February 3rd, 2006

You can't even trust the identity of the calling executable

A while back, I demonstrated that you can’t trust the return address. What’s more, you can’t even trust the identity of the calling executable. I’ve seen requests from people who say, “I want to check whether I’m being called from MYAPP.EXE. I’m going to make a security decision based on the result.” Although you can do this, all it does is give you more rope.

Even if you are convinced that you’re being called from the expected application, you aren’t any safer. An attacker can inject code into that process (say, via a global hook) and you will foolishly trust it. In the same way, you shouldn’t trust who you’re talking to on the phone based solely on the caller ID. Somebody could have broken into the caller’s house and made the call from that phone.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.
