
Can signed executables be tampered with while retaining the integrity of the signature?

I was wondering to what degree I can rely on the digital signatures on files (aka digital certificates from Verisign, Symantec etc.) when deciding if it's been tampered with or not.

Say I want to download an application version that's no longer on the original developer's site but is available on third-party sites like cnet, oldapps.com or filehippo. I usually resort to searching for old forum entries with people listing the MD5 or SHA1 hash signature to see if they match the hash of the one I've downloaded. That only works with really big devs whose software is widespread.

I was wondering if verifying the file's digital signature is another reliable means of ensuring the file came from the dev and wasn't altered by a third party?

What I'm asking is: if a hacker injects an already signed DLL or EXE with malcode, effectively changing the file's hash, will it break the digital signature because the signature embeds some kind of digest? Or will the signature be completely unaffected?

thebunnyrules asked Jan 16 '17 03:01



1 Answer

I decided to answer my own question using an empirical approach rather than taking the Digital Certification authorities' word for it.

I devised an experiment where I used a hex editor to modify copies of wdksetup.exe (a signed WDK web installer from Microsoft's website) and studied how the digital signature is affected. I substituted 1 byte all the way up to 25 KB and made a new copy each time I made a substitution. I also used ResourceHacker to add an icon group to one of them, which added an extra 400 KB to the file.

Results:

  • Substituting 1 single byte will change the SHA1 digest of a file but also cause its signature to fail checks. The signature will still be there, but it will fail any checks. If you send the file to VirusTotal, if you go to Properties and click on Details on the signature, or if you try to run it and look at the Publisher line, you will be notified that the signature is no good. 1 single byte. Brilliant!

  • That being said, I emphasize that the signature wasn't lost (even when I made substitutions of up to 25 KB), so when you go to File Properties, there will still be a Digital Signatures tab and it will still say Microsoft. This is very misleading, and you have to be careful not to end your inspection there, because that tab will still be there whether the signature is valid or not. To ensure that you have a good signature, you have to select the signature and click on Details. You will then get a dialogue that tells you if that signature is valid or not. This describes the behavior I observed in Windows 7; I didn't have a copy of 8 or 10 handy to see how the properties dialogues behave there.

  • Making massive size-changing modifications to a file will result in the signature being completely destroyed.

(Edit: I was curious to see the impact of size. I repeated the 1-byte substitution experiment on a 250 MB file with the same results. I was also curious to see if size impacts the possibility of getting collisions when calculating digests. I did a 1-byte substitution in a 3.5 GB DVD ISO, which resulted in both different MD5 and SHA1 hashes.)

thebunnyrules answered Sep 30 '22 02:09
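The same one-byte experiment can be scripted so the check does not depend on reading the Properties dialog correctly. The PowerShell below is an added example, not code from the question or answer above: it takes a signed PE (the path is a placeholder), flips one byte in a copy, and reports the SHA256 hash, the Authenticode status and the signer for both files. The point it makes is the one the answer warns about: the signer certificate is still attached to the tampered copy (which is why the Digital Signatures tab still says Microsoft), but `Status` changes from `Valid` to `HashMismatch`, so a script must gate on `Status`, never on the mere presence of a signer. The byte offset is constructed for illustration; it should land in the image body, because the PE checksum field and the certificate table itself are excluded from the Authenticode hash and a flip there behaves differently.

```powershell
# Added example (not from the original post): reproduce the one-byte tampering
# experiment with the built-in Authenticode cmdlets instead of a hex editor.
# $Original is a placeholder path; $Offset is a constructed offset into the
# image body (not the header checksum or certificate table).
param(
    [string]$Original = 'C:\path\to\wdksetup.exe',   # placeholder
    [int]$Offset      = 0x400                          # constructed
)

function Get-SignatureReport {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status  = $sig.Status          # Valid, HashMismatch, NotSigned, NotTrusted, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Message = $sig.StatusMessage
    }
}

# 1. Baseline: the untouched file is expected to report Valid.
$before = Get-SignatureReport -Path $Original

# 2. Copy the file and change exactly one byte.
$Tampered = Join-Path ([System.IO.Path]::GetTempPath()) 'tampered-copy.exe'
$bytes = [System.IO.File]::ReadAllBytes($Original)
if ($Offset -ge $bytes.Length) { throw "Offset $Offset is past the end of the file" }
$bytes[$Offset] = $bytes[$Offset] -bxor 0xFF
[System.IO.File]::WriteAllBytes($Tampered, $bytes)

# 3. Re-check: the hash differs, Signer is still populated (the signature block
#    is still embedded), but Status is no longer Valid.
$after = Get-SignatureReport -Path $Tampered
$before, $after | Format-Table -AutoSize

# The decision a verification script should make: trust only Status -eq 'Valid'.
if ($after.Status -eq 'Valid') {
    Write-Warning "Unexpected: the modified copy still verifies"
} else {
    Write-Host "Tampered copy rejected: $($after.Status) - $($after.Message)"
}
Remove-Item $Tampered -ErrorAction SilentlyContinue
```

Run it as a `.ps1` with `-Original` pointing at any signed installer. `Get-AuthenticodeSignature` also returns `NotTrusted` when the digest matches but the certificate chain does not chain to a trusted root, which is the other case a "signature present" check would miss; for the download scenario in the question, both `HashMismatch` and `NotTrusted` should be treated as a failed verification.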