Writing Secure Self-Updating Code

Part of the Mesh Networking project I am working on depends on being able to perform fast, scalable mass updates of all of the nodes on the network. This is quite a task. Even if the mesh agent is small, if it's installed on many machines it can represent a lot of data.

To make the process scalable, I use the peer-to-peer network itself as an update system. Nodes can get updates from the central server, but they can also update each other. This is where the real scalability gains are: nodes on a fast Intranet perform updates of other nodes on the same network. You cut the amount of WAN network usage and cut the amount of traffic on the server (good for me!).

But this entire process depends on security. You have to be able to verify that an update is authentic, is truly a newer version and is for the same machine architecture as your own. On my mesh agents, there is an HTTP link to the executable of the agent itself. No need for separate storage: the binary file you are running right now is the source of the update for other nodes.

On Windows, there is a known process for signing binaries. It's called Authenticode and I use it for the mesh agents. It's nice because it's presumably well reviewed, and you have good support for it in Windows. You can right click on an executable and see the signature in a new tab.

For Linux, I looked around and could not find an executable (ELF) signing format. Luckily, yesterday I tried appending junk at the end of my executable and it kept working fine, so I built my own signature block that I append at the end of the Linux binary. Since the mesh network makes heavy use of signed data blocks, I used the exact same code to sign the executable and append the result at the end.

Tonight, I finally got my Linux executable to start self-checking its own signature each time it runs, just like my Windows version. It also checks the signed version and architecture type before doing an update. Lastly, I have my own signing tool and modified the agent's makefile to automatically sign the code. Note that when compiling a release executable, I also strip all the symbols before performing the signature.
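The two ideas above (a signature block appended to the end of the binary, and a self-check that also compares signed version and architecture before accepting a peer's update) can be shown end to end in a small example. This is added illustration code, not the mesh agent's own signing tool or its trailer format; the trailer layout, the magic string, the use of Ed25519 and the function names are all assumptions made for this example. The signature covers the original bytes together with the version and architecture, so a node cannot be fooled by a genuine old binary whose metadata has been relabelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed trailer layout, appended after the unmodified binary:
//   payload | magic(8) | version(4 BE) | archLen(2 BE) | arch | sig(64) | trailerLen(4 BE)
// trailerLen counts everything from magic up to (not including) itself, so a
// verifier can find the start of the block by reading the last four bytes.
var magic = []byte("MESHSIG1") // constructed marker, not the real agent's

const sigLen = ed25519.SignatureSize

func be32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
func be16(v uint16) []byte { b := make([]byte, 2); binary.BigEndian.PutUint16(b, v); return b }

// signedMessage is what the signature covers: binary bytes plus version and
// architecture, so the metadata is bound to the code it describes.
func signedMessage(payload []byte, version uint32, arch string) []byte {
	msg := append([]byte{}, payload...)
	msg = append(msg, be32(version)...)
	return append(msg, arch...)
}

// SignBinary returns payload with the signature trailer appended.
func SignBinary(payload []byte, priv ed25519.PrivateKey, version uint32, arch string) []byte {
	sig := ed25519.Sign(priv, signedMessage(payload, version, arch))
	trailer := append([]byte{}, magic...)
	trailer = append(trailer, be32(version)...)
	trailer = append(trailer, be16(uint16(len(arch)))...)
	trailer = append(trailer, arch...)
	trailer = append(trailer, sig...)
	out := append(append([]byte{}, payload...), trailer...)
	return append(out, be32(uint32(len(trailer)))...)
}

// VerifyBinary locates the trailer, checks the signature over the payload and
// metadata, and returns the signed version and architecture.
func VerifyBinary(signed []byte, pub ed25519.PublicKey) (version uint32, arch string, err error) {
	if len(signed) < 4 {
		return 0, "", errors.New("too short for trailer length")
	}
	tlen := int(binary.BigEndian.Uint32(signed[len(signed)-4:]))
	body := signed[:len(signed)-4]
	if tlen > len(body) || tlen < len(magic)+4+2+sigLen {
		return 0, "", errors.New("bad trailer length")
	}
	payload, trailer := body[:len(body)-tlen], body[len(body)-tlen:]
	if !bytes.Equal(trailer[:len(magic)], magic) {
		return 0, "", errors.New("missing signature block")
	}
	p := len(magic)
	version = binary.BigEndian.Uint32(trailer[p:])
	p += 4
	alen := int(binary.BigEndian.Uint16(trailer[p:]))
	p += 2
	if p+alen+sigLen != tlen {
		return 0, "", errors.New("bad architecture length")
	}
	arch = string(trailer[p : p+alen])
	sig := trailer[p+alen:]
	if !ed25519.Verify(pub, signedMessage(payload, version, arch), sig) {
		return 0, "", errors.New("signature mismatch")
	}
	return version, arch, nil
}

// ShouldUpdate is the peer-update policy: both binaries must verify, the
// architecture must match, and the candidate must carry a strictly newer version.
func ShouldUpdate(running, candidate []byte, pub ed25519.PublicKey) (bool, error) {
	myVer, myArch, err := VerifyBinary(running, pub)
	if err != nil {
		return false, fmt.Errorf("own binary: %w", err)
	}
	theirVer, theirArch, err := VerifyBinary(candidate, pub)
	if err != nil {
		return false, fmt.Errorf("candidate: %w", err)
	}
	return theirArch == myArch && theirVer > myVer, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-ins for real ELF files.
	old := SignBinary([]byte("ELF old agent bytes"), priv, 1, "x86_64")
	next := SignBinary([]byte("ELF new agent bytes"), priv, 2, "x86_64")
	ok, err := ShouldUpdate(old, next, pub)
	fmt.Println("accept peer update:", ok, err)
}
```

The running agent verifies itself with the same VerifyBinary call at startup, so a corrupted or tampered file fails before it ever serves itself to a peer. Because stripping symbols changes the bytes, it has to happen before signing, exactly as the post notes.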

That's it. Hopefully, I will have Linux support widely available soon.
Ylian
http://meshcentral.homeip.net