Re: Auto-update of an application, permission problem in "Program Files"

have some mechanism to verify the authenticity of updates applied

Look a good idea. I could use MD5 or SHA1 hash to verify the DLL. Any advice
about where and how to store the hash locally so that the "bad guy" could
not alter it ?

--
Francois PIETTE
http://www.overbyte.be


"Skywing [MVP]" <skywing_NO_SPAM_@xxxxxxxxxxxxxxxxxxx> a écrit dans le
message de news:OhcaNg%23qHHA.1172@xxxxxxxxxxxxxxxxxxxxxxx
To add to Jeffrey's comments, it would also be a good idea to have some
mechanism to verify the authenticity of updates applied this way, so that
a
user cannot trick the privileged updater mechanism into copying malicious
code over as well.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
""Jeffrey Tan[MSFT]"" <jetan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:5vkh1w9qHHA.1032@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Francois,

The problem of your current solution is that the bad guy also has the
permission of replace your plug-in dlls. So he may replace your dlls
with
his malicious Troy dll, which injects malicious code into machine.

In this scenario, below is the recommended solution:
1. Coding a separate Windows Service as a broker process which runs
under
a
high priviledge account, such as LocalSystem or Administrator.
2. When you need to update the plug-in dlls, your normal application can
use some type of inter-process communication technology to ask write
request to the Windows Service, and the Windows Service with high
priviledge work on behalf of your application to write "Program Files"
for
replacing the old dlls with new ones.(which are read-only to your normal
user account)

This is a safe solution since we separate the high priviledge
operations/code from the normal operation code. Also, by defining a
well-defined interface between the normal game application and the
Windows
Service, we expect it to be safe. In this mode, the Windows Service
application is called a permission broker application. Microsoft IE7
protected mode uses 2 broker applications for high priviledge write
operation which idea is the same here. Please refer to the
"Understanding
Protected Mode" section in link below to see these 2 broker processes:
"Understanding and Working in Protected Mode Internet Explorer"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/IETechCol/d
nwebgen/ProtectedMode.asp

A variation of this solution is coding a separate high-priviledge
updating
application. While asking for updating, your normal application can use
ShellExecute API with "runas" parameter to run the updating application
under the full administrator token, which has the permission of writting
to
the "Program Files". This approach has the advantage of prompting the
end
user with a consent dialog for updating, which aligns with Vista UAC
behavior. See the "Run as administrator" section in the link below for
details:

http://weblogs.asp.net/kennykerr/archive/2006/09/29/Windows-Vista-for-Develo
pers-_1320_-Part-4-_1320_-User-Account-Control.aspx

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach
the
most efficient resolution. The offering is not appropriate for
situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are
best
handled working with a dedicated Microsoft Support Engineer by
contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.





.

Relevant Pages
Loading