how should plug-ins be located on Windows?

Jeffrey Altman jaltman at secure-endpoints.com
Tue Aug 7 22:44:48 EDT 2007 

Ken Raeburn wrote:
> On Aug 6, 2007, at 22:54, Jeffrey Altman wrote:
>> Has anyone given any thought to how they would like to see plug-ins be
>> configured on Windows?
>>
>> The Windows way would be to use a registry key that is accessible only
>> to the "Administrator" as a place to list plug-ins to be loaded.
>>
>> 	HKLM\Software\MIT\Kerberos5\Plugins
> 
> Sounds okay, though I think a user should be able to override that  
> for non-privileged programs they're running.

How are you classifying privileged vs non-privileged?

Do you want to permit user's to add additional plug-ins or to replace
the plug-ins configured by the System Administrator?

My client wants to ensure that plug-ins cannot be modified by the end
user.  I can do that by using a HKLM value to determine whether or not
HKCU values should be permitted to extend or replace the HKLM values.

>> What about digital signatures?  I would like to see an option that  
>> would
>> require that plug-ins be digitally signed if the Kerberos libraries  
>> are
>> digitally signed.
> 
> I'd like to hear more about your idea.  Would this be Windows- 
> specific?  Why is the requirement on plugins tied to the signing of  
> the library?  How would you test whether the library is signed?  How  
> would you validate the plugin's signature without a race condition?   
> What's the threat model, where digital signatures on plugins help but  
> (I presume) the config file can be trusted?
> 
> This sounds like a much bigger project than just getting KfW to load  
> plugins; might be best to treat it separately, unless you've got a  
> good reason why they should be linked.
> 
> Ken

I already have code that validates the signatures on all libraries
that are loaded by the executable whether by Windows loader or via
the LoadLibrary() API.  This code is used in OpenAFS for Windows.

In the OpenAFS case the code is used to ensure that the signature on the
library modules (minus those signed by Microsoft) match the signature on
the executable.

My client is concerned about code replacement.   Plugins they distribute
would be part of the KFW distribution.  I would recommend that they
resign all of the binaries they distribute with their own certificate
before distributing to workstations.

Jeffrey Altman

More information about the krbdev mailing list