, is that
> whatever Paper (your suspect but actually good server) says can be
> emulated by Scissors (your evil intruder). An attacker can even go so
> far as having Scissors cut Paper's responses (i.e. run a corrupted proxy
> between two good servers), changing only the responses necessary, and
> leaving everything else the same.
>
> Encryption only gets you so far. From an encryption standpoint, this
> problem reduces to the problem of secure key exchange. That in itself
> wouldn't be fatal, but the fact that you want to do secure exchange
> between strangers (and only, somehow, between those particular strangers
> - killing PKI ideas) is fatal to this idea.
>
> Closed source only gets you so far. While it is true that in a case
> like this, open source helps an attacker (they change what they want to
> change, and simply recompile), closed source doesn't prevent an attack.
> A determined attacker can still reverse engineer the protocol (or run
> the proxy above), and so the only thing closed source buys you is some
> (unknown) amount of time.
>
> Ultimately, your only way to really handle this is to either accept that
> modified servers will connect (and design accordingly), or personally
> know and trust the people running the servers (i.e. a political solution
> instead of a technical solution).
>
> Kevin
> ___________________
> Nolug mailing list
> nolug@nolug.org
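The Rock/Paper/Scissors argument above, as an added toy simulation (not code from the thread): the verifier Rock challenges a server with a key that a "legitimate build" embeds, then fetches a record. A proxy Scissors that lacks the key is caught once the record is bound to the challenge, but a Scissors that has pulled the key out of the binary forges both the attestation and the bound record, so the check gives Rock no assurance about who answered. All names, the key and the records are constructed for this example.

```python
import hmac
import hashlib
import os

# Constructed secret that a "legitimate build" would carry. Anyone holding
# the binary can recover it, which is the crux of Kevin's argument.
BUILD_KEY = b"constructed-build-key"


def mac(key, *parts):
    """HMAC-SHA256 over the given byte strings, hex encoded."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()


class Paper:
    """Honest server: answers challenges and serves its record."""
    record = b"real record"

    def handle(self, msg):
        kind, nonce = msg
        if kind == "attest":
            return mac(BUILD_KEY, nonce)
        if kind == "get":  # record bound to the nonce with the build key
            return self.record, mac(BUILD_KEY, nonce, self.record)
        raise ValueError(kind)


class Scissors:
    """Corrupted proxy in front of a good server (Kevin's 'cut Paper')."""

    def __init__(self, upstream, key=None):
        self.upstream = upstream
        self.key = key  # None: proxy without the key; else key from the binary

    def handle(self, msg):
        kind, nonce = msg
        reply = self.upstream.handle(msg)  # challenge answers pass straight through
        if kind != "get":
            return reply
        forged = b"forged record"
        if self.key is None:
            return forged, reply[1]  # reuses Paper's tag; binding will catch this
        return forged, mac(self.key, nonce, forged)


def rock(server):
    """Verifier: challenge, then fetch. Returns (attest_ok, record, tag_ok)."""
    nonce = os.urandom(16)
    attest_ok = hmac.compare_digest(server.handle(("attest", nonce)), mac(BUILD_KEY, nonce))
    nonce = os.urandom(16)
    record, tag = server.handle(("get", nonce))
    tag_ok = hmac.compare_digest(tag, mac(BUILD_KEY, nonce, record))
    return attest_ok, record, tag_ok
```

Rock sees identical results from Paper and from a key-holding Scissors, which is why the thread lands on trusting the operators rather than the software.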
Received on 05/26/07
