...

First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored."

Code signing is designed to authenticate the origin of the code, as well as to verify the integrity of the code. It relies on a certification authority (CA) to confirm the identity of the principal signer. Naive users should not be expected to understand how certificates and the public key infrastructure (PKI) work.

...

Consider, for example, signed Java applets. When a certificate is verified on widely used platforms, the user is presented with a security dialog in which the option "Always trust the content from the publisher" is selected by default. The dialog primarily asks whether the signed code should be executed. Unfortunately, if the user confirms the dialog with the check box selected, the "Always trust..." setting overrides any future warning dialogs. An attacker can take advantage of this mechanism by exploiting vulnerable code signed by the trusted organization. In this case, the code executes with the user's implied permission and can be freely exploited.

An organization that signs its own code should not vouch for code acquired from a third party without carefully auditing the third-party code. When signing privileged code, ensure that all of the signed code is confined to a single JAR file (see rule ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it for more information) and that any code invoked from the privileged code is also contained in that JAR file. Nonprivileged code must be left unsigned, restricting it to the sandbox. For example, unsigned applets and Java Network Launching Protocol (JNLP) applications are granted the minimum set of privileges and are restricted to the sandbox. Finally, never sign any code that is incomprehensible or unaudited.

...

Signing unprivileged code violates the principle of least privilege because it can circumvent security restrictions defined by the security policies of applets and Java Network Launch Protocol (JNLP) applications, for example.

...

Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether a body of signed code both includes that entire closure and also excludes all other code.
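As an added illustration of the tooling this paragraph sketches, and of the earlier rule that everything invoked from privileged code must live in the same signed JAR while nonprivileged code stays unsigned, the following Python computes the closure of classes reachable from programmer-identified privileged entry points and compares it with the entry list of a signed JAR. It reports both classes the closure needs that the signed JAR lacks and signed classes that lie outside the closure. This is example code written for this page, not a CERT tool and not part of any project; the class names, the call graph and the JAR listing are all constructed. In practice the call-graph edges could be taken from `jdeps -verbose:class` output and the entries from `jar tf`.

```python
from collections import deque

# Constructed call graph at class granularity: caller -> set of callees.
# All class names are hypothetical and chosen for this example only.
CALL_GRAPH = {
    "com.example.priv.FileWriterAction": {"com.example.priv.PathPolicy",
                                          "com.example.util.Strings"},
    "com.example.priv.PathPolicy": {"com.example.util.Strings"},
    "com.example.util.Strings": set(),
    # UI code calls into the privileged action but is not itself privileged.
    "com.example.ui.MainPanel": {"com.example.priv.FileWriterAction",
                                 "com.example.ui.Theme"},
    "com.example.ui.Theme": set(),
    "com.example.net.Downloader": {"com.example.util.Strings"},
}

# Programmer-identified privileged entry points (the "starting point" the
# paragraph above says a tool needs; it cannot discover these on its own).
PRIVILEGED_ROOTS = {"com.example.priv.FileWriterAction"}

# Constructed listing of what was actually put into the signed JAR.
SIGNED_JAR_ENTRIES = [
    "META-INF/MANIFEST.MF",
    "META-INF/SIGNER.SF",
    "META-INF/SIGNER.RSA",
    "com/example/priv/FileWriterAction.class",
    "com/example/priv/PathPolicy.class",
    "com/example/ui/Theme.class",          # unprivileged code that got signed
    # com/example/util/Strings.class is missing from the JAR
]


def privileged_closure(graph, roots):
    """Return every class reachable from the privileged roots (callees only).

    Callers of privileged code are deliberately not included: a UI panel that
    invokes a privileged action is not itself privileged.
    """
    seen = set(roots)
    work = deque(roots)
    while work:
        current = work.popleft()
        for callee in graph.get(current, ()):
            if callee not in seen:
                seen.add(callee)
                work.append(callee)
    return seen


def classes_from_jar_entries(entries):
    """Map JAR entry paths to dotted class names, ignoring META-INF and resources."""
    classes = set()
    for entry in entries:
        if entry.startswith("META-INF/") or not entry.endswith(".class"):
            continue
        classes.add(entry[: -len(".class")].replace("/", "."))
    return classes


def audit_signed_jar(graph, roots, signed_classes):
    """Compare the signed JAR against the privileged closure.

    Returns (missing, excess): 'missing' are classes the privileged code can
    invoke that are not in the signed JAR (they would load unsigned, outside the
    sealed unit); 'excess' are signed classes outside the closure, i.e.
    unprivileged code that should have been left unsigned.
    """
    closure = privileged_closure(graph, roots)
    signed = set(signed_classes)
    return closure - signed, signed - closure


if __name__ == "__main__":
    missing, excess = audit_signed_jar(
        CALL_GRAPH, PRIVILEGED_ROOTS, classes_from_jar_entries(SIGNED_JAR_ENTRIES))
    for name in sorted(missing):
        print(f"MISSING from signed JAR (reachable from privileged code): {name}")
    for name in sorted(excess):
        print(f"EXCESS in signed JAR (unprivileged code signed): {name}")
    if not missing and not excess:
        print("signed JAR matches the privileged closure exactly")
```

On the constructed input the audit flags `com.example.util.Strings` as missing (the privileged action depends on it, so it must be inside the signed, sealed JAR) and `com.example.ui.Theme` as excess (signed without being reachable from any privileged root). The caller `com.example.ui.MainPanel` is correctly left out of the closure, which is why it should stay unsigned and in the sandbox.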

Related Guidelines

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ca39f2d016bff3fc-23b32275-4b194d65-82889489-a97e5cae17a63eebd2d357b5"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010|http://www.aitcnet.org/isai/] "Adherence to least privilege [XYN]"

]]></ac:plain-text-body></ac:structured-macro>

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c669c32830916bca-9aeb6a9e-4ea94eb3-8e4db742-fc166ab37df067fc67aacd7a"><ac:plain-text-body><![CDATA[

[[Dormann 2008|AA. Bibliography#Dormann 08]]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a6f1ac105fe16627-1add0b85-4a144434-b1d4ac56-6ce9ad6b71b570d49f30796a"><ac:plain-text-body><![CDATA[

[[McGraw 1999|AA. Bibliography#McGraw 99]] Appendix C, Sign Only Privileged Code

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d29a94f0328b2508-b05af13f-42424999-a78eb9c8-eaa06f0189e32feaa893f34c"><ac:plain-text-body><![CDATA[

[[Schneier 2000|AA. Bibliography#Schneier 00]]

]]></ac:plain-text-body></ac:structured-macro>

...