Franklin Heath Ltd

Master Your Information Assets


Code Signing Can Be Trusted (but not blindly)

Posted by Craig H on 8 April 2009

Ben Laurie, who certainly knows security, and is a top bloke for the work he has done on FreeBMD, posted yesterday on why signatures don’t provide assurance of trustworthiness or quality.

I have to respectfully disagree on this. The context is the W3C widget signing specification, and the wording in that spec that is at issue is:

Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism.

If third-party CAs issue code signing certificates to widget authors, and the device trusts the widget authors’ signatures, then I agree it won’t assure either trustworthiness or quality. I think that’s the model Ben is criticising (as in Microsoft Authenticode) and I agree with him so far as that goes. There is, however, an alternative model, the one that Symbian Signed has been using successfully for the past several years: the device does not trust the developer’s signature at all. Instead, the developer submits their signed application to a certification programme, which enforces its acceptance criteria and only then re-signs the application with a different key, and it is that key the device trusts.

You can of course argue with the specific acceptance criteria, but surely this model can theoretically provide assurance of trustworthiness or quality, and the W3C widget signing spec can be used with that sort of signing scheme.
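The two-tier model described above, as an added worked example rather than code from the W3C specification or the Symbian Signed programme. The device holds exactly one trust anchor, the certifier’s public key; an author signature alone never installs, a submission that fails the acceptance criteria never gets re-signed, and a certified payload can still be revoked later. The `Widget` struct, the `NoNetworkPolicy` criterion and the payload bytes are constructed assumptions for this illustration, not the real widget or manifest formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Widget is a hypothetical package as the device sees it: the installable
// bytes, the author's public key and signature, and, once certified, the
// certifier's counter-signature. Struct and field names are assumptions
// made for this example, not the W3C or Symbian Signed formats.
type Widget struct {
	Name      string
	Payload   []byte
	AuthorKey ed25519.PublicKey
	AuthorSig []byte
	CertSig   []byte
}

// AuthorSign produces the author signature over the payload.
func AuthorSign(name string, payload []byte, authorPriv ed25519.PrivateKey) Widget {
	return Widget{
		Name:      name,
		Payload:   payload,
		AuthorKey: authorPriv.Public().(ed25519.PublicKey),
		AuthorSig: ed25519.Sign(authorPriv, payload),
	}
}

// Certifier models the certification programme: it verifies the author's
// signature (so every submission is attributable to a publisher), applies
// its acceptance criteria, and only then re-signs with the key devices trust.
type Certifier struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	Criteria func(Widget) error
}

func NewCertifier(criteria func(Widget) error) *Certifier {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Certifier{priv: priv, Pub: pub, Criteria: criteria}
}

// certifiedMessage is what the certifier signs: payload || author public key,
// so the certification binds the accepted bytes to the publisher who sent them.
func certifiedMessage(w Widget) []byte {
	return append(append([]byte{}, w.Payload...), w.AuthorKey...)
}

func (c *Certifier) Certify(w Widget) (Widget, error) {
	if !ed25519.Verify(w.AuthorKey, w.Payload, w.AuthorSig) {
		return w, errors.New("author signature does not verify")
	}
	if err := c.Criteria(w); err != nil {
		return w, fmt.Errorf("rejected by acceptance criteria: %w", err)
	}
	w.CertSig = ed25519.Sign(c.priv, certifiedMessage(w))
	return w, nil
}

// Device holds a single trust anchor (the certifier's key) and a revocation
// list of payload hashes; the author's key is never consulted at install time.
type Device struct {
	trusted ed25519.PublicKey
	revoked map[[32]byte]bool
}

func NewDevice(trusted ed25519.PublicKey) *Device {
	return &Device{trusted: trusted, revoked: map[[32]byte]bool{}}
}

// Revoke blocks a previously certified payload, modelling the intermediary's
// ability to withdraw an application after it has been signed.
func (d *Device) Revoke(payload []byte) { d.revoked[sha256.Sum256(payload)] = true }

// Install accepts a widget only if the certifier's signature verifies over the
// payload and author key, and the payload has not been revoked.
func (d *Device) Install(w Widget) error {
	if len(w.CertSig) == 0 || !ed25519.Verify(d.trusted, certifiedMessage(w), w.CertSig) {
		return errors.New("no valid signature from a trusted certifier")
	}
	if d.revoked[sha256.Sum256(w.Payload)] {
		return errors.New("payload has been revoked")
	}
	return nil
}

// NoNetworkPolicy is a constructed, deliberately simple acceptance criterion:
// reject any widget whose (constructed) manifest bytes request the network.
func NoNetworkPolicy(w Widget) error {
	if bytes.Contains(w.Payload, []byte("capability=network")) {
		return errors.New("network capability not allowed under this policy")
	}
	return nil
}

func main() {
	_, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := NewCertifier(NoNetworkPolicy)
	dev := NewDevice(cert.Pub)

	clock := AuthorSign("clock", []byte("capability=none;code=clock"), authorPriv)
	fmt.Println("author-only install:", dev.Install(clock)) // rejected
	signed, err := cert.Certify(clock)
	fmt.Println("certify:", err, "| install:", dev.Install(signed)) // both <nil>

	spy := AuthorSign("spy", []byte("capability=network;code=spy"), authorPriv)
	_, err = cert.Certify(spy)
	fmt.Println("certify spy:", err) // rejected by acceptance criteria

	dev.Revoke(signed.Payload)
	fmt.Println("install after revoke:", dev.Install(signed)) // rejected
}
```

The point the code makes is the one in the post: the device’s trust decision depends only on the certifier’s key and revocation list, so the author’s certificate (whoever issued it) grants no installation rights by itself, and whatever assurance the scheme gives comes from the criteria and discretion the intermediary applies before re-signing.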

6 Responses to “Code Signing Can Be Trusted (but not blindly)”

  1. That is precisely the model we went with. We allow both Author and Distributor signatures. We also don’t trust the author signature as much as the “Distributor”. However, putting too much trust on the distributor is also flawed because it implies that the distributor has a good QA process in place. I’m not sure I see a way around this. If you have further thoughts or comments, please send them to the W3C’s mailing list!

  2. mpwilcox said

    I’ve been sceptical of this model for a long time. I completely agree that the structure used works in theory, but in practice I don’t believe there can be a general purpose set of tests that provide any meaningful QA. You can filter out complete dross but you can’t really make a finer distinction. Then on the downside, you risk making developers jump through pointless hoops to get approved.

    I think Symbian Signed should look at alternative ways of establishing trust than a fixed test criteria and drop the idea of being able to do QA in this way at all – leave that to distributors. Of course I understand that getting all the stakeholders to agree any such notion is going to be hard.

    • Craig H said

      Mark, I’m by no means suggesting that Symbian Signed is perfect, but I don’t accept that the security it provides is only theoretical. I think the fact that it has been in operation for over 3 years and that we have had only a minimal level of malware (a handful of applications have been identified as malicious, but those have been revoked) shows that it does provide meaningful security in practice.

      You’re right to question whether independent testing provides any security value, and in fact we already recognise that it doesn’t. That’s the reason that we introduced Express Signed at the beginning of 2008, so that developers only pay for testing if they want the (non-security) quality assurance benefits. Perhaps surprisingly, many developers still do choose Certified Signed and pay for the optional independent testing, so there must be some value in it for them.

      Returning to the security benefits, I think we have seen that the Symbian Signed programme has been effective. The benefit is not in the testing (note that I deliberately didn’t mention testing in my post!) so it must be in something else – perhaps in the authentication (requiring a publisher ID certificate), perhaps in the simple fact that there’s an intermediary which has discretion to refuse submissions and revoke signed applications, or perhaps something else.

      I agree that we do need to look at alternative ways of establishing trust; in particular the cost and difficulty of obtaining the publisher ID certificate can be a barrier to smaller-scale developers. I do however think we need to implement any changes carefully and incrementally. We have something that works in practice and is trusted by the market-leading phone manufacturers and network operators, so we need to be careful not to break that. We don’t know precisely which factors, or combination of factors, in the current signing criteria are the ones that have contributed to this success; adjusting the security policy, in a controlled way so we can assess the effect, might well help us determine that.

  3. Mark Wilcox said

    Actually I think we agree – I’m only arguing against the QA aspect being linked to the security aspect.

    I think there are two primary reasons for companies to choose to go through Certified Signed now that Express Signed is available:
    1) It is a requirement of a customer (e.g. network operator or device manufacturer).
    2) The development is outsourced and the company wants some kind of independent testing performed (because they are the ones who hold the publisher ID).

    Note that Express Signed still requires you to pass all of the test criteria, the only difference is the independent testing requirement.

    Actually, I think there should be a QA testing program of some kind (which is what Symbian Signed was before PlatSec came along) – I’d debate the current test criteria but that’s not a security question, as we’ve already established – but it should be about access to mass-market distribution opportunities like Ovi Store rather than whether you can install a file on a device at all. To me this is a fairly incremental step (and I agree we can’t make big changes all at once either).

    I’d like to see multiple alternative routes to gaining the appropriate trust. Big corporates can pay for independent testing if they want. Smaller developers can release to a community of enthusiasts that are aware of the risks – if enough respected users give an app the thumbs up then it gets signed for wider distribution.

    Mark

    P.S. While I’m an admirer of the general PlatSec architecture, I think the claims of the success of the system are still open to debate – there was a lot of talk about the potential threat of mobile malware a few years back but I only remember a couple of concrete instances in the wild on S60, and about the same since PlatSec was introduced. Happy to be corrected there though.

  4. Mark Wilcox said

    P.P.S. What I think was very successful, was the way that the system re-assured operators and manufacturers, allowing them to keep the devices open as they went mass-market.

  5. Jouni said

    Have to both agree and disagree with Craig. There are no clear answers, but we can learn from the past. Fortunately there are already signs that change is coming.

    Agree that Symbian Signed has provided security and minimized known malware and attacks. However a big factor for this is the lack of software – leading to fewer downloads and installs, which means less interest in writing malware. True, Symbian Signed had a big part in making this happen.

    Mark listed good reasons why Express Signing isn’t as popular as maybe expected: customers demand that from sw providers and outsourcing companies demand from subcontractors. There is one more: a clear threat of random reviews, which might revoke not only application, but the whole developer certificate (!!!), if some unknown party decides that express signed app does not fulfill all test criteria. Since that criteria is very open to interpretation, the hundreds of euros expense and week(s) effort for test house testing is justified.

    Not because of improved security or additional quality assurance, but because of minimizing risk of business interruption. Not fear, I’d say. That money is an investment, which actually gives measurable value.

    Calling Symbian Signed as “effective” I obviously agree, very strongly. We might disagree what that effect was, but that’s fine. This is not a black and white issue. My view is from developer and subcontractor point of view, the very bottom of Symbian ecosystem food chain. Not an easy place to be.
