software that knows how to update itself

Hi,

the update thing looks sane to me, but only IF you can really trust
that crc/md5 part, which you didn't flesh out very much. I really don't
know enough about crypto stuff to comment on this part. Some things to
think about, anyway: How exactly will this work? How can you be sure
that hackers won't use this mechanism to replace your code with theirs?
You might argue that you won't have enough installations to get hackers
interested in your server. In closed networks, well okay. But I
wouldn't run this on an internetwide accessible machine.

I don't know what your situation is; if this is for a larger
organization: do you run an automatic software deployment tool in your
organization? These do the same thing, but for all kinds of apps. Why
not use that to deliver updates? If you don't have such a thing but can
afford it, think about buying one. I can give you some pointers if
you're interested; I used to work in that field.

Cheers,
Stefan

On 15.09.2004, at 14:46, Brad Tilley wrote:

I've written and tested a *very basic* socket server that I'll have to
deploy soon... sooner than I'd like as much of the functionality that
I want to include hasn't been implemented or even tested yet. So, I've
been thinking about writing a function that has the ability to upgrade
the socket server remotely. However, I have never done anything like
this so I'm looking for tips and advice on the subject.

The socket server runs continuously listening for connections so I'll
always be able to communicate with it. Here's some pseudo code that
captures the essence of what I'd like to do:

def update_urself():
receive updated socket server code & write it to a file
verify file with crc or md5sum check on both ends
if verify is OK:
close all connections
replace sock_serv.py with sock_serv_update.py

if conn.recv == 'UPDATE'
update_urself()

Does this look sane?


--
http://mail.python.org/mailman/listinfo/python-list

// st****@eischet.com //

Am Mittwoch, 15. September 2004 14:46 schrieb Brad Tilley:

def update_urself():
receive updated socket server code & write it to a file
verify file with crc or md5sum check on both ends
This step is very dangerous, as only checking a hash on the client and server
side can really lead to problems when you have a malicious client giving out
the new file.

What you should do:

--- Generate private/public key pair for the client which will update the
server.
--- Export the public key, and hand it out with each distributed server.
--- Now, when sending a new sock_serv.py, the server can check the digital
signature which is also sent by the client (which it can create, because it
has the private key, and which the server can check because it has the public
key as distributed in step 2).
--- Only if this signature check is okay (better use some form of SHA for
creating the signature) will the client accept the new file.
if verify is OK:
close all connections
replace sock_serv.py with sock_serv_update.py

if conn.recv == 'UPDATE'
update_urself()

For the rest, it looks okay.

If you need to implement something like this, I'd like to point you to Sophie
(a crypto library I've written, which directly works on top of libgmp, the
gnu multi precision integer library).

http://www.heim-d.de/~heikowu/Crypto

HTH!

Heiko.