Strengthening Software Security through Code Signing

Code signing is a crucial mechanism to establish authenticity and trust, ensuring that software is not compromised during distribution. However, improper code signing practices can introduce significant risks. In this blog, we explore the importance of code signing and delve into the potential consequences of a compromised code signing process.

The Devastating Impact of a Code Signing Failure

Below are a few notable attacks that occurred as a result of code signing compromise or failure:

1. NotPetya Attack

   In June 2017, the global shipping conglomerate A.P. Moller-Maersk fell victim to the NotPetya malware attack. The attack originated from a small Ukrainian software company that had fallen victim to state-sponsored hackers. Exploiting vulnerabilities in the company’s security infrastructure, the hackers gained access to the code signing keys, allowing them to inject malware into a legitimate software update. This malicious update was subsequently distributed to customers, including A.P. Moller-Maersk, resulting in widespread infection and significant disruptions.

2. ShadowPad Supply Chain Attack

   In 2017, a sophisticated supply chain attack targeted the software update mechanism of the popular Ukrainian accounting software, MeDoc. The attackers compromised the code signing process, allowing them to distribute a backdoored software update to MeDoc users. This malicious update ultimately led to the spread of the ShadowPad malware, compromising numerous organizations worldwide.

3. ASUS Live Update Hack

   In 2019, hackers infiltrated ASUS’s web update server and injected malware into legitimate ASUS driver updates. The compromised code signing keys allowed the malicious updates to appear authentic, resulting in over one million infected ASUS computers. This attack highlighted the vulnerability of software supply chains and the importance of robust code-signing practices.

4. CCleaner Backdoor

   In 2017, the popular system optimization tool CCleaner was compromised when hackers injected malware into one of their official software updates. The attackers signed the malicious update with a valid code signing certificate, tricking users into believing it was a legitimate update. The incident affected millions of users and underscored the significance of code signing integrity.

These attacks serve as a stark reminder of the critical role code signing plays in ensuring the trustworthiness and authenticity of the software.

Assessing Software Trust and Vetting Processes

In light of such incidents, it is crucial to question the level of trust we place in the software we install and utilize. Businesses rely on numerous external software packages to support their daily operations. However, the lack of stringent vetting processes for these software packages can introduce significant risks. To enhance software security, consider the following measures:

1. Vetting and Whitelisting

   Implement a robust process to vet and approve software before allowing users to install it. Consider establishing a whitelist of trusted software and restrict installations to only those approved applications.

2. Internal Software Production

   Recognize the importance of securing your company’s software. Treat your private code signing keys as the keys to your business’s kingdom. Implement strict access controls, encryption, and monitoring mechanisms to safeguard these keys from theft or misuse. Consider using Hardware Security Modules (HSMs) to store and protect your code signing keys, as they provide high security and tamper resistance.

3. Supply Chain Integrity

   Ensure that the software you receive from external sources undergoes thorough security checks. Implement mechanisms to verify the integrity and authenticity of software updates before installation.

Understanding the Code Signing Problem

The efficacy of code signing in protecting software supply chains has been proven over the past three decades. However, certain challenges hinder its effectiveness. Organizations often struggle to effectively manage private code signing keys, leading to vulnerabilities and potential compromises. Let’s explore some common issues:

1. Lack of Centralized Key Management

   Many global organizations have geographically dispersed teams of software developers. These teams require access to private code signing keys to sign their software. However, when keys are stored on developers’ laptops, build servers, or web update servers, they become susceptible to theft or misuse.

2. Failure to Recognize Key Importance

   Private code signing keys should be treated as the master keys to your business. Unfortunately, organizations often overlook their criticality and fail to implement adequate security measures to protect them.

3. Insufficient Security Practices

   Inadequate security practices, such as weak password management, lack of encryption, and inadequate access controls, further contribute to code signing vulnerabilities.

Best Practices for Robust Code Signing

To enhance the security and integrity of your software infrastructure, it is imperative to implement best practices for code signing. Consider the following recommendations:

1. Implement Hardware Security Modules (HSMs)

   HSMs provide a dedicated and secure environment for key storage and cryptographic operations. By leveraging HSMs, organizations can protect their private keys from physical and logical attacks, ensuring the integrity of the code-signing process.

2. Regularly Rotate Keys

   Periodically rotate code signing keys to mitigate the impact of potential key compromises. By regularly updating keys, organizations minimize the risk of unauthorized access and maintain the trustworthiness of their signed software.

3. Employ Code Signing Policies and Procedures

   Develop comprehensive code-signing policies and procedures that define roles, responsibilities, and workflows for the code-signing process. Ensure employees receive proper training and adhere to these policies to maintain a secure code-signing environment.

4. Continuous Monitoring and Auditing

   Implement a robust monitoring and auditing mechanism to detect and investigate any suspicious activities related to code signing. Regularly review logs and perform audits to identify potential security gaps and take corrective actions promptly.

5. Scan for viruses

   While code signing provides authentication, it does not guarantee the security of the code itself. Therefore, conducting thorough virus and malware scans on the code before publication and signing with digital certificates is highly recommended. Performing these scans enhances the overall quality of the code and helps identify and mitigate potential security risks.

Want to know how we can assist you?

Encryption Consulting’s CodeSign Secure provides organizations with a comprehensive code-signing solution tailored to their unique requirements. By utilizing this solution, organizations can establish a strong code-signing policy that effectively mitigates security risks and ensures the authenticity of their software. Our product streamlines the code-signing process and offers a range of features designed to enhance security.

One key feature of CodeSign Secure is secure key management. It enables organizations to securely store their private keys of the code-signing certificate by integrating with industry-leading Hardware Security Modules (HSMs) that are FIPS certified. This integration eliminates the potential risks associated with stolen, corrupted, or misused keys, as the private keys never leave the HSM during the code signing operation.

Conclusion

Code signing is a critical component of ensuring software authenticity and trust. However, the potential consequences of a compromised code signing process are severe, as demonstrated by notable attacks like the NotPetya malware attack on A.P. Moller-Maersk and other incidents. To protect your software infrastructure, it is essential to implement robust code-signing practices and prioritize the security of private code-signing keys. Organizations can mitigate the risks associated with code signing failures by adhering to best practices such as HSM usage, regular key rotation, stringent code signing policies, continuous monitoring, and virus scanning.